
Re: Linux LDAP problem



I just finished an LDAP configuration successfully and found out that the configuration is tricky - I had to be very careful. I had the same problem with double passwords - the order in the PAM config files was wrong.

Also I found out that PAM was not able to bind to the server anonymously, though I had configured it in the slapd.conf. So I created a Manager with read-only permission. For some reason my ldap.conf accepts _only_ an IP in the host entry; everywhere else the domain name works.


my /etc/pam.d/login:

auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_unix_auth.so use_first_pass
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix_acct.so
password required   /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required   /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
session  required   /lib/security/pam_unix_session.so

/etc/pam.d/pop || imap || su
auth     sufficient     pam_ldap.so
auth     required       pam_unix_auth.so
account  required       pam_unix_acct.so
password required       pam_unix_passwd.so
session  required       pam_unix_session.so



/etc/openldap/slapd.conf:

<--- snip --->
access to attr=userPassword
        by self write
        by dn="cn=Manager,dc=domain,dc=com" write
        by dn="cn=pam,dc=domain,dc=com" read
        by anonymous auth
        by * none
access to *
        by self write
        by dn="cn=Manager,dc=domain,dc=com" write
        by * read
</--- snip --->


/etc/libnss-ldap.conf:

<--- snip --->
binddn cn=pam,dc=domain,dc=com
bindpw xxxxxxxxx
<--- snip --->

This configuration works on my system:
Potato AXP, LDAP 2.0.11 (compiled)

martin


Sergio Talens-Oliag wrote:
On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:

Hey,

I've got a slight problem. At school we run two major networks: one half is Novell Netware based, and the other half is unix based. We basically want one centralized system of authentication, so that users don't have to remember two different passwords to use either system. We've been trying to get linux to use ldap to authenticate with the novell ldap server, and have had no luck. We know the novell ldap server is fine, however something seems fishy with the linux side. The problem, when using the PAM_LDAP modules, is that when a user tries to log in, they are asked for a password twice, once the normal password, and the second one being the ldap based password. However, even if you type in the correct passwords, LDAP says permission denied, or authentication failed. What makes it really odd is how at the same time the novell netware server states it has seen the authenticated user, and even gives it an OK to login.

Anyone have any clue as to how to make it work? Are there any docs about getting Netware+linux+ldap to work? Thanks for any info that you might pass along. Have a nice day.


  I think your problem is in your pam module configuration, I use something
  like that for auth:

---
auth       required     pam_nologin.so
auth       sufficient   pam_unix.so
auth       required     pam_ldap.so use_first_pass
---

  With this setup the user is only asked once; if 'pam_unix' succeeds the user
  is authorized and if it fails 'pam_ldap' tries to authenticate using the
  same password entered.

  Hope this helps.
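The thread turns on how Linux-PAM walks an `auth` stack: `sufficient` short-circuits on success, a failed `required` module lets later modules run but makes the final result a failure, and a password module without `use_first_pass` prompts for its own password. The following simulator is an added example (not code from this thread or from Linux-PAM) that models those rules and counts prompts. It replays martin's `login` and `pop/imap/su` stacks and Sergio's suggested stack, plus a constructed `DOUBLE_PROMPT` stack that is not from the thread but has the shape which produces the symptom Sunny describes (asked twice, then denied although the LDAP password is right). Module results (`LDAP_ONLY_USER`, `LOCAL_USER`) are constructed inputs, not real authentication; only `use_first_pass` is modelled, not `try_first_pass`.

```python
"""Simulator for Linux-PAM auth-stack control flags (added example).

Models required / requisite / sufficient / optional and counts password
prompts, to show why a stack without `use_first_pass` asks twice and why a
failed `required` module sinks the whole stack even when a later module
succeeds.  Module outcomes are constructed; nothing here talks to PAM or LDAP.
"""
from dataclasses import dataclass

# Modules that ask the user for a password unless told to reuse one.
PASSWORD_MODULES = {"pam_unix.so", "pam_unix_auth.so", "pam_ldap.so"}


@dataclass(frozen=True)
class Entry:
    control: str        # required | requisite | sufficient | optional
    module: str         # e.g. "pam_ldap.so"
    args: tuple = ()    # module arguments such as ("use_first_pass",)


def run_auth_stack(stack, outcomes):
    """Evaluate one `auth` stack top to bottom.

    outcomes maps module name -> True (PAM_SUCCESS) / False (failure);
    modules not listed are assumed to succeed (e.g. pam_nologin when
    /etc/nologin is absent).  Returns (authenticated, prompt_count, trace),
    trace being (module, control, result) for each module consulted.
    """
    prompts = 0
    required_failed = False
    trace = []
    for entry in stack:
        if entry.module in PASSWORD_MODULES:
            # use_first_pass reuses the password an earlier module collected;
            # with no earlier prompt the real module would fail instead, which
            # this simplified model does not distinguish.
            reuse = "use_first_pass" in entry.args and prompts > 0
            if not reuse:
                prompts += 1                     # module prompts the user itself
        ok = outcomes.get(entry.module, True)
        trace.append((entry.module, entry.control, ok))
        if entry.control == "required":
            if not ok:
                required_failed = True           # keep walking, but the stack fails
        elif entry.control == "requisite":
            if not ok:
                return False, prompts, trace     # fail immediately
        elif entry.control == "sufficient":
            if ok and not required_failed:
                return True, prompts, trace      # short-circuit: authenticated
        elif entry.control != "optional":
            raise ValueError(f"unknown control flag {entry.control!r}")
    return (not required_failed), prompts, trace


# martin's /etc/pam.d/login stack (auth lines only).
MARTIN_LOGIN = (
    Entry("required", "pam_securetty.so"),
    Entry("required", "pam_nologin.so"),
    Entry("sufficient", "pam_ldap.so"),
    Entry("required", "pam_unix_auth.so", ("use_first_pass",)),
)

# martin's pop/imap/su stack: pam_unix_auth carries no use_first_pass.
MARTIN_POP = (
    Entry("sufficient", "pam_ldap.so"),
    Entry("required", "pam_unix_auth.so"),
)

# Sergio's suggested stack.
SERGIO = (
    Entry("required", "pam_nologin.so"),
    Entry("sufficient", "pam_unix.so"),
    Entry("required", "pam_ldap.so", ("use_first_pass",)),
)

# Constructed stack (not from the thread): two required password modules,
# neither reusing the password.  Produces "asked twice, then denied".
DOUBLE_PROMPT = (
    Entry("required", "pam_unix.so"),
    Entry("required", "pam_ldap.so"),
)

# Constructed module outcomes for two kinds of user.
LDAP_ONLY_USER = {"pam_unix.so": False, "pam_unix_auth.so": False, "pam_ldap.so": True}
LOCAL_USER = {"pam_unix.so": True, "pam_unix_auth.so": True, "pam_ldap.so": False}


if __name__ == "__main__":
    stacks = [("login", MARTIN_LOGIN), ("pop/imap/su", MARTIN_POP),
              ("sergio", SERGIO), ("double-prompt", DOUBLE_PROMPT)]
    users = [("ldap-only user", LDAP_ONLY_USER), ("local user", LOCAL_USER)]
    for name, stack in stacks:
        for who, outcomes in users:
            ok, n, _ = run_auth_stack(stack, outcomes)
            print(f"{name:14s} {who:15s} authenticated={ok!s:5s} prompts={n}")
```

Running it shows the point both posters make: with `use_first_pass` on the second password module (martin's `login` stack, Sergio's stack) every user is prompted once, whatever order the two modules are in. The constructed `DOUBLE_PROMPT` stack prompts twice and still denies an LDAP-only user, because the first `required` module already failed before `pam_ldap` succeeded. The simulator also shows a caveat in martin's `pop/imap/su` stack: since `pam_unix_auth.so` there lacks `use_first_pass`, a local user whose LDAP bind fails is prompted a second time.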






