
RE: PAM and LDAP Problem

Well, I got things working from PAM, but it broke my other app (samba).
BTW, uniquemember works if the pam_member_attribute is appropriately set in
the ldap.conf.

My problem seems to be the password scripts.  Here's some output:
[root@fpott01 bin]# ./smbpasswd -a ndressler -D 255
Building passwd hash table
Building passwd hash table for the first time
ndressler not found
ndressler not found
NDRESSLER not found
Ndressler not found
ndressleR not found
User "ndressler" was not found in system password file.
[root@fpott01 bin]# su ndressler
[ndressler@fpott01 bin]$ passwd
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
passwd: User not known to the underlying authentication module
[ndressler@fpott01 bin]$ adduser ndressler
adduser: user ndressler exists
[ndressler@fpott01 bin]$

SMBPASSWD seems to be using a call to getpwnam.  Do I have something
misconfigured where this is not returning the LDAP version?  The passwd
script seems to have a similar problem, even though the account exists.

My nsswitch.conf file has the following:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files nisplus nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files nisplus nis
aliases:    files nisplus

Any ideas?

-----Original Message-----
From: Chris Garrigues [mailto:cwg-dated-051069fed2681750@deepeddy.com]
Sent: Thursday, July 05, 2001 3:16 PM
To: Norm Dressler
Cc: openldap-software@OpenLDAP.org
Subject: Re: PAM and LDAP Problem

> From:  "Norm Dressler" <ndressler@dinmar.com>
> Date:  Thu, 5 Jul 2001 15:08:35 -0400
> Not sure if this is the right place for the question, but I'm certain
> someone out there must be using it.
> I have set up my ldap server, and it's working fine.  I can log into my
> RedHat 7.0 linux box using an LDAP account with no problems.
> I have tried to establish groups in my LDAP directory as well.  I am using a
> tool called directory_administrator and it's working great.  It creates the
> following in my ldap:
> dn: cn=mygroup,dc=dinmar,dc=com
> objectclass: top
> objectclass: posixGroup
> cn: mygroup
> gidnumber: 2005
> uniquemember: uid=ndressler, dc=dinmar,dc=com
> The problem is, my Linux box doesn't seem to recognize these groups.  I've
> implemented the PAM modules from padl.com as per their instructions
> (although they are using a version 2 of ldap, while I'm using version
> (because I need samba support in there as well).
> I created a directory called /groups/mygroup.  I chowned it to chown -R
> :2005 mygroup, and chmod -R 770 mygroup.  When I log in as ndressler, it
> gives me an access denied to the directory.
> I'm not sure where to begin looking - any hints?

If you look at the definition of a posixGroup:

objectclass ( NAME 'posixGroup' SUP top STRUCTURAL
        DESC 'Abstraction of a group of accounts'
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ description ) )

you won't find a uniqueMember attribute; instead you'll find a memberUid.

memberUid contains member names, so you instead want something like this:

dn: cn=mygroup,dc=dinmar,dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 2005
memberuid: ndressler

seems that directory_administrator has a non-standard idea of what a group


Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
4314 Avenue C
Austin, TX  78751-3709          +1 512 374 0500

  My email address is an experiment in SPAM elimination.  For an
  explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

    Nobody ever got fired for buying Microsoft,
      but they could get fired for relying on Microsoft.
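As an added example (not code from anyone in this thread): a small Python check that applies Chris's point about the posixGroup schema. It parses an LDIF entry modelled on the group above, flags a uniqueMember value (which nss_ldap does not consult for POSIX groups) and derives the memberUid that the lookup actually uses. The LDIF sample is constructed and the function names are my own.

```python
import re

# Constructed sample modelled on the group entry in the thread (not live data).
SAMPLE_LDIF = """\
dn: cn=mygroup,dc=dinmar,dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 2005
uniquemember: uid=ndressler, dc=dinmar,dc=com
"""

def parse_ldif_entry(text):
    """Parse one unfolded, non-base64 LDIF entry into
    {lowercased attribute name: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def uid_from_dn(dn):
    """Return the uid RDN value of a DN such as 'uid=ndressler, dc=dinmar,dc=com'."""
    m = re.match(r"\s*uid=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None

def fix_posix_group(attrs):
    """Return (problems, fixed_attrs).  A posixGroup carries members as bare
    login names in memberUid; a uniqueMember DN is a groupOfUniqueNames
    attribute and is ignored by the NSS group lookup, so members listed
    there silently get no group access."""
    problems = []
    fixed = {k: list(v) for k, v in attrs.items()}
    if "posixgroup" not in [v.lower() for v in attrs.get("objectclass", [])]:
        return problems, fixed            # not a POSIX group; nothing to check
    if "uniquemember" in attrs:
        problems.append("uniqueMember is not a posixGroup attribute")
        members = fixed.setdefault("memberuid", [])
        for dn in fixed.pop("uniquemember"):
            uid = uid_from_dn(dn)
            if uid and uid not in members:
                members.append(uid)        # rewrite DN member as memberUid
            elif not uid:
                problems.append(f"cannot derive uid from DN {dn!r}")
    if "memberuid" not in fixed:
        problems.append("group has no memberUid values")
    return problems, fixed
```

Running fix_posix_group(parse_ldif_entry(SAMPLE_LDIF)) reports the uniqueMember problem and yields an entry whose memberuid is ["ndressler"], matching the corrected LDIF Chris gives.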