ldap authentication howto?
There must be a FAQ or HOWTO about how to change my Linux box's authentication
method to an LDAP-based one?
I've managed to gather a few pieces of information from here and there. Maybe
someone could put together the puzzle for me :)
Here's what I've got installed on my RH7.1 box:
--snip--
openldap-2.0.7-14 (from RH7.1 CD)
openldap-servers-2.0.7-14
openldap-clients-2.0.7-14
openldap-devel-2.0.7-14
openldap12-1.2.11-4
pam-0.74-22 (from RH7.1 CD)
pam_krb5-1.31-1
pam-devel-0.74-22
pam_ldap-108-1 (from rpmfind.net)
nss_ldap-126-1
--snip--
I have my LDAP server (dc=fivetec,dc=com) running and I can add and modify
entries with LDAPExplorer fine (except for 8-bit support).
I created a user named peter. I used padl.com's MigrationTool
migrate_passwd.pl to convert my passwd db. I extracted the part regarding user
peter to a separate ldif file:
--snip--
dn: uid=peter,ou=People,dc=fivetec,dc=com
uid: peter
cn: peter
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$euuT5nGM$F4rDeC4yX3QQPNCGYvSdI1
shadowLastChange: 11470
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/peter
--snip--
Relying on the advice offered by LDAP-HOWTO I changed my /etc/pam.d/login to
look like this:
--snip--
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
--snip--
and (I don't remember anymore whether it was the LDAP-Implementation-HOWTO
that told me to) I changed part of my nsswitch.conf to look like this:
--snip--
passwd: files ldap nisplus
shadow: files ldap nisplus
group: files ldap nisplus
--snip--
After that I used /usr/sbin/userdel to delete user peter from the passwd db.
I tried logging in with ssh -- didn't work. Here's what my secure log says:
--snip--
May 28 17:15:09 jolo sshd[4104]: input_userauth_request: illegal user peter
May 28 17:15:10 jolo sshd[4104]: Failed none for illegal user peter from 192.168.0.4 port 40450 ssh2
May 28 17:15:12 jolo sshd[4104]: Failed password for illegal user peter from 192.168.0.4 port 40450 ssh2
--snip--
As I'm using clear-text passwords, I changed user peter's userPassword to a
clear-text one with LDAPExplorer, but that did not change the situation.
What am I missing?
Do I have to edit some other files? Do I have to restart some services or
reboot or something to get the system aware of the changes?
A bit lost here,
Peter
PS. Some advice on how to get crypted passwords in use would be nice -- these
things really should be in the FAQ!
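An added check, not part of the original message: sshd's "illegal user" line means getpwnam() failed, and that lookup goes through NSS (nss_ldap via nsswitch.conf), not through PAM, so `getent passwd peter` is the first thing to test, and the script below lints an nsswitch.conf fragment for that path. It assumes the accepted source names in KNOWN_SOURCES (adjust for your glibc) and uses a constructed sample with a deliberately misspelled source.

```python
import re

# Assumption: the NSS source names this checker accepts. glibc resolves a
# source "foo" by loading libnss_foo.so, so an unknown name is a silent no-op.
KNOWN_SOURCES = {"files", "ldap", "nis", "nisplus", "compat", "db", "dns", "hesiod"}

# Constructed sample input: like the fragment in the post, but with a
# deliberate typo ("isplus") on the group line to show what the lint catches.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files ldap nisplus
shadow: files ldap nisplus
group:  files ldap isplus
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}, skipping comments and blank lines.
    Action brackets such as [NOTFOUND=return] are not treated as sources."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        databases[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return databases


def check_nsswitch(text, required=("passwd", "shadow", "group")):
    """Return a list of problems that would keep a user lookup from reaching LDAP."""
    problems = []
    databases = parse_nsswitch(text)
    for name in required:
        sources = databases.get(name)
        if sources is None:
            problems.append(f"{name}: no entry in nsswitch.conf")
            continue
        if "ldap" not in sources:
            problems.append(f"{name}: 'ldap' is not listed as a source")
        for src in sources:
            if src not in KNOWN_SOURCES:
                problems.append(f"{name}: unknown source '{src}' (no libnss_{src} module)")
    return problems


if __name__ == "__main__":
    for problem in check_nsswitch(SAMPLE_NSSWITCH):
        print(problem)
```

If the lint is clean and `getent passwd peter` still returns nothing, the remaining suspects are the nss_ldap client configuration (/etc/ldap.conf: host and base) rather than the PAM stack, which is only consulted once the account resolves.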