
Re: LDAP - Authentication and SAMBA



Tech Mail,

First of all you need to understand the difference between pam_ldap and nss_ldap. Pam_ldap allows the pam layer to authenticate against the directory using the user/password. The nss_ldap module allows the system to resolve unix userids and groupids against the directory. So samba_ldap will work without pam_ldap as long as there aren't any unix services you want to authenticate against other than samba. Nss_ldap is required; otherwise samba would try to thread as an ldap user and find that the user doesn't exist.

That said, you don't need any ldap-related config in pam to use samba_ldap. Because samba manages its own passwords in the lmPassword and ntPassword attributes, you don't need pam to authenticate for you.

The reason you are getting locked out is that you told pam to require ldap. See the notes at:

http://www.netsys.com/pamldap/2003/03/msg00049.html

for a fix.

Because I don't want every service to know about ldap, my solution is pretty simple. Move off of Red Hat and go to a distro that isn't pam-aware, like Slackware. Build the pam libraries and then compile the programs that you want to be pam-aware against them. For example, my mail server uses ldap for sendmail/pop/imap authentication. There is no need for the system to know about ldap except to authenticate these users and to resolve them against nss. So I configure nss_ldap to resolve the users and create pam config only for these services. Now mail works against ldap, but login and the rest of the system doesn't, simply because the binaries are not even pam-aware. In short, only use pam for stuff you want to work against ldap.

Hope that helps,

schu
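
The lockout in the quoted question below comes down to how Linux-PAM stacks control flags, which the reply above only alludes to. The following is an added example, not code from this thread or from the PAM or pam_ldap projects: a small Python model of the pam.conf(5) dispatch rules (the keyword-to-bracket expansions for required/requisite/sufficient/optional and the ok/done/bad/die/ignore/reset/jump actions) run over constructed module return codes. The two stacks mirror the `account` lines from the question. The module results are constructed inputs, and the choice of `authinfo_unavail` as what pam_ldap returns when slapd is down is an assumption made here for illustration, not something the thread states; the point is that any return code not listed in the bracketed control falls under `default=bad`.

```python
"""Model Linux-PAM control-flag stacking to show why the
'[default=bad ...]' pam_ldap line locks you out when the directory is
down while 'sufficient' does not.

Added example for the mailing-list thread; a simplified re-implementation
of the pam.conf(5) rules, not PAM itself.  Return codes are plain strings
named after PAM_* constants without the prefix.
"""

# Keyword controls expanded exactly as pam.conf(5) defines them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into {retval: action}."""
    control = KEYWORDS.get(control.strip(), control.strip())
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: %r" % control)
    return dict(item.split("=", 1) for item in control[1:-1].split())


def run_stack(stack, results):
    """Evaluate a PAM stack and return its overall return-code name.

    stack   -- list of (control, module) pairs in pam.d order
    results -- dict module -> return-code name for this run (constructed)
    """
    impression, status = None, None   # None: no module has contributed yet
    i = 0
    while i < len(stack):
        control, module = stack[i]
        actions = parse_control(control)
        retval = results[module]
        # An unlisted return code is treated as default=bad, per pam.conf(5).
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done") or action.isdigit():
            # Only override an undecided or plain-success status; an
            # earlier failure sticks.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                       # 'sufficient' short-circuit
            if action.isdigit():
                i += int(action)            # jump over N modules
        elif action in ("bad", "die"):
            if impression != "negative":    # first failure wins
                impression, status = "negative", retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        elif action != "ignore":
            raise ValueError("unknown action: %r" % action)
        i += 1
    # A stack in which nothing contributed must fail (PAM_PERM_DENIED).
    return status if impression is not None else "perm_denied"


# The two 'account' stacks from the question (pam_unix precedes pam_ldap).
LOCKOUT_STACK = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]",
     "pam_ldap.so"),
]
SUFFICIENT_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
]
# Same explicit control, additionally ignoring the code assumed here for
# "directory unreachable" (assumption: pam_ldap returns authinfo_unavail).
TOLERANT_STACK = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore"
     " authinfo_unavail=ignore]", "pam_ldap.so"),
]

# Constructed module results for a local account such as root.
LDAP_DOWN = {"pam_unix.so": "success", "pam_ldap.so": "authinfo_unavail"}
LDAP_UP_LOCAL_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}
LOCAL_EXPIRED = {"pam_unix.so": "acct_expired", "pam_ldap.so": "success"}


def main():
    for name, stack in (("lockout", LOCKOUT_STACK), ("sufficient", SUFFICIENT_STACK),
                        ("tolerant", TOLERANT_STACK)):
        for label, results in (("ldap down", LDAP_DOWN), ("ldap up", LDAP_UP_LOCAL_USER)):
            print("%-10s %-9s -> %s" % (name, label, run_stack(stack, results)))


if __name__ == "__main__":
    main()
```

With slapd stopped, the first stack ends in the pam_ldap failure code (root is locked out even though pam_unix said yes), while `sufficient` ignores everything but success and lets pam_unix decide. The model also shows the usual caveat with `sufficient`: it cannot rescue a user that an earlier `required` module has already rejected.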



tech mail wrote:
Couple quick items - I am new to the list, just started to set up an LDAP
system to work as an authentication machine for a SAMBA/WINDOZE system.

REDHAT 7.3
SAMBA 2.2.8
OPENLDAP openldap-2.0.27-2.7.3

I basically followed the tutorial:

http://www.mandrakesecure.net/en/docs/ldap-auth.php

and had some hand holding from someone that has also done the same.

First, in that howto, it said that PAM_LDAP was not needed to do basic Linux
authentication... well, I couldn't get anywhere until I added pam_ldap to the
/etc/pam.d/system-auth stack.  However, I got hosed and frozen out of the
system, and narrowed it down to the line:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

Whenever I put that in, I was effectively locked out of the system if the
ldap service wasn't started, even though my /etc/nsswitch.conf read "files
ldap" for the search order.  If I changed it to:

account     sufficient /lib/security/pam_ldap.so

I was fine with or without ldap started, and when ldap started I could
authenticate off LDAP.


Has anyone else experienced this, or can anyone explain it to me?  I left it as
sufficient, because after redoing a setup twice because of a lock out, I
didn't want the service to fail after a reboot and hold me dead.

Second... I am going to use this as a complete user authentication database
for our network.  However, I usually do not maintain the adding/deleting of
the user accounts; a non-IT person takes care of it.  So I am looking for a
very easy way to add/edit users.  I have heard conflicting stories of the
webmin LDAP module.  I have been looking at the sambaldaptools at:
http://samba.idealx.org/ (there is an English how-to pdf on the side) and
was thinking about calling those from a simple web script (my Perl is far
from elegant).  Lastly, I also found these:

http://yolinux.com/TUTORIALS/LinuxTutorialaWebDap.html
http://yala.sourceforge.net/

It really doesn't need to be anything special; I will most likely make a call
from a different page where we enter the user data for our web system.  It is
the same information, so it would call this interface url with arguments.

If anyone can give me some guidance for a good utility as well as answer
that strange PAM_LDAP question, please do.

In addition, if there is anyone trying this out and wants to bounce ideas
back and forth, this crap is always easier with multiple brains...

Thanks