
Re: redhat 7.2 and ldap.conf



On Wed, 24 Oct 2001, Nalin Dahyabhai wrote:

> [Julio removed from reply list because he's on openldap-software.]
>
> On Wed, Oct 24, 2001 at 06:52:51PM +0200, Julio Sanchez Fernandez wrote:
> > <Jehan.Procaccia@int-evry.fr> writes:
> >
> > > Could it be because I chose "security medium" during install?
> >
> > I don't know what that option would mean.
>
> It has to do with the default firewall setup, which shouldn't ever
> affect LDAP client operation.
>
> > > PS: "ask RedHAT" ! to what address should I send that request (apart from
> > > nalin@redhat.com !)
> >
> > Don't nag Nalin directly, go to http://bugzilla.redhat.com, check if
> > there is something like that reported or add your own entry if not.
> >
> > But check the logs first...
>
> Good advice.  I've just checked that setting my own userPassword
> data to "{crypt}$1$saltines$0zSZmGIqyWj5ouZGdTD.B." allows me to
> log in using "password" as a password, so I suspect a configuration
> problem somewhere.
>

Here's the test with logs. Hostname corne = localhost = the openldap client;
the openldap 2.0.11 server is openldap.int-evry.fr:

Client:

[mciadmin@corne mciadmin]$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.9-7 on an i686
login: test

openldap server log after the client entered the login:

Oct 25 09:47:33 openldap slapd[6264]: daemon: conn=6 fd=16 connection from
IP=157.159.21.54:1170 (IP=157.159.15.17:34049) accepted.
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=0 BIND dn="" method=128
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=0 RESULT tag=97 err=0
text=
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=1 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=posixAccount)(uid=test))"
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=1 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=2 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=posixAccount)(uid=test))"
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=2 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=3 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=shadowAccount)(uid=test))"
Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=3 SEARCH RESULT tag=101
err=0 text=

Back to the client, where user test enters his password:

Password: xxxxxxx

Authentication failure
Connection closed by foreign host.

openldap server log says after the client entered the password:

Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=4 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=posixAccount)(uid=test))"
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=4 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=5 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=shadowAccount)(uid=test))"
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=5 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:56 openldap slapd[6264]: daemon: conn=7 fd=17 connection from
IP=157.159.21.54:1171 (IP=157.159.15.17:34049) accepted.
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=0 BIND dn="" method=128
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=0 RESULT tag=97 err=0
text=
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=1 SRCH
base="dc=int-evry,dc=fr" scope=2 filter="(uid=test)"
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=1 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=2 BIND
dn="UID=TEST,OU=PEOPLE,DC=INT-EVRY,DC=FR" method=128
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=2 RESULT tag=97 err=0
text=
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=3 BIND dn="" method=128
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=3 RESULT tag=97 err=0
text=
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=6 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=posixAccount)(uid=test))"
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=6 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=7 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=shadowAccount)(uid=test))"
Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=7 SEARCH RESULT tag=101
err=0 text=
Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=4 UNBIND
Oct 25 09:47:56 openldap slapd[6264]: conn=-1 fd=17 closed
Oct 25 09:47:56 openldap slapd[6264]: conn=-1 fd=16 closed

Back to localhost (client corne), /var/log/messages says:

Oct 25 09:47:56 corne login(pam_unix)[2864]: check pass; user unknown
Oct 25 09:47:56 corne login(pam_unix)[2864]: authentication failure;
logname= uid=0 euid=0 tty=pts/3 ruser= rhost=localhost.localdomain
Oct 25 09:47:56 corne login[2864]: Authentication failure

The client (corne) /etc/ldap.conf is left at the default, everything commented
except:

host openldap.int-evry.fr
base dc=int-evry,dc=fr
ssl no
pam_password md5

[root@corne root]# cat /etc/pam.d/login
#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so

[root@corne root]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Now I changed original /etc/pam.d/login to :

[root@corne root]# more /etc/pam.d/login
#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient	/lib/security/pam_ldap.so
auth       required	/lib/security/pam_unix_auth.so try_first_pass
account    sufficient	/lib/security/pam_ldap.so
account    required	/lib/security/pam_unix_acct.so
password   required	/lib/security/pam_cracklib.so
password   required	/lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required	/lib/security/pam_unix_session.so
#session    optional     /lib/security/pam_console.so

[root@corne root]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.9-7 on an i686
login: test

openldap log says:

Oct 25 10:08:58 openldap slapd[6264]: daemon: conn=436 fd=20 connection
from IP=157.159.21.54:1193 (IP=157.159.15.17:34049) accepted.
Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=0 BIND dn="" method=128
Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=0 RESULT tag=97 err=0
text=
Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=1 SRCH
base="dc=int-evry,dc=fr" scope=2
filter="(&(objectClass=posixAccount)(uid=test))"
Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=1 SEARCH RESULT tag=101
err=0 text=

Back to the client corne:

Password:
Last login: Thu Oct 25 10:06:59 from localhost.localdomain
No directory /mci/mci/test!
Logging in with home = "/".
ksh-2.05$

And it works! :-) (I must autofs however ...)

What's wrong with the new /etc/pam.d/login in conjunction with
/etc/pam.d/system-auth? If you can help me solve that.


> Does connecting to the server using ldapsearch, and binding to the
> user's entry using simple authentication, work?
>

Yes:

[mciadmin@corne mciadmin]$ ldapsearch "uid=test" -x -h openldap -D
"uid=test,ou=people,dc=int-evry,dc=fr" -W | grep -i pass
Enter LDAP Password:
userPassword:: e2NyeXB0fVNSaFdBWlM1YkJYYzY=

Using the Java ldapbrowser, I see the field userPassword: {crypt}SRhWSDFhg56G6
ldapsearch returns, as shown above: userPassword:: e2NyeXB0fVNSaFdBWlM1YkJYYzY=
So I'm a little bit confused: is this crypt, md5? How should I know, and
is the problem somewhere around here?

> Cheers,
>
> Nalin
>

-- 
Jehan Procaccia
Institut National des Telecommunications| Email: Jehan.Procaccia@int-evry.fr
MCI, Moyens Communs Informatiques	| Tel  : +33 (0) 160764436
9 rue Charles Fourier 91011 Evry France | Fax  : +33 (0) 160764321
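The "is this crypt or md5?" question at the end of the message comes up whenever ldapsearch prints `userPassword::` with two colons: in LDIF that means the value is base64-encoded, and decoding it reveals the `{scheme}` prefix. The script below is an added example, not code from the thread or from OpenLDAP; it decodes such a line, classifies the scheme (traditional DES crypt is 13 characters with a 2-character salt, MD5-crypt starts with `$1$`), and verifies a candidate password for the digest schemes that `hashlib` can compute. The `{crypt}` value in `SAMPLE_LDIF_LINE` is the one quoted in the message; the `make_ssha` helper and its salt are constructed for the demonstration.

```python
"""Decode an LDIF userPassword value and identify its hashing scheme.

Added example (not from the thread). Answers "is this crypt or md5?" for
values that ldapsearch prints as 'userPassword:: <base64>'.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample: the exact base64 value ldapsearch printed in the thread.
SAMPLE_LDIF_LINE = "userPassword:: e2NyeXB0fVNSaFdBWlM1YkJYYzY="

# crypt(3) variants: MD5-based ($1$salt$22chars) and traditional DES (13 chars).
_CRYPT_MD5 = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
_CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def decode_ldif_value(line):
    """Return (attribute, value) from one LDIF line.
    '::' marks a base64-encoded value; a single ':' marks a plain one."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip()).decode("utf-8")
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip()


def split_scheme(value):
    """Split '{scheme}hash' into ('SCHEME', 'hash'); no prefix -> (None, value)."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def describe_password(value):
    """Human-readable classification of a userPassword value."""
    scheme, body = split_scheme(value)
    if scheme == "CRYPT":
        if _CRYPT_MD5.match(body):
            return "crypt(3), MD5-based ($1$), salt %r" % body.split("$")[2]
        if _CRYPT_DES.match(body):
            return "crypt(3), traditional DES, salt %r" % body[:2]
        return "crypt(3), unrecognised variant"
    if scheme in ("MD5", "SHA", "SSHA", "SMD5"):
        return "%s digest, base64-encoded" % scheme
    if scheme is None:
        return "cleartext (no scheme prefix)"
    return "scheme %s" % scheme


def check_digest_password(value, candidate):
    """Verify candidate against a {MD5}/{SHA}/{SSHA}/{SMD5} value with hashlib.
    Returns None for schemes this helper cannot check (e.g. {crypt}, which
    needs the system crypt(3) routine)."""
    scheme, body = split_scheme(value)
    if scheme not in ("MD5", "SHA", "SSHA", "SMD5"):
        return None
    raw = base64.b64decode(body)
    algo = hashlib.sha1 if scheme in ("SHA", "SSHA") else hashlib.md5
    dlen = algo().digest_size
    digest, salt = raw[:dlen], raw[dlen:]   # salted schemes append the salt
    return hmac.compare_digest(algo(candidate.encode() + salt).digest(), digest)


def make_ssha(password, salt):
    """Build a {SSHA} value the way slappasswd -h {SSHA} does (salt appended)."""
    d = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(d + salt).decode()


if __name__ == "__main__":
    attr, val = decode_ldif_value(SAMPLE_LDIF_LINE)
    print(attr, "=", val, "->", describe_password(val))
```

Run it and the sample decodes to a `{crypt}` value whose 13-character body marks it as traditional DES crypt (salt `SR`), not MD5; the `pam_password md5` setting in ldap.conf only controls how pam_ldap hashes a *new* password on change, so it does not explain an authentication failure against an existing DES-crypt entry. Use `hmac.compare_digest` rather than `==` when comparing digests so the check does not leak timing information.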