Re: Problems...
>"Nothing in life is worse than SPAM.... well.... maybe cold coffee!" ;)
You've apparently never had lutefisk. Ick!
>>>> Adam Williams6 <awilliam@whitemice.org> 03/19/02 03:30PM >>>
>>I seem to be having a bit of a problem with OpenLDAP ver 2.0.22-2 (RPM
>>on RedHat 7.2)
>>I have an email server with over 27K accounts, all in flat file format.... (i.e. /etc/passwd, /etc/groups, /etc/shadow, etc...) I want to migrate over to a central LDAP authentication model for my Qpopper, Postfix, FTP, and Apache Home_Dir stuff....
>>I downloaded the Migration Tools from podl.com and ran the pass2ldap to get an LDIF file. I then transferred that file to my test LDAP box (that has no local users.) After modifying the LDIF file for the home directories, I imported them using ldapadd. I then tested pop3 auth against ldap and I always get a "Password supplied for "username" is incorrect."
>>I can use plenty of LDAP administration programs to see everything in the dir, and everything looks fine.... color me a little lost (and an LDAP newbie)
>>Here are my relevant configs (chopped for space...):
>>/etc/ldap.conf (I've tried different pam_password values to no avail)
>>host 127.0.0.1
>>base dc=suscom,dc=net
>>uri ldap://127.0.0.1/
>Why do you specify the uri when you specified the host and base?
>This is the way it is upon install.... I don't know enough yet to question it.....
It did? Get rid of it.
>>binddn cn=Manager,dc=suscom,dc=net
>>bindpw ldap_test
>>pam_password crypt
>Below you say this is SSHA in the user object, here you say crypt.
>Password changing will be odd.
>When I first looked at this, password_crypt was uncommented and so was
>password_md5 (which was stuck at the end of the file looking like an
>afterthought...) When I first generated the rootpw it only seemed to
>accept SSHA. Auth failed while testing, and then I started commenting
>/uncommenting different pam_password values and nothing seemed to
>change....
This has to do with user passwords not the manager's password.
>># pam_password exop
>>#pam_password clear
>>ssl no
>>#pam_password md5
>>/etc/openldap/slapd.conf (played around with suffix and defaultsearchbase to no avail)
>>loglevel 4
>>defaultsearchbase "ou=accounts,dc=suscom,dc=net"
>>include /etc/openldap/schema/core.schema
>>include /etc/openldap/schema/cosine.schema
>>include /etc/openldap/schema/inetorgperson.schema
>>include /etc/openldap/schema/nis.schema
>>include /etc/openldap/schema/redhat/rfc822-MailMember.schema
>>include /etc/openldap/schema/redhat/autofs.schema
>>include /etc/openldap/schema/redhat/kerberosobject.schema
>>database ldbm
>>suffix "dc=suscom,dc=net"
>>suffix "ou=accounts,dc=suscom,dc=net"
>This suffix is below the other suffix. Why do you specify two suffix-es?
>I don't think this will work. Just "dc=suscom,dc=net" unless this is a
>partition.
>Thanks... I was curious about that.... I'll remove the redundant entry.
>>rootdn "cn=Manager,dc=suscom,dc=net"
>>rootpw {SSHA}sTyh4meQBWdEfopKtyTf9drN2t+e7y9A
>>directory /var/lib/ldap
>>index objectClass,uid,uidNumber,gidNumber,memberUid eq
>>index cn,mail,surname,givenname eq,subinitial
>>access to attr="userPassword"
>> by self write
>> by dn="cn=Manager,dc=suscom,dc=net" write
>> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
>> by anonymous auth
>> by * none
>>access to dn=".*,ou=accounts,dc=suscom,dc=net"
>> by dn="cn=Manager,dc=suscom,dc=net" write
>> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
>> by * read
>>access to *
>> by dn="cn=Manager,dc=suscom,dc=net" write
>> by * read
>>/etc/openldap/ldap.conf
>>HOST 127.0.0.1
>>BASE dc=suscom,dc=net
>>my initial LDAP import:
>>dn: dc=suscom,dc=net
>>objectclass: top
>>objectclass: dcObject
>>dc: suscom
>>dn: ou=accounts,dc=suscom,dc=net
>>objectclass: top
>>objectclass: organizationalUnit
>>ou: accounts
>>dn: cn=lmcadmin,ou=accounts,dc=suscom,dc=net
>>objectclass: top
>>objectclass: person
>>objectclass: inetOrgPerson
>>cn: lmcadmin
>>sn: lmcadmin
>>uid: lmcadmin
>>userPassword: {SSHA}npuxDYqHSDybRycKcNNOjM6ZP+GSfYHr
>I think PAM wants an objectclass of posixAccount or account unless you
>specify otherwise. The above is neither.
>Here is a sample of a couple of entries from the LDIF I imported.... Hope it helps....
>dn: uid=hvnurse-lyma,ou=accounts,dc=suscom,dc=net
>uid: hvnurse-lyma
>cn: hvnurse-lyma
>sn: hvnurse-lyma
>mail: hvnurse-lyma@suscom.net
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>objectClass: account
>objectClass: posixAccount
>objectClass: top
>objectClass: kerberosSecurityObject
>objectClass: shadowAccount
>userPassword: {crypt}0u5iArEwup3oY
>shadowLastChange: 11656
>shadowMax: 99999
>shadowWarning: 7
>krbname: hvnurse-lyma@SUSCOM.NET
>loginShell: /bin/false
>uidNumber: 517
>gidNumber: 517
>homeDirectory: /home/hvnurse-lyma
>
>I can see posixAccount specified... and an ldapsearch -x "uid=dbrooks-lyma" | less gives me:
>version: 2
Ok, these look alright. Except when I do an ldapsearch the results are
base64 encoded - "userPassword:: e2NyeXB0fVQ3V09qS2Y0RXlmbEU="
If you have rootbinddn set in /etc/ldap.conf and the root (manager's)
password in /etc/ldap.secret (mode 600), password changing for LDAP is set
up and you should be able to change user passwords as root with the passwd
command (passwd {user}). Try that and see if it works.
/etc/pam.d/passwd
# auth: try the local shadow file first, then LDAP with the same password
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
# account: either source may authorise the user; otherwise deny
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so
# password: pam_ldap first, so passwd updates userPassword in the directory
# for LDAP users; pam_unix reuses the same new token (use_authtok) for local accounts
password sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5
password required /lib/security/pam_deny.so
--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
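An added example, not part of the mailing-list thread above, that does by hand what the reply suggests checking: it decodes the base64 "userPassword::" line that ldapsearch prints (the value quoted in the reply decodes to a {crypt} string) and verifies a candidate password against the {crypt}, {SSHA}, {SHA} and untagged cleartext storage schemes OpenLDAP uses, so a "password incorrect" report can be checked against the directory data itself before looking at PAM or the ACLs. The LDIF entry, the "s3cret" password and the salt "abcd" are constructed for illustration; the {crypt} hash is the one quoted in the reply, and its password is not known here. Verifying {crypt} needs the Unix crypt module, which Python removed in 3.13; where it is unavailable the check reports "cannot verify" rather than guessing.

```python
"""Decode and verify LDAP userPassword values (added example, not from the thread).

ldapsearch prints any attribute value that is not safe ASCII with a double
colon ("userPassword:: ...") and base64-encodes it, which is why the reply
sees "userPassword:: e2NyeXB0fVQ3V09qS2Y0RXlmbEU=" rather than the {crypt}
string that was imported.
"""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # Unix only; deprecated in Python 3.11, removed in 3.13
except ImportError:
    crypt = None


def decode_ldif_value(line):
    """Split one LDIF line into (attribute, value), base64-decoding '::' values."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return attr.strip(), value


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way slappasswd does: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(password, stored):
    """Return True/False for a scheme we can check, None if it cannot be checked here."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        scheme = scheme.upper()  # slapd treats the scheme tag case-insensitively
    else:
        scheme, payload = "CLEARTEXT", stored  # an untagged value is stored in the clear
    pw = password.encode("utf-8")

    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(payload))
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme == "CRYPT":
        if crypt is None:
            return None
        try:
            computed = crypt.crypt(password, payload)  # the stored hash doubles as the salt
        except (OSError, ValueError):
            return None  # libc refused the hash (e.g. DES crypt disabled)
        if not isinstance(computed, str):
            return None
        return hmac.compare_digest(computed, payload)
    return None  # {MD5}, {SMD5}, SASL pass-through etc. are not handled here


def check_entry(ldif_lines, password):
    """Verify the password against every userPassword value of one LDIF entry."""
    results = {}
    for line in ldif_lines:
        attr, value = decode_ldif_value(line)
        if attr.lower() == "userpassword":
            results[value] = verify_userpassword(password, value)
    return results


if __name__ == "__main__":
    # Constructed entry for illustration; the {crypt} line is the one quoted in the thread.
    entry = [
        "dn: uid=testuser,ou=accounts,dc=example,dc=net",
        "uid: testuser",
        "userPassword:: e2NyeXB0fVQ3V09qS2Y0RXlmbEU=",
        "userPassword: " + make_ssha("s3cret", b"abcd"),
    ]
    labels = {True: "matches", False: "does not match", None: "cannot verify"}
    for stored, ok in check_entry(entry, "s3cret").items():
        print(stored, "->", labels[ok])
```

Run it as a script to see the decoded {crypt} value and the SSHA check; to test a real entry, paste the userPassword line from ldapsearch output into the entry list and pass the password the user is typing. A False from the stored hash means the import, not the PAM stack, is where to look.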