[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jeff Hubbs jeffrey.hubbs at gmail.com
Wed Jun 3 15:56:28 EDT 2009


Never mind; that wasn't the problem...

On Wed, Jun 3, 2009 at 3:32 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:

> It's Gentoo, but I think I might have found a serious problem...I think the
> server and client ldap.conf files may be reversed; the server happens to be
> working because as far as server directives go, the two files say the same
> thing...
>
>
> On Wed, Jun 3, 2009 at 3:12 PM, Jerald Sheets <questy at gmail.com> wrote:
>
>> Redhat/Debian/Ubuntu/Slack?  Which?
>>
>>
>>> On Wed, Jun 3, 2009 at 2:33 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>
>>> Just like that.
>>>
>>>
>>> On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <questy at gmail.com> wrote:
>>>
>>>> What does your /etc/nsswitch.conf look like for passwd/shadow/group?
>>>>
>>>> passwd:     files ldap
>>>> shadow:     files ldap
>>>> group:      files ldap
>>>>
>>>>
>>>> --j
>>>>
>>>>
>>>> On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>>
>>>>> That makes it worse.  See log output with it both ways at
>>>>> http://pastebin.com/m5fca56.
>>>>>
>>>>> With the pam_ldap line where it was, I'm at least able to get "(Invalid
>>>>> credentials)" returned from pam_ldap; when moved up above the pam_unix line,
>>>>> pam_ldap never makes a response.
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>>>
>>>>>> move the pam_ldap line up one. The line above it will always capture
>>>>>> an event and the ldap line is never called. PAM is a sequential
>>>>>> process down the chain.
>>>>>>
>>>>>> In fact, if you want to tighten the security, put the pam_deny line
>>>>>> before any "sufficient" lines in auth.
>>>>>>
>>>>>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>>>> > Jerald -
>>>>>> >
>>>>>> > That line is in there...in fact, let me paste the whole system-auth file:
>>>>>> >
>>>>>> > #%PAM-1.0
>>>>>> >
>>>>>> > auth            required        pam_env.so
>>>>>> > auth            sufficient      pam_unix.so try_first_pass likeauth nullok
>>>>>> > auth            sufficient      pam_ldap.so use_first_pass
>>>>>> > auth            required        pam_deny.so
>>>>>> >
>>>>>> > account         required        pam_unix.so
>>>>>> > account         sufficient      pam_ldap.so
>>>>>> >
>>>>>> > password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
>>>>>> > password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
>>>>>> > password        sufficient      pam_ldap.so use_authtok
>>>>>> > password        required        pam_deny.so
>>>>>> >
>>>>>> > session         required        pam_limits.so
>>>>>> > session         required        pam_unix.so
>>>>>> > session         optional        pam_ldap.so
>>>>>> >
>>>>>> >
>>>>>> >>
>>>>>> >>
>>>>>> >> Also, to let pam know about ldap, look for a line like so:
>>>>>> >>
>>>>>> >> auth        sufficient    pam_ldap.so use_first_pass
>>>>>> >>
>>>>>> >> in /etc/pam.d/system-auth
>>>>>> >>
>>>>>> >> Also, if you want to have home directories automagically made for
>>>>>> >> first-time logins, you need:
>>>>>> >>
>>>>>> >> session     required      pam_mkhomedir.so
>>>>>> >
>>>>>> > Cool trick - dunno if I'll use that now but it's good to know.
>>>>>> >
>>>>>> > Thanks,
>>>>>> > Jeff
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > Ale mailing list
>>>>>> > Ale at ale.org
>>>>>> > http://mail.ale.org/mailman/listinfo/ale
>>>>>> >
>>>>>> >
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> --
>>>>>> James P. Kinney III
>>>>>> Actively in pursuit of Life, Liberty and Happiness
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> ---
>>>> Jerald M. Sheets jr.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> ---
>> Jerald M. Sheets jr.
>>
>>
>>
>>
>
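Since this thread turns on how the auth section of the system-auth file quoted above is walked, here is an added example, not code from any of the posters, that evaluates that stack under the control-flag rules in pam.conf(5) for the orderings the thread discusses: the file as posted, pam_ldap moved above pam_unix (once with its options unchanged, once with the password-reuse options swapped to match the new order), and pam_deny placed ahead of the sufficient lines. pam_unix and pam_ldap are stand-ins that look users up in two constructed dictionaries, the accounts root and alice are made up, and the failure code pam_ldap returns when use_first_pass finds no password to reuse is an assumption.

```python
"""Toy evaluator for Linux-PAM auth stacks, built around the system-auth posted
in this thread.  Added example, not code from any of the posts: it models the
four classic control flags as pam.conf(5) describes them plus the
try_first_pass / use_first_pass options.  pam_unix and pam_ldap are stand-ins
that look users up in constructed dictionaries; codes are strings for PAM_*."""

LOCAL_USERS = {"root": "localpw"}   # constructed: one local account...
LDAP_USERS = {"alice": "ldappw"}    # ...and one that exists only in LDAP

SUCCESS, USER_UNKNOWN, AUTH_ERR = "PAM_SUCCESS", "PAM_USER_UNKNOWN", "PAM_AUTH_ERR"
AUTHTOK_ERR, PERM_DENIED = "PAM_AUTHTOK_ERR", "PAM_PERM_DENIED"


def _password_module(table, user, ctx, opts):
    """Stand-in for pam_unix / pam_ldap.  try_first_pass reuses a password an
    earlier module collected, prompting if there is none; use_first_pass reuses
    it but fails without prompting if there is none (failure code assumed)."""
    if ctx["authtok"] is None:
        if "use_first_pass" in opts:
            return AUTHTOK_ERR
        ctx["authtok"] = ctx["typed"]        # "prompt": take what the user typed
    if user not in table:
        return USER_UNKNOWN
    return SUCCESS if table[user] == ctx["authtok"] else AUTH_ERR


MODULES = {
    "pam_env.so":  lambda user, ctx, opts: SUCCESS,
    "pam_unix.so": lambda user, ctx, opts: _password_module(LOCAL_USERS, user, ctx, opts),
    "pam_ldap.so": lambda user, ctx, opts: _password_module(LDAP_USERS, user, ctx, opts),
    "pam_deny.so": lambda user, ctx, opts: AUTH_ERR,
}


def parse_stack(text, facility="auth"):
    """Return [(control, module, options)] for one facility of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != facility:
            continue
        stack.append((fields[1], fields[2], set(fields[3:])))
    return stack


def run_auth(stack, user, password):
    """Walk the stack top to bottom as pam_dispatch does; returns
    (authenticated, status, modules_called).  `impression` is the running
    verdict: None until a module counts, then True/False; the first
    required/requisite failure is the status that gets reported."""
    ctx = {"authtok": None, "typed": password}
    impression, status, called = None, None, []
    for control, module, opts in stack:
        rv = MODULES[module](user, ctx, opts)
        called.append(module)
        if control in ("required", "requisite"):
            if rv == SUCCESS:
                if impression is None:
                    impression, status = True, SUCCESS
            else:
                if impression is not False:
                    impression, status = False, rv
                if control == "requisite":
                    break                    # straight back to the application
        elif control == "sufficient":        # failure is ignored, walk continues
            if rv == SUCCESS:                # success is "done": stop here, but
                if impression is None:       # an earlier required failure wins
                    impression, status = True, SUCCESS
                break
        elif control == "optional":
            if rv == SUCCESS and impression is None:
                impression, status = True, SUCCESS
        else:
            raise ValueError("unsupported control flag: " + control)
    if impression is None:                   # nothing contributed: PAM must fail
        status = PERM_DENIED
    return status == SUCCESS, status, called


# The auth lines as posted, and the reorderings discussed in the thread.
AS_POSTED = """auth  required    pam_env.so
auth  sufficient  pam_unix.so try_first_pass likeauth nullok
auth  sufficient  pam_ldap.so use_first_pass
auth  required    pam_deny.so"""
LDAP_FIRST = """auth  required    pam_env.so
auth  sufficient  pam_ldap.so use_first_pass
auth  sufficient  pam_unix.so try_first_pass likeauth nullok
auth  required    pam_deny.so"""
LDAP_FIRST_FIXED = """auth  required    pam_env.so
auth  sufficient  pam_ldap.so try_first_pass
auth  sufficient  pam_unix.so use_first_pass likeauth nullok
auth  required    pam_deny.so"""
DENY_FIRST = """auth  required    pam_env.so
auth  required    pam_deny.so
auth  sufficient  pam_unix.so try_first_pass likeauth nullok
auth  sufficient  pam_ldap.so use_first_pass"""
STACKS = {"as_posted": AS_POSTED, "ldap_first": LDAP_FIRST,
          "ldap_first_fixed": LDAP_FIRST_FIXED, "deny_first": DENY_FIRST}
CASES = [("root", "localpw"), ("alice", "ldappw"), ("alice", "wrong")]


def matrix():
    """Whether each constructed login attempt authenticates under each stack."""
    return {name: {case: run_auth(parse_stack(txt), *case)[0] for case in CASES}
            for name, txt in STACKS.items()}


if __name__ == "__main__":
    print(matrix())
```

matrix() returns, for each stack, whether each of the three constructed attempts authenticates. Under these rules a failing sufficient module is skipped rather than ending the walk, so with the file as posted a user who exists only in LDAP reaches pam_ldap after pam_unix returns "user unknown". Moving pam_ldap to the top while leaving use_first_pass on it gives it nothing to reuse, since no earlier module has prompted; the swapped-options variant (try_first_pass on the first password module, use_first_pass on the second) keeps a single prompt and lets both kinds of account in. A required pam_deny placed before the sufficient lines records a failure that no later sufficient success can override, so that variant refuses every login; the as-posted placement at the bottom is what denies the fall-through case.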