
LDAP Authentication issue.



Hi

I'm a relative newcomer to Debian (via Xandros), but I've been using
other *nixes for many years. I'm running version 3.1.

I've set up an openldap server, and installed the libnss-ldap and
libpam-ldap packages. The plan is to use LDAP as backend for about 150
hosts, running many different flavours of unix, mostly Solaris 8 and
RHAS 3.

The LDAP server is configured to allow the directory Manager to see and
change anything; other users can't look at passwords (I'll tighten that
up later, to stop users changing their own shells and the like). This
is testable on the command line using ldapsearch and works as expected.

/etc/nsswitch.conf has been reconfigured to use LDAP after files for
the password, shadow and group backends. /etc/libnss-ldap.conf has been
appropriately configured. This works and can be tested using getent
passwd another

/etc/pam_ldap.conf contains almost entirely the default settings.

My problem is that local logins for the new (ldap only) users don't
work where password authentication is required:-

[tm2yarmc@EXA10262 ~]$ sudo su - another
No directory, logging in with HOME=/
another@EXA10262:/$ id
uid=536(another) gid=136(another) groups=136(another)
another@EXA10262:/$ logout
[tm2yarmc@EXA10262 ~]$ su - another
Password: 
su: Authentication service cannot retrieve authentication info.
Sorry.
[tm2yarmc@EXA10262 ~]$ 

There is a pause between entering the password and the error message
from su. I strongly suspect my pam configuration is to blame somewhere
along the way. When running the openldap server in debug mode the
connection from the host is clear; and the searches seem to work; but
the calling service (su or whatever) complains about not being able to
retrieve authentication information.

Enclosed are the contents of some of the files:-

from slapd.conf:

pidfile         /opt/slapd/var/run/slapd.pid
argsfile        /opt/slapd/var/run/slapd.args
access to attr=userpassword
         by dn="cn=Manager,dc=example,dc=com" write
         by self write
access to *
         by self write
         by dn="dc=example,dc=com" read
         by * read
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /opt/slapd/var/openldap-data
index   objectClass     eq

from grep -v "^#" /etc/libnss-ldap.conf

host 127.0.0.1
base dc=example,dc=com
ldap_version 3

from grep -v "^#" /etc/pam_ldap.conf

host 127.0.0.1
base dc=example,dc=com
ldap_version 3
rootbinddn cn=manager,dc=example,dc=com

from /etc/pam.d/login

@include common-auth
@include common-account
@include common-password
@include common-session

from /etc/pam.d/su

auth       sufficient pam_rootok.so
@include common-auth
@include common-account
@include common-session

from /etc/pam.d/common-auth

auth       sufficient pam_ldap.so
auth       required   pam_unix.so use_first_pass

from /etc/pam.d/common-account

account    sufficient pam_ldap.so
account    required   pam_unix.so

from /etc/pam.d/common-session

session    sufficient   pam_ldap.so
session    required     pam_unix.so

I can provide the debug from the server if required. However, I get the
feeling I've just missed something obvious on the pam side.

Thanks in anticipation.



=====
u n d e r a c h i e v e r (and proud)
<takeme2your@rocketmail.com>
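One check worth running against the slapd.conf quoted in the post, added here as an example (it is not code from the post, from OpenLDAP or from Debian): a simple bind is evaluated while the connection is still anonymous, so slapd needs the anonymous identity to hold at least "auth" privilege on the entry's userPassword before it will compare the supplied password. The quoted "access to attr=userpassword" directive has only "by dn=..." and "by self" clauses, and a directive whose "by" clauses all fail to match grants nothing (the implicit trailing "by * none"). The script below models slapd's first-match ACL evaluation just far enough to show that, and the same directives with "by anonymous auth" added. The user DN is hypothetical, "dn=..." selectors are treated as exact matches, and only the selectors that appear in the quoted file are modelled; the rootdn (cn=Manager) bypasses ACLs entirely, which is why ldapsearch as the Manager works regardless.

```python
"""Minimal model of OpenLDAP slapd.conf ACL evaluation.

Added example, not code from the post or from OpenLDAP. Assumptions:
<what> is '*' or 'attr[s]=...'; <who> is '*', 'anonymous', 'users',
'self' or an exact-match dn="..."; USER_DN is a hypothetical entry.
"""
import re

# slapd privilege levels, lowest to highest; a level implies the ones below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample: the two access directives quoted from the post's slapd.conf.
ORIGINAL_ACL = """
access to attr=userpassword
         by dn="cn=Manager,dc=example,dc=com" write
         by self write
access to *
         by self write
         by dn="dc=example,dc=com" read
         by * read
"""

# Same directives with one clause added: a simple bind runs while the
# connection is still anonymous, so 'anonymous' needs 'auth' on userPassword.
FIXED_ACL = """
access to attr=userpassword
         by dn="cn=Manager,dc=example,dc=com" write
         by self write
         by anonymous auth
access to *
         by self write
         by dn="dc=example,dc=com" read
         by * read
"""

USER_DN = "uid=another,ou=People,dc=example,dc=com"  # hypothetical entry DN


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order.
    Indented 'by' lines continue the preceding 'access to' directive."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            parts = re.split(r"\s+by\s+", line[len("access to "):])
            clauses.append((parts[0].strip(), []))
            by_parts = parts[1:]
        elif line.startswith("by ") and clauses:
            by_parts = [line[3:]]
        else:
            continue
        for part in by_parts:
            who, level = part.strip().rsplit(None, 1)
            clauses[-1][1].append((who, level.lower()))
    return clauses


def what_matches(what, attr):
    """'*' selects everything; attr[s]=a,b,... selects the named attributes."""
    if what == "*":
        return True
    m = re.fullmatch(r"attrs?=(.+)", what)
    return bool(m) and attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]


def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    # dn="..." is treated as an exact match here (regex/subtree styles not modelled)
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who)
    return bool(m) and requester is not None and requester.lower() == m.group(1).lower()


def access_level(acl, target_dn, attr, requester):
    """slapd stops at the first directive whose <what> matches, then at the
    first of its 'by' clauses whose <who> matches. A matched directive with
    no matching 'by' grants nothing (the implicit trailing 'by * none')."""
    if not acl:
        return "read"  # slapd's policy when no access directive exists at all
    for what, bys in acl:
        if what_matches(what, attr):
            for who, level in bys:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"
    return "none"  # directives exist but none selects this target: treated as denied


def allows(acl, target_dn, attr, requester, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(acl, target_dn, attr, requester)) >= LEVELS.index(needed)


def simple_bind_allowed(acl, user_dn):
    """Simple bind: the anonymous identity needs 'auth' on the entry's userPassword."""
    return allows(acl, user_dn, "userPassword", None, "auth")


if __name__ == "__main__":
    other = "uid=someone,ou=People,dc=example,dc=com"  # another hypothetical user
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        acl = parse_acl(text)
        print(name, "simple bind as", USER_DN, "->", simple_bind_allowed(acl, USER_DN))
        print(name, "other user reads userPassword ->", access_level(acl, USER_DN, "userPassword", other))
        print(name, "self writes userPassword ->", access_level(acl, USER_DN, "userPassword", USER_DN))
```

The model reproduces only the ACL side of the problem: with the original directives an LDAP-only user cannot bind, so pam_ldap can never succeed and the stack falls through to pam_unix; what pam_unix then returns for a user with no local shadow entry is not modelled here. The added clause keeps userPassword unreadable by other authenticated users, which was the post's stated intent.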

