Re: LDAP & PAM on Redhat 8 Problem
It runs fine for me; isn't it a problem of crypt passwords? I compile my LDAP
server with --enable-crypt to conform to my userPassword {crypt} entries!
Here's a config that works.
$ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)
$ rpm -qa | grep ldap
nss_ldap-198-3
openldap-2.1.12-1
openldap-servers-2.1.12-1
openldap-devel-2.1.12-1
php-ldap-4.2.2-8.0.5
openldap-clients-2.1.12-1
$ cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
Paul Holman wrote:
I'm working on setting up OpenLDAP on a Redhat 8.0 server. I'm
attempting to authenticate logins to a Redhat 8 client using pam_ldap.
I've followed all the documentation and tutorials I can find, and
everything works, except the login. I can use ldapsearch on the server
& client. I'm able to obtain userPassword this way if I bind as a user
allowed by my ACL to read that field. Here is the error my client
generates when I attempt to log in:
Feb 5 02:30:25 thebit login(pam_unix)[9065]: check pass; user unknown
Feb 5 02:30:25 thebit login(pam_unix)[9065]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 5 02:30:28 thebit login[9065]: FAILED LOGIN 1 FROM (null) FOR testuser3, Authentication failure
testuser3 is in my LDAP database, the password I use has been thrice
checked. Here is the log on my LDAP server when this happens:
Feb 5 03:01:35 isaev slapd[9043]: daemon: conn=2 fd=10 connection from IP=10.1.1.49:33378 (IP=0.0.0.0:636) accepted.
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 BIND dn="CN=PROXYUSER,DC=KADREVIS,DC=COM" method=128
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 5 03:01:35 isaev slapd[9151]: conn=2 op=1 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9151]: conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SEARCH RESULT tag=101 err=0 text=
Feb 5 03:01:38 isaev slapd[9151]: conn=2 op=3 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:39 isaev slapd[9151]: conn=2 op=3 SEARCH RESULT tag=101 err=0 text=
My current theory is that something about the way pam_unix operates on
Redhat 8 is different than the rest of the Linux world. I've edited
/etc/pam.d/system-auth to look like all the examples I've seen.
I can send out my config files to anyone willing to help.
Thanks, pablos.
pablos@kadrevis.com