Re: Linux Authentication with openldap, pam_ldap and nss_ldap
Please direct questions about pam_ldap and nss_ldap to:
<pam_ldap@padl.com>
<nss_ldap@padl.com>
respectively.
Kurt
At 02:13 AM 2/23/2004, Manfred Jordan wrote:
>Hello,
>
>I'm trying to use openldap for authentication for all linux accounts, i.e.
>the users are not in the passwd-file but on the ldap-server, which is in the
>first step on the same server (localhost).
>
>I installed pam_ldap and nss_ldap! I put one user into the ldap tree (see
>attached ldif-file). I made all the configuration according to the documentation
>of pam_ldap and nss_ldap.
>
>I can't login to my linux box with the user (mjordan) which is not in the
>passwd-file, only on the ldap-server. I tried to debug a bit.
>
>I see the ldap server is queried and the user is found, but the login task
>logs 'login failed for user mjordan' in /var/log/messages. With ldapsearch I
>can query the ldap server and get the entry for the specific user.
>
>Here are the configuration files:
>
># /etc/openldap/slapd.conf
># ------------------------------------
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/misc.schema
>include /etc/openldap/schema/samba.schema
>
>pidfile /var/run/slapd/slapd.pid
>argsfile /var/run/slapd/slapd.args
>replogfile /var/log/openldap/replication.log
>
>allow bind_anon_dn
>defaultsearchbase dc=berlitz,dc=de
>allow bind_v2
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>database ldbm
>suffix "dc=mydomain,dc=de"
>rootdn "cn=Manager,dc=mydomain,dc=de"
>rootpw mypwd
>directory /var/lib/ldap
>index objectClass eq
>
>------------------------------------------------------------------------------
># /etc/openldap/ldap.conf
># -----------------------
>HOST 127.0.0.1
>BASE dc=berlitz,dc=de
>ldap_version 2
>rootbinddn cn=Manager,dc=mydomain,dc=de
>scope sub
>pam_filter objectclass=posixAccount
>pam_login_attribute cn
>pam_password clear
>
># OpenLDAP SSL mechanism
># start_tls mechanism uses the normal LDAP port, LDAPS typically 636
>#ssl start_tls
>nss_base_passwd o=ehq,dc=mydomain,dc=de
>nss_base_shadow o=ehq,dc=mydomain,dc=de
>nss_base_group o=ehq,dc=mydomain,dc=de
>#ssl on
>ssl no
>------------------------------------------------------------------------------
>/etc/pam.d/login
>----------------
>#%PAM-1.0
>auth required pam_securetty.so
>auth required pam_nologin.so
>auth sufficient pam_ldap.so
>auth required pam_unix2.so nullok use_first_pass #set_secrpc
>account sufficient pam_ldap.so
>account required pam_unix2.so
>password required pam_pwcheck.so nullok
>password required pam_ldap.so use_first_pass use_authtok
>password required pam_unix2.so nullok use_first_pass use_authtok
>session required pam_unix2.so none # debug or trace
>session required pam_limits.so
>session required pam_env.so
>session optional pam_mail.so
>------------------------------------------------------------------------------
>#LDIF-File imported to the openldap-server
>#-----------------------------------------
>
>dn:dc=mydomain,dc=de
>objectclass:Organization
>objectclass:dcObject
>o:Berlitz
>dc:berlitz
>
>dn:o=ehq,dc=mydomain,dc=de
>objectclass:Organization
>o:ehq
>
>dn:cn=mjordan,o=ehq,dc=mydomain,dc=de
>objectClass:account
>objectClass:posixAccount
>objectClass:top
>cn:mjordan
>userPassword:geheim
>uid:mjordan
>uidNumber:501
>gidNumber:100
>homeDirectory:/home/mjordan
>loginShell:/bin/bash
>------------------------------------------------------------------------------
>
>So, what am I doing wrong? I would appreciate it very much if one of the ldap
>gurus could give me a hint in the right direction. All google searches and
>mailing list archives could not solve this problem.
>
>thanks in advance
>
>Manfred Jordan
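A setup like the one posted above fails for small reasons that are hard to spot by eye: an LDIF entry whose RDN value does not appear as an attribute of the entry (slapadd rejects such entries), or a PAM option misspelled so the module never sees it. The following checker is an added example, not code from the thread or from PADL; its LDIF and pam.d inputs are constructed to resemble the post, and KNOWN_PAM_OPTS is a hypothetical allow-list covering only the options that stack uses.

```python
import re
# Constructed inputs mirroring the post; they are not the original files.
LDIF = """dn: dc=mydomain,dc=de
objectclass: dcObject
dc: berlitz

dn: cn=mjordan,o=ehq,dc=mydomain,dc=de
objectClass: posixAccount
cn: mjordan
uid: mjordan
uidNumber: 501
gidNumber: 100
homeDirectory: /home/mjordan
"""
PAM_LOGIN = """auth sufficient pam_ldap.so
auth required pam_unix2.so nullok use_firt_pass #set_secrpc
password required pam_ldap.so use_first_pass use_authok
"""
# Hypothetical allow-list: the options this particular stack is meant to use.
KNOWN_PAM_OPTS = {"nullok", "use_first_pass", "try_first_pass", "use_authtok", "debug"}

def parse_ldif(text):
    entries = []                       # each entry: lower-cased attr -> [values]
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_ldif(text):
    """Flag entries whose RDN value is missing from the named attribute."""
    problems = []
    for e in parse_ldif(text):
        dn = e["dn"][0]
        rdn_attr, _, rdn_val = dn.split(",")[0].partition("=")
        present = [v.lower() for v in e.get(rdn_attr.lower(), [])]
        if rdn_val.lower() not in present:
            problems.append(f"{dn}: RDN value '{rdn_val}' not found in attribute {rdn_attr}")
    return problems

def check_pam(text):
    """Flag module options outside the allow-list, e.g. typos like use_firt_pass."""
    problems = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()   # drop trailing comment, then tokenize
        for opt in fields[3:]:
            if opt not in KNOWN_PAM_OPTS:
                problems.append(f"{fields[2]}: unknown option '{opt}'")
    return problems
```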