[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: redhat 7.2 and ldap.conf
I solved the problem replacing /etc/pam.d/login by the one I had in RH
7.1 :
RH 7.2
[root@corne pam.d]# more /etc/pam.d/login.orig
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
with system-auth:
[root@corne pam.d]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5
shadowpassword sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
Now it works with a "standalone" login conf :
[root@corne pam.d]# more /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
#session optional /lib/security/pam_console.so
$ telnet corne
Trying 157.159.21.54...
Connected to corne.
Escape character is '^]'.
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.9-7 on an i686
login: procacci
Password:
Last login: Thu Oct 25 10:07:41 from localhost.localdomain
corne.int-evry.fr:/mci/mci/procacci>
The difference I see is the way modules are stacked, I presume that for
login inthe problem comes fron the "auth" service !?
now it works with:
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
originaly it was in system-auth stacked that way:
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
Indeed I noticed with the latest that it was pam_unix that refused the
connection !
> Oct 25 09:47:56 corne login(pam_unix)[2864]: check pass; user unknown
> Oct 25 09:47:56 corne login(pam_unix)[2864]: authentication failure;
> logname= uid=0 euid=0 tty=pts/3 ruser= rhost=localhost.localdomain
Is the problem here ?
Thanks for your help.
On Thu, 25 Oct 2001 Jehan.Procaccia@int-evry.fr wrote:
> On Wed, 24 Oct 2001, Nalin Dahyabhai wrote:
>
> > [Julio removed from reply list because he's on openldap-software.]
> >
> > On Wed, Oct 24, 2001 at 06:52:51PM +0200, Julio Sanchez Fernandez wrote:
> > > <Jehan.Procaccia@int-evry.fr> writes:
> > >
> > > > Could it be because I choosed "security medium" during install ?,
> > >
> > > I don't know what that option would mean.
> >
> > It has to do with the default firewall setup, which shouldn't ever
> > affect LDAP client operation.
> >
> > > > PS: "ask RedHAT" ! to what address should I send that request (apart from
> > > > nalin@redhat.com !)
> > >
> > > Don't nag Nalin directly, go to http://bugzilla.redhat.com, check if
> > > there is something like that reported or add your own entry if not.
> > >
> > > But check the logs first...
> >
> > Good advice. I've just checked that setting my own userPassword
> > data to "{crypt}$1$saltines$0zSZmGIqyWj5ouZGdTD.B." allows me to
> > log in using "password" as a password, so I suspect a configuration
> > problem somewhere.
> >
>
> Here's the test with logs, hostname corne=localhost = openldap client,
> openldap 2.0.11 server is openldap.int-evry.fr:
>
> Client:
>
> [mciadmin@corne mciadmin]$ telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Red Hat Linux release 7.2 (Enigma)
> Kernel 2.4.9-7 on an i686
> login: test
>
> openldap server log after the client entered the login:
>
> Oct 25 09:47:33 openldap slapd[6264]: daemon: conn=6 fd=16 connection from
> IP=157.159.21.54:1170 (IP=157.159.15.17:34049) accepted.
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=0 BIND dn="" method=128
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=0 RESULT tag=97 err=0
> text=
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=1 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))"
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=1 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=2 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))"
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=2 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=3 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=shadowAccount)(uid=test))"
> Oct 25 09:47:33 openldap slapd[6264]: conn=6 op=3 SEARCH RESULT tag=101
> err=0 text=
>
> Back to the client, where user test enter his password
>
> Password: xxxxxxx
>
> Authentication failure
> Connection closed by foreign host.
>
> openldap server log says after the client entered the password:
>
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=4 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))"
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=4 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=5 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=shadowAccount)(uid=test))"
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=5 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:56 openldap slapd[6264]: daemon: conn=7 fd=17 connection from
> IP=157.159.21.54:1171 (IP=157.159.15.17:34049) accepted.
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=0 BIND dn="" method=128
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=0 RESULT tag=97 err=0
> text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=1 SRCH
> base="dc=int-evry,dc=fr" scope=2 filter="(uid=test)"
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=1 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=2 BIND
> dn="UID=TEST,OU=PEOPLE,DC=INT-EVRY,DC=FR" method=128
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=2 RESULT tag=97 err=0
> text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=3 BIND dn="" method=128
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=3 RESULT tag=97 err=0
> text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=6 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))"
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=6 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=7 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=shadowAccount)(uid=test))"
> Oct 25 09:47:56 openldap slapd[6264]: conn=6 op=7 SEARCH RESULT tag=101
> err=0 text=
> Oct 25 09:47:56 openldap slapd[6264]: conn=7 op=4 UNBIND
> Oct 25 09:47:56 openldap slapd[6264]: conn=-1 fd=17 closed
> Oct 25 09:47:56 openldap slapd[6264]: conn=-1 fd=16 closed
>
> back to localhost (client corne ) /var/log/messages says:
>
> Oct 25 09:47:56 corne login(pam_unix)[2864]: check pass; user unknown
> Oct 25 09:47:56 corne login(pam_unix)[2864]: authentication failure;
> logname= uid=0 euid=0 tty=pts/3 ruser= rhost=localhost.localdomain
> Oct 25 09:47:56 corne login[2864]: Authentication failure
>
> client (corne) /etc/ldap.conf is left to default, everything commented
> exept:
>
> host openldap.int-evry.fr
> base dc=int-evry,dc=fr
> ssl no
> pam_password md5
>
> [root@corne root]# cat /etc/pam.d/login
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> [root@corne root]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account required /lib/security/pam_ldap.so
>
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5
> shadowpassword sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so
>
> Now I changed original /etc/pam.d/login to :
>
> [root@corne root]# more /etc/pam.d/login
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so try_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> password required /lib/security/pam_cracklib.so
> password required /lib/security/pam_ldap.so
> password required /lib/security/pam_pwdb.so use_first_pass
> session required /lib/security/pam_unix_session.so
> #session optional /lib/security/pam_console.so
>
> [root@corne root]# telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Red Hat Linux release 7.2 (Enigma)
> Kernel 2.4.9-7 on an i686
> login: test
>
> openldap log says:
>
> Oct 25 10:08:58 openldap slapd[6264]: daemon: conn=436 fd=20 connection
> from IP=157.159.21.54:1193 (IP=157.159.15.17:34049) accepted.
> Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=0 BIND dn="" method=128
> Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=0 RESULT tag=97 err=0
> text=
> Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=1 SRCH
> base="dc=int-evry,dc=fr" scope=2
> filter="(&(objectClass=posixAccount)(uid=test))"
> Oct 25 10:08:58 openldap slapd[6264]: conn=436 op=1 SEARCH RESULT tag=101
> err=0 text=
>
> Back to the client corne:
>
> Password:
> Last login: Thu Oct 25 10:06:59 from localhost.localdomain
> No directory /mci/mci/test!
> Logging in with home = "/".
> ksh-2.05$
>
> And it works ! :-) .( I must autofs however ...)
>
> What's wrong with the new /etc/pam.d/login in conjonction with
> /etc/pam.d/system-auth ?? If you can help me solve that .
>
>
> > Does connecting to the server using ldapsearch, and binding to the
> > user's entry using simple authentication, work?
> >
>
> Yes:
>
> [mciadmin@corne mciadmin]$ ldapsearch "uid=test" -x -h openldap -D
> "uid=test,ou=people,dc=int-evry,dc=fr" -W | grep -i pass
> Enter LDAP Password:
> userPassword:: e2NyeXB0fVNSaFdBWlM1YkJYYzY=
>
> using java ldapbrowser, I see the field userPassword: {crypt}SRhWSDFhg56G6
> ldapsearch returns as show above: userPassword:: e2NyeXB0fVNSaFdBWlM1YkJYYzY=
> so I'm a little bit confused, is this crypt , md5 ? how should I know and
> is the problem running around here ?
>
> > Cheers,
> >
> > Nalin
> >
>
>
--
Jehan Procaccia
Institut National des Telecommunications| Email: Jehan.Procaccia@int-evry.fr
MCI, Moyens Communs Informatiques | Tel : +33 (0) 160764436
9 rue Charles Fourier 91011 Evry France | Fax : +33 (0) 160764321