
Re: passwd not working with OpenLDAP / PAM



Hi,

if you are using SuSE you have to adjust /etc/security/pam_unix2 and not 
bother about pam_ldap. It's a SuSE special and works quite fine.

hth 
Daniel


On Friday, 22 November 2002 11:50, Matthias Eichler wrote:
> Dear List,
>
> first, I know that there is a special pam_ldap mailing list, but
> unfortunately my posting there was not so successful, so maybe here
> somebody knows what to do.
>
> Thanks
>
> I've got a fresh LDAP / SAMBA / PAM setup running here on:
> Debian 3 (x68) with:
>         - openldap-2.1.8
>         - libpam 0.72-35
>         - libpam-ldap 140-1
>         - libpam-smbpass 2.2.3a-6
>         - libnss-ldap 186-1
>
> What works:
>         - I can login with LDAP users
>         - I can login with non-LDAP (local) users
>
> The problems are:
>         1) I can not passwd local users at all:
>         ---
>         passwd: User not known to the underlying authentication module
>         ---
>
>         2) I can not passwd LDAP users, the LDAP password
>            seems to be incorrect, although I could login with
>            it:
>         ---
>         [test.user@testserver test.user]$passwd
>         Enter login(LDAP) password:
>         LDAP Password incorrect: try again
>         Enter login(LDAP) password:
>         LDAP Password incorrect: try again
>         Enter login(LDAP) password:
>         LDAP Password incorrect: try again
>         passwd: Have exhasted maximum number of retries for service.
>         ---
>
>         3) User "root" can passwd other users with success.
>
> My files look like:
>
> * /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files ldap
> shadow:         files ldap
> group:          files ldap
> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
>
>
> * /etc/ldap/slapd.conf:
> ### Load schema data ###
>
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/inetorgperson.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/samba.schema
> #include        /etc/ldap/schema/qmail.schema
>
>
> ### Load SSL certificate ###
>
> TLSCertificateFile      /etc/ldap/server.pem
> TLSCertificateKeyFile   /etc/ldap/server.pem
> TLSCACertificateFile    /etc/ldap/server.pem
>
>
> ### Definition of the LDAP database ###
>
> database        bdb
> suffix          "dc=ame,dc=loc"
> directory       /var/ldap
>
> ### Definition of the LDAP superuser ###
>
> rootdn  "cn=service,dc=ame,dc=loc"
> rootpw  password
>
>
> # Indices to maintain
> index   objectClass     eq
>
>
> ### Definition of the ACLs ###
>
> # Users may change their own attributes,
> # everyone else sees nothing
> access to attr=loginShell
>        by dn="uid=service,dc=ame,dc=loc" write
>        by self write
>        by * none
>
>
> # Users may change their own attributes,
> # authenticated users may read,
> # everyone else sees nothing
> access to
> attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
>        by dn="uid=service,dc=ame,dc=loc" write
>        by self write
>
> # Users may change their own attributes,
> # everyone else may read
> access to
> attr=dc,o,ou,uid,cn,givenName,sn,gecos,initials,title,photo,mail
>        by dn="uid=service,dc=ame,dc=loc" write
>        by self write
>        by * read
>
> #
> # Users may change their own passwords.
> # anonymous auth only makes sense for userPassword,
> # but does no harm otherwise.
> # The Samba server must have write access here!
> access to attr=userPassword,lmPassword,ntPassword
>        by dn="uid=service,dc=ame,dc=loc" write
>        by self write
>        by anonymous auth
>        by * none
>
> #
> # Users may read their own attributes,
> # everyone else sees nothing
> #access to attr=accountStatus,mailQuota,registeredAddress
> #       by dn="uid=service,dc=ame,dc=loc" write
> #       by self read
> #       by * none
>
> access to attr=registeredAddress
>        by dn="uid=service,dc=ame,dc=loc" write
>        by self read
>        by * none
>
> #
> # Base rule so that anonymous users can
> # search the directory
> access to attr=entry,objectClass
>        by dn="uid=service,dc=ame,dc=loc" write
>        by * read
>
> #
> # Default policy: if none of the rules above
> # matches, authenticated users may read
> # and everyone else sees nothing.
> access to *
>         by dn="uid=service,dc=ame,dc=loc" write
>         by users read
>         by * none
>
>
> * /etc/pam.d/passwd:
>   The smbpass.so line is for later stacking of both mechanisms,
>   so Linux passwd also changes the "ntpassword" and
>   "lmpassword" attributes of the user, for password consistency
>   between SMB and Linux.
> ---
> #%PAM-1.0
> auth     sufficient     pam_ldap.so
> auth     required       pam_unix.so     nullok use_first_pass
> account  sufficient     pam_ldap.so
> account  required       pam_unix.so
> password required       pam_pwcheck.so  nullok
> password required       pam_ldap.so     use_first_pass use_authtok
> #password sufficient     pam_smbpass.so  audit use_first_pass
> password required       pam_unix.so     nullok use_first_pass \
> use_authtok min=4 max=15 obscure
> session  required       pam_unix.so
> ---
>
> * /etc/pam.d/login:
> ---
> auth            required        pam_securetty.so
> auth            required        pam_nologin.so
> auth            sufficient      pam_smbpass.so  try_first_pass audit
> auth            required        pam_unix.so
> account         sufficient      pam_ldap.so
> account         required        pam_unix.so
> password        required        pam_pwcheck.so
> password        required        pam_smbpass.so  debug use_first_pass \
> use_authok
> password        required        pam_unix.so     nullok use_first_pass \
> use_authtok
> session         required        pam_unix.so     none # debug or trace
> session         required        pam_limits.so
> session         required        pam_env.so
> session         optional        pam_mail.so
> ---
>
> * /etc/ldap.conf
>  The rootbind password is in /etc/ldap.secret, with mode 600.
> ---
> BASE    dc=ame,dc=loc
> URI     ldap://10.1.1.50
>
> BINDDN  ou=nss,dc=ame,dc=loc
> BINDPW  password
> ROOTBINDDN      ou=service,dc=ame,dc=loc
> ---
>
> My logfiles say the following at passwd of an LDAP user:
> * LDAP-Log:
> ---
> Nov 20 11:50:17 testserver slapd[1079]: daemon: conn=21 fd=16 connection
> from IP=127.0.0.1:33014 (IP=0.0.0.0:389) accepted.
> Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0
> text=
> Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SRCH
> base="dc=ame,dc=loc" scope=2 filter="(uid=test.user)"
> Nov 20 11:50:17 testserver slapd[1084]: <= bdb_equality_candidates:
> index_param failed (18)
> Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND
> dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
> Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97
> err=50 text=
> Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 RESULT tag=97 err=0
> text=
> Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 BIND
> dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
> Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 RESULT tag=97
> err=50 text=
> Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 RESULT tag=97 err=0
> text=
> Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 BIND
> dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
> Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 RESULT tag=97
> err=50 text=
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 RESULT tag=97 err=0
> text=
> Nov 20 11:50:25 testserver slapd[1079]: daemon: conn=22 fd=17 connection
> from IP=127.0.0.1:33015 (IP=0.0.0.0:389) accepted.
> Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 BIND
> dn="cn=service,dc=ame,dc=loc" method=128
> Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 RESULT tag=97 err=0
> text=
> Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SRCH
> base="dc=ame,dc=loc" scope=2
> filter="(&(objectClass=shadowAccount)(uid=test.user))"
> Nov 20 11:50:25 testserver slapd[1082]: <= bdb_equality_candidates:
> index_param failed (18)
> Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=8 UNBIND
> Nov 20 11:50:25 testserver slapd[1084]: conn=21 fd=16 closed
> Nov 20 11:50:25 testserver slapd[1079]: conn=22 fd=17 closed
> ---
>
> * AUTH.LOG
> ---
> Nov 20 11:50:20 testserver passwd[1116]: pam_ldap: error trying to bind
> as user "uid=test.user,ou=Muenchen,dc=ame,dc=loc" (Insufficient access)
> Nov 20 11:50:25 testserver last message repeated 2 times
> Nov 20 11:50:25 testserver PAM_unix[1116]: password - (old) token not
> obtained
> ---
>
> Thank you very much in advance for your help, this is really the last
> topic to make this server ready and I am struggling here very badly...:-/
>
> Matthias
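Added example (mine, not from either poster): a small Python parser for the slapd log format quoted above that pairs each BIND with its RESULT by conn/op and counts failed binds per DN, so the err=50 results (insufficientAccessRights in RFC 4511, which pam_ldap reports as "Insufficient access") become a countable signal. The sample log lines are constructed from the excerpt with the mail-client wrapping undone.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the slapd log quoted above, with the
# mail-client line wrapping undone so each event sits on one line.
SAMPLE_LOG = """\
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0 text=
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97 err=50 text=
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 BIND dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 RESULT tag=97 err=50 text=
"""

# LDAP resultCode values (RFC 4511) that matter when a bind fails.
RESULT_NAMES = {0: "success", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

# slapd logs a request and its result as separate lines; conn/op tie them together.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def parse_bind_results(log_text):
    """Pair every BIND with its RESULT (tag=97 = BindResponse) by (conn, op).
    Returns a list of (bind_dn, err, err_name) in log order."""
    pending = {}   # (conn, op) -> dn of a BIND whose RESULT has not arrived yet
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None:   # skip results whose BIND we did not see
                err = int(m.group(3))
                results.append((dn, err, RESULT_NAMES.get(err, "unknown")))
    return results


def failed_binds(log_text):
    """Count non-success bind results per DN: the number to alert on or graph."""
    counts = defaultdict(int)
    for dn, err, _name in parse_bind_results(log_text):
        if err != 0:
            counts[dn] += 1
    return dict(counts)
```

Running `failed_binds` over a full day of slapd logs gives a per-DN failure count; a burst of err=49 against many DNs looks very different from the repeated err=50 for one DN seen in this thread.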