Re: Problems...
Denny Snyder
Network Engineer
Susquehanna Communications
1050 E. King St
York, PA 17403
Office: (717)771-2613
Fax: (717)843-5400
dsnyder@suscom.com
postmaster@suscom.net
"Nothing in life is worse than SPAM.... well.... maybe cold coffee!" ;)
>>> Adam Williams6 <awilliam@whitemice.org> 03/19/02 03:30PM >>>
>I seem to be having a bit of a problem with OpenLDAP ver 2.0.22-2 (RPM on RedHat 7.2)
>I have an email server with over 27K accounts, all in flat file format.... (i.e. /etc/passwd, /etc/groups, /etc/shadow, etc...) I want to migrate over to a central LDAP authentication model for my Qpopper, Postfix, FTP, and Apache Home_Dir stuff....
>I downloaded the Migration Tools from padl.com and ran the pass2ldap to get an LDIF file. I then transferred that file to my test LDAP box (that has no local users.) After modifying the LDIF file for the home directories, I imported them using ldapadd. I then tested pop3 auth against ldap and I always get a "Password supplied for "username" is incorrect."
>I can use plenty of LDAP administration programs to see everything in the dir, and everything looks fine.... color me a little lost (and an LDAP newbie)
>Here are my relevant configs (chopped for space...):
>/etc/ldap.conf (I've tried different pam_password values to no avail)
>host 127.0.0.1
>base dc=suscom,dc=net
>uri ldap://127.0.0.1/
Why do you specify the uri when you specified the host and base?
This is the way it is upon install.... I don't know enough yet to question it.....
>binddn cn=Manager,dc=suscom,dc=net
>bindpw ldap_test
>pam_password crypt
Below you say this is SSHA in the user object, here you say crypt.
Password changing will be odd.
When I first looked at this, password_crypt was uncommented and so was password_md5 (which was stuck at the end of the file looking like an afterthought...) When I first generated the rootpw it only seemed to accept SSHA. Auth failed while testing, and then I started commenting/uncommenting different pam_password values and nothing seemed to change....
># pam_password exop
>#pam_password clear
>ssl no
>#pam_password md5
>
>/etc/openldap/slapd.conf (played around with suffix and defaultsearchbase to no avail)
>loglevel 4
>defaultsearchbase "ou=accounts,dc=suscom,dc=net"
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/redhat/rfc822-MailMember.schema
>include /etc/openldap/schema/redhat/autofs.schema
>include /etc/openldap/schema/redhat/kerberosobject.schema
>database ldbm
>suffix "dc=suscom,dc=net"
>suffix "ou=accounts,dc=suscom,dc=net"
This suffix is below the other suffix. Why do you specify two suffix-es?
I don't think this will work. Just "dc=suscom,dc=net" unless this is a
partition.
Thanks... I was curious about that.... I'll remove the redundant entry.
>rootdn "cn=Manager,dc=suscom,dc=net"
>rootpw {SSHA}sTyh4meQBWdEfopKtyTf9drN2t+e7y9A
>directory /var/lib/ldap
>index objectClass,uid,uidNumber,gidNumber,memberUid eq
>index cn,mail,surname,givenname eq,subinitial
>access to attr="userPassword"
> by self write
> by dn="cn=Manager,dc=suscom,dc=net" write
> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
> by anonymous auth
> by * none
>access to dn=".*,ou=accounts,dc=suscom,dc=net"
> by dn="cn=Manager,dc=suscom,dc=net" write
> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
> by * read
>access to *
> by dn="cn=Manager,dc=suscom,dc=net" write
> by * read
>
>
>/etc/openldap/ldap.conf
>HOST 127.0.0.1
>BASE dc=suscom,dc=net
>
>
>my initial LDAP import:
>dn: dc=suscom,dc=net
>objectclass: top
>objectclass: dcObject
>dc: suscom
>
>dn: ou=accounts,dc=suscom,dc=net
>objectclass: top
>objectclass: organizationalUnit
>ou: accounts
>
>dn: cn=lmcadmin,ou=accounts,dc=suscom,dc=net
>objectclass: top
>objectclass: person
>objectclass: inetOrgPerson
>cn: lmcadmin
>sn: lmcadmin
>uid: lmcadmin
>userPassword: {SSHA}npuxDYqHSDybRycKcNNOjM6ZP+GSfYHr
I think PAM wants an objectclass of posixAccount or account unless you
specify otherwise. The above is neither.
Here is a sample of a couple of entries from the LDIF I imported.... Hope it helps....
dn: uid=hvnurse-lyma,ou=accounts,dc=suscom,dc=net
uid: hvnurse-lyma
cn: hvnurse-lyma
sn: hvnurse-lyma
mail: hvnurse-lyma@suscom.net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword: {crypt}0u5iArEwup3oY
shadowLastChange: 11656
shadowMax: 99999
shadowWarning: 7
krbname: hvnurse-lyma@SUSCOM.NET
loginShell: /bin/false
uidNumber: 517
gidNumber: 517
homeDirectory: /home/hvnurse-lyma
dn: uid=dbrooks-lyma,ou=accounts,dc=suscom,dc=net
uid: dbrooks-lyma
cn: dbrooks-lyma
sn: dbrooks-lyma
mail: dbrooks-lyma@suscom.net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword: {crypt}0u1M.a7GGuG5Y
shadowLastChange: 11656
shadowMax: 99999
shadowWarning: 7
krbname: dbrooks-lyma@SUSCOM.NET
loginShell: /bin/false
uidNumber: 518
gidNumber: 518
homeDirectory: /home/dbrooks-lyma
I can see posixAccount specified... and an ldapsearch -x "uid=dbrooks-lyma" | less gives me:
version: 2
#
# filter: uid=dbrooks-lyma
# requesting: ALL
#
# dbrooks-lyma, accounts, suscom, net
dn: uid=dbrooks-lyma,ou=accounts,dc=suscom,dc=net
uid: dbrooks-lyma
cn: dbrooks-lyma
sn: dbrooks-lyma
mail: dbrooks-lyma@suscom.net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
shadowLastChange: 11656
shadowMax: 99999
shadowWarning: 7
krbName: dbrooks-lyma@SUSCOM.NET
loginShell: /bin/false
uidNumber: 518
gidNumber: 518
homeDirectory: /home/dbrooks-lyma
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Does nss appear to work?
I'm not using nss....
>/etc/pam.d/pop3
>#%PAM-1.0
>auth sufficient /lib/security/pam_ldap.so
>auth required /lib/security/pam_unix_auth.so try_first_pass
>account sufficient /lib/security/pam_ldap.so
>account required /lib/security/pam_unix_acct.so
--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
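The two points raised in the thread (the {crypt} versus {SSHA} userPassword values, and entries that lack posixAccount) can both be checked offline against the LDIF before it is loaded. The script below is an added example, not code from the thread or from OpenLDAP or pam_ldap: it reads a small LDIF, verifies a candidate password against the stored userPassword the way slapd does on a simple bind (the scheme prefix selects the comparison, so {crypt} and {SSHA} entries can coexist in one directory; pam_ldap's pam_password setting only governs password changes, not authentication), and lists entries that carry no posixAccount objectClass. The LDIF, uids, salts and passwords are constructed for the example; the helper names are assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

try:
    import crypt  # backs {crypt} hashes; removed from the standard library in Python 3.13
except ImportError:
    crypt = None


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(password: str, stored: str) -> bool:
    """Compare a candidate password with one userPassword value as slapd does on
    a simple bind: the {scheme} prefix (case-insensitive) picks the comparison."""
    pw = password.encode("utf-8")
    if stored.startswith("{"):
        scheme, _, data = stored.partition("}")
        scheme = scheme[1:].lower()
    else:
        scheme, data = "", stored  # no prefix: cleartext value
    if scheme == "ssha":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "sha":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(data))
    if scheme == "crypt":
        if crypt is None:
            raise RuntimeError("{crypt} values need the crypt module (Python < 3.13)")
        return hmac.compare_digest(crypt.crypt(password, data) or "", data)
    if scheme == "":
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    raise ValueError("unsupported userPassword scheme: " + scheme)


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.
    No base64 (::) values or continuation lines; attribute names are lower-cased
    because LDAP treats them case-insensitively."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def authenticate(ldif_text: str, uid: str, password: str) -> bool:
    """Simulate a simple bind for the entry with this uid: any matching
    userPassword value succeeds; a missing entry fails like a bad password."""
    for entry in parse_ldif(ldif_text):
        if uid in entry.get("uid", []):
            return any(check_password(password, v) for v in entry.get("userpassword", []))
    return False


def without_posix_account(ldif_text: str) -> list[str]:
    """uids whose entries lack posixAccount, which pam_ldap/nss_ldap expect by default."""
    return [
        e["uid"][0]
        for e in parse_ldif(ldif_text)
        if "uid" in e and "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]
    ]


# Constructed sample LDIF, modelled on the migrated entries in the thread.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=accounts,dc=example,dc=net\n"
    "uid: alice\ncn: alice\nsn: alice\n"
    "objectClass: top\nobjectClass: person\nobjectClass: posixAccount\n"
    "uidNumber: 1001\ngidNumber: 1001\nhomeDirectory: /home/alice\n"
    "userPassword: " + make_ssha("correct horse", b"s4lt") + "\n"
    "\n"
    "dn: cn=lmcadmin,ou=accounts,dc=example,dc=net\n"
    "objectClass: top\nobjectClass: person\nobjectClass: inetOrgPerson\n"
    "cn: lmcadmin\nsn: lmcadmin\nuid: lmcadmin\n"
    "userPassword: " + make_ssha("admin-secret", b"xyzw") + "\n"
)

if __name__ == "__main__":
    print("alice/correct horse:", authenticate(SAMPLE_LDIF, "alice", "correct horse"))
    print("alice/wrong:", authenticate(SAMPLE_LDIF, "alice", "wrong"))
    print("entries without posixAccount:", without_posix_account(SAMPLE_LDIF))
```

Running the script reports a successful bind for alice with the right password, a failure with the wrong one, and lmcadmin as the only entry without posixAccount. Note that the ldapsearch -x output quoted above shows no userPassword attribute at all, which is exactly what the `access to attr="userPassword" ... by anonymous auth by * none` rule should produce for an anonymous search; a bind test (`ldapsearch -x -D "uid=...,ou=accounts,dc=suscom,dc=net" -W`) against a migrated entry would confirm whether slapd itself accepts the {crypt} value independently of PAM.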