Re: Linux LDAP problem
I just finished an LDAP configuration successfully and found out that
the configuration is tricky - I had to be very careful. I had the same
problem with double passwords - the order in the PAM config files was wrong.
Also I found out that PAM was not able to bind to the server
anonymously, though I configured it in the slapd.conf. So I created a
Manager with read-only permission. For some reason my ldap.conf accepts
_only_ an IP in the host entry; everywhere else the domain name works.
My /etc/pam.d/login:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
session required /lib/security/pam_unix_session.so
/etc/pam.d/pop || imap || su
auth sufficient pam_ldap.so
auth required pam_unix_auth.so
account required pam_unix_acct.so
password required pam_unix_passwd.so
session required pam_unix_session.so
/etc/openldap/slapd.conf:
<--- snip --->
access to attr=userPassword
by self write
by dn="cn=Manager,dc=domain,dc=com" write
by dn="cn=pam,dc=domain,dc=com" read
by anonymous auth
by * none
access to *
by self write
by dn="cn=Manager,dc=domain,dc=com" write
by * read
</--- snip --->
/etc/libnss-ldap.conf:
<--- snip --->
binddn cn=pam,dc=domain,dc=com
bindpw xxxxxxxxx
<--- snip --->
This configuration works on my system:
Potato AXP, LDAP 2.0.11 (compiled)
martin
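The slapd.conf snippet above only works the way it does because slapd evaluates access directives first-match: the first "access to" whose target covers the attribute is the only one consulted, and inside it the first "by" clause whose <who> matches the requester decides. The following toy evaluator is an added example for this thread, not OpenLDAP code and not anything Martin posted; it parses the snippet as shown and answers the questions that matter here (can an anonymous session still do a simple bind, can the cn=pam account read the hash, can it write it). The entry DNs and the exact-match handling of dn="..." are assumptions of the model.

```python
"""Toy evaluator for slapd.conf 'access to' directives.

Added illustration, not OpenLDAP code. It keeps two first-match rules:
the first 'access to' whose target covers the attribute is the only one
consulted, and within it the first 'by' clause whose <who> matches the
requester decides. Privilege levels are ordered
none < auth < compare < search < read < write; a request is granted when
the matched level is at least the level the operation needs. A simple
bind needs 'auth' on userPassword and is checked while the requester is
still anonymous, which is why 'by anonymous auth' is needed for binds.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The snippet from Martin's slapd.conf, as posted in this thread.
SLAPD_CONF = """
access to attr=userPassword
        by self write
        by dn="cn=Manager,dc=domain,dc=com" write
        by dn="cn=pam,dc=domain,dc=com" read
        by anonymous auth
        by * none
access to *
        by self write
        by dn="cn=Manager,dc=domain,dc=com" write
        by * read
"""


def parse_acl(text):
    """Return [(target, [(who, level), ...])] in file order."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[:2] == ["access", "to"]:
            target = parts[2]
            if target.startswith("attr="):
                target = target[len("attr="):]
            acl.append((target, []))
        elif parts[0] == "by" and acl:
            who, level = parts[1], parts[2]
            if level not in LEVELS:
                raise ValueError("unknown access level %r" % level)
            acl[-1][1].append((who, level))
    return acl


def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        # Exact DN comparison: a simplification of slapd's dn matching.
        return requester is not None and requester.lower() == who[4:-1].lower()
    raise ValueError("unsupported <who> %r" % who)


def granted(acl, requester, entry_dn, attr, needed):
    """Does `requester` get `needed` access to `attr` of `entry_dn`?"""
    for target, clauses in acl:
        if target not in ("*", attr):
            continue  # this directive does not cover the attribute
        for who, level in clauses:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # directive matched but no <by> clause did: deny
    return False  # no directive covers the attribute: slapd denies


if __name__ == "__main__":
    acl = parse_acl(SLAPD_CONF)
    bob = "uid=bob,ou=people,dc=domain,dc=com"  # assumed entry DN
    pam = "cn=pam,dc=domain,dc=com"
    print("anonymous simple bind as bob:", granted(acl, None, bob, "userPassword", "auth"))
    print("anonymous reads bob's hash:  ", granted(acl, None, bob, "userPassword", "read"))
    print("cn=pam reads bob's hash:     ", granted(acl, pam, bob, "userPassword", "read"))
    print("cn=pam rewrites bob's hash:  ", granted(acl, pam, bob, "userPassword", "write"))
    print("bob changes own password:    ", granted(acl, bob, bob, "userPassword", "write"))
    print("anonymous reads bob's mail:  ", granted(acl, None, bob, "mail", "read"))
```

Running it shows the split the posted ACL makes: anonymous sessions get "auth" on userPassword (enough to bind as a user, not enough to read the hash), cn=pam gets read but not write, a user can write only their own entry. It also makes visible that the second directive's "by * read" hands anonymous sessions read access to every attribute other than userPassword, which is what the posted config does.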
Sergio Talens-Oliag wrote:
On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
Hey,
I've got a slight problem. At school we run two major networks: one half is
Novell Netware based, and the other half is Unix based. We basically want one
centralized system of authentication, so that users don't have to remember two
different passwords to use either system. We've been trying to get Linux to use
LDAP to authenticate with the Novell LDAP server, and have had no luck. We
know the Novell LDAP server is fine; however, something seems fishy with the
Linux side. The problem is that when using the PAM_LDAP modules, when a user
tries to log in, they are asked for a password twice: once for the normal
password, and the second time for the LDAP-based password. However, even if
you type in the correct passwords, LDAP says permission denied or
authentication failed. What makes it really odd is that at the same time the
Novell Netware server states it has seen the authenticated user, and even
gives it an OK to log in.
Anyone have any clue as to how to make it work? Are there any docs about
getting Netware+Linux+LDAP to work? Thanks for any info that you might pass
along. Have a nice day.
I think your problem is in your pam module configuration, I use something
like that for auth:
---
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so use_first_pass
---
With this setup the user is only asked once; if 'pam_unix' succeeds the user
is authorized, and if it fails 'pam_ldap' tries to authenticate using the
same password entered.
Hope this helps.
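Both working stacks in this thread (Martin's /etc/pam.d/login and Sergio's three auth lines) rest on the same two PAM rules: a "sufficient" module that succeeds ends the stack, and a password module marked use_first_pass reuses the password the previous module collected instead of prompting again. The toy model below is an added example for this thread, not Linux-PAM code and not a file any of the posters ran; it walks an auth stack with those rules, counts prompts, and runs the two posted stacks next to a constructed stack of the kind the original poster describes (pam_ldap first, pam_unix second, no use_first_pass). The account data and the assumption that pam_nologin and pam_securetty pass are constructed for the example.

```python
"""Toy model of how Linux-PAM walks an 'auth' stack.

Added illustration, not Linux-PAM code. It models only what this thread
turns on: the 'required', 'requisite' and 'sufficient' control flags and
the use_first_pass option, enough to show why one module order prompts
for a password twice while the posted orders prompt once.
"""

# Constructed account data: the local shadow file knows 'alice',
# the LDAP directory knows 'bob'. Nobody knows 'mallory'.
UNIX_USERS = {"alice": "unix-secret"}
LDAP_USERS = {"bob": "ldap-secret"}

# Modules that ask the user for a password; pam_nologin/pam_securetty do not.
PASSWORD_MODULES = {"pam_unix.so", "pam_unix_auth.so", "pam_ldap.so"}


def parse_auth_stack(text):
    """Return [(control_flag, module_basename, set(options))] for 'auth' lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "auth":
            continue
        flag, module, *opts = parts[1:]
        stack.append((flag, module.rsplit("/", 1)[-1], set(opts)))
    return stack


def module_result(module, user, password):
    """What each module answers for this (user, password) in the model."""
    if module not in PASSWORD_MODULES:
        return True  # pam_nologin, pam_securetty: assumed to pass here
    if password is None:
        return False  # use_first_pass with nothing collected yet
    if module == "pam_ldap.so":
        return LDAP_USERS.get(user) == password
    return UNIX_USERS.get(user) == password


def run_auth(stack, user, typed):
    """Evaluate an auth stack; `typed` is what the user enters at each prompt.

    Returns (outcome, number_of_prompts).
      required   - a failure is remembered but the stack keeps running
      requisite  - a failure ends the stack immediately
      sufficient - a success with no earlier required failure ends the
                   stack with success; a failure is simply ignored
    A password module prompts unless it has use_first_pass, in which case it
    reuses the password stored by the module that prompted before it.
    """
    prompts = 0
    authtok = None
    required_failed = False
    for flag, module, opts in stack:
        password = None
        if module in PASSWORD_MODULES:
            if "use_first_pass" in opts:
                password = authtok
            else:
                password = typed[prompts] if prompts < len(typed) else None
                prompts += 1
                authtok = password
        ok = module_result(module, user, password)
        if flag == "sufficient" and ok and not required_failed:
            return "success", prompts
        if flag == "requisite" and not ok:
            return "failure", prompts
        if flag == "required" and not ok:
            required_failed = True
    return ("failure" if required_failed else "success"), prompts


# Constructed stack of the kind the original poster describes: pam_ldap
# prompts, fails for a local user, then pam_unix prompts a second time.
DOUBLE_PROMPT = """
auth sufficient pam_ldap.so
auth required   pam_unix_auth.so
"""

# Martin's /etc/pam.d/login auth lines, as posted in this thread.
MARTIN_LOGIN = """
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so use_first_pass
"""

# Sergio's stack, as posted in this thread.
SERGIO = """
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so use_first_pass
"""


def compare():
    """Run each stack for a local user, an LDAP user and an unknown user."""
    results = {}
    for name, text in (("double", DOUBLE_PROMPT), ("martin", MARTIN_LOGIN), ("sergio", SERGIO)):
        stack = parse_auth_stack(text)
        results[name] = {
            "alice": run_auth(stack, "alice", ["unix-secret", "unix-secret"]),
            "bob": run_auth(stack, "bob", ["ldap-secret", "ldap-secret"]),
            "mallory": run_auth(stack, "mallory", ["guess", "guess"]),
        }
    return results


if __name__ == "__main__":
    for name, users in compare().items():
        print(name, users)
```

The constructed stack prompts the local user twice because pam_ldap fails quietly (sufficient) and pam_unix_auth, lacking use_first_pass, asks again; both posted stacks prompt once for every user, and the unknown user is refused after one prompt in all three. Which module goes first only decides which directory is consulted first; the prompt count is decided by use_first_pass on whatever password module comes second.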