
Re: new user, question about authentication



I wouldn't do that. You want the local files to work; otherwise you will almost certainly kick yourself out at some point.

I don't have much time to dedicate to your problem, but setting authconfig to use both MD5 passwords in local files and LDAP, with the change mentioned in the previous email, worked for me. I suggest that you look at the pam_ldap list, as the openldap list is somewhat off topic for this.

schu

jacob walcik wrote:
I've run authconfig, and on the first screen selected nothing but Use LDAP, set the server and the base DN; then on the second screen I have Use Shadow Passwords, Use MD5 Passwords, and Use LDAP Authentication selected. I hit OK, and it stops nscd.

Then I edited /etc/nsswitch.conf to put ldap at the top of the pecking order for authentication.

When I go to edit /etc/pam.d/system-auth, I don't have the line you mention below. The closest thing I have is:
account required /lib/security/pam_unix.so


if i change that to:
account    required    /lib/security/pam_ldap.so

I can't log in at all, not with users that exist in LDAP or those that don't (which I need to be able to do; I want root to be a local account on each machine, not one in LDAP).

Here's what my system-auth file looks like (the commented line is the one added by me; I just commented out the one above it as opposed to removing it):

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
#account required /lib/security/pam_ldap.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so


password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

On Thursday, Mar 20, 2003, at 13:47 US/Central, Matthew Schumacher wrote:

Jacob,

The simple way to make this work on Red Hat is by using the command `authconfig`; however, if the directory is unavailable then everything breaks.

To fix that you must change the line in system-auth:

from> account     sufficient      /lib/security/pam_unix.so
to  > account     required        /lib/security/pam_ldap.so

While this lets you login when ldap is down you have a new problem. See:

http://www.netsys.com/pamldap/2002/06/msg00046.html

for details.

schu

jacob walcik wrote:

I've got openldap working for the first time using the RPMs available with Red Hat 7.3:

openldap-clients-2.0.27-2.7.3
nss_ldap-189-4
openldap-2.0.27-2.7.3
openldap12-1.2.13-8
openldap-servers-2.0.27-2.7.3

I migrated my configuration/user info with the script that Red Hat includes for doing so; however, now I've run into a problem. I have two machines set up to authenticate against the LDAP directory: the one openldap is running on, and another test box.

On both machines, if I try to log in with an account that only exists in LDAP, it fails. If I try to log in with an account that only exists on the system, it succeeds. If I try to log in with an account that exists in both, only the password for the system works.

I can look in my messages log and see that the login was handled by pam_unix; however, I don't see any failures (or any messages at all) from pam_ldap. According to the LDAP docs on openldap.org (quickstart guide and the integration chapter) and redhat.com, I've added the correct entries to /etc/ldap.conf and /etc/openldap/slapd.conf. Can someone get me pointed in the right direction for where to go from here?

ldap.conf:
host sarge.lamc.utexas.edu
base dc=lamc,dc=utexas,dc=edu
ssl no
pam_password md5

nsswitch.conf:
passwd: ldap files nisplus
shadow: ldap files nisplus
group: ldap files nisplus
--
jacob walcik
jwalcik@mail.utexas.edu



--
jacob walcik
jwalcik@mail.utexas.edu
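The lockout the thread keeps circling (a hard "account required pam_ldap.so" that fails every login, local root included, the moment the directory is unreachable, versus the bracketed pam_ldap control with user_unknown=ignore) is easy to spot mechanically. Below is an added example, not code from any message above and not part of authconfig or pam_ldap: a POSIX shell audit of a Red Hat style system-auth file. Both sample files are constructed for the example (the "good" one mirrors the stack Jacob posted, the "bad" one the variant that locked him out), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the list thread): audit /etc/pam.d/system-auth for
# the two conditions the thread describes.
#   * account stack: "account required pam_ldap.so" is fatal for every user when
#     LDAP is down or the user is local-only; the bracketed control with
#     user_unknown=ignore (plus service_err/system_err=ignore) is the fix.
#   * auth stack: pam_unix first and "sufficient", then pam_ldap "sufficient"
#     with use_first_pass, and pam_deny closing the stack.
# Module paths follow the Red Hat 7.3 layout quoted in the thread.

# Print the control field of the first TYPE line that loads MODULE. Bracketed
# controls ([default=bad success=ok ...]) span several fields and are
# reassembled up to the closing bracket. Commented lines never match because
# their first field starts with '#'.
pam_control() {  # pam_control FILE TYPE MODULE
    awk -v t="$2" -v m="$3" '
        $1 == t && index($0, m) {
            ctl = $2
            if (substr(ctl, 1, 1) == "[") {
                i = 3
                while (i <= NF && substr(ctl, length(ctl), 1) != "]") {
                    ctl = ctl " " $i; i++
                }
            }
            print ctl; exit
        }' "$1"
}

# Print the pam_*.so modules of the auth stack in order, space separated.
auth_module_order() {  # auth_module_order FILE
    awk '$1 == "auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /pam_[a-z_]+\.so$/) { m = $i; sub(/.*\//, "", m); printf "%s ", m }
        }' "$1"
}

# 0 when the account stack consults pam_ldap without making its failure fatal.
check_account_stack() {  # check_account_stack FILE
    ctl=$(pam_control "$1" account pam_ldap.so)
    case "$ctl" in
        "")                               return 1 ;;  # pam_ldap never consulted
        required|requisite)               return 1 ;;  # fatal when LDAP is unreachable
        sufficient|optional)              return 0 ;;
        "["*user_unknown=ignore*"]")      return 0 ;;  # local-only users fall through
        *)                                return 1 ;;
    esac
}

# 0 when local files are tried first, pam_ldap follows, and pam_deny ends the stack.
check_auth_stack() {  # check_auth_stack FILE
    order=$(auth_module_order "$1")
    case "$order" in
        *pam_unix.so*pam_ldap.so*pam_deny.so*) ;;
        *) return 1 ;;
    esac
    [ "$(pam_control "$1" auth pam_unix.so)" = sufficient ] || return 1
    [ "$(pam_control "$1" auth pam_ldap.so)" = sufficient ] || return 1
    return 0
}

# 0 when both stacks let local accounts log in during an LDAP outage.
audit_system_auth() {  # audit_system_auth FILE
    check_auth_stack "$1" && check_account_stack "$1"
}

tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: the stack the thread ends up with.
GOOD="$tmpdir/system-auth.good"
cat > "$GOOD" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
EOF

# Constructed sample (auth and account stacks only): the "required" variant
# that locked every account out, root included.
BAD="$tmpdir/system-auth.bad"
cat > "$BAD" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so
EOF

for f in "$GOOD" "$BAD"; do
    if check_auth_stack "$f"; then a=ok; else a="local files not tried first or stack not closed by pam_deny"; fi
    if check_account_stack "$f"; then b=ok; else b="pam_ldap failure is fatal (control: $(pam_control "$f" account pam_ldap.so))"; fi
    echo "$f"; echo "  auth stack:    $a"; echo "  account stack: $b"
done
```

Run it against a real file by replacing the two heredocs with the path to /etc/pam.d/system-auth; the account check is deliberately strict, so a stack that reaches pam_ldap only through "required" is reported even when the directory happens to be up at the time.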