
Re: new user, question about authentication



I've run authconfig, and on the first screen selected nothing but Use LDAP, set the server and the base DN, then on the second screen I have Use Shadow Passwords, Use MD5 Passwords, and Use LDAP Authentication selected. I hit okay, and it stops nscd.

Then I edited /etc/nsswitch.conf to put ldap at the top of the pecking order for authentication.

When I go to edit /etc/pam.d/system-auth, I don't have the line you mention below. The closest thing I have is:
account required /lib/security/pam_unix.so


If I change that to:
account    required    /lib/security/pam_ldap.so

I can't log in at all, not with users that exist in ldap or with those that don't (which I need to be able to do; I want root to be a local account on each machine, not one in ldap).

Here's what my system-auth file looks like (the commented line is the one added by me; I just commented out the one above it as opposed to removing it):

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
#account required /lib/security/pam_ldap.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so


password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so


session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

On Thursday, Mar 20, 2003, at 13:47 US/Central, Matthew Schumacher wrote:

Jacob,

The simple way to make this work on redhat is by using the command `authconfig`; however, if the directory is unavailable then everything breaks.

To fix that you must change the line in system-auth:

from> account     sufficient      /lib/security/pam_unix.so
to  > account     required        /lib/security/pam_ldap.so

While this lets you login when ldap is down you have a new problem. See:

http://www.netsys.com/pamldap/2002/06/msg00046.html

for details.

schu

jacob walcik wrote:
I've got openldap working for the first time using the RPMs available with redhat 7.3:
openldap-clients-2.0.27-2.7.3
nss_ldap-189-4
openldap-2.0.27-2.7.3
openldap12-1.2.13-8
openldap-servers-2.0.27-2.7.3
I migrated my configuration/user info with the script that redhat includes for doing so; however, now I've run into a problem. I have two machines set up to authenticate against the ldap directory: the one openldap is running on, and another test box.
On both machines, if I try to log in w/ an account that only exists in ldap, it fails. If I try to log in with an account that only exists on the system, it succeeds. If I try to log in w/ an account that exists in both, only the password for the system works.
I can look in my messages log and see that the login was handled by pam_unix; however, I don't see any failures (or any messages at all) from pam_ldap. According to the ldap docs on openldap.org (quickstart guide and the integration chapter) and redhat.com, I've added the correct entries to /etc/ldap.conf and /etc/openldap/slapd.conf. Can someone get me pointed in the right direction for where to go from here?
ldap.conf:
host sarge.lamc.utexas.edu
base dc=lamc,dc=utexas,dc=edu
ssl no
pam_password md5
nsswitch.conf
passwd: ldap files nisplus
shadow: ldap files nisplus
group: ldap files nisplus
--
jacob walcik
jwalcik@mail.utexas.edu


--
jacob walcik
jwalcik@mail.utexas.edu
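The thread turns on how PAM evaluates an `account` stack: a plain `account required pam_ldap.so` fails closed for every user the moment the directory is unreachable (or the user is local only), while the bracketed control that authconfig writes (`[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]`) tolerates an LDAP outage and unknown users but still enforces an LDAP "account expired" verdict. The following simulator is an added example, not code from the thread or from Linux-PAM; it implements the control-flag semantics from pam.conf(5) (the four keywords are expanded to their documented bracketed equivalents) and runs the stacks quoted above against constructed tables of what pam_unix and pam_ldap would return in each situation. Those return tables, the scenario names, and the `FAIL_CLOSED_STACK` variant are assumptions made for the example; numeric jump actions are not modelled.

```python
"""Simulate Linux-PAM stack evaluation for the 'account' lines discussed in the thread."""
import re

# PAM return values used by the constructed scenarios below.
SUCCESS, USER_UNKNOWN, SERVICE_ERR, SYSTEM_ERR, ACCT_EXPIRED, PERM_DENIED, IGNORE = (
    "success", "user_unknown", "service_err", "system_err", "acct_expired", "perm_denied", "ignore")

# pam.conf(5) defines the keyword controls as shorthand for these bracketed forms.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(field):
    """Turn 'required' or '[default=bad success=ok ...]' into a value->action map."""
    field = field.strip()
    if field.startswith("["):
        return dict(kv.split("=", 1) for kv in field.strip("[]").split())
    return dict(KEYWORDS[field])

def parse_stack(text, mgmt_group):
    """Return [(control_map, module_basename)] for one management group (e.g. 'account')."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments like the one Jacob left in
        if not line:
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)", line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        group, control, module, _args = m.groups()
        if group == mgmt_group:
            stack.append((parse_control(control), module.rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results maps module basename -> the value it returns for this login attempt.
    Returns the value the stack hands back to the application (PAM_SUCCESS or an error)."""
    status = None                      # None = nothing has decided the outcome yet
    for control, module in stack:
        rv = results.get(module, IGNORE)
        action = control.get(rv, control.get("default", "bad"))
        if action.isdigit():
            raise ValueError("jump actions are not modelled in this example")
        if action in ("ok", "done"):   # override only a not-yet-failed stack
            if status is None or status == SUCCESS:
                status = rv
            if action == "done":
                return status
        elif action in ("bad", "die"): # first failure is the one reported
            if status is None or status == SUCCESS:
                status = rv
            if action == "die":
                return status
        elif action == "reset":
            status = None
        # "ignore": this module's return does not contribute
    return PERM_DENIED if status is None else status

# Stacks from the thread (paths exactly as posted) plus one constructed variant.
LOCKOUT_STACK = "account    required    /lib/security/pam_ldap.so\n"          # Jacob's attempted change
FAIL_CLOSED_STACK = ("account required /lib/security/pam_unix.so\n"           # constructed variant
                     "account required /lib/security/pam_ldap.so\n")
AUTHCONFIG_STACK = ("account required /lib/security/pam_unix.so\n"            # what authconfig wrote
                    "#account required /lib/security/pam_ldap.so\n"
                    "account [default=bad success=ok user_unknown=ignore "
                    "service_err=ignore system_err=ignore] /lib/security/pam_ldap.so\n")

# Constructed module return tables (assumed behaviour of pam_unix/pam_ldap per situation).
LOCAL_ROOT_LDAP_UP    = {"pam_unix.so": SUCCESS, "pam_ldap.so": USER_UNKNOWN}
LOCAL_ROOT_LDAP_DOWN  = {"pam_unix.so": SUCCESS, "pam_ldap.so": SERVICE_ERR}
LDAP_USER_OK          = {"pam_unix.so": SUCCESS, "pam_ldap.so": SUCCESS}
LDAP_USER_EXPIRED     = {"pam_unix.so": SUCCESS, "pam_ldap.so": ACCT_EXPIRED}
LDAP_USER_LDAP_DOWN   = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SERVICE_ERR}

def run_scenarios():
    """Evaluate every scenario against every stack; returns {(stack, scenario): result}."""
    stacks = {"lockout": LOCKOUT_STACK, "fail_closed": FAIL_CLOSED_STACK, "authconfig": AUTHCONFIG_STACK}
    scenarios = {"local_root_ldap_up": LOCAL_ROOT_LDAP_UP, "local_root_ldap_down": LOCAL_ROOT_LDAP_DOWN,
                 "ldap_user_ok": LDAP_USER_OK, "ldap_user_expired": LDAP_USER_EXPIRED,
                 "ldap_user_ldap_down": LDAP_USER_LDAP_DOWN}
    return {(s, n): evaluate(parse_stack(text, "account"), res)
            for s, text in stacks.items() for n, res in scenarios.items()}

if __name__ == "__main__":
    for (stack, scenario), result in sorted(run_scenarios().items()):
        print(f"{stack:12} {scenario:22} -> {result}")
```

Running it shows the trade-off in one table: the `lockout` stack never admits a local root (the only module present returns `user_unknown`), the `fail_closed` variant admits local root only while the directory answers, and the `authconfig` stack admits local root during an outage yet still rejects an LDAP user whose account pam_ldap reports as expired. The mapping from PAM return value to action is the whole security decision here, so a practitioner should read a bracketed control by asking, for each failure the directory can produce, whether it lands on `ignore` (tolerated) or `bad` (enforced).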