
Re: Problem with ldap auth



Guillaume CHARDIN schreef:
> Thanks for your reply.
> Here are some details about what you asked.
>
> 2009/9/11 Sjoerd Hardeman <sjoerd@lorentz.leidenuniv.nl>:
>> Can you add the option 'debug' in /etc/pam.d/common-auth to the line of
>> pam_ldap? What do you see when you try to log in in /var/log/auth.log? And
>> when you log in as root, does changing passwords work?
>>
>> Sjoerd
> I activated pam_ldap debug: the only line displayed in
> /var/log/auth.log when I connect with a password is:
>      *    Sep 11 15:29:30 debiandev sshd[9231]: Failed password for
> gfustier from 192.168.22.6 port 10243 ssh2
> So ok, now I'm sure it failed :D
> But why....
Yes, that's indeed what we need to find out. Looking at the /etc/pam.d/common-auth you provided, I might see a problem (see below). If that doesn't work, can you check that, using the settings from /etc/pam_ldap.conf, ldapsearch -x -h your-ldap-server -b dc=searchbase,dc=org -D uid=yourname,ou=users,... works? It might be that somehow encryption or SASL has been enabled on the LDAP server, and that your Debian box is not aware of it.

> Next, when I tried to change my password once authenticated with an ssh
> private key, the error displayed is:
>      *    Sep 11 15:30:25 debiandev passwd[9243]:
> pam_unix(passwd:chauthtok): user "gfustier " does not exist in
> /etc/passwd
That's expected for a login with a key. /etc/passwd is used to look up group info, but the user is not found there and is then retrieved from the LDAP server. As you provide a secret key, no password is used; the key is used for authorization.
> But my user is stored on the LDAP server, so I think it's ok. Maybe I have to use

> And if I try to change the root password, it works:
>     *    Sep 11 15:48:47 debiandev passwd[9265]:
> pam_unix(passwd:chauthtok): password changed for root
Yes, that's fine, but what happens if you change a user password from the root account?

> If it helps, here is the content of /etc/pam.d/common-auth & common-passwd
>
> #common-passwd#
> password   required   pam_unix.so nullok obscure md5
> password    sufficient    pam_ldap.so
> ##
This is not used for authentication, only for changing passwords. Yet, to make that work, you should change this to
 password sufficient pam_unix.so nullok obscure md5
 password sufficient pam_ldap.so use_first_pass use_authtok
 password required pam_deny.so
Your version might require the presence of the user in /etc/passwd and /etc/shadow; you don't want that. Also, use_first_pass uses the password provided to pam_unix, which might return null instead of the provided pass (I think that's what is happening).

> #common-auth#
> auth    required        pam_unix.so nullok_secure
> auth    sufficient      pam_ldap.so use_first_pass debug
> ##
Again, you don't want to require users to pass pam_unix.so, so change this to
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass

good luck!
Sjoerd
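To make the control-flag reasoning in the reply above concrete, here is an added example that is not code from this thread or from Linux-PAM: a small Python simulation of how "required" and "sufficient" entries combine, run over the original common-auth stack and over the suggested reordering, plus the suggested common-password stack ending in pam_deny.so. The account tables (LOCAL_USERS, LDAP_USERS), the stand-in module functions and the user names are constructed for the example; real pam_unix and pam_ldap consult /etc/shadow and the directory, and use_first_pass (which simply reuses the password the first module prompted for) is not modelled.

```python
"""Toy simulation of Linux-PAM control-flag semantics (added example, not
code from the thread or from Linux-PAM).  It shows why an LDAP-only user
fails the stack 'required pam_unix; sufficient pam_ldap' and passes the
reordered stack 'sufficient pam_unix; required pam_ldap'."""

# Constructed stand-ins for /etc/shadow and for the LDAP directory.
LOCAL_USERS = {"root": "root-secret"}      # local-only account
LDAP_USERS = {"gfustier": "ldap-secret"}   # account that exists only in LDAP


def pam_unix(user, password):
    # pam_unix fails for any user that is not in /etc/passwd and /etc/shadow.
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password):
    return LDAP_USERS.get(user) == password


def pam_deny(user, password):
    return False


MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap,
           "pam_deny.so": pam_deny}


def evaluate(stack, user, password):
    """Walk a list of (control, module) lines with the basic Linux-PAM rules:
      required   - a failure is remembered but the stack keeps running, and
                   the final result is then failure no matter what follows;
      requisite  - a failure returns immediately;
      sufficient - a success ends the stack with success, unless an earlier
                   required/requisite line already failed; a failure is ignored.
    Returns (result, trace); result is True for PAM_SUCCESS."""
    outcome = None  # None: nothing decisive yet; True/False: current verdict
    trace = []
    for control, module in stack:
        ok = MODULES[module](user, password)
        trace.append(f"{control:<10} {module:<12} -> {'ok' if ok else 'fail'}")
        if control in ("required", "requisite"):
            if not ok:
                outcome = False
                if control == "requisite":
                    trace.append("requisite failed: stop")
                    return False, trace
            elif outcome is None:
                outcome = True
        elif control == "sufficient":
            if ok and outcome is not False:
                trace.append("sufficient succeeded: stop with success")
                return True, trace
            # a failing 'sufficient' line is simply skipped
    return outcome is True, trace


def run_stack(stack, user, password):
    return evaluate(stack, user, password)[0]


# The common-auth stack as posted in the thread.
ORIGINAL_AUTH = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
# The reordering suggested in the reply.
FIXED_AUTH = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
# The suggested common-password stack, with a final deny as the catch-all.
FIXED_PASSWORD = [("sufficient", "pam_unix.so"), ("sufficient", "pam_ldap.so"),
                  ("required", "pam_deny.so")]

if __name__ == "__main__":
    for label, stack in (("original auth", ORIGINAL_AUTH), ("fixed auth", FIXED_AUTH)):
        result, trace = evaluate(stack, "gfustier", "ldap-secret")
        print(f"{label}: gfustier -> {'PAM_SUCCESS' if result else 'failure'}")
        for line in trace:
            print("   ", line)
```

The trace for the original stack shows the mechanism behind the "Failed password" line: pam_unix, marked required, fails for a user it cannot find, and that failure is remembered, so the later success of the sufficient pam_ldap line cannot rescue the login. In the reordered stack a local user such as root is accepted by the sufficient pam_unix line and never reaches LDAP, while an LDAP-only user falls through to the required pam_ldap line, which becomes the deciding module. The password stack ends in pam_deny.so so that a user known to neither module is refused rather than silently accepted.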
