Authentication Modules / System-Auth
Greetings!
It seems as if my OpenLDAP server is now up and running; I can
authenticate users against the LDAP server. However, as soon as
I deactivate the LDAP server (OpenLDAP 2.0.27-8), I cannot log in,
not even with users that are stored in the common Linux files. I
have been told / I have read that this is a common problem with
PAM, frequently discussed here.
I'm currently using some older packages that can be found as RPMs
on the RH9 CDs; the server is set up with RH9 in that case, of course.
--
OpenLDAP 2.0.27-8
pam-0.75-48
openssl-0.9.7c-3 (installed for gq)
gq-0.7.0.0.beta2.6
--
I logged in as root, shut down the LDAP server, then logged out
and tried to log in again. I also tried to log in as an LDAP-only
stored user to see how this would show up in the syslog. Here
it is (the LDAP-only user is "testuser"):
/var/log/messages:
------------------------------
login(pam_unix)[3409]: session opened for user root by LOGIN(uid=0)
-- root[3409]: ROOT LOGIN ON tty1
ldap: slapd shutdown succeeded
login(pam_unix)[3409]: session closed for user root
login(pam_unix)[3498]: check pass; user unknown
login(pam_unix)[3498]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=
login(pam_unix)[3498]: could not identify user (from getpwnam(testuser))
login[3498]: pam_ldap: ldap_simple_bind Can't contact LDAP server
------------------------------
/etc/pam.d/system-auth (generated by RH9 authconfig with ldap enabled)
------------------------------
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_ldap.so
------------------------------
/etc/pam.d/login:
------------------------------
auth required pam_securetty.so
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
------------------------------
If you need more information, please let me know.
Thanks in advance.
Kind regards,
Michael Lackner
--
Montanuniversität Leoben
Institut für angewandte Mathematik und Geometrie
Abteilung für Informationstechnologie, IT-Administration
michael.lackner@unileoben.ac.at | +43 (0)3842/402-1505
http://www.hardoverclock.com | thrawn@hardoverclock.com
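
Added example, not part of the original post: a small evaluator that walks the auth and account lines of the system-auth quoted above using Linux-PAM's documented control semantics, so each stack's verdict can be checked while the LDAP server is stopped. Assumptions: pam_ldap returns PAM_AUTHINFO_UNAVAIL when it cannot reach the server, pam_deny returns PAM_AUTH_ERR, every bracket control includes a `default=`, and the `PATCHED` variant is a hypothetical change shown only for comparison.

```python
import re
# auth and account lines copied from the system-auth quoted in the post.
SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
# Hypothetical variant for comparison (not from the post): tolerate an unreachable server.
PATCHED = SYSTEM_AUTH.replace("system_err=ignore]", "system_err=ignore authinfo_unavail=ignore]")
# Assumed return codes while slapd is stopped (not stated in the post).
LDAP_DOWN = {"pam_ldap.so": "authinfo_unavail", "pam_deny.so": "auth_err"}
# Keyword controls in bracket form, per the equivalences in pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\w+)[ \t]+(\[[^\]]*\]|\w+)[ \t]+(\S+)", re.M)

def parse(config, facility):
    """Return [(actions, module)] for one facility (auth, account, ...)."""
    stack = []
    for fac, ctl, path in LINE.findall(config):
        if fac == facility:
            actions = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
            stack.append((actions, path.rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results maps module -> return-code token; unlisted modules return success."""
    status, impression = "success", None
    for actions, module in stack:
        ret = results.get(module, "success")
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break  # a sufficient module ends the stack only if nothing failed before
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret  # first failure decides the result
            if action == "die":
                break
    return status if impression else "must_fail"  # nothing voted: libpam fails the stack
```

Under these assumptions the auth stack still succeeds for a local user, but the account stack ends in `authinfo_unavail` because that code falls through to `default=bad` on the pam_ldap line. The `PATCHED` variant passes, at the cost of skipping LDAP account checks whenever the server is unreachable.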