Re: Help with OpenLDAP for remote authentication
2008/3/27, Manuel García <mannyto@gmail.com>:
> On Fri, Mar 28, 2008 at 8:16 AM, andres sarmiento <coolpixgnu@gmail.com> wrote:
> > Dear all:
> > I currently have a server running Debian Etch on which I installed
> > openldap. The server is currently up and works locally.
> > The problem arises when I need to authenticate a remote user.
> >
> > If a user created in LDAP authenticates via SSH there is no problem.
> > The problem occurs when that user needs to authenticate from
> > another application, for example via the web.
> > I would appreciate some guidance. I followed this howto:
> > http://moduli.net/sysadmin/sarge-ldap-auth-howto.html
> >
> > I followed all the steps, but nothing happens.
> > I attach the configuration files slapd.conf, pam_ldap.conf and nsswitch.conf
> >
> > ### For slapd.conf ####################################
> > john:/home/andres# cat /etc/ldap/slapd.conf
> > # This is the main slapd configuration file. See slapd.conf(5) for more
> > # info on the configuration options.
> >
> > #######################################################################
> > # Global Directives:
> >
> > # Features to permit
> > #allow bind_v2
> >
> > # Schema and objectClass definitions
> > include /etc/ldap/schema/core.schema
> > include /etc/ldap/schema/cosine.schema
> > include /etc/ldap/schema/nis.schema
> > include /etc/ldap/schema/inetorgperson.schema
> >
> > # Where the pid file is put. The init.d script
> > # will not stop the server if you change this.
> > pidfile /var/run/slapd/slapd.pid
> >
> > # List of arguments that were passed to the server
> > argsfile /var/run/slapd/slapd.args
> >
> > # Read slapd.conf(5) for possible values
> > loglevel 0
> >
> > # Where the dynamically loaded modules are stored
> > modulepath /usr/lib/ldap
> > moduleload back_bdb
> >
> > # The maximum number of entries that is returned for a search operation
> > sizelimit 500
> >
> > # The tool-threads parameter sets the actual amount of cpu's that is used
> > # for indexing.
> > tool-threads 1
> >
> > #######################################################################
> > # Specific Backend Directives for bdb:
> > # Backend specific directives apply to this backend until another
> > # 'backend' directive occurs
> > backend bdb
> > checkpoint 512 30
> >
> > #######################################################################
> > # Specific Backend Directives for 'other':
> > # Backend specific directives apply to this backend until another
> > # 'backend' directive occurs
> > #backend <other>
> >
> > #######################################################################
> > # Specific Directives for database #1, of type bdb:
> > # Database specific directives apply to this databasse until another
> > # 'database' directive occurs
> > database bdb
> >
> > # The base of your directory in database #1
> > suffix "dc=ldap,dc=spcservices,dc=com"
> >
> > # rootdn directive for specifying a superuser on the database. This is needed
> > # for syncrepl.
> > # rootdn "cn=admin,dc=ldap,dc=spcservices,dc=com"
> >
> > # Where the database file are physically stored for database #1
> > directory "/var/lib/ldap"
> >
> > # For the Debian package we use 2MB as default but be sure to update this
> > # value if you have plenty of RAM
> > dbconfig set_cachesize 0 2097152 0
> >
> > # Sven Hartge reported that he had to set this value incredibly high
> > # to get slapd running at all. See http://bugs.debian.org/303057
> > # for more information.
> >
> > # Number of objects that can be locked at the same time.
> > dbconfig set_lk_max_objects 1500
> > # Number of locks (both requested and granted)
> > dbconfig set_lk_max_locks 1500
> > # Number of lockers
> > dbconfig set_lk_max_lockers 1500
> >
> > # Indexing options for database #1
> > index objectClass eq
> >
> > # Save the time that the entry gets modified, for database #1
> > lastmod on
> >
> > # Where to store the replica logs for database #1
> > # replogfile /var/lib/ldap/replog
> >
> > # The userPassword by default can be changed
> > # by the entry owning it if they are authenticated.
> > # Others should not be able to see it, except the
> > # admin entry below
> > # These access lines apply to database #1 only
> > access to attrs=userPassword,shadowLastChange,gecos
> > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > by self write
> > by * read
> >
> > # Ensure read access to the base for things like
> > # supportedSASLMechanisms. Without this you may
> > # have problems with SASL not knowing what
> > # mechanisms are available and the like.
> > # Note that this is covered by the 'access to *'
> > # ACL below too but if you change that as people
> > # are wont to do you'll still need this if you
> > # want SASL (and possible other things) to work
> > # happily.
> > access to dn.base="" by * read
> >
> > # The admin dn has full write access, everyone else
> > # can read everything.
> > access to *
> > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > by * read
> >
> > # For Netscape Roaming support, each user gets a roaming
> > # profile for which they have write access to
> > #access to dn=".*,ou=Roaming,o=morsnet"
> > # by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > # by dnattr=owner write
> >
> > #######################################################################
> > # Specific Directives for database #2, of type 'other' (can be bdb too):
> > # Database specific directives apply to this databasse until another
> > # 'database' directive occurs
> > #database <other>
> >
> > # The base of your directory for database #2
> > #suffix "dc=debian,dc=org"
> >
> > ###########################################################################
> > For /etc/ldap/ldap.conf
> >
> > john:/home/andres# cat /etc/ldap/ldap.conf
> > # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
> > #
> > # LDAP Defaults
> > #
> >
> > # See ldap.conf(5) for details
> > # This file should be world readable but not world writable.
> >
> > BASE dc=ldap,dc=spcservices,dc=com
> > URI ldap://172.31.20.3
> >
> > #SIZELIMIT 12
> > #TIMELIMIT 15
> > #DEREF never
> >
> > ############################################################################
> > For /etc/nsswitch.conf
> >
> > john:/home/andres# cat /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: ldap compat
> > group: ldap compat
> > shadow: compat
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> >
> >
> > Thanks in advance for any replies, as I cannot find a way to make it
> > work.
> > Best regards
> >
> >
>
>
> In /etc/nsswitch.conf you should have:
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
>
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
>
> and in /etc/pam.d/ you should have a configuration file for
> authentication in apache or whichever web server you are using, which
> contains:
>
> @include common-auth
> @include common-account
>
> that should be enough.
>
> I also recommend using phpldapadmin to manage the ldap.
>
>
>
> --
> Manuel Garcia
> Network and server administrator
> Corporacion Lynqus
> Debian GNU/Linux 4.1
> codename "Lenny"
>
Thanks a lot Manuel for the help, I modified the file
/etc/nsswitch.conf and installed phpldapadmin, but I don't quite understand
the part about the PAM file.
I'm attaching the output of the files, maybe I have something misconfigured:
######## For /etc/pam.d/common-account
john:~# cat /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
#account required pam_unix.so
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
#### For /etc/pam.d/common-session
john:~# cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
### For /etc/pam.d/common-auth
john:~# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
#auth required pam_unix.so nullok_secure
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
Well, that is the PAM configuration. I can tell you that I am able to log in and
change a user's password from another computer with the command:
ldappasswd -x -D cn=admin,dc=ldap,dc=spcservices,dc=com -W -S
uid=nihat,ou=people,dc=ldap,dc=spcservices,dc=com -h 172.31.20.3
I find it strange that it cannot be done from another application.
I look forward to your comments.
Regards and have a nice day!!!
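One thing worth checking in the slapd.conf quoted earlier in this thread, independently of the PAM question: the comment above the `userPassword` ACL says others should not be able to see it, but the clause ends with `by * read`, which lets every bind, anonymous ones included, read the password hashes of all users. The following is an added example, not code from any post in the thread. It parses slapd.conf-style `access to ... by ...` directives with OpenLDAP's first-match semantics (first matching `access to` clause decides an attribute, first matching `by` line decides a requester) and reports which sensitive attributes the catch-all `by *` leaves readable. The two sample ACLs are constructed: the weak one is taken from the thread, the hardened one is the shape the Debian package ships by default (`by anonymous auth` and `by * none`), which still lets simple binds succeed because a bind only needs `auth`, not `read`.

```python
"""Flag password attributes that an OpenLDAP slapd.conf ACL leaves world-readable.

Added example for this thread, not code from the original posts. It parses
slapd.conf-style "access to <what> by <who> <level>" directives and models
the two evaluation rules that matter here: the first "access to" clause whose
target covers an attribute decides that attribute, and within a clause the
first "by" line matching the requester wins, so "by *" sets the level for
everyone not matched by an earlier line, anonymous binds included.
"""
import re
from typing import List, Tuple

# Named access levels in increasing privilege; granting a level implies every
# lower one (so "read" also allows "auth"). Only these named levels are handled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Attributes whose disclosure to arbitrary readers is a password-exposure issue.
SENSITIVE_ATTRS = {"userpassword", "shadowlastchange"}

Clause = Tuple[str, List[Tuple[str, str]]]  # (what, [(who, level), ...])

# Constructed sample: the ACL from the slapd.conf quoted in the thread. The
# comment above it in the file says others should not see userPassword, but
# "by * read" grants exactly that to everyone who is not admin or self.
WEAK_ACL = """
access to attrs=userPassword,shadowLastChange,gecos
        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
        by self write
        by * read
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
        by * read
"""

# Constructed sample: the same ACL in the Debian-default shape, where anonymous
# binds may only authenticate against the password and nobody else can read it.
# Simple binds still work because "auth" is all a bind needs.
HARDENED_ACL = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
        by * read
"""


def _logical_lines(conf: str) -> List[str]:
    """Join slapd.conf continuation lines (leading whitespace) and drop comments."""
    out: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_access_clauses(conf: str) -> List[Clause]:
    """Return every 'access to' directive as (what, [(who, level), ...])."""
    clauses: List[Clause] = []
    for line in _logical_lines(conf):
        m = re.match(r"access\s+to\s+(.+?)\s+(by\s.*)$", line, re.IGNORECASE)
        if not m:
            continue
        grants = re.findall(r"\bby\s+(\S+)\s+(\S+)", m.group(2), re.IGNORECASE)
        clauses.append((m.group(1), [(who, level.lower()) for who, level in grants]))
    return clauses


def _covers(what: str, attr: str) -> bool:
    """Does the clause target cover attr? '*' covers every attribute and
    'attrs=a,b' the listed ones; dn-only targets scope entries rather than
    attributes and are skipped here (an approximation)."""
    if what.strip() == "*":
        return True
    m = re.search(r"attrs=(\S+)", what, re.IGNORECASE)
    return bool(m) and attr.lower() in {a.lower() for a in m.group(1).split(",")}


def catch_all_level(conf: str, attr: str) -> str:
    """Level that 'by *' grants on attr in the first clause covering it. When no
    'by' line matches, slapd denies access, hence the 'none' default."""
    for what, grants in parse_access_clauses(conf):
        if _covers(what, attr):
            return next((level for who, level in grants if who == "*"), "none")
    return "none"


def world_readable_password_attrs(conf: str) -> List[str]:
    """Sorted sensitive attributes that everyone (anonymous included) may read."""
    def rank(level: str) -> int:
        return LEVELS.index(level) if level in LEVELS else 0
    return sorted(a for a in SENSITIVE_ATTRS
                  if rank(catch_all_level(conf, a)) >= LEVELS.index("read"))


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "world-readable:", world_readable_password_attrs(acl))
```

Run against the thread's ACL the check reports both `userpassword` and `shadowlastchange` as readable by everyone; against the hardened form it reports nothing, while `gecos` stays readable through the later `access to *` clause, which is what the file's own comments describe as the intent.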