Re: passwd not working with OpenLDAP / PAM
Hi,
if you are using SuSE you have to adjust /etc/security/pam_unix2 and not
bother about pam_ldap. It's a SuSE special and works quite fine
hth
Daniel
On Friday, 22 November 2002 11:50, Matthias Eichler wrote:
> Dear List,
>
> first, I know that there is a special pam_ldap-mailinglist, but
> unfortunately my posting there was not so successful, so maybe here
> somebody knows what to do.
>
> Thanks
>
> I've got a fresh LDAP / SAMBA / PAM setup running here on:
> Debian 3 (x86) with:
> - openldap-2.1.8
> - libpam 0.72-35
> - libpam-ldap 140-1
> - libpam-smbpass 2.2.3a-6
> - libnss-ldap 186-1
>
> What works:
> - I can login with LDAP users
> - I can login with non-LDAP (local) users
>
> The problems are:
> 1) I can not passwd local users at all:
> ---
> passwd: User not known to the underlying authentication module
> ---
>
> 2) I can not passwd LDAP users, the LDAP password
> seems to be incorrect, although I could login with
> it:
> ---
> [test.user@testserver test.user]$passwd
> Enter login(LDAP) password:
> LDAP Password incorrect: try again
> Enter login(LDAP) password:
> LDAP Password incorrect: try again
> Enter login(LDAP) password:
> LDAP Password incorrect: try again
> passwd: Have exhasted maximum number of retries for service.
> ---
>
> 3) User "root" can passwd other users with success.
>
> My files look like:
>
> * /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
>
> * /etc/ldap/slapd.conf:
> ### Load schema data ###
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/samba.schema
> #include /etc/ldap/schema/qmail.schema
>
>
> ### Load SSL certificate ###
>
> TLSCertificateFile /etc/ldap/server.pem
> TLSCertificateKeyFile /etc/ldap/server.pem
> TLSCACertificateFile /etc/ldap/server.pem
>
>
> ### LDAP database definition ###
>
> database bdb
> suffix "dc=ame,dc=loc"
> directory /var/ldap
>
> ### LDAP superuser definition ###
>
> rootdn "cn=service,dc=ame,dc=loc"
> rootpw password
>
>
> # Indices to maintain
> index objectClass eq
>
>
> ### ACL definitions ###
>
> # Users may change their own attributes,
> # everyone else sees nothing
> access to attr=loginShell
> by dn="uid=service,dc=ame,dc=loc" write
> by self write
> by * none
>
>
> # Users may change their own attributes,
> # authenticated users may read,
> # everyone else sees nothing
> access to
> attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
> by dn="uid=service,dc=ame,dc=loc" write
> by self write
>
> # Users may change their own attributes,
> # everyone else may read
> access to
> attr=dc,o,ou,uid,cn,givenName,sn,gecos,initials,title,photo,mail
> by dn="uid=service,dc=ame,dc=loc" write
> by self write
> by * read
>
> #
> # Users may change their own passwords.
> # anonymous auth only makes sense for userPassword,
> # but does no harm otherwise.
> # The Samba server must have write access here!
> access to attr=userPassword,lmPassword,ntPassword
> by dn="uid=service,dc=ame,dc=loc" write
> by self write
> by anonymous auth
> by * none
>
> #
> # Users may read their own attributes,
> # everyone else sees nothing
> #access to attr=accountStatus,mailQuota,registeredAddress
> # by dn="uid=service,dc=ame,dc=loc" write
> # by self read
> # by * none
>
> access to attr=registeredAddress
> by dn="uid=service,dc=ame,dc=loc" write
> by self read
> by * none
>
> #
> # Base rule so that anonymous users can
> # search the directory
> access to attr=entry,objectClass
> by dn="uid=service,dc=ame,dc=loc" write
> by * read
>
> #
> # Default policy: if none of the rules above
> # matches, authenticated users may read
> # and everyone else sees nothing.
> access to *
> by dn="uid=service,dc=ame,dc=loc" write
> by users read
> by * none
>
>
> * /etc/pam.d/passwd:
> The smbpass.so line is for later stacking of both mechanisms,
> so Linux-passwd also changes the "ntpassword" and
> "lmpassword"-attributes of the user, for password consistency
> between SMB and Linux.
> ---
> #%PAM-1.0
> auth sufficient pam_ldap.so
> auth required pam_unix.so nullok use_first_pass
> account sufficient pam_ldap.so
> account required pam_unix.so
> password required pam_pwcheck.so nullok
> password required pam_ldap.so use_first_pass use_authtok
> #password sufficient pam_smbpass.so audit use_first_pass
> password required pam_unix.so nullok use_first_pass \
> use_authtok min=4 max=15 obscure
> session required pam_unix.so
> ---
>
> * /etc/pam.d/login:
> ---
> auth required pam_securetty.so
> auth required pam_nologin.so
> auth sufficient pam_smbpass.so try_first_pass audit
> auth required pam_unix.so
> account sufficient pam_ldap.so
> account required pam_unix.so
> password required pam_pwcheck.so
> password required pam_smbpass.so debug use_first_pass \
> use_authok
> password required pam_unix.so nullok use_first_pass \
> use_authtok
> session required pam_unix.so none # debug or trace
> session required pam_limits.so
> session required pam_env.so
> session optional pam_mail.so
> ---
>
> * /etc/ldap.conf
> The rootbind-pw lies in /etc/ldap.secret, with 600.
> ---
> BASE dc=ame,dc=loc
> URI ldap://10.1.1.50
>
> BINDDN ou=nss,dc=ame,dc=loc
> BINDPW password
> ROOTBINDDN ou=service,dc=ame,dc=loc
> ---
>
> My logfiles say at passwd of a ldap user:
> * LDAP-Log:
> ---
> Nov 20 11:50:17 testserver slapd[1079]: daemon: conn=21 fd=16 connection
> from IP=127.0.0.1:33014 (IP=0.0.0.0:389) accepted.
> Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0
> text=
> Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SRCH
> base="dc=ame,dc=loc" scope=2 filter="(uid=test.user)"
> Nov 20 11:50:17 testserver slapd[1084]: <= bdb_equality_candidates:
> index_param failed (18)
> Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND
> dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
> Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97
> err=50 text=
> Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 RESULT tag=97 err=0
> text=
> Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 BIND
> dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
> Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 RESULT tag=97
> err=50 text=
> Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 RESULT tag=97 err=0
> text=
> Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 BIND
> dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
> Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 RESULT tag=97
> err=50 text=
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 RESULT tag=97 err=0
> text=
> Nov 20 11:50:25 testserver slapd[1079]: daemon: conn=22 fd=17 connection
> from IP=127.0.0.1:33015 (IP=0.0.0.0:389) accepted.
> Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 RESULT tag=97 err=0
> text=
> Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SRCH
> base="dc=ame,dc=loc" scope=2
> filter="(&(objectClass=shadowAccount)(uid=test.user))"
> Nov 20 11:50:25 testserver slapd[1082]: <= bdb_equality_candidates:
> index_param failed (18)
> Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=8 UNBIND
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 fd=16 closed
> Nov 20 11:50:25 testserver slapd[1079]: conn=22 fd=17 closed
> ---
>
> * AUTH.LOG
> ---
> Nov 20 11:50:20 testserver passwd[1116]: pam_ldap: error trying to bind
> as user "uid=test.user,ou=Muenchen,dc=ame,dc=loc" (Insufficient access)
> Nov 20 11:50:25 testserver last message repeated 2 times
> Nov 20 11:50:25 testserver PAM_unix[1116]: password - (old) token not
> obtained
> ---
>
> Thank you very much in advance for your help, this is really the last
> topic to make this server ready and I struggle here very badly...:-/
>
> Matthias
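As an added example (not from the thread or from OpenLDAP), a small first-match evaluator for `access to ... by ...` directives of the kind quoted above, fed the userPassword and default rules from that slapd.conf: it reports which level a requester ends up with, e.g. that the anonymous requester of a simple bind gets `auth` on userPassword, that the user gets `write` on their own userPassword, and that the `by * none` of the userPassword rule stops the default `by users read` rule from ever being reached. The regex, function names and the constructed ACL text are this example's own assumptions; it does not model the rootdn, which bypasses ACLs entirely.

```python
import re

# Added example, not from the thread. Evaluates OpenLDAP "access to ... by ..."
# directives the way slapd does: the first "access to" covering the attribute is
# the only one consulted, and inside it the first matching "by" decides; a
# directive with no matching "by" denies (implicit "by * none").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed from the userPassword and default rules in the slapd.conf above.
ACL_TEXT = """access to attr=userPassword,lmPassword,ntPassword
  by dn="uid=service,dc=ame,dc=loc" write
  by self write
  by anonymous auth
  by * none
access to *
  by dn="uid=service,dc=ame,dc=loc" write
  by users read
  by * none
"""
BY_RE = re.compile(r'by (?:dn="([^"]*)"|(self|anonymous|users|\*)) (\w+)$')


def parse_acls(text):
    """Return [(attrs or None for '*', [(dn, who, level), ...]), ...]."""
    acls = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.startswith("access to "):
            what = line[len("access to "):]
            attrs = None if what == "*" else what[len("attr="):].lower().split(",")
            acls.append((attrs, []))
        else:
            acls[-1][1].append(BY_RE.match(line).groups())
    return acls


def access_level(acls, attr, requester, target):
    """requester: None for anonymous, else the bound DN; target: entry DN."""
    for attrs, bys in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue                      # directive does not cover this attribute
        for dn, who, level in bys:
            who_matches = {"*": True, "anonymous": requester is None,
                           "users": requester is not None, "self": requester == target}
            if who_matches.get(who, False) or (dn is not None and dn == requester):
                return level
        return "none"                     # first covering directive, no "by" matched
    return "none"                         # no directive covers the attribute


def allowed(acls, attr, requester, target, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(acls, attr, requester, target)) >= LEVELS.index(needed)
```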