passwd not working with OpenLDAP / PAM
Dear List,
First, I know that there is a special pam_ldap mailing list, but
unfortunately my posting there was not so successful, so maybe
somebody here knows what to do.
Thanks
I've got a fresh LDAP / SAMBA / PAM setup running here on:
Debian 3 (x86) with:
- openldap-2.1.8
- libpam 0.72-35
- libpam-ldap 140-1
- libpam-smbpass 2.2.3a-6
- libnss-ldap 186-1
What works:
- I can login with LDAP users
- I can login with non-LDAP (local) users
The problems are:
1) I cannot passwd local users at all:
---
passwd: User not known to the underlying authentication module
---
2) I cannot passwd LDAP users; the LDAP password
seems to be incorrect, although I could log in with
it:
---
[test.user@testserver test.user]$passwd
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
passwd: Have exhasted maximum number of retries for service.
---
3) User "root" can passwd other users with success.
My files look like:
* /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
* /etc/ldap/slapd.conf:
### Load schema data ###
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
#include /etc/ldap/schema/qmail.schema
### Load SSL certificate ###
TLSCertificateFile /etc/ldap/server.pem
TLSCertificateKeyFile /etc/ldap/server.pem
TLSCACertificateFile /etc/ldap/server.pem
### LDAP database definition ###
database bdb
suffix "dc=ame,dc=loc"
directory /var/ldap
### LDAP superuser definition ###
rootdn "cn=service,dc=ame,dc=loc"
rootpw password
# Indices to maintain
index objectClass eq
### ACL definitions ###
# Users may change their own attributes,
# everyone else sees nothing
access to attr=loginShell
by dn="uid=service,dc=ame,dc=loc" write
by self write
by * none
# Users may change their own attributes,
# authenticated users may read,
# everyone else sees nothing
access to attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
by dn="uid=service,dc=ame,dc=loc" write
by self write
# Users may change their own attributes,
# everyone else may read
access to attr=dc,o,ou,uid,cn,givenName,sn,gecos,initials,title,photo,mail
by dn="uid=service,dc=ame,dc=loc" write
by self write
by * read
#
# Users may change their own passwords.
# anonymous auth only makes sense for userPassword,
# but does no harm elsewhere.
# The Samba server must have write access here!
access to attr=userPassword,lmPassword,ntPassword
by dn="uid=service,dc=ame,dc=loc" write
by self write
by anonymous auth
by * none
#
# Users may read their own attributes,
# everyone else sees nothing
#access to attr=accountStatus,mailQuota,registeredAddress
# by dn="uid=service,dc=ame,dc=loc" write
# by self read
# by * none
access to attr=registeredAddress
by dn="uid=service,dc=ame,dc=loc" write
by self read
by * none
#
# Base rule so that anonymous users can
# search the directory
access to attr=entry,objectClass
by dn="uid=service,dc=ame,dc=loc" write
by * read
#
# Default policy: if none of the rules above
# matches, authenticated users may read
# and everyone else sees nothing.
access to *
by dn="uid=service,dc=ame,dc=loc" write
by users read
by * none
* /etc/pam.d/passwd:
The smbpass.so line is for later stacking of both mechanisms,
so Linux passwd also changes the "ntpassword" and
"lmpassword" attributes of the user, for password consistency
between SMB and Linux.
---
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so nullok use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_pwcheck.so nullok
password required pam_ldap.so use_first_pass use_authtok
#password sufficient pam_smbpass.so audit use_first_pass
password required pam_unix.so nullok use_first_pass \
use_authtok min=4 max=15 obscure
session required pam_unix.so
---
* /etc/pam.d/login:
---
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_smbpass.so try_first_pass audit
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_pwcheck.so
password required pam_smbpass.so debug use_first_pass \
use_authok
password required pam_unix.so nullok use_first_pass \
use_authtok
session required pam_unix.so none # debug or trace
session required pam_limits.so
session required pam_env.so
session optional pam_mail.so
---
* /etc/ldap.conf
The rootbind password is in /etc/ldap.secret, with mode 600.
---
BASE dc=ame,dc=loc
URI ldap://10.1.1.50
BINDDN ou=nss,dc=ame,dc=loc
BINDPW password
ROOTBINDDN ou=service,dc=ame,dc=loc
---
My log files say, on passwd of an LDAP user:
* LDAP-Log:
---
Nov 20 11:50:17 testserver slapd[1079]: daemon: conn=21 fd=16 connection
from IP=127.0.0.1:33014 (IP=0.0.0.0:389) accepted.
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0
text=
Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SRCH
base="dc=ame,dc=loc" scope=2 filter="(uid=test.user)"
Nov 20 11:50:17 testserver slapd[1084]: <= bdb_equality_candidates:
index_param failed (18)
Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND
dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97
err=50 text=
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 RESULT tag=97 err=0
text=
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 BIND
dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 RESULT tag=97
err=50 text=
Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 RESULT tag=97 err=0
text=
Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 BIND
dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 RESULT tag=97
err=50 text=
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 RESULT tag=97 err=0
text=
Nov 20 11:50:25 testserver slapd[1079]: daemon: conn=22 fd=17 connection
from IP=127.0.0.1:33015 (IP=0.0.0.0:389) accepted.
Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 RESULT tag=97 err=0
text=
Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SRCH
base="dc=ame,dc=loc" scope=2
filter="(&(objectClass=shadowAccount)(uid=test.user))"
Nov 20 11:50:25 testserver slapd[1082]: <= bdb_equality_candidates:
index_param failed (18)
Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=8 UNBIND
Nov 20 11:50:25 testserver slapd[1084]: conn=21 fd=16 closed
Nov 20 11:50:25 testserver slapd[1079]: conn=22 fd=17 closed
---
* AUTH.LOG
---
Nov 20 11:50:20 testserver passwd[1116]: pam_ldap: error trying to bind
as user "uid=test.user,ou=Muenchen,dc=ame,dc=loc" (Insufficient access)
Nov 20 11:50:25 testserver last message repeated 2 times
Nov 20 11:50:25 testserver PAM_unix[1116]: password - (old) token not
obtained
---
Thank you very much in advance for your help; this is really the last
topic to make this server ready and I am struggling here very badly... :-/
Matthias
--
Matthias Eichler <mylists@ame.de>
AME Aigner Media & Entertainment
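The slapd log above shows the useful pattern for this kind of problem: every BIND carries a conn/op pair, and its RESULT line (tag=97) carries the LDAP result code, here err=0 for the service account and err=50 for the user. The script below is an added example, not part of the original post or of OpenLDAP; it correlates BIND requests with their RESULT lines and counts failed binds per DN, which is what a defender would run over slapd logs to spot repeated bind failures. The sample lines are constructed to mirror the post's format with each record on one line (the post's lines are wrapped by the mail client).

```python
import re
from collections import defaultdict

# LDAP result codes from RFC 4511; only the ones relevant here.
LDAP_RESULT = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights"}

# BIND request and its bindResponse (tag=97) as logged by slapd.
BIND_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# Constructed sample, single-line form of the records quoted in the post.
SAMPLE_LOG = """\
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0 text=
Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SRCH base="dc=ame,dc=loc" scope=2 filter="(uid=test.user)"
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97 err=50 text=
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 BIND dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 RESULT tag=97 err=0 text=
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 BIND dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 RESULT tag=97 err=50 text=
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=8 UNBIND
""".splitlines()

def correlate_binds(lines):
    """Pair each BIND (conn, op) with its bindResponse and return
    (dn, err, meaning) tuples in log order; binds without a RESULT are dropped."""
    pending = {}
    events = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            err = int(m.group(3))
            events.append((pending.pop((m.group(1), m.group(2))), err, LDAP_RESULT.get(err, "other")))
    return events

def failed_binds(lines):
    """Count non-zero bind results per DN; several failures for one DN in a
    short window is the pattern worth alerting on (or, here, debugging)."""
    counts = defaultdict(int)
    for dn, err, _ in correlate_binds(lines):
        if err != 0:
            counts[dn] += 1
    return dict(counts)

if __name__ == "__main__":
    for dn, err, meaning in correlate_binds(SAMPLE_LOG):
        print(f"{dn}: err={err} ({meaning})")
    print(failed_binds(SAMPLE_LOG))
```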