LDAP Authentication & passwd

19 posts • Page 1 of 1

Post by pgb » Wed Feb 09, 2005 9:30 pm

Hello,
I have my server configured for ldap authentication, however, as a normal user I cannot change the password.
This is the output of passwd:

Code:
user@deathstar user $ passwd
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password: 
New password: 
Re-enter new password: 
LDAP password information update failed: Unknown error
use bind to verify old password
passwd: Permission denied
and this is my /etc/pam.d/system-auth

Code:
auth       required     /lib/security/pam_env.so
# Added shadow
auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow
# Added for ldap
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so  use_authok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0
session    optional     /lib/security/pam_ldap.so
any hint on how to solve this? I would like my users to be able to change their passwords freely.

Post by slam_head » Wed Feb 09, 2005 11:16 pm

Is ldap listed in /etc/nsswitch.conf? If so does it come before files?

Post by pgb » Thu Feb 10, 2005 11:15 am

Yes, it's listed in nsswitch.conf and it's before files.
nsswitch.conf:

Code:
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
I had "compat ldap" before, but I changed it in order to be able to use sudo and su (otherwise the users added to the group wheel in LDAP wouldn't be able to sudo).

Post by pgb » Fri Feb 11, 2005 11:01 am

I'm bumping this topic, as I'm sure it's a common issue.

Post by UberLord » Fri Feb 11, 2005 11:52 am

I'm pretty sure it's something wrong with /etc/ldap.conf - why don't you post yours?

Also I think you need to be running unstable versions of pam_ldap and nss_ldap

Post by pgb » Fri Feb 11, 2005 12:03 pm

Here's my /etc/ldap.conf:

Code:
base dc=domain,dc=com
rootbinddn uid=root,ou=People,dc=domain,dc=com
host auth.domain.com.ar

pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com

scope one
The versions I have installed are:
net-libs/pam_ldap-171
net-libs/nss_ldap-226

Thanks in advance.

Post by UberLord » Fri Feb 11, 2005 12:24 pm

I've improved your config a bit

Code:
base dc=domain,dc=com
rootbinddn uid=root,ou=People,dc=domain,dc=com
uri ldap://auth.domain.com.ar/

ldap_version 3

# PAM config
# exop causes problems sometimes
#pam_password exop
pam_password crypt 

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gidNumber


# NSS config
scope one 
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
I really wouldn't include root in LDAP - use Manager instead
I also don't have any hosts in LDAP - DNS does a much better job.

fyi I use pam_ldap-176

Post by pgb » Fri Feb 11, 2005 1:56 pm

Thanks a lot! This configuration works much better.
I still get the double prompt, but the password is successfully changed.
Here's the exchange with passwd:

Code:
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password: 
New password: 
Re-enter new password: 
LDAP password information changed for user
passwd: password updated successfully
Can I make passwd ask for the password only once?
The user whose password I'm changing is only in LDAP, not in /etc/passwd, so I don't see why I have to type it twice.
I'll try using Manager instead of root, and see if it all works.
Thanks again!

Post by Merlin8000 » Thu Feb 17, 2005 4:08 pm

pgb wrote:Thanks a lot! This configuration works much better.
I still get the double prompt, but the password is successfully changed.
Here's the exchange with passwd:

Code:
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password: 
New password: 
Re-enter new password: 
LDAP password information changed for user
passwd: password updated successfully
Can I make passwd ask for the password only once?
The user whose password I'm changing is only in LDAP, not in /etc/passwd, so I don't see why I have to type it twice.
I'll try using Manager instead of root, and see if it all works.
Thanks again!
I'm not sure what the issue is for that specifically, but I had the exact same problem as your previous one and changing the pam_password line fixed it for me too. However, I'm not getting a duplicate new password prompt like you are, so I guess it's safe to say the problem isn't your /etc/ldap.conf.

you might want to have a look at /etc/nsswitch.conf or /etc/pam.d/passwd

Thanks guys! This one had been annoying me for some time now.

Post by pgb » Thu Feb 17, 2005 4:28 pm

Merlin8000 wrote:you might want to have a look at /etc/nsswitch.conf or /etc/pam.d/passwd
Can you post yours so I can compare them?
Mine are:
/etc/nsswitch.conf

Code:
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat
hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
/etc/pam.d/passwd

Code:
auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth
/etc/pam.d/system-auth

Code:
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so  use_authok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0
session    optional     /lib/security/pam_ldap.so
Thanks

Post by Merlin8000 » Thu Feb 17, 2005 5:31 pm

/etc/nsswitch.conf

Code:
passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
/etc/pam.d/passwd

Code:
auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_stack.so service=system-auth
/etc/pam.d/system-auth

Code:
auth    required    /lib/security/pam_env.so
auth    sufficient  /lib/security/pam_unix.so likeauth nullok shadow
auth    sufficient  /lib/security/pam_ldap.so use_first_pass
auth    required    /lib/security/pam_deny.so

account sufficient  /lib/security/pam_unix.so
account sufficient  /lib/security/pam_ldap.so
account required    /lib/security/pam_deny.so

password    required /lib/security/pam_cracklib.so retry=3
password    sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password    required /lib/security/pam_ldap.so use_authtok
password    required /lib/security/pam_deny.so

session required    /lib/security/pam_limits.so
session required    /lib/security/pam_unix.so
session required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional    /lib/security/pam_ldap.so
I got most of these settings from the Gentoo LDAP howto, I followed it pretty strictly, except I'm not using SSL (just yet) and I had to change the ACLs provided in /etc/openldap/slapd.conf because the howto's ACL list seemed to disallow logins altogether.

Post by UberLord » Thu Feb 17, 2005 5:36 pm

Merlin8000 wrote: /etc/pam.d/passwd

Code:
auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_stack.so service=system-auth
You don't need that reference to pam_ldap in there as system-auth takes care of it afaik

Post by Merlin8000 » Thu Feb 17, 2005 5:43 pm

UberLord wrote: You don't need that reference to pam_ldap in there as system-auth takes care of it afaik
Without it I get the following passwd chat:

Code:
Enter login(LDAP) password:
passwd: Authentication token manipulation error

Post by pgb » Thu Feb 17, 2005 6:36 pm

Does anyone see anything strange with my nsswitch.conf?
The duplicate password prompt is not a big issue, but is nevertheless annoying.

Thanks.

Post by UberLord » Thu Feb 17, 2005 7:12 pm

pgb wrote:Does anyone see anything strange with my nsswitch.conf?

Code:
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat 
I have the word "files" instead of "compat"

Code:
passwd:      ldap files
shadow:      ldap files
group:       ldap files
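The order of sources on each nsswitch.conf line, which is all that has changed between pgb's "ldap compat", UberLord's "ldap files" and Merlin's "files ldap", matters for more than sudo: the first source that knows a name answers, so with ldap in front an entry in the directory overrides the local file for any name present in both, root included. That is one practical reason behind UberLord's advice above not to keep root in LDAP (note also that the rootbinddn credential is read from /etc/ldap.secret, which must stay readable by root only). The script below is an added example, not part of the thread: it parses the two nsswitch.conf layouts posted above and replays glibc's default lookup rule against a constructed pair of account tables. The entries, including the uid=root directory entry, are constructed for the illustration; compat is modelled as equivalent to files (for a plain /etc/passwd it is, the difference being the NIS-era +/- lines it also honours), and bracketed actions such as [NOTFOUND=return] are dropped.

```python
"""Replay glibc's nsswitch.conf lookup order to see which backend answers.
Added example for this thread; the account tables below are constructed."""
import re

# The two layouts posted above (pgb: ldap first; Merlin: files first).
NSSWITCH_LDAP_FIRST = """\
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat
hosts:       files dns
"""
NSSWITCH_FILES_FIRST = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
"""

# Constructed backends. /etc/passwd holds root and alice; the directory holds
# bob and, as a rootbinddn of uid=root,ou=People,... implies, an entry named
# root (given a harmless uid number here so the clash stays visible).
LOCAL_FILES = {"root": {"uid": 0, "home": "/root"},
               "alice": {"uid": 1000, "home": "/home/alice"}}
DIRECTORY = {"root": {"uid": 5000, "home": "/home/root"},
             "bob": {"uid": 1001, "home": "/home/bob"}}
# compat reads the same /etc/passwd as files; it only adds NIS-style +/- lines.
BACKENDS = {"files": LOCAL_FILES, "compat": LOCAL_FILES, "ldap": DIRECTORY}


def parse_nsswitch(text):
    """Return {database: [source, ...]}. Bracketed actions such as
    [NOTFOUND=return] are dropped: this model implements only the default
    rule, i.e. the first source that knows the name answers."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        order[database.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return order


def getpwnam(order, name):
    """Emulate a passwd lookup: (source that answered, entry) or (None, None)."""
    for source in order.get("passwd", []):
        backend = BACKENDS.get(source)  # sources like dns or nis: not modelled
        if backend is not None and name in backend:
            return source, backend[name]
    return None, None


def shadowed_local_accounts(order):
    """Local accounts whose lookup the directory would answer first. Run this
    check before putting ldap ahead of files: every overlapping name, root
    above all, is silently redefined by whoever can write the directory."""
    return sorted(name for name in LOCAL_FILES
                  if getpwnam(order, name)[0] == "ldap")


if __name__ == "__main__":
    for label, text in (("ldap compat", NSSWITCH_LDAP_FIRST),
                        ("files ldap", NSSWITCH_FILES_FIRST)):
        order = parse_nsswitch(text)
        print(f"{label:12} root -> {getpwnam(order, 'root')[0]}, "
              f"shadowed local accounts: {shadowed_local_accounts(order)}")
```

With "ldap compat" the constructed root lookup is answered by the directory; with "files ldap" it is answered by /etc/passwd and only bob comes from LDAP. The real-system equivalent of this check is `getent passwd root` before and after editing nsswitch.conf, since getent goes through the same NSS order.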

Post by pgb » Thu Feb 17, 2005 7:17 pm

UberLord wrote:
pgb wrote:Does anyone see anything strange with my nsswitch.conf?

Code:
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat 
I have the word "files" instead of "compat"

Code:
passwd:      ldap files
shadow:      ldap files
group:       ldap files
I get the same duplicate prompt...
Do I need to restart anything after changing nsswitch.conf?

Post by Merlin8000 » Thu Feb 17, 2005 8:06 pm

What about your logs? Does anything pop up when you try to change passwords the first time around? Sounds to me like the first passwd change attempt is failing so it's reprompting with a different system.

Also, does the user in question exist both on your LDAP server and in /etc/passwd?

Not that I know this would cause that, but it's a shot in the dark.

Post by pgb » Thu Feb 17, 2005 8:14 pm

Just found it...
I had a typo on the /etc/pam.d/system-auth file...
I had:

Code:
password   sufficient   /lib/security/pam_ldap.so  use_authok
instead of:

Code:
password   sufficient   /lib/security/pam_ldap.so  use_authtok
Now it works as expected... Thanks for your help.

Post by pejcao » Thu May 26, 2005 4:16 am

Does "passwd" change your LDAP password AND /etc/shadow simultaneously? (if the user exists in both)
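The two system-auth stacks posted in this thread differ in one word on the pam_ldap password line (pgb: sufficient, originally with the misspelt use_authok that turned out to cause the second prompt; Merlin: required, followed by required pam_deny), and Merlin additionally puts a sufficient pam_ldap line in /etc/pam.d/passwd ahead of pam_stack. The PAM control flags on those lines decide which backends a password change reaches, which is also what the question just above (does passwd update LDAP and /etc/shadow both?) turns on. The script below is an added example, not code from the thread or from Linux-PAM: it lints each pam_unix/pam_ldap line against a subset of the options those modules accept, and replays a simplified update pass with constructed module outcomes (pam_unix succeeds only for an account in /etc/shadow, pam_ldap only for one in the directory, and a backend module lacking use_authtok prompts for the new token itself). It models only the classic control flags and the update pass, not the preliminary-check pass, the "Enter login(LDAP) password:" old-password prompt, or [value=action] syntax.

```python
"""Lint a PAM password stack and replay its control flags.
Added example for this thread; the stacks are the ones posted above, the
module outcomes are constructed."""

# Password-phase options the two backend modules accept (a subset). PAM
# silently ignores any other word on the line, so a typo becomes a no-op.
KNOWN_OPTIONS = {
    "pam_unix.so": {"nullok", "md5", "shadow", "use_authtok",
                    "use_first_pass", "try_first_pass", "debug"},
    "pam_ldap.so": {"use_authtok", "use_first_pass", "try_first_pass", "debug"},
}

PGB_SYSTEM_AUTH = """\
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so  use_authok
password   required     /lib/security/pam_deny.so
"""
MERLIN_SYSTEM_AUTH = """\
password    required /lib/security/pam_cracklib.so retry=3
password    sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password    required /lib/security/pam_ldap.so use_authtok
password    required /lib/security/pam_deny.so
"""
MERLIN_PASSWD = """\
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_stack.so service=system-auth
"""


def parse_stack(text, phase="password"):
    """Return [(control, module, [options])] for one management group."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == phase:
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return stack


def lint(stack):
    """Options the module does not know. A misspelt use_authtok is exactly the
    defect that produces a second, unexpected 'New password:' prompt."""
    return [f"{module}: unknown option '{opt}'"
            for _control, module, opts in stack
            for opt in opts
            if module in KNOWN_OPTIONS and opt not in KNOWN_OPTIONS[module]]


def run_stack(stack, user_in, services=None):
    """Replay the update pass for an account held by the backends in user_in
    ({'files'}, {'ldap'} or both). Returns (result, backends updated, number
    of new-password prompts). Constructed outcomes: pam_cracklib always passes
    (and prompts once), pam_deny always fails, pam_unix succeeds only for a
    local account, pam_ldap only for a directory account, and a backend module
    without use_authtok prompts for the token itself. pam_stack runs the named
    service from `services` and counts as one module."""
    backend_of = {"pam_unix.so": "files", "pam_ldap.so": "ldap"}
    updated, prompts, failed = [], 0, False
    for control, module, opts in stack:
        if module == "pam_cracklib.so":
            ok, prompts = True, prompts + 1
        elif module == "pam_deny.so":
            ok = False
        elif module == "pam_stack.so":
            service = [o.split("=", 1)[1] for o in opts if o.startswith("service=")][0]
            sub_result, sub_updated, sub_prompts = run_stack(services[service], user_in, services)
            ok = sub_result == "success"
            updated, prompts = updated + sub_updated, prompts + sub_prompts
        else:
            if "use_authtok" not in opts:
                prompts += 1
            ok = backend_of.get(module) in user_in
            if ok:
                updated.append(backend_of[module])
        # The classic control flags, as Linux-PAM evaluates them.
        if control == "sufficient" and ok and not failed:
            return "success", updated, prompts
        if control == "requisite" and not ok:
            return "failure", updated, prompts
        if control == "required" and not ok:
            failed = True
    return ("failure" if failed else "success"), updated, prompts


if __name__ == "__main__":
    print("lint:", lint(parse_stack(PGB_SYSTEM_AUTH)))
    services = {"system-auth": parse_stack(MERLIN_SYSTEM_AUTH)}
    for user_in in ({"files"}, {"ldap"}, {"files", "ldap"}):
        print(sorted(user_in),
              "pgb:", run_stack(parse_stack(PGB_SYSTEM_AUTH), user_in),
              "merlin:", run_stack(parse_stack(MERLIN_PASSWD), user_in, services))
```

On these inputs the model reproduces what the posts report: the lint flags use_authok, pgb's stack gives a directory-only account two new-password prompts and only one once the option is spelt correctly, and Merlin's system-auth on its own ends in failure for a directory-only account because required pam_deny still runs after required pam_ldap has already written the new password, which is the failure his sufficient pam_ldap line in /etc/pam.d/passwd short-circuits. For an account present in both /etc/shadow and the directory, both layouts update only the backend whose module comes first (pam_unix in pgb's, the passwd-level pam_ldap in Merlin's), because sufficient returns as soon as it succeeds.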