2008/3/27, Manuel García <mannyto@gmail.com>: > On Fri, Mar 28, 2008 at 10:51 AM, andres sarmiento <coolpixgnu@gmail.com> wrote: > > > > 2008/3/27, Manuel García <mannyto@gmail.com>: > > > On Fri, Mar 28, 2008 at 8:16 AM, andres sarmiento <coolpixgnu@gmail.com> wrote: > > > > Estimados: > > > > Actualmente tengo instalado un servidor con Debian Etch al cual le > > > > instalé openldap. El serv idor actualmente está levantado y funciona > > > > localmente. > > > > El problema radica cuando necesito autenticar a un usuario remoto. > > > > > > > > Si un usuario creado con ldap se autentica vía SSH no ocurre problema. > > > > el problema, ocurre cuando dicho usuario necesita autenticarse desde > > > > otra aplicación. Por ejemplo vía Web. > > > > Agradecería si me pueden orientar. Seguí el siguiente Howto: > > > > http://moduli.net/sysadmin/sarge-ldap-auth-howto.html > > > > > > > > Y seguí todos los pasos, pero no ocurre nada. > > > > Adjunto los archivos de configuración de slapd.conf, pam_ldap.com nsswitch.conf > > > > > > > > ### Para slapd.conf #################################### > > > > john:/home/andres# cat /etc/ldap/slapd.conf > > > > # This is the main slapd configuration file. See slapd.conf(5) for more > > > > # info on the configuration options. > > > > > > > > ####################################################################### > > > > # Global Directives: > > > > > > > > # Features to permit > > > > #allow bind_v2 > > > > > > > > # Schema and objectClass definitions > > > > include /etc/ldap/schema/core.schema > > > > include /etc/ldap/schema/cosine.schema > > > > include /etc/ldap/schema/nis.schema > > > > include /etc/ldap/schema/inetorgperson.schema > > > > > > > > # Where the pid file is put. The init.d script > > > > # will not stop the server if you change this. > > > > pidfile /var/run/slapd/slapd.pid > > > > > > > > # List of arguments that were passed to the server > > > > argsfile /var/run/slapd/slapd.args > > > > > > > > # Read slapd.conf(5) for possible values > > > > loglevel 0 > > > > > > > > # Where the dynamically loaded modules are stored > > > > modulepath /usr/lib/ldap > > > > moduleload back_bdb > > > > > > > > # The maximum number of entries that is returned for a search operation > > > > sizelimit 500 > > > > > > > > # The tool-threads parameter sets the actual amount of cpu's that is used > > > > # for indexing. > > > > tool-threads 1 > > > > > > > > ####################################################################### > > > > # Specific Backend Directives for bdb: > > > > # Backend specific directives apply to this backend until another > > > > # 'backend' directive occurs > > > > backend bdb > > > > checkpoint 512 30 > > > > > > > > ####################################################################### > > > > # Specific Backend Directives for 'other': > > > > # Backend specific directives apply to this backend until another > > > > # 'backend' directive occurs > > > > #backend <other> > > > > > > > > ####################################################################### > > > > # Specific Directives for database #1, of type bdb: > > > > # Database specific directives apply to this databasse until another > > > > # 'database' directive occurs > > > > database bdb > > > > > > > > # The base of your directory in database #1 > > > > suffix "dc=ldap,dc=spcservices,dc=com" > > > > > > > > # rootdn directive for specifying a superuser on the database. This is needed > > > > # for syncrepl. > > > > # rootdn "cn=admin,dc=ldap,dc=spcservices,dc=com" > > > > > > > > # Where the database file are physically stored for database #1 > > > > directory "/var/lib/ldap" > > > > > > > > # For the Debian package we use 2MB as default but be sure to update this > > > > # value if you have plenty of RAM > > > > dbconfig set_cachesize 0 2097152 0 > > > > > > > > # Sven Hartge reported that he had to set this value incredibly high > > > > # to get slapd running at all. See http://bugs.debian.org/303057 > > > > # for more information. > > > > > > > > # Number of objects that can be locked at the same time. > > > > dbconfig set_lk_max_objects 1500 > > > > # Number of locks (both requested and granted) > > > > dbconfig set_lk_max_locks 1500 > > > > # Number of lockers > > > > dbconfig set_lk_max_lockers 1500 > > > > > > > > # Indexing options for database #1 > > > > index objectClass eq > > > > > > > > # Save the time that the entry gets modified, for database #1 > > > > lastmod on > > > > > > > > # Where to store the replica logs for database #1 > > > > # replogfile /var/lib/ldap/replog > > > > > > > > # The userPassword by default can be changed > > > > # by the entry owning it if they are authenticated. > > > > # Others should not be able to see it, except the > > > > # admin entry below > > > > # These access lines apply to database #1 only > > > > access to attrs=userPassword,shadowLastChange,gecos > > > > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write > > > > by self write > > > > by * read > > > > > > > > # Ensure read access to the base for things like > > > > # supportedSASLMechanisms. Without this you may > > > > # have problems with SASL not knowing what > > > > # mechanisms are available and the like. > > > > # Note that this is covered by the 'access to *' > > > > # ACL below too but if you change that as people > > > > # are wont to do you'll still need this if you > > > > # want SASL (and possible other things) to work > > > > # happily. > > > > access to dn.base="" by * read > > > > > > > > # The admin dn has full write access, everyone else > > > > # can read everything. > > > > access to * > > > > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write > > > > by * read > > > > > > > > # For Netscape Roaming support, each user gets a roaming > > > > # profile for which they have write access to > > > > #access to dn=".*,ou=Roaming,o=morsnet" > > > > # by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write > > > > # by dnattr=owner write > > > > > > > > ####################################################################### > > > > # Specific Directives for database #2, of type 'other' (can be bdb too): > > > > # Database specific directives apply to this databasse until another > > > > # 'database' directive occurs > > > > #database <other> > > > > > > > > # The base of your directory for database #2 > > > > #suffix "dc=debian,dc=org" > > > > > > > > ###########################################################################33 > > > > Para /etc/ldap/ldap.conf > > > > > > > > john:/home/andres# cat /etc/ldap/ldap.conf > > > > # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 > > > > 19:57:01 kurt Exp $ > > > > # > > > > # LDAP Defaults > > > > # > > > > > > > > # See ldap.conf(5) for details > > > > # This file should be world readable but not world writable. > > > > > > > > BASE dc=ldap,dc=spcservices,dc=com > > > > URI ldap://172.31.20.3 > > > > > > > > #SIZELIMIT 12 > > > > #TIMELIMIT 15 > > > > #DEREF never > > > > > > > > ############################################################################ > > > > para /etc/nsswitch.conf > > > > > > > > john:/home/andres# cat /etc/nsswitch.conf > > > > # /etc/nsswitch.conf > > > > # > > > > # Example configuration of GNU Name Service Switch functionality. > > > > # If you have the `glibc-doc-reference' and `info' packages installed, try: > > > > # `info libc "Name Service Switch"' for information about this file. > > > > > > > > passwd: ldap compat > > > > group: ldap compat > > > > shadow: compat > > > > > > > > hosts: files dns > > > > networks: files > > > > > > > > protocols: db files > > > > services: db files > > > > ethers: db files > > > > rpc: db files > > > > > > > > netgroup: nis > > > > > > > > > > > > > > > > Agradezco las las respuestas, ya que no encuentro la menera de hacerlo > > > > funcionar. > > > > Saludos Cordiales > > > > > > > > > > > > > > > > > En /etc/nsswitch.conf deberias tener: > > > > > > > > > # /etc/nsswitch.conf > > > # > > > # Example configuration of GNU Name Service Switch functionality. > > > # If you have the `glibc-doc-reference' and `info' packages installed, try: > > > # `info libc "Name Service Switch"' for information about this file. > > > > > > > > > passwd: files ldap > > > group: files ldap > > > shadow: files ldap > > > > > > > > > hosts: files dns > > > networks: files > > > > > > protocols: db files > > > services: db files > > > ethers: db files > > > rpc: db files > > > > > > netgroup: nis > > > > > > > > > > > > y en /etc/pam.d/ deberias tener un archivo de configuración para la > > > autenticación en apache o el servidro web que estés usando, que > > > contenga: > > > > > > @include common-auth > > > @include common-account > > > > > > eso deberia ser suficiente. > > > > > > además te recomiendo el uso de phpldapadmin para el manejo del ldap. > > > > > > > > > > > > -- > > > Manuel Garcia > > > Administrador de redes y servidores > > > Corporacion Lynqus > > > Debian GNU/Linux 4.1 > > > codename "Lenny" > > > > > > > Muchas gracias manuel por la ayuda, modifiqué el archivo > > /etc/nsswitch.conf. E instalé phpldapadmin, peor no comprendo bien lo > > del archivo PAM > > > > Te adjunto la salida dela rchivo, quizás tengo algo mal configurado: > > > > ######## Para /etc/pam.d/common-account > > > > john:~# cat /etc/pam.d/common-account > > # > > # /etc/pam.d/common-account - authorization settings common to all services > > # > > # This file is included from other service-specific PAM config files, > > # and should contain a list of the authorization modules that define > > # the central access policy for use on the system. The default is to > > # only deny service to users whose accounts are expired in /etc/shadow. > > # > > #account required pam_unix.so > > account sufficient pam_unix.so > > account sufficient pam_ldap.so > > account required pam_deny.so > > > > #### Para /etc/pam.d/common-session > > > > john:~# cat /etc/pam.d/common-session > > # > > # /etc/pam.d/common-session - session-related modules common to all services > > # > > # This file is included from other service-specific PAM config files, > > # and should contain a list of modules that define tasks to be performed > > # at the start and end of sessions of *any* kind (both interactive and > > # non-interactive). The default is pam_unix. > > # > > session required pam_unix.so > > > > ### Para /etc/pam.d/common-auth > > > > john:~# cat /etc/pam.d/common-auth > > # > > # /etc/pam.d/common-auth - authentication settings common to all services > > # > > # This file is included from other service-specific PAM config files, > > # and should contain a list of the authentication modules that define > > # the central authentication scheme for use on the system > > # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the > > # traditional Unix authentication mechanisms. > > # > > #auth required pam_unix.so nullok_secure > > auth sufficient pam_unix.so > > auth sufficient pam_ldap.so use_first_pass > > auth required pam_deny.so > > > > > > > > Bueno esa es la configuración de PAM. Te cuento que puedo loguearme y > > cambiar la password de un usuario desde otro computaror mediante el > > comando: > > > > ldappasswd -x -D cn=admin,dc=ldap,dc=spcservices,dc=com -W -S > > uid=nihat,ou=people,dc=ldap,dc=spcservices,dc=com -h 172.31.20.3 > > > > > > Ecuentro extraño que no se pueda realizar desde otra aplicación. > > > > Quedo atento a los comentarios > > Saludos y Feliz día!!! > > > > > > > en /etc/pam.d/ debes tener un archivo para cada aplicación, samba, > apache, ssh, etc > > > -- > > Manuel Garcia > Administrador de redes y servidores > Corporacion Lynqus > Debian GNU/Linux 4.1 > codename "Lenny" > Ok, pero el apache en este caso es remoto, es decir que noe esta instalado en la máquina con LDAP. Mira, te explico: Gateway con Astaro (firewall de seguridad, etc,etc) Servidor Debian (Ldap) Entonces necesito cominicar a gateway astaro con servidor Debian. Entonces no comprendo configurar un archivo para astaro dentro de /etc/pam.d/ en servidor Debian Adjunto una imagen de la configuración de LDAP desde Astaro Saludos y muchas gracias
Attachment:
ldap.PNG
Description: PNG image