[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re[2]: ldap authentication howto?
Hey dino,
Try 3DES?
--
Kevin
Tuesday, May 29, 2001, 3:22:35 AM, you wrote:
db> question how do i get ldappasswd or slapdpasswd to use a range of encryption
db> for the password??
db> I look at my shadow file and i see a really long password
db> $1$g.BeRcko$xqHl8fZgjB/bNsvBwrdeB1
db> i know what the above password is...
db> and when i try to use say perl DIGEST::MD5 or DIGEST::SHA1
db> my password is not as long in HEX or base64
db> so what encoding does the shadow file use? and how do i use this when i have
db> ldap running?
db> ----- Original Message -----
db> From: "Peter Peltonen" <peter.peltonen@fivetec.com>
db> To: "openldap-software@openLDAP.org" <openldap-software@OpenLDAP.org>
db> Sent: Monday, May 28, 2001 7:21 AM
db> Subject: ldap authentication howto?
>>
>> There must be a FAQ or HOWTO about how to change my Linux box's
db> authentication
>> method to LDAP based?
>>
>> I've managed to scatter a few pieces of information from here and there.
db> Maybe
>> someone could put together the puzzle for me :)
>>
>> Here's what I've got installed on my RH7.1 box:
>>
>> --snip--
>> openldap-2.0.7-14 (from RH7.1 CD)
>> openldap-servers-2.0.7-14
>> openldap-clients-2.0.7-14
>> openldap-devel-2.0.7-14
>> openldap12-1.2.11-4
>>
>> pam-0.74-22 (from RH7.1 CD)
>> pam_krb5-1.31-1
>> pam-devel-0.74-22
>>
>> pam_ldap-108-1 (from rpmfind.net)
>> nss_ldap-126-1
>> --snip--
>>
>> I have my LDAP server (dc=fivetec,dc=com) running and I can add and modify
>> entries with LDAPExplorer fine (except 8bit support).
>>
>> I created a user named peter. I used padl.com's MigrationTool
>> migrate_passwd.pl to convert my passwd db. I extracted the part regarding
db> user
>> peter to a separate ldif file:
>>
>> --snip--
>> dn: uid=peter,ou=People,dc=fivetec,dc=com
>> uid: peter
>> cn: peter
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> userPassword: {crypt}$1$euuT5nGM$F4rDeC4yX3QQPNCGYvSdI1
>> shadowLastChange: 11470
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 500
>> gidNumber: 500
>> homeDirectory: /home/peter
>> --snip--
>>
>> Relying on the advice offered by LDAP-HOWTO I changed my /etc/pam.d/login
db> to
>> look like this:
>>
>> --snip--
>>
>> #%PAM-1.0
>> auth required /lib/security/pam_securetty.so
>> auth required /lib/security/pam_nologin.so
>> auth sufficient /lib/security/pam_ldap.so
>> auth required /lib/security/pam_unix_auth.so try_first_pass
>> account sufficient /lib/security/pam_ldap.so
>> account required /lib/security/pam_unix_acct.so
>> password required /lib/security/pam_cracklib.so
>> password required /lib/security/pam_ldap.so
>> password required /lib/security/pam_pwdb.so use_first_pass
>> session required /lib/security/pam_unix_session.so
>> --snip--
>>
>> and was it LDAP-Implementation-HOWTO that told me to change a part of my
>> nsswitch.conf to look like this, I don't remember anymore:
>>
>> --snip--
>> passwd: files ldap nisplus
>> shadow: files ldap nisplus
>> group: files ldap isplus
>> --snip--
>>
>> After that I used /usr/sbi/userdel to delete user peter from the passwd
db> db.
>>
>> I tried logging in with ssh -- didn't work. Here's what my secure log say:
>>
>> --snip--
>> May 28 17:15:09 jolo sshd[4104]: input_userauth_request: illegal user
db> peter
>> May 28 17:15:10 jolo sshd[4104]: Failed none for illegal user peter from
>> 192.168.0.4 port 40450 ssh2
>> May 28 17:15:12 jolo sshd[4104]: Failed password for illegal user peter
db> from
>> 192.168.0.4 port 40450 ssh2
>> --snip--
>>
>> As I'm using clear text passwds I changed user peter's userPassword to a
db> clear
>> text one with LDAPExplorer but that did not change the situation.
>>
>> What am I missing?
>>
>> Do I have to edit some other files? Do I have to restart some services or
>> reboot or something to get the system aware of the changes?
>>
>> A bit lost here,
>>
>> Peter
>>
>> PS. Some advice on how to get crypted passwords in use would be nice --
db> these
>> things really should be in the FAQ!