Wed, 2002-07-17 at 10:41, Stefan Froehlich wrote:

> Next step was pam_ldap - again, after some reading it worked, but
> only almost. Whenever I log in, I have to enter the password _twice_
> until it is accepted. I only realized that this is a problem when I
> wanted to deploy nss_ldap. This simply did not work for me. For a
> login, the logfiles tell me the following:

With regard to having to log in twice (I had to do the same until Geoff Silver helped me), try the following /etc/pam.d/login.

*** However, make sure you have all these modules in /lib/security first! ***

I have Red Hat 7.2 and was surprised to see I had these modules, since the following login conf is completely different from the one Red Hat serves up:

auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
account    sufficient pam_ldap.so
account    required   pam_unix.so
session    sufficient pam_ldap.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8

With regard to what your log reports, put your log level at 256 - it's hard to tell what it's trying to do (though my experience is with 2.1.38). I have a standard tail -f of /var/log/slapd.log (that's where I told syslog to log all the time, to see what's going on).

Lastly, check the ACLs that give permissions in slapd.conf, and to what. You have to be able to search and authenticate to the necessary attributes at the very least.

> I waited for 10 seconds after the first password failure to
> illustrate what happens until then (i.e. next to nothing, to my
> knowledge). The procedure after the second login try looks perfectly
> fine to me (so the ldap configuration should be correct?) - but why
> not as well at the first try?
Probably because you give 2 alternatives (files ldap) in nsswitch.conf (perfectly normal). The long wait could have to do with a defective DNS, don't know.

> Now, if I enable nss_ldap and try to execute a "getent group", I can
> see the following:
>
> | Jul 17 10:35:03 slapd[18148]: daemon: conn=27 fd=15 connection from IP=10.10.0.6:33815 (IP=0.0.0.0:389) accepted.
> | Jul 17 10:35:03 slapd[18150]: conn=27 op=1 UNBIND
> | Jul 17 10:35:03 slapd[18150]: conn=-1 fd=15 closed

As I said, it's logging too little. You should be able to see every step it's taking.

> I tried to increase the log level of slapd, but this gives me
> _exhaustive_ results which I am not able to interpret. If you need a
> special log level, please tell me. Also, if some of the
> configuration files are of special interest for this kind of
> problem, please tell.

A log level of 256 should be good enough. This is what I have in my daemon start-up script. It's not the same as '-d256', by the way.

Best,

Tony

--
Tony Earnshaw
E-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
Attachment: signature.asc
Description: This is a digitally signed message part
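The double prompt Tony's /etc/pam.d/login cures comes from two auth modules each asking for a password; the second one needs use_first_pass (or try_first_pass) to reuse the first answer. The checker below is an added example, not code from this thread: it parses a pam.d auth stack and flags any password-prompting module that follows another without a reuse option. The set of modules treated as "prompting" (pam_unix.so, pam_ldap.so) is an assumption of the example.

```python
import re

# Assumption for this checker: these auth modules prompt for a password
# unless told to reuse the one already collected. Extend as needed.
PROMPTING_MODULES = {"pam_unix.so", "pam_ldap.so"}
REUSE_OPTIONS = {"use_first_pass", "try_first_pass"}

# type, control (plain word or bracketed "[success=1 default=ignore]"), module, options
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (lineno, type, control, module, options) for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue
        typ, control, module, opts = m.groups()
        entries.append((lineno, typ.lower(), control.lower(), module, set(opts.split())))
    return entries

def find_double_prompts(text):
    """List (lineno, module) auth entries that will ask for the password again
    because an earlier module already prompted and this one does not reuse it."""
    findings = []
    prompted = False
    for lineno, typ, _control, module, opts in parse_pam(text):
        if typ != "auth" or module not in PROMPTING_MODULES:
            continue
        if prompted and not (opts & REUSE_OPTIONS):
            findings.append((lineno, module))
        prompted = True
    return findings

# Constructed samples: a stack that prompts twice, and the working one from the mail.
BROKEN = """auth required pam_securetty.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok
"""
FIXED = """auth requisite pam_securetty.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok use_first_pass
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_double_prompts(conf))  # broken [(3, 'pam_unix.so')], fixed []
```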