
Re: LDAP & PAM on Redhat 8 Problem



It runs fine for me. Isn't it a problem of crypt password? I compile my LDAP server with --enable-crypt to conform to my userPassword {crypt} entries!

Here's a config that works.

$ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)
$ rpm -qa | grep ldap
nss_ldap-198-3
openldap-2.1.12-1
openldap-servers-2.1.12-1
openldap-devel-2.1.12-1
php-ldap-4.2.2-8.0.5
openldap-clients-2.1.12-1

$ cat /etc/pam.d/login
#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so


$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so


password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so



Paul Holman wrote:
I'm working on setting up OpenLDAP on a Redhat 8.0 server. I'm attempting to authenticate logins to a Redhat 8 client using pam_ldap. I've followed all the documentation and tutorials I can find, and everything works, except the login. I can use ldapsearch on the server & client. I'm able to obtain userPassword this way if I bind as a user allowed by my ACL to read that field. Here is the error my client generates when I attempt to log in:

Feb 5 02:30:25 thebit login(pam_unix)[9065]: check pass; user unknown
Feb 5 02:30:25 thebit login(pam_unix)[9065]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 5 02:30:28 thebit login[9065]: FAILED LOGIN 1 FROM (null) FOR testuser3, Authentication failure


testuser3 is in my LDAP database, the password I use has been thrice checked. Here is the log on my LDAP server when this happens:

Feb 5 03:01:35 isaev slapd[9043]: daemon: conn=2 fd=10 connection from IP=10.1.1.49:33378 (IP=0.0.0.0:636) accepted.
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 BIND dn="CN=PROXYUSER,DC=KADREVIS,DC=COM" method=128
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 5 03:01:35 isaev slapd[9151]: conn=2 op=1 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9151]: conn=2 op=1 SEARCH RESULT tag=101 err=0 text=


Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SEARCH RESULT tag=101 err=0 text=


Feb 5 03:01:38 isaev slapd[9151]: conn=2 op=3 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:39 isaev slapd[9151]: conn=2 op=3 SEARCH RESULT tag=101 err=0 text=


My current theory is that something about the way pam_unix operates on Redhat 8 is different than the rest of the Linux world. I've edited /etc/pam.d/system-auth to look like all the examples I've seen.

I can send out my config files to anyone willing to help.

Thanks, pablos.
pablos@kadrevis.com
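A small checker for the auth-stack shape shown in the working system-auth above, written as an added example for this thread (it is not code from either poster). It parses PAM lines, including the bracketed control syntax used on the account line, and flags three things a mixed local/LDAP login stack depends on: pam_unix marked required (any user pam_unix does not know then fails the whole stack), pam_ldap listed before pam_unix (use_first_pass has nothing to reuse), and a missing trailing pam_deny. Both sample stacks are constructed from the configuration quoted above.

```python
import re

# Constructed sample: the auth/account stack from the working system-auth quoted in this thread.
WORKING = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""
# Constructed counter-example: pam_unix marked required, so an LDAP-only user
# (reported by pam_unix as "user unknown") fails the whole auth stack.
BROKEN = WORKING.replace("auth sufficient /lib/security/pam_unix.so",
                         "auth required /lib/security/pam_unix.so")

# type, control (a bare word or a [key=value ...] group), module path, optional args
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse PAM lines into (type, control, module basename, args list);
    a bracketed control such as [success=ok default=bad] stays one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and the #%PAM-1.0 header
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        ptype, control, module, args = m.groups()
        entries.append((ptype, control, module.rsplit("/", 1)[-1], args.split()))
    return entries

def lint_ldap_auth(text):
    """Return findings about the auth stack; an empty list means it has the
    shape this thread relies on for users that may exist only in LDAP."""
    findings = []
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    mods = [e[2] for e in auth]
    if "pam_unix.so" not in mods or "pam_ldap.so" not in mods:
        return ["auth stack needs both pam_unix.so and pam_ldap.so"]
    if mods.index("pam_unix.so") > mods.index("pam_ldap.so"):
        findings.append("pam_ldap.so precedes pam_unix.so, so use_first_pass has no password to reuse")
    for _, control, mod, args in auth:
        if mod == "pam_unix.so" and control in ("required", "requisite"):
            findings.append("pam_unix.so is %s: users unknown locally fail the whole stack" % control)
        if mod == "pam_ldap.so" and not {"use_first_pass", "try_first_pass"} & set(args):
            findings.append("pam_ldap.so lacks use_first_pass/try_first_pass; users are prompted twice")
    if auth[-1][2] != "pam_deny.so":
        findings.append("auth stack does not end with pam_deny.so")
    return findings
```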