Re: using LDAP as central authentication unit
Hamidreza Hamedtoolloei wrote, on 23-02-2008 02:09:
> Thanks for your comment. I played more with my ldap and here is what I
> found out. If a user is in both /etc/passwd and the ldap directory with the
> same password, linux authentication is used. However, if the user's /etc/passwd
> password is different from the ldap password, depending on which password is used
> during the login, the appropriate authentication is used (i.e. both passwords
> work just fine).
> However, here is what I still don't understand:
> if a user is only in /etc/passwd, after executing su user, it seems that
> there are still some activities on the ldap side. For instance, when I do
> su karan where karan ONLY exists in /etc/passwd, I get the
> following in the logfile (/var/log/local4):
I have no idea. My only point was meant to be that people who write
HOWTOs or give concrete rules for how things are, or for doing
particular things shouldn't, without concrete caveats about the contexts
or investigating the consequences for themselves. I'm tempted to
extrapolate this into the theological, but I won't.
My /etc/ldap.conf is probably different from yours, I've indexed all my
attributes that can be indexed (you haven't), I can't equate my system
with yours (because you don't say what your system is).
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389)
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text=
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))"
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Feb 22 14:54:03 gamaalien slapd[7896]: <= bdb_equality_candidates: (uidNumber) not indexed
Index, then go further.
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from IP=127.0.0.1:33278 (IP=0.0.0.0:389)
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=42 fd=20 closed (connection lost)
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))"
> Feb 22 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not indexed
Index, then go further.
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=karan))"
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH attr=gidNumber
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 closed (connection lost)
> Do you know what's going on here? If linux authentication is used and
> karan is not in the ldap directory, then why is ldap called?
I've no idea, see the above. This is all pam_ldap stuff, perhaps you
should be posting to that list.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
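The slapd stats log quoted in this thread is the sort of thing an admin ends up reading by hand. The script below is an added example, not code from this thread or from OpenLDAP or pam_ldap/nss_ldap. It parses lines in the format shown, ties each search to the bind made on the same connection, collects the attributes slapd reported as "not indexed" (turning them into the slapd.conf `index <attr> eq` directives that Tonni's "Index, then go further" points at), and lists which anonymous-bind searches requested userPassword, which is worth checking against the server's ACLs. The sample log is constructed from the quoted lines; the class and function names are my own.

```python
"""Parse OpenLDAP slapd syslog output (loglevel stats) and report, per search:
which bind it ran under, which attributes it asked for, how many entries came
back, and which filter attributes slapd complained are not indexed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the slapd lines quoted in the thread.
SAMPLE_LOG = """\
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389)
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text=
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))"
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 22 14:54:03 gamaalien slapd[7896]: <= bdb_equality_candidates: (uidNumber) not indexed
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from IP=127.0.0.1:33278 (IP=0.0.0.0:389)
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))"
Feb 22 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not indexed
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=karan))"
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH attr=gidNumber
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="([^"]*)"')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
NOIDX_RE = re.compile(r'<= \w+_candidates: \((\w+)\) not indexed')


@dataclass
class Search:
    conn: int
    op: int
    base: str
    filter: str
    bind_dn: Optional[str] = None      # dn of the bind on this connection; "" means anonymous
    attrs: List[str] = field(default_factory=list)
    nentries: Optional[int] = None
    unindexed: List[str] = field(default_factory=list)


def parse_slapd_log(text: str) -> List[Search]:
    binds: Dict[int, str] = {}          # conn -> bind dn
    by_key: Dict[Tuple[int, int], Search] = {}
    searches: List[Search] = []
    last: Optional[Search] = None       # "not indexed" lines carry no conn/op (see note)
    for line in text.splitlines():
        if m := BIND_RE.search(line):
            binds[int(m.group(1))] = m.group(3)
        elif m := SRCH_RE.search(line):
            conn, op = int(m.group(1)), int(m.group(2))
            s = Search(conn, op, m.group(3), m.group(4), bind_dn=binds.get(conn))
            searches.append(s)
            by_key[(conn, op)] = s
            last = s
        elif m := ATTR_RE.search(line):
            key = (int(m.group(1)), int(m.group(2)))
            if key in by_key:
                by_key[key].attrs = m.group(3).split()
        elif m := RESULT_RE.search(line):
            key = (int(m.group(1)), int(m.group(2)))
            if key in by_key:
                by_key[key].nentries = int(m.group(4))
        elif m := NOIDX_RE.search(line):
            # slapd does not tag this line with conn/op; attribute it to the most
            # recent SRCH, which is exact on a quiet server and approximate on a busy one.
            if last is not None:
                last.unindexed.append(m.group(1))
    return searches


def unindexed_attributes(searches: List[Search]) -> List[str]:
    """Attributes used in equality filters that slapd reported as not indexed."""
    return sorted({a for s in searches for a in s.unindexed})


def index_directives(attrs: List[str]) -> List[str]:
    """slapd.conf lines to add; an eq index serves the (attr=value) filters seen above."""
    return [f"index {a} eq" for a in attrs]


def anonymous_searches_requesting(searches: List[Search], attr: str) -> List[Tuple[int, int, str]]:
    """Searches run on an anonymous bind (dn="") that asked for the given attribute."""
    return [(s.conn, s.op, s.filter) for s in searches if s.bind_dn == "" and attr in s.attrs]


if __name__ == "__main__":
    found = parse_slapd_log(SAMPLE_LOG)
    for s in found:
        print(f"conn={s.conn} op={s.op} bind={s.bind_dn!r} filter={s.filter} nentries={s.nentries}")
    print("add to slapd.conf:", index_directives(unindexed_attributes(found)))
    print("anonymous searches requesting userPassword:",
          anonymous_searches_requesting(found, "userPassword"))
```

Run against a real /var/log/local4 (or wherever local4 is routed), `index_directives()` gives the lines to add to slapd.conf before rebuilding indexes with slapindex, and the userPassword report tells you whether an anonymous client is at least asking for password hashes; whether it gets them is decided by the access directives, so that is the place to look next.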