Re: Pam Authenticate



hi,

i have it working with RH7.0, your mileage may vary.

i've got the following packages:

openldap-2.0.7-12
nss_ldap-143-1
authconfig-4.1.1

redhat provides a brief reference for migration to pam/ldap
authentication.  here is one for 6.2:

http://www.redhat.com/support/manuals/RHL-6.2-Manual/ref-guide/s1-ldap-redhattips.html

there is a similar one for 7.0, that may or may not be identical.

- edit your openldap config files. 
- migrate your passwd and group files (and others, if necessary).
- run authconfig, and choose LDAP for authentication.

my biggest challenge has been to enable secure communication between pam
and ldap, and ldap clients and ldap server via (start)tls.

for secure pam/ldap, you need to:
1. create a suitable self-signed certificate:
	cd /usr/share/ssl/certs
	make slapd.pem
2. uncomment two TLS lines in the /etc/openldap/slapd.conf
3. if you haven't already, use authconfig (new, from rawhide) to enable
	TLS.  that basically adds "ssl start_tls" to /etc/ldap.conf, which
	is a pam_ldap config file.

that worked great for my shell logins.  what was confusing, i couldn't get
the server to log any TLS debugging.  the only way i could check that
traffic was encrypted was by attaching to the server process with strace
(as suggested by a redhat engineer).

getting openldap clients, like ldapsearch and ldapadd, to use starttls
with the server was more difficult.  the latest RH package seems broken in
that respect.  i recompiled mine without kerberos and sasl, and it worked
great.  another quirk was that the current RH glibc, 2.2-12, has a bug in
pthreads.  to recompile openldap, you would have to go back to 2.2-9,
which is nowhere to be found, or go up to 2.2.1-3, which is in the fisher
beta.  trying the latest 2.2.2 from rawhide didn't work 'cause it depended
on kernel > 2.4.0 (i am still running 2.2.x).

i am also trying to get mod_auth_pam to work with apache, but haven't been
successful so far.

phew.  hope this helps,

--sasha
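The mail above verifies encryption only by strace-ing slapd. As an added example (not part of the original mail or of the OpenLDAP project), the shell functions below audit the two files the mail edits, /etc/ldap.conf and /etc/openldap/slapd.conf, for the StartTLS settings it describes, so a commented-out line shows up before a login is attempted. It assumes the "two TLS lines" are the slapd.conf directives TLSCertificateFile and TLSCertificateKeyFile; the sample config files written by write_samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pam_ldap client and slapd server configs for StartTLS.
# Assumption: the "two TLS lines" in slapd.conf are TLSCertificateFile and
# TLSCertificateKeyFile. Paths are passed in as arguments.

# 0 if the pam_ldap/nss_ldap client config has an active "ssl start_tls" line
# (a leading "#" makes the line inactive, so the regex is anchored at ^).
client_uses_starttls() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls([[:space:]]|$)' "$1"
}

# 0 if slapd.conf carries both TLS directives uncommented with a value.
server_has_tls_lines() {
    grep -Eq '^[[:space:]]*TLSCertificateFile[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*TLSCertificateKeyFile[[:space:]]+[^[:space:]]' "$1"
}

# Print the certificate path named by TLSCertificateFile (empty if none).
server_cert_path() {
    awk '$1 == "TLSCertificateFile" { print $2; exit }' "$1"
}

# Run every check on a client file ($1) and server file ($2); prints one line
# per check and returns the number of failed checks.
audit_ldap_tls() {
    client=$1 server=$2 fails=0
    if client_uses_starttls "$client"; then echo "ok   $client: ssl start_tls"
    else echo "FAIL $client: no active 'ssl start_tls' line"; fails=$((fails+1)); fi
    if server_has_tls_lines "$server"; then echo "ok   $server: TLS cert/key directives"
    else echo "FAIL $server: TLS directive missing or commented out"; fails=$((fails+1)); fi
    cert=$(server_cert_path "$server")
    if [ -n "$cert" ] && [ ! -r "$cert" ]; then
        echo "WARN $cert named in $server is not readable on this host"
    fi
    return $fails
}

# Write constructed good/bad samples of both files into directory $1.
# slapd.pem holds key and cert together, as "make slapd.pem" produces it.
write_samples() {
    printf 'host 127.0.0.1\nbase dc=example,dc=com\nssl start_tls\n' > "$1/ldap.conf.good"
    printf 'host 127.0.0.1\nbase dc=example,dc=com\n# ssl start_tls\n' > "$1/ldap.conf.bad"
    printf 'TLSCertificateFile /usr/share/ssl/certs/slapd.pem\nTLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem\n' > "$1/slapd.conf.good"
    printf '# TLSCertificateFile /usr/share/ssl/certs/slapd.pem\nTLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem\n' > "$1/slapd.conf.bad"
}

# usage on a live box: audit_ldap_tls /etc/ldap.conf /etc/openldap/slapd.conf
```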


On Sun, Mar 04, 2001 at 03:51:08PM +0330, Apadana Instituye wrote:
> hello every body,
> 
> I installed openldap 2.0.7 in red hat 6.2 ,and we have users that I want to 
> authenticate via Linux, should I use PAM authenticate? if yes would you 
> please advice me how can I configure it for that ?
> 
> I installed pam_ldap too, but I don't know how should I config it, please 
> advice me
> 
> thanks
> Sonbol