
ldap authentication howto?
There must be a FAQ or HOWTO on how to change my Linux box's authentication
method to an LDAP-based one?

I've managed to gather a few pieces of information from here and there. Maybe
someone could put together the puzzle for me :)

Here's what I've got installed on my RH7.1 box:

--snip--
openldap-2.0.7-14 (from RH7.1 CD)
openldap-servers-2.0.7-14
openldap-clients-2.0.7-14
openldap-devel-2.0.7-14
openldap12-1.2.11-4

pam-0.74-22 (from RH7.1 CD)
pam_krb5-1.31-1
pam-devel-0.74-22

pam_ldap-108-1 (from rpmfind.net)
nss_ldap-126-1
--snip--

I have my LDAP server (dc=fivetec,dc=com) running and I can add and modify
entries with LDAPExplorer fine (except 8bit support).

I created a user named peter. I used padl.com's MigrationTool
migrate_passwd.pl to convert my passwd db. I extracted the part regarding user
peter to a separate ldif file:

--snip--
dn: uid=peter,ou=People,dc=fivetec,dc=com
uid: peter
cn: peter
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$euuT5nGM$F4rDeC4yX3QQPNCGYvSdI1
shadowLastChange: 11470
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/peter
--snip--

Relying on the advice offered by LDAP-HOWTO I changed my /etc/pam.d/login to
look like this:

--snip--

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so
--snip--

and it was the LDAP-Implementation-HOWTO, I think (I don't remember anymore),
that told me to change part of my nsswitch.conf to look like this:

--snip--
passwd:     files ldap nisplus
shadow:     files ldap nisplus
group:      files ldap isplus
--snip--

After that I used /usr/sbin/userdel to delete user peter from the passwd db.

I tried logging in with ssh -- didn't work. Here's what my secure log says:

--snip--
May 28 17:15:09 jolo sshd[4104]: input_userauth_request: illegal user peter
May 28 17:15:10 jolo sshd[4104]: Failed none for illegal user peter from
192.168.0.4 port 40450 ssh2
May 28 17:15:12 jolo sshd[4104]: Failed password for illegal user peter from
192.168.0.4 port 40450 ssh2
--snip--

As I'm using clear text passwds I changed user peter's userPassword to a clear
text one with LDAPExplorer but that did not change the situation. 

What am I missing?

Do I have to edit some other files? Do I have to restart some services or
reboot or something to get the system aware of the changes?

A bit lost here, 

Peter

PS. Some advice on how to get crypted passwords in use would be nice -- these
things really should be in the FAQ!
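Two checks a reader of this post would want before suspecting the PAM stack, as an added example that is not part of Peter's message or of any of the packages he lists: sshd logs "illegal user" when getpwnam() fails for the account, so the NSS side (nsswitch.conf, nss_ldap and its /etc/ldap.conf) never returned the entry and PAM was not consulted at all. The Python below was written for this page; it parses constructed copies of the posted LDIF entry and nsswitch.conf lines (embedded inline, the nsswitch lines exactly as posted, including the "isplus" spelling), reports missing posixAccount attributes and unknown NSS source names, and, for the PS about crypted passwords, shows how an OpenLDAP {SSHA} userPassword value is produced and verified. {SSHA} is used instead of {crypt} only so that the example needs no system crypt(); the function names and the KNOWN_NSS_SOURCES list are this example's own assumptions. Nothing here talks to a directory server or reads the real system files.

```python
"""Sanity checks for an LDAP-backed POSIX account (added example, not from the post)."""
import base64
import hashlib
import hmac
import os

# Attributes the posixAccount object class requires (RFC 2307).
POSIX_REQUIRED = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}

# NSS source names this example treats as valid for passwd/shadow/group (assumption:
# a glibc box with nss_ldap). glibc silently skips a source whose libnss_*.so it
# cannot load, so a misspelled source never produces an error message.
KNOWN_NSS_SOURCES = {"files", "ldap", "nis", "nisplus", "compat", "db", "hesiod"}

# Constructed inputs mirroring the fragments in the post.
SAMPLE_LDIF = """\
dn: uid=peter,ou=People,dc=fivetec,dc=com
uid: peter
cn: peter
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$euuT5nGM$F4rDeC4yX3QQPNCGYvSdI1
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/peter
"""

SAMPLE_NSSWITCH = """\
passwd:     files ldap nisplus
shadow:     files ldap nisplus
group:      files ldap isplus
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64 or line-continuation support)."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_posix_account(entry):
    """Return the problems that would make NSS unable to build a passwd record from this entry."""
    problems = []
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass posixAccount")
    for attr in sorted(POSIX_REQUIRED - set(entry)):
        problems.append("missing attribute " + attr)
    for attr in ("uidNumber", "gidNumber"):
        if attr in entry and not entry[attr][0].isdigit():
            problems.append(attr + " is not numeric")
    return problems


def parse_nsswitch(text):
    """Return ({database: [sources]}, [(database, unknown_source), ...])."""
    maps, unknown = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        db = db.strip()
        # Skip action specifiers such as [NOTFOUND=return]; they are not sources.
        sources = [s for s in rest.split() if not s.startswith("[")]
        maps[db] = sources
        unknown.extend((db, s) for s in sources if s not in KNOWN_NSS_SOURCES)
    return maps, unknown


def nss_consults_ldap(maps):
    """True if passwd, shadow and group all list 'ldap' (what sshd's getpwnam and pam_unix need)."""
    return all("ldap" in maps.get(db, []) for db in ("passwd", "shadow", "group"))


def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value in lower case, or 'cleartext'."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return "cleartext"


def make_ssha(password, salt=None):
    """Produce an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored, password):
    """Check a candidate password against a {SSHA} value in constant time."""
    if password_scheme(stored) != "ssha":
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are always 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("posixAccount problems:", check_posix_account(entry) or "none")
    print("userPassword scheme:", password_scheme(entry["userPassword"][0]))
    maps, unknown = parse_nsswitch(SAMPLE_NSSWITCH)
    print("ldap consulted for passwd/shadow/group:", nss_consults_ldap(maps))
    print("unknown NSS sources:", unknown)
    h = make_ssha("secret")
    print(h, verify_ssha(h, "secret"), verify_ssha(h, "wrong"))
```

On the real box the equivalent live checks are `getent passwd peter` (does NSS return the entry at all?) and an anonymous `ldapsearch -x -b dc=fivetec,dc=com uid=peter` from the same host; if the second works and the first does not, the problem is in nss_ldap's own configuration rather than in the directory or in PAM.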