
Re: Skolelinux and Ubuntu



[Martin Schulte]
> Hello,
> I'm trying to add an Ubuntu PC to a Skolelinux (etch) network using
> this HowTo: http://wiki.skolelinux.de/Skolelinux/Ubuntu .
> I did all the things written there, and I also set a link from
> /etc/ldap.conf to /etc/ldap/ldap.conf (sudo unlink /etc/ldap.conf &&
> sudo ln -s ldap/ldap.conf /etc/ldap.conf ), because Ubuntu 9.10 stores
> the ldap.conf directly in /etc/ and not in /etc/ldap/.
> After restarting, I ran "getent passwd" and I saw all debian-edu users.
> After trying su - <username> , password: was prompted. After typing the
> password, I got the alert: "Authentication failure". I get the same
> error when trying to log in after reboot.
> The important lines in the auth.log are (username = mschulte):
> -----
> Jan  4 21:25:19 rootgym-laptop login[2838]: pam_unix(login:auth): 
> authentication failure; logname=rootgym uid=0 euid=0 tty=/dev/pts/2 
> ruser= rhost=  user=mschulte
> Jan  4 21:25:19 rootgym-laptop login[2838]: pam_ldap: error trying to 
> bind as user "uid=mschulte,ou=People,dc=skole,dc=skolelinux,dc=no" 
> (Confidentiality required)
> Jan  4 21:25:21 rootgym-laptop login[2838]: FAILED LOGIN (2) on 
> '/dev/pts/2' FOR 'mschulte', Authentication failure
> Jan  4 21:25:29 rootgym-laptop login[2838]: pam_ldap: error trying to 
> bind as user "uid=mschulte,ou=People,dc=skole,dc=skolelinux,dc=no" 
> (Confidentiality required)
> Jan  4 21:25:31 rootgym-laptop login[2838]: FAILED LOGIN (3) on 
> '/dev/pts/2' FOR 'mschulte', Authentication failure
> -----
> Can somebody help me?

I would suspect your /etc/pam_ldap.conf does not contain 'ssl start_tls'
or the LDAP server SSL certificate is missing in /etc/ldap/ssl/.
Password checks via LDAP require an encrypted LDAP connection, which
is ensured using TLS, and TLS should be configured to check the server
certificate.  The /etc/init.d/fetch-ldap-cert script is used in
Skolelinux to download the LDAP SSL certificate on the clients.  Note
that the LDAP configuration is intended to be different for NSS and
PAM, where NSS isn't encrypted while PAM is.

These are the current pam_ldap.conf settings in Debian Edu/Lenny:

  tjener:~# grep -v '#' /etc/pam_ldap.conf |sort -u

  base ou=People,dc=skole,dc=skolelinux,dc=no
  host ldap
  ldap_version 3
  pam_filter objectclass=posixAccount
  pam_password exop
  ssl start_tls
  tjener:~#    

> Another Question: Is there a possibility to assign the hostnames 
> automatically?

You mean like /etc/init.d/update-hostname is doing in Skolelinux?

Happy hacking,
-- 
Petter Reinholdtsen
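
The two causes suggested in the reply above, written as a client-side check. This is an added example, not part of the original message or of Debian Edu's own scripts; the function names and the rule that any file in the certificate directory counts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): client-side checks for the
# "Confidentiality required" bind failure. Default paths are the ones named above.

# Print the last value of a directive in an ldap.conf-style file, skipping comments.
conf_value() {  # $1 = file, $2 = directive (lower case)
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { if (v != "") print v }' "$1"
}

# Return 0 when pam_ldap is configured for StartTLS and a certificate is installed.
check_pam_ldap_tls() {  # $1 = pam_ldap.conf, $2 = certificate directory
    conf=${1:-/etc/pam_ldap.conf}
    certdir=${2:-/etc/ldap/ssl}
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is not readable"
        return 1
    fi
    ssl=$(conf_value "$conf" ssl)
    if [ "$ssl" = "start_tls" ]; then
        echo "OK:   'ssl start_tls' is set in $conf"
    else
        echo "FAIL: 'ssl start_tls' missing in $conf (ssl is '${ssl:-unset}')"
        rc=1
    fi
    # Assumption: any file in the directory counts; the thread does not name the file.
    if [ -d "$certdir" ] && [ -n "$(ls -A "$certdir" 2>/dev/null)" ]; then
        echo "OK:   $certdir contains a certificate file"
    else
        echo "FAIL: $certdir is missing or empty"
        rc=1
    fi
    return "$rc"
}

# Count pam_ldap bind attempts the server refused for lack of encryption.
count_confidentiality_errors() {  # $1 = auth log, one syslog entry per line
    grep -c 'pam_ldap: error trying to bind as user .*(Confidentiality required)' "$1" || true
}
```

Source the file on the client and run `check_pam_ldap_tls` with no arguments to test the default paths; `count_confidentiality_errors /var/log/auth.log` shows whether the failure is still occurring after a fix.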

