RE: LDAP - Authentication and SAMBA
Matt -

Thanks for the thorough explanation, I will give that extra pam entry a try
as described in that link.

As for the nss_ldap .. that was what I was saying wasn't working. I couldn't
get any authentication against the directory until I added pam_ldap .. drop
samba out of the picture (it wasn't even installed at the time when I was
trying to get that piece to work) ... it was just standard logins that I
couldn't get to work until I changed the system-auth file.

Either way, thanks for the follow-up

Chris
> -----Original Message-----
> From: Matthew Schumacher [mailto:matt.s@aptalaska.net]
> Sent: Friday, April 25, 2003 2:12 PM
> To: tech mail
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: LDAP - Authentication and SAMBA
>
>
> Tech Mail,
>
> First of all you need to understand the difference between pam_ldap and
> nss_ldap. Pam_ldap allows the pam layer to authenticate against the
> directory using the user/password. The nss_ldap module allows the system
> to resolve unix userids and groupids against the directory. So samba_ldap
> will work without pam_ldap as long as there aren't any unix services you
> want to authenticate against other than samba. Nss_ldap is required,
> otherwise samba would try to thread as an ldap user and find that the
> user doesn't exist.
>
> That said, you don't need any ldap related config in pam to use
> samba_ldap. Because samba manages its own passwords in the lmPassword and
> ntPassword attributes you don't need pam to authenticate for you.
>
> The reason why you are getting locked out is because you told pam to
> require ldap. See notes at:
>
> http://www.netsys.com/pamldap/2003/03/msg00049.html
>
> for a fix.
>
> Because I don't want every service to know about ldap my solution is
> pretty simple. Move off of redhat and go to a distro that isn't pam aware
> like slackware. Build the pam libraries and then compile the programs
> that you want to be pam aware against it. For example my mail server uses
> ldap for sendmail/pop/imap authentication. There is no need for the
> system to know about ldap except to authenticate these users and to
> resolve them against nss. So I configure nss_ldap to resolve the users
> and create pam config only for these services. Now mail works against
> ldap, but login and the rest of the system doesn't simply because the
> binaries are not even pam aware. In short, only use pam for stuff you
> want to work against ldap.
>
> Hope that helps,
>
> schu
>
> tech mail wrote:
> > Couple quick items - I am new to the list, just started to set up an
> > LDAP system to work as an authentication machine for a SAMBA/WINDOZE
> > system.
> >
> > REDHAT 7.3
> > SAMBA 2.2.8
> > OPENLDAP openldap-2.0.27-2.7.3
> >
> > I basically followed the tutorial:
> >
> > http://www.mandrakesecure.net/en/docs/ldap-auth.php
> >
> > and had some hand holding from someone that has also done the same.
> >
> > First, in that howto, it said that PAM_LDAP was not needed to do basic
> > linux authentication.. well, I couldn't get anywhere until I added
> > pam_ldap to the /etc/pam.d/system-auth stack. However, I got hosed and
> > froze out of the system, and narrowed it down to the line:
> >
> > account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
> >
> > Whenever I put that in, I was effectively locked out of the system if
> > the ldap service wasn't started, even though my /etc/nsswitch.conf read
> > "files ldap" for the search order. If I changed it to:
> >
> > account sufficient /lib/security/pam_ldap.so
> >
> > I was fine with or without ldap started, and when ldap started could
> > authenticate off LDAP.
> >
> > Has anyone else experienced this, or can explain it to me? I left it as
> > sufficient, because after redoing a setup twice because of a lock out,
> > I didn't want the service to fail after a reboot and hold me dead.
> >
> > Second.. I am going to use this as a complete user authentication
> > database for our network. However, I usually do not maintain the
> > adding/deleting of the user accounts, a non-IT person takes care of it.
> > So I am looking for a very easy way to add/edit users. I have heard
> > conflicting stories of the webmin LDAP module. I have been looking at
> > the sambaldaptools at: http://samba.idealx.org/ (there is an English
> > how-to pdf on the side) and was thinking about calling those from a
> > simple web script (my perl is far from elegant).. lastly I also found
> > these:
> >
> > http://yolinux.com/TUTORIALS/LinuxTutorialaWebDap.html
> > http://yala.sourceforge.net/
> >
> > It really doesn't need to be anything special, I will most likely make
> > a call from a different page where we enter the user data for our web
> > system, it is the same information, so it would call this interface url
> > with arguments.
> >
> > If anyone can give me some guidance for a good utility as well as
> > answer that strange PAM_LDAP question, please do.
> >
> > In addition, if there is anyone trying this out and wants to bounce
> > ideas back and forth, this crap is always easier with multiple brains...
> >
> > Thanks