Re: problemes amb el login des de ldap
A Dissabte 05 Febrer 2005 16:51, Albert Sellarès va escriure:
> Primer de tot, demanar-te dsiculpes per si et faig preguntes referents a
> passos q hagis pogut seguir, ja que no m'he llegit cap d'aquests
> articles q has anomenat, i per tant no se molt bé quins passos has pogut
> segir.
trankil, no t'has de disculpar!
> M'imagino que la teva intenció és tenir tota l'autenticació
> centralitzada per a tots els serveis que en requereixin....
exàcte!!!
> Viam, si dius que fent el su a la màquina on està el client s'et logueja
> l'usuari, és q el client obté bé les dades dl servidor ldap, llavors lo
> més provable seria que el password estiguès malament, tot i q per
> l'error que has dit q et donava, crec q serà una altre cosa...
>
> prova de fer des de la màquina client:
>
> com a root:
> passwd wallas85
em diu:
passwd: Authentication token manipulation error
> i li poses un password ben senzill, llavors fes:
però això ho he fet via phpldapadmin (i a més he posat que no estigui
encriptada)
> su wallas85
m'entra a l'usuari però em diu això:
su: Authentication service cannot retrieve authentication info.
(Ignorat)
i a /var/log/auth.log em surt això:
localhost su[XXXX]: pam_ldap: error trying to bind (Invalid credentials)
localhost su[XXXX]: + pts/0 root:wallas85
localhost su[XXXX]: (pam_unix) session opened for user wallas85 by root(uid=0)
> i un cop loguejat, prova de canviar-li el passowrd. Et demanarà el que
> li has posat avans....
si des de dins l'usuari wallas85 faig: "$passwd wallas85" em sur això:
Changing password for wallas85
(current) UNIX password: (aquí jo poso la contrassenya, que és molt sensilleta
que l'acabo de canviar com he comentat)
passwd: Authentication token manipulation error
> Si et deixa, llavors prova d'autentificar-te amb els diferents serveis
> aviam si n'hi ha algun q et deixi.
>
> En cas de fallar la prova, envia la següent info:
>
> ls /etc/pam.d
chfn, common-auth, common-session, passwd, ssh, chsh, imap, pop3, su,
common-account, common-password, cron, login, ppp, cupsys, other, samba
> cat /etc/pam.conf
rest, tot el que hi ha està comentat
> cat /etc/pam.d/su
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session required pam_limits.so
> cat /etc/pam.d/ssh
# Disallow non-root logins when /etc/nologin exists.
auth required pam_nologin.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# Standard Un*x authentication.
@include common-auth
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Standard Un*x password updating.
@include common-password
> cat /etc/pam.d/passwd
@include common-password
> cat /etc/pam_ldap.conf
host gandalf.lothlorien
# The distinguished name of the search base.
base dc=lothlorien
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw 1
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=lothlorien
# The port.
# Optional: default is 389.
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password exop
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
#pam_password local
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your
password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=people,dc=gsr,dc=pt?one
#nss_base_shadow ou=people,dc=gsr,dc=pt?one
#nss_base_group ou=groups,dc=gsr,dc=pt?one
#nss_base_hosts ou=machines,dc=gsr,dc=pt?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl off
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
> ls -l /etc/ldap_secret
-rw-r--r-- 1 root root 39 2005-01-13 21:53 /etc/ldap.secret
> cat /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files ldap dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap nis
> ps aux | grep nscd
nscd 2295 0.0 1.6 48204 2632 ? Ss 22:26 0:00 /usr/sbin/nscd
> ls /etc/ldap/
ldap.conf ldap.conf.bak schema slapd.conf slapd.conf.bak ssl
> cat /etc/ldap/ldap.conf
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
# Your LDAP server. Must be resolvable without using LDAP.
HOST gandalf.lothlorien
# The distinguished name of the search base.
BASE dc=lothlorien
# The port.
# Optional: default is 389. 636 is for ldaps
PORT 389
#PORT 636
> cat /etc/ldap/sldap.conf
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/samba.schema
#include /etc/ldap/schema/pykota.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_ldbm
#######################################################################
# Specific Backend Directives for ldbm:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend ldbm
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type ldbm:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database ldbm
# The base of your directory in database #1
suffix "dc=lothlorien"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Requerido por OpenLDAP
index objectclass eq
index default sub
index cn pres,sub,eq
index sn pres,sub,eq
# Requerido para soportar pdb_getsampwnam
index uid pres,sub,eq
# Requerido para soportar pdb_getsambapwrid()
index displayName pres,sub,eq
# Descomente las siguientes líneas si está almacenando entradas
# posixAccount y posixGroup en el directorio
index uidNumber eq
index gidNumber eq
index memberUid eq
# Samba 3.*
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# PyKota
#index pykotaUserName pres,eq,sub
#index pykotaGroupName pres,eq,sub
#index pykotaPrinterName pres,eq,sub
#index pykotaLastJobIdent eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attribute=userPassword
by dn="cn=admin,dc=lothlorien" write
by anonymous auth
by self write
by * none
# allow the "ldap admin dn" access, but deny everyone else
# (Samba related)
access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=lothlorien" write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=lothlorien" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=gsr,dc=pt" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be ldbm too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
>
>
> Si has tocat algun altre arxiu que creguis important tb, així com si
> algun d'aquests arxius es diuen algo diferents.
gandalf:/etc/pam.d# cat common-account
# /etc/pam.d/common-account - authorization settings common to all services
account required pam_unix.so
account sufficient pam_ldap.so
gandalf:/etc/pam.d# cat common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
auth sufficient pam_unix.so
auth sufficient pam_ldap.so try_first_pass
auth required pam_env.so
auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
gandalf:/etc/pam.d# cat common-password
# /etc/pam.d/common-password - password-related modules common to all services
password required pam_cracklib.so retry=3 minlen=6 difok=4
password sufficient pam_unix.so use_authtok md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_warn.so
password required pam_deny.so
gandalf:/etc/pam.d# cat common-session
# /etc/pam.d/common-session - session-related modules common to all services
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
> Sort!
a veure si en tinc. gràcies per l'ajuda!
guillem
Reply to: