Gentoo Forums
openldap probs (official guide)
hollowsoul
n00b


Joined: 29 Feb 2004
Posts: 31

PostPosted: Sat Apr 24, 2004 5:36 pm    Post subject: openldap probs (official guide)

I can get up to

# getent passwd|grep 0:0

// You should get two entries back:
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash

but I am unable to log in remotely, or at the computer :?
I think either my PAM config is messed up or the ACL in slapd.conf, but I can't find what is wrong. Any help would be really nice.

Code:

#/etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema

password-hash   {crypt}

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

access to *
    by dn="uid=root,ou=people,dc=server,dc=lan" write
    by users read
    by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
    by self write

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=server,dc=lan"
rootdn          "cn=Manager,dc=server,dc=lan"
rootpw          secret
directory       /var/lib/openldap-ldbm

index           objectClass     eq


Code:

#/etc/pam.d/system-auth

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficent    /lib/security/pam_ldap.so

password   sufficient   /lib/security/pam_unix.so nullok md5 shadow
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_ldap.so


Last edited by hollowsoul on Sun Apr 25, 2004 11:31 am; edited 1 time in total
Chris W
l33t


Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia

PostPosted: Sat Apr 24, 2004 10:16 pm    Post subject:

Quote:
but am unable to login in remotely, or at the computer

So you can no longer log in to your machine at all? If that's the case I'd be concentrating on the PAM configuration because it should still be allowing access from the /etc/passwd database. I think the system-auth file should look more like:
Code:
#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_ldap.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
Order is important in this file. Notice that, in general, the LDAP entries precede the pam_unix entries, and the sufficient keyword means that if the user is in LDAP then it short-circuits using pam_unix.

You should also check the /etc/ldap.conf is configured correctly.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
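Chris W's point that order and the sufficient flag decide which module wins can be checked without a live LDAP server. The following is an added example, not code from the thread or from Linux-PAM: a simplified model of PAM control-flag rules run over the auth and account lines of both system-auth files posted above (the first post's "sufficent" misspelling is kept as posted); the user sets and the module verdicts are constructed assumptions.

```python
LOCAL_USERS, LDAP_USERS = {"root"}, {"root", "alice"}  # constructed for this added example
CONTROLS = {"required", "requisite", "sufficient", "optional"}
OP_STACK = """\
auth    required   /lib/security/pam_env.so
auth    sufficient /lib/security/pam_unix.so likeauth nullok
auth    sufficient /lib/security/pam_ldap.so use_first_pass
auth    required   /lib/security/pam_deny.so
account required   /lib/security/pam_unix.so
account sufficent  /lib/security/pam_ldap.so
"""
CHRIS_STACK = """\
auth    required   /lib/security/pam_env.so
auth    sufficient /lib/security/pam_ldap.so
auth    sufficient /lib/security/pam_unix.so use_first_pass
auth    required   /lib/security/pam_deny.so
account sufficient /lib/security/pam_ldap.so
account required   /lib/security/pam_unix.so
"""
def module_ok(stack, module, user):
    """Stubbed verdicts; real modules prompt for passwords and consult NSS."""
    name = module.rsplit("/", 1)[-1]
    if name == "pam_deny.so":
        return False
    if name == "pam_unix.so":  # auth: local password; account: any getpwnam() hit
        return user in (LOCAL_USERS if stack == "auth" else LOCAL_USERS | LDAP_USERS)
    if name == "pam_ldap.so":
        return user in LDAP_USERS
    return True                # pam_env, pam_limits, ...: always succeed here

def run_stack(config, stack, user):
    """required: note the failure and keep going; sufficient: succeed at once unless
    a required module already failed; an unknown flag makes Linux-PAM fail the stack."""
    failed, trace = False, []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != stack:
            continue
        control, module = parts[1], parts[2]
        if control not in CONTROLS:
            trace.append(f"{module}: unknown control flag '{control}'")
            return False, trace
        ok = module_ok(stack, module, user)
        trace.append(f"{module} ({control}) -> {ok}")
        if control == "sufficient" and ok and not failed:
            return True, trace
        failed |= control == "required" and not ok
    return not failed, trace

def login_ok(config, user):
    """Both the auth and the account stack must pass for a login to be granted."""
    return all(run_stack(config, s, user)[0] for s in ("auth", "account"))
```

With the first-post stack, root passes auth through pam_unix but the account stack dies on the misspelled control flag; with Chris W's stack, root is decided by pam_ldap before pam_unix is ever consulted.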
hollowsoul
n00b


Joined: 29 Feb 2004
Posts: 31

PostPosted: Sat Apr 24, 2004 10:32 pm    Post subject:

Nice one,
I can log in now; it was the system-auth file :)
Though I'm getting 2 password prompts at the beginning of logging in.

The first password prompt seems to have no effect, as if you enter the correct password 2 times you are allowed in.

And if I enter the password wrong twice, it only comes up once the second time.

Code:

login as: root
Password:
Password:
Access denied
root@192.168.2.10's password:

edit:

I found that by adding the following to /etc/ldap.conf I can log in with the first password prompt (via LDAP),
but I'm not sure if it's the right method.

binddn cn=Manager,dc=server,dc=lan
bindpw secret

Code:

#/etc/ldap.conf

host            127.0.0.1
base            dc=server,dc=lan
uri             ldap://server.lan/
ldap_version    3

binddn          cn=Manager,dc=server,dc=lan
bindpw          secret

scope           one

pam_filter              objectclass=posixAccount
pam_login_attribute     uid
pam_member_attribute    memberuid
pam_password            exop

nss_base_passwd         ou=People,dc=server,dc=lan
nss_base_shadow         ou=People,dc=server,dc=lan
nss_base_group          ou=Group,dc=server,dc=lan
nss_base_hosts          ou=Hosts,dc=server,dc=lan

Chris W
l33t


Joined: 25 Jun 2002
Posts: 972
Location: Brisbane, Australia

PostPosted: Sun Apr 25, 2004 6:06 am    Post subject:

I don't think you should need the BINDDN in ldap.conf, but I haven't got a working LDAP setup to check against. During authentication the PAM will attempt to search for a user matching the login name. If it finds a DN for the user (only one) it will try to BIND as that DN using the supplied password. It seems most likely that the data in the LDAP server is not quite right in some way.

I think you need to turn on debugging in the LDAP server to see exactly what queries are being run. From that you should be able to see what is coming unstuck.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
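Chris W's description of how pam_ldap authenticates (search for the login name, expect exactly one DN, then bind as that DN) can be walked through against the ACL from the first post. This is an added example, not code from the thread or from OpenLDAP: a toy model of slapd's first-matching-clause ACL rule and of the search-then-bind sequence; the directory entries, passwords and the encoding of the ACL are constructed assumptions.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ROOTDN = "cn=Manager,dc=server,dc=lan"           # slapd's rootdn bypasses ACLs
DIRECTORY = {                                    # constructed sample entries
    ROOTDN: {"userPassword": "secret"},
    "uid=root,ou=people,dc=server,dc=lan": {"uid": "root", "userPassword": "r00tpw"},
    "uid=alice,ou=people,dc=server,dc=lan": {"uid": "alice", "userPassword": "al1ce"},
}
# The first post's ACL as (attribute set, or None for '*', [(who, level), ...]).
# slapd takes the FIRST 'access to' clause whose target matches and looks no
# further, so the userPassword clause is shadowed by the 'access to *' above it.
OP_ACL = [
    (None, [("dn=uid=root,ou=people,dc=server,dc=lan", "write"),
            ("users", "read"), ("anonymous", "auth")]),
    ({"userPassword", "gecos", "description", "loginShell"}, [("self", "write")]),
]

def who_matches(who, requester, entry):
    if who == "anonymous": return requester is None
    if who == "users": return requester is not None
    if who == "self": return requester == entry
    return who == "*" or who == f"dn={requester}"

def allowed(acl, requester, entry, attr, need):
    """Does requester (a DN, or None for anonymous) hold privilege 'need' on attr?"""
    if requester == ROOTDN:
        return True
    for attrs, by_clauses in acl:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:        # first matching 'by' clause decides
            if who_matches(who, requester, entry):
                return LEVELS.index(level) >= LEVELS.index(need)
        return False                         # implicit trailing 'by * none'
    return False                             # assumption: no clause matched -> none

def pam_ldap_auth(acl, binddn, bindpw, login, password, base="ou=people,dc=server,dc=lan"):
    """Bind as binddn (None = anonymous), search '(uid=login)' under base,
    require exactly one DN, then bind as that DN with the user's password."""
    if binddn is not None and DIRECTORY.get(binddn, {}).get("userPassword") != bindpw:
        return "binddn bind failed"
    hits = [dn for dn, e in DIRECTORY.items() if dn.endswith("," + base)
            and e.get("uid") == login and allowed(acl, binddn, dn, "uid", "search")]
    if len(hits) != 1:
        return f"search found {len(hits)} entries"
    if DIRECTORY[hits[0]]["userPassword"] != password:
        return "user bind failed"
    return "ok " + hits[0]
```

In this model the first-post ACL grants anonymous only auth on every attribute, so an anonymous search finds no entry and the self-write clause for userPassword is never reached; a dedicated bind account with search/read on the People subtree, rather than the rootdn password in a client-side ldap.conf, is the least-privilege way to let pam_ldap perform its search.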
hollowsoul
n00b


Joined: 29 Feb 2004
Posts: 31

PostPosted: Sun Apr 25, 2004 11:40 am    Post subject:

OK, got it to work without the added lines in slapd.conf.
I changed the ACL lines in slapd.conf with the ones from

https://forums.gentoo.org/viewtopic.php?t=72607&highlight=ldap+windows

It works now, though I'd like to read up on the ACL bits, as it bugs me that it didn't work with the original ones above in the first post.

Does anyone know of a good debug value for slapd, as the debug messages are a bit cryptic, or an example of correct output from an LDAP setup with the official guide :?:

Also, does anyone know how to set up webmin for LDAP? I can add groups but not users ???

Failed to save user : Failed to add user to LDAP database : no structural object class provided