Re: ldap authentication howto?
Question: how do I get ldappasswd or slappasswd to use a range of encryption
for the password?
I look at my shadow file and I see a really long password:
$1$g.BeRcko$xqHl8fZgjB/bNsvBwrdeB1
I know what the above password is...
and when I try to use, say, Perl Digest::MD5 or Digest::SHA1,
my password is not as long in hex or base64.
So what encoding does the shadow file use? And how do I use this when I have
LDAP running?
----- Original Message -----
From: "Peter Peltonen" <peter.peltonen@fivetec.com>
To: "openldap-software@openLDAP.org" <openldap-software@OpenLDAP.org>
Sent: Monday, May 28, 2001 7:21 AM
Subject: ldap authentication howto?
>
> There must be a FAQ or HOWTO about how to change my Linux box's
> authentication method to LDAP based?
>
> I've managed to scatter a few pieces of information from here and there.
> Maybe someone could put together the puzzle for me :)
>
> Here's what I've got installed on my RH7.1 box:
>
> --snip--
> openldap-2.0.7-14 (from RH7.1 CD)
> openldap-servers-2.0.7-14
> openldap-clients-2.0.7-14
> openldap-devel-2.0.7-14
> openldap12-1.2.11-4
>
> pam-0.74-22 (from RH7.1 CD)
> pam_krb5-1.31-1
> pam-devel-0.74-22
>
> pam_ldap-108-1 (from rpmfind.net)
> nss_ldap-126-1
> --snip--
>
> I have my LDAP server (dc=fivetec,dc=com) running and I can add and modify
> entries with LDAPExplorer fine (except 8bit support).
>
> I created a user named peter. I used padl.com's MigrationTool
> migrate_passwd.pl to convert my passwd db. I extracted the part regarding
> user peter to a separate ldif file:
>
> --snip--
> dn: uid=peter,ou=People,dc=fivetec,dc=com
> uid: peter
> cn: peter
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}$1$euuT5nGM$F4rDeC4yX3QQPNCGYvSdI1
> shadowLastChange: 11470
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 500
> gidNumber: 500
> homeDirectory: /home/peter
> --snip--
>
> Relying on the advice offered by LDAP-HOWTO I changed my /etc/pam.d/login
> to look like this:
>
> --snip--
>
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so try_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> password required /lib/security/pam_cracklib.so
> password required /lib/security/pam_ldap.so
> password required /lib/security/pam_pwdb.so use_first_pass
> session required /lib/security/pam_unix_session.so
> --snip--
>
> and was it LDAP-Implementation-HOWTO that told me to change a part of my
> nsswitch.conf to look like this, I don't remember anymore:
>
> --snip--
> passwd: files ldap nisplus
> shadow: files ldap nisplus
> group: files ldap nisplus
> --snip--
>
> After that I used /usr/sbin/userdel to delete user peter from the passwd
> db.
>
> I tried logging in with ssh -- didn't work. Here's what my secure log says:
>
> --snip--
> May 28 17:15:09 jolo sshd[4104]: input_userauth_request: illegal user peter
> May 28 17:15:10 jolo sshd[4104]: Failed none for illegal user peter from 192.168.0.4 port 40450 ssh2
> May 28 17:15:12 jolo sshd[4104]: Failed password for illegal user peter from 192.168.0.4 port 40450 ssh2
> --snip--
>
> As I'm using clear text passwds I changed user peter's userPassword to a
> clear text one with LDAPExplorer but that did not change the situation.
>
> What am I missing?
>
> Do I have to edit some other files? Do I have to restart some services or
> reboot or something to get the system aware of the changes?
>
> A bit lost here,
>
> Peter
>
> PS. Some advice on how to get crypted passwords in use would be nice --
> these things really should be in the FAQ!