Re: [pamldap] pam_ldap.so and Debian...making it work!

[Tim Jordan <timothy_jordan@labor.state.ak.us>]

Thanks Bren, your login config did get pam_ldap to check authentication.  

I did run into a few issues in the auth.log which prompted a few questions:

>From the auth.log:
>    PAM pam_parse: expecting return value; [...module_unkown=ignore default=die success=done >    user_unkown=ignore system_err=ignore service_err=ignore authinfo_unavail=ignore]

Is this due to my syntax being incorrect in pam.d/login?
---------------
>   FAILED LOGIN (1) on 'tty1' FOR 'root', Authentication service cannot retrieve authentication info.

I must be able to login as atleast 'root'....does your config limit this option?
-----------------
>  pam_ldap: ldap_simple_bind cannot contact LDAP server.

I did a simple bind search against the LDAP server prior to changing my pam.d/login then rebooted...perhaps slapd didn't restart...I'll check that.


Thanks again,
TJ



> On Thu, 2004-04-29 at 09:01, Tim Jordan wrote:
> > I noticed that the common-session is included under the login config. 
> > Although; I can't think of what session would have to do with user
> > authentication. 
> > 
> > Also, since there is "auth" lines in the login config perhaps I should
> > include the pam_ldap.so at the top of the login config?  
> > 
> > **I included comments showing how the respective config file is set.**
> > 
> > Debian Testing /etc/pam.d/login:
> > auth        requisite        pam_securetty.so     #Disallows root
> > logins except on tty's..
> > auth        requisite        pam_nologin.so     #Disallows other than
> > root logins when /etc/nologin exist
> > auth        required        pam_env.so          #Parses
> > /etc/environment
> > 
> > @include    common-auth                   #auth    required   
> > pam_login.so
> > @include    common-account             #account     required   
> > pam_login.so
> > @include    common-session             #session    required   
> > pam_unix.so
> > 
> > session        optional    pam_lastlog.so # prints last login info
> > upon succesful login
> > session        optional    pam_motd.so  # prints the motd upon
> > succesful loing
> > session        optional    pam_mail.so    standard    noenv # prints
> > status of users mbx upon login
> > 
> > 
> > Is there a "test" that would ensure that pam_ldap.so is being called? 
> > Just looking at the auth.log is not providing much except pam_unix.so
> > entries.
> > 
> > Thanks,
> > Tim Jordan
On Fri, 2004-04-30 at 06:46, Brendon Colby wrote:
> I just modified /etc/pam.d/login a little:
>
> auth       requisite  pam_securetty.so
> auth       requisite  pam_nologin.so
> auth       required   pam_env.so
> auth       required   pam_ldap.so
> auth       required   pam_unix.so nullok use_first_pass
> account   [module_unknown=ignore default=die success=done
> user_unknown=ignore \
>            system_err=ignore service_err=ignore authinfo_unavail=ignore]
> \
>            pam_ldap.so
> account    required   pam_unix.so 
> session    required   pam_unix.so
> session    optional   pam_lastlog.so
> session    optional   pam_motd.so
> session    optional   pam_mail.so standard noenv
> password   sufficient pam_ldap.so
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
>
>
> This is off a stock Debian Woody box. Local logins do auth against LDAP.
> It works great, unless my LDAP server is unavailable. Then, the box is
> locked out. This is why I haven't put this into production yet.
>
> If you want ssh to auth against LDAP, then you have to modify
> /etc/pam.d/ssh using the same lines as above.