Re: problem authenticating using pam
jeremy@xxedgexx.com wrote:
> Basically I'm using the ldapns stuff trying to get my machine to
> authenticate only via ldap. Is this possible yet? This is the error
> I get in messages:
>
> May 27 18:16:12 rep login: FAILED LOGIN 1 FROM srv1.ecropolis.com FOR
> jeremy, User not known to the underlying authentication module
> May 27 18:16:34 rep login: FAILED LOGIN SESSION FROM srv1.ecropolis.com
> FOR p, Error in service module
>
> I'm using a RH 6.0 system.
>
> Thanks!
> -jeremy
Hi Jeremy,
I assume that ldapns means the LDAP name service switch from PADL. If so,
you will also need pam_ldap from PADL. They work together.
Some things to note; this is not a full how-to, just some sticky bits:
1: People you want to use the Name Service Switch must be posixAccounts
with valid home directory, uid, gid and shell values. You can check by
trying to finger the user, i.e.:
finger fred
should show fred's Unix-like details as if fred had an entry in the
/etc/passwd database. This does not mean that fred can authenticate, only
that the account details relating to Unix are available for fred from
the LDAP server.
This does, however, indicate that the search base is OK. There seems to be a
problem with the search base with the OpenLDAP server set (all so far)
where occasionally setting it too close to where the users reside does not
show them. If in doubt, set the search base to the base of your service as
configured in slapd.conf.
2: pam_ldap! The PAM file for the login service should look something
like:
#%PAM-1.0
# auth: the tty check must pass; LDAP is tried first and, if it fails,
# the same password is handed on to pam_pwdb (use_first_pass)
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_pwdb.so shadow nullok use_first_pass
# account: pam_ldap is needed here as well, otherwise an LDAP-only user
# is unknown to pam_pwdb and the login fails
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_pwdb.so
# password: pam_cracklib checks the new password, pam_ldap stores it (use_authtok)
password required   /lib/security/pam_cracklib.so
password required   /lib/security/pam_ldap.so use_authtok
session  required   /lib/security/pam_pwdb.so
Note that the reference to the pam_ldap module occurs in the auth section,
the account section and the password section. It is necessary for auth
and account, otherwise the PAM system cannot correctly obtain details.
3: Name Service Switch attributes and objectclasses. I am sure there is a
copy of a file for this somewhere, but just in case I will attach mine. I
"include" these in slapd.conf. I apologise for the attachments, but they
are small and it could save someone some typing. These are the ones I use,
as I created them from the RFC. Someone may like to fix things they don't like.
I hope this helps,
Cheers,
Gerrit Thomson.
attribute uidNumber cis
attribute gidNumber cis
attribute gecos cis
attribute homeDirectory ces
attribute loginShell ces
attribute shadowLastChange cis
attribute shadowMin cis
attribute shadowMax cis
attribute shadowWarning cis
attribute shadowInactive cis
attribute shadowExpire cis
attribute shadowFlag cis
attribute memberUid ces
attribute memberNisNetgroup ces
attribute nisNetgroupTriple cis
attribute ipServicePort cis
attribute ipServiceProtocol cis
attribute ipProtocolNumber cis
attribute oncRpcNumber cis
attribute ipHostNumber cis
attribute ipNetworkNumber cis
attribute ipNetmaskNumber cis
attribute macAddress cis
attribute bootParameter cis
attribute bootFile ces
attribute nisMapName cis
attribute nisMapEntry ces
# slapd (v1 format) objectclass definitions for RFC 2307; in this format the
# requires/allows lines and the attribute names under them must be indented,
# since a line beginning with whitespace continues the previous line.
objectclass posixAccount
        requires
                objectclass,
                cn,
                uid,
                uidNumber,
                gidNumber,
                homeDirectory
        allows
                userPassword,
                loginShell,
                gecos,
                description
objectclass shadowAccount
        requires
                uidNumber
        allows
                userPassword,
                shadowLastChange,
                shadowMin,
                shadowMax,
                shadowWarning,
                shadowInactive,
                shadowExpire,
                shadowFlag,
                description
objectclass posixGroup
        requires
                cn,
                gidNumber
        allows
                userPassword,
                memberUid,
                description
objectclass ipService
        requires
                cn,
                ipServicePort,
                ipServiceProtocol
        allows
                description
objectclass ipProtocol
        requires
                cn,
                ipProtocolNumber,
                description
        allows
                description
objectclass ipHost
        requires
                cn,
                ipHostNumber
        allows
                description,
                manager
objectclass ipNetwork
        requires
                cn,
                ipNetworkNumber
        allows
                ipNetmaskNumber,
                l,
                description,
                manager
objectclass oncRpc
        requires
                cn,
                oncRpcNumber,
                description
        allows
                description
objectclass nisNetgroup
        requires
                cn
        allows
                nisNetgroupTriple,
                memberNisNetgroup,
                description
objectclass nisMap
        requires
                nisMapName
        allows
                description
objectclass nisObject
        requires
                cn,
                nisMapEntry,
                nisMapName
        allows
                description
objectclass ieee802Device
        requires
                macAddress
objectclass bootableDevice
        allows
                bootFile,
                bootParameter
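The mail's point 2 (pam_ldap has to appear in both the auth and the account group) and the original error ("User not known to the underlying authentication module") are easiest to see by walking the login stack with Linux-PAM's control-flag rules. The following is an added illustrative model written for this page; it is not part of the mail, not PADL's code and not libpam. It parses the quoted /etc/pam.d/login stack, evaluates the auth and account groups with the required/requisite/sufficient semantics, and feeds in hand-supplied module results for a user who exists only in LDAP (pam_pwdb always answers PAM_USER_UNKNOWN for such a user; pam_securetty is assumed to pass on an allowed tty). The return codes, the pam_strerror texts and the "stack without pam_ldap in account" variant are constructed for the comparison.

```python
"""Simulate Linux-PAM stack evaluation for the login stack quoted in the mail.

Illustrative model only: module return codes are supplied by hand instead
of being produced by the real modules, and a stack made only of `optional`
modules is not modelled.
"""

# Linux-PAM return codes used below (values as in <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10

# The pam_strerror() texts login(1) puts into syslog for these codes.
PAM_STRERROR = {
    PAM_SUCCESS: "Success",
    PAM_AUTH_ERR: "Authentication failure",
    PAM_USER_UNKNOWN: "User not known to the underlying authentication module",
}

# /etc/pam.d/login as quoted in the mail.
LOGIN_STACK = """\
#%PAM-1.0
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_pwdb.so shadow nullok use_first_pass
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_pwdb.so
password required   /lib/security/pam_cracklib.so
password required   /lib/security/pam_ldap.so use_authtok
session  required   /lib/security/pam_pwdb.so
"""

# Constructed variant: the same stack with pam_ldap left out of the account group.
LOGIN_STACK_NO_LDAP_ACCOUNT = "\n".join(
    line for line in LOGIN_STACK.splitlines()
    if not (line.startswith("account") and "pam_ldap.so" in line)
)


def parse_stack(text):
    """Return [(type, control, module_basename, args)] for a pam.d service file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, control, module, *args = line.split()
        rules.append((mtype, control.lower(), module.rsplit("/", 1)[-1], args))
    return rules


def run_stack(rules, mtype, results):
    """Evaluate one management group (e.g. "auth") with Linux-PAM's rules.

    `results` maps module basename -> simulated return code; a module that is
    not listed is assumed to return PAM_SUCCESS (pam_securetty on an allowed tty).
    """
    first_required_failure = None
    for rtype, control, module, _args in rules:
        if rtype != mtype:
            continue
        rc = results.get(module, PAM_SUCCESS)
        if control in ("required", "requisite"):
            # The stack's result is the first required/requisite failure ...
            if rc != PAM_SUCCESS and first_required_failure is None:
                first_required_failure = rc
            # ... and a requisite failure ends the stack immediately.
            if control == "requisite" and rc != PAM_SUCCESS:
                return first_required_failure
        elif control == "sufficient":
            # Success ends the stack only if no earlier required module failed;
            # a failing sufficient module is simply ignored.
            if rc == PAM_SUCCESS and first_required_failure is None:
                return PAM_SUCCESS
        # "optional" never decides the outcome when other modules are present.
    return PAM_SUCCESS if first_required_failure is None else first_required_failure


def login(stack_text, results):
    """Return (auth_rc, account_rc) as login(1) would see them.

    login calls pam_authenticate first and only runs pam_acct_mgmt when that
    succeeded, so account_rc is None if authentication already failed.
    """
    rules = parse_stack(stack_text)
    auth_rc = run_stack(rules, "auth", results)
    if auth_rc != PAM_SUCCESS:
        return auth_rc, None
    return auth_rc, run_stack(rules, "account", results)


# Constructed module outcomes for a user who exists only in LDAP: pam_pwdb
# cannot find the account in /etc/passwd, so it always answers PAM_USER_UNKNOWN.
LDAP_USER_GOOD_PASSWORD = {"pam_ldap.so": PAM_SUCCESS, "pam_pwdb.so": PAM_USER_UNKNOWN}
LDAP_USER_BAD_PASSWORD = {"pam_ldap.so": PAM_AUTH_ERR, "pam_pwdb.so": PAM_USER_UNKNOWN}

if __name__ == "__main__":
    for name, stack in (("full stack", LOGIN_STACK),
                        ("no pam_ldap in account", LOGIN_STACK_NO_LDAP_ACCOUNT)):
        for pw, res in (("good", LDAP_USER_GOOD_PASSWORD), ("bad", LDAP_USER_BAD_PASSWORD)):
            auth_rc, acct_rc = login(stack, res)
            final = acct_rc if acct_rc is not None else auth_rc
            print(f"{name:24} {pw} password -> auth={auth_rc} account={acct_rc}: "
                  f"{PAM_STRERROR[final]}")
```

With the full stack an LDAP-only user authenticates and passes the account check because the `sufficient` pam_ldap entry ends each group before pam_pwdb is consulted; with pam_ldap missing from the account group the same user authenticates and then fails pam_acct_mgmt with "User not known to the underlying authentication module", the text in the original report. The model also shows why `required pam_securetty.so` comes first: if it fails, a later `sufficient` success no longer ends the stack, so a disallowed tty cannot be bypassed by a good LDAP password.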