Re: Need some help with this authentication problem
Tony Earnshaw wrote:
Mon, 2003-01-20 at 20:38, charld wrote:
If I
1) login as root and then
2) do a "su - ldaptestuser" this works!
I don't need the ldaptestuser password when I su from root.
and everything works fine but I can't change or do anything with the
password.
This would only confirm what I said about the files in /etc/pam.d. I
don't know how RH organizes things, I've always used source on my RH 7.2
machine.
I use /etc/pam.d files from Red Hat with no problems!
They are generated by the authconfig command, which sets them (actually the
system-auth file) to use ldap if you choose ldap authentication. All
services point to the central module stack file represented by system-auth,
e.g.:
$ cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
#auth [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so use_first_pass
#auth required /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
#account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
Anyway, it doesn't prevent you from changing system-auth, as I did above
for "account pam_localuser" (problem with local logins when the ldap server
was down) and "account user_unknown=ignore pam_ldap" (problem with the
/etc/ldap.conf personal filter not being used!)
1) login as myself (I am not in ldap)
2) su - ldaptestuser
and I get prompted for the password, I get a password incorrect.
I tried the authconfig command on the client and that didn't help.
I must be missing something real simple but it escapes me. I cut and
pasted the password from /etc/shadow into the account profile.
You can't just cut 'n paste. Get GQ 0.7 beta and compile and use it,
jump from www.biot.com, and you'll see why. You have to specify how the
password was encrypted ({crypt}, {sha1} etc.)
Best,
Tony
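
As an added example (not part of the original messages or of Red Hat's tooling), this is a simplified Python model of how PAM walks the active "auth" lines of the system-auth file quoted above. It handles only the keyword control flags, not the bracketed [default=...] form, and the per-module outcomes passed in are constructed inputs.

```python
# Added illustration: simplified model of PAM keyword control flags.
# AUTH_STACK holds the uncommented "auth" lines of the system-auth file above.
AUTH_STACK = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
"""

def parse_stack(text, mod_type="auth"):
    """Return [(control, module_name)] for one module type, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != mod_type:
            continue  # comment lines start with '#', so fields[0] never matches
        entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def scenario(unix, ldap):
    """Constructed module outcomes: pam_env succeeds, pam_deny always fails."""
    return {"pam_env.so": True, "pam_unix.so": unix,
            "pam_ldap.so": ldap, "pam_deny.so": False}

def evaluate(stack, outcomes):
    """Walk the stack; return (granted, modules_consulted_in_order)."""
    failed = False      # a required/requisite module has failed
    succeeded = False   # a required/requisite module has succeeded
    consulted = []
    for control, module in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted            # fail immediately
        if control in ("required", "requisite"):
            failed = failed or not ok          # failure is remembered, walk goes on
            succeeded = succeeded or ok
        elif control == "sufficient" and ok and not failed:
            return True, consulted             # stop here, later modules never run
        # a failing "sufficient" module and any "optional" module change nothing here
    return (succeeded and not failed), consulted

if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    for label, unix, ldap in [("local user", True, False),
                              ("ldap user, bind ok", False, True),
                              ("ldap user, bind fails", False, False)]:
        print(label, evaluate(stack, scenario(unix, ldap)))
```

In the third case neither sufficient module succeeds, so the walk reaches pam_deny.so and the request is refused.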