
Re: odd pam_ldap configuration issues



Wed, 2002-07-17 at 10:41, Stefan Froehlich wrote:

> Next step was pam_ldap - again, after some reading it worked, but
> only almost. Whenever I login, I have to enter the password _twice_
> until it is accepted. I only realized that this is a problem, when I
> wanted to deploy nss_ldap. This simply did not work for me. For a
> login, the logfiles tell me the following:

With regard to having to log in twice, which I also had to do until
Geoff Silver helped me, try the following /etc/pam.d/login.

*** However, make sure you have all these modules in /lib/security
first! *** I have Red Hat 7.2 and was surprised to see I had these
modules, since the following login conf is completely different from the
one Red Hat serves up:

auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
account    sufficient pam_ldap.so
account    required   pam_unix.so
session    sufficient pam_ldap.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8

With regard to what your log reports, put your log level at 256 - it's
hard to tell what it's trying to do (though my experience is with
2.1.38). I have a standard tail -f of /var/log/slapd.log (that's where I
told syslog to log all the time, to see what's going on).

Lastly, check the ACLs that give permissions in slapd.conf, and to what.
You have to be able to search and authenticate to the necessary
attributes at the very least.


> I waited for 10 seconds after the first password failure to
> illustrate what happens until then (i.e. next to nothing, for my
> knowledge). The procedure after the second login try looks perfectly
> fine to me (so the ldap configuration should be correct?) - but why
> not as well at the first try?

Probably because you give 2 alternatives (files ldap) in nsswitch.conf
(perfectly normal).

The long wait could have to do with a defective DNS, don't know.

> Now, if I enable nss_ldap and try to execute a "getent group", I can
> see the following:
> 
> | Jul 17 10:35:03 slapd[18148]: daemon: conn=27 fd=15 connection from IP=10.10.0.6:33815 (IP=0.0.0.0:389) accepted. 
> | Jul 17 10:35:03 slapd[18150]: conn=27 op=1 UNBIND 
> | Jul 17 10:35:03 slapd[18150]: conn=-1 fd=15 closed 

As I said, it's logging too little. You should be able to see every step
it's taking.

> I tried to increase the log level of slapd, but this gives me
> _exhaustive_ results which I am not able to interpret. If you need a
> special log level, please tell me. Also, if some of the
> configuration files are of special interest for this kind of
> problem, please tell.

A log level of 256 should be good enough. This is what I have in my
daemon start up script. It's not the same as '-d256', by the way.

Best,

Tony


-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981


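Added example, not code from the thread or from either poster: a small Python simulation of how Linux-PAM walks the "auth" lines of the /etc/pam.d/login shown above, counting how often the user is asked for a password. It assumes that the double prompt comes from pam_unix re-asking when it is not told to reuse the token pam_ldap already collected (consistent with the use_first_pass in Tony's file, but not something the thread states outright), and the per-module results are assumed inputs.

```python
# Constructed from the auth lines of the /etc/pam.d/login posted above.
LOGIN_PAMD = """\
auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
"""

PASSWORD_MODULES = {"pam_ldap.so", "pam_unix.so"}  # modules that prompt


def parse_stack(text, group="auth"):
    """Return (control, module, options) for one management group."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == group:
            stack.append((parts[1], parts[2], set(parts[3:])))
    return stack


def run_auth_stack(stack, outcomes):
    """Walk the stack the way Linux-PAM does; `outcomes` maps a module to
    the result it would return (assumed input). Returns (login_ok, prompts)."""
    prompts, have_token, required_failed = 0, False, False
    for control, module, options in stack:
        ok = outcomes.get(module, True)
        if module in PASSWORD_MODULES:
            if "use_first_pass" in options:
                ok = ok and have_token   # reuse the token, never re-prompt
            else:
                prompts += 1             # the module asks for the password
                have_token = True
        if control == "requisite" and not ok:
            return False, prompts        # abort the whole stack now
        if control == "required" and not ok:
            required_failed = True       # keep walking, but fail at the end
        if control == "sufficient" and ok and not required_failed:
            return True, prompts         # short-circuit success
        # "optional" never affects the result
    return not required_failed, prompts


def compare_prompts(outcomes):
    """Prompt count with use_first_pass versus the same stack without it."""
    with_reuse = run_auth_stack(parse_stack(LOGIN_PAMD), outcomes)
    stripped = LOGIN_PAMD.replace(" use_first_pass", "")
    without_reuse = run_auth_stack(parse_stack(stripped), outcomes)
    return with_reuse, without_reuse
```

For an account that exists only in /etc/passwd (pam_ldap fails, pam_unix succeeds), `compare_prompts` returns one prompt with use_first_pass and two without it; an account found in LDAP is prompted once either way because pam_ldap is sufficient.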