openldap-technical June 2010

openldap-technical@openldap.org

104 participants
113 discussions

Solaris 10 openldap authentication with md5 passwords
by Giannis Fotopoulos 19 Jun '10

19 Jun '10

Hello to everyone, We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails. We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html) Our openldap version is openldap-2.3.39 And all passwords are encrypted with : Base 64 encoded md5 Below is a sample password: |{md5}2FeO34RYzgb7xbt2pYxcpA==| The error messages when trying to 'su -' to the ldap user are: |Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:35:23 servername su: [ID 810491 auth.crit]'su ldapuser' failed*for* mike on /dev/pts/4 |and for ssh: |Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed*for* ldapuser from pc7395.sa.example.int Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed*for* ldapuser from pc7395.sa.example.int Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey*for* scponly from 10.24.4.52 port 35390 ssh2 Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed*for* ldapuser from pc7395.sa.example.int Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam*for* ldapuser from 192.168.1.25 port 41075 ssh2 Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password*for* ldapuser from 192.168.1.25 port 41075 ssh2 Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password*for* ldapuser from 192.168.1.25 port 41075 ssh2 Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate() Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password*for* ldapuser from 192.168.1.25 port 41075 ssh2 | Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed). Please feel free to ask for any other configuration file: */etc/pam.conf* |login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth required pam_dial_auth.so.1 login auth sufficient pam_unix_auth.so.1 server_policy debug login auth required /usr/lib/security/pam_ldap.so.1 debug rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 rlogin auth required pam_unix_auth.so.1 use_first_pass rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_cred.so.1 rsh auth required pam_unix_auth.so.1 ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_dial_auth.so.1 ppp auth sufficient pam_unix_auth.so.1 server_policy other auth sufficient /usr/lib/security/pam_ldap.so.1 debug other auth required pam_unix_auth.so.1 use_first_pass debug passwd auth sufficient pam_passwd_auth.so.1 server_policy passwd auth required /usr/lib/security/pam_ldap.so.1 debug cron account required pam_unix_account.so.1 other account requisite pam_roles.so.1 other account sufficient pam_unix_account.so.1 server_policy other account required /usr/lib/security/pam_ldap.so.1 debug other session required pam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 server_policy |*/etc/ldap.conf *|base ou=users,ou=Example,dc=staff,dc=example ldap_version 3 scope sub pam_groupdn cn=sysadm(a)example.int,ou=groups,ou=Example,dc=staff,dc=example pam_member_attribute memberUid nss_map_attribute uid displayName nss_map_attribute cn sn pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password. uri ldap://ldapserver01/ ssl no bind_timelimit 1 bind_policy soft timelimit 10 nss_reconnect_tries 3 host klnsds01 nss_base_group ou=system_groups,ou=Example,dc=staff,dc=example?sub pam_password md5 |*/etc/nsswitch.conf *|passwd: files ldap group: files ldap hosts: files dns ipnodes: files dns networks: files protocols: files rpc: files ethers: files netmasks: files bootparams: files publickey: files netgroup: files automount: files aliases: files services: files printers: user files auth_attr: files prof_attr: files project: files tnrhtp: files tnrhdb: files |* /etc/security/policy.conf* |AUTHS_GRANTED=solaris.device.cdrw PROFS_GRANTED=Basic Solaris User CRYPT_ALGORITHMS_DEPRECATE=__unix__ LOCK_AFTER_RETRIES=YES CRYPT_ALGORITHMS_ALLOW=1,2a,md5 ||CRYPT_DEFAULT=1| Thanks in advance for any response...!! | |

1 0

ACLs using members and groups
by Indexer 18 Jun '10

18 Jun '10

Hi, I have a question regarding ACLs and their use in an interesting circumstance. I have a group, lets call it g, and it contains users a and b. I also have users a, b, c and d. Now, I want user d to be able to have access to write to the members of group g, and unable to access non members of group g. Now lets say i add user e, and e becomes a member of g, i want d to be able to write to these 3 members (a,b,e) without needing to rewrite or insert ACLs etc. I have been looking alot at the ACL page on the openldap site, and as much as i think the group and regex rules are fantastic, I cant think of how to implement them for this situation. Any help would be greatly appreciated Thanks for your time and help, yet again. William

2 1

smbk5pwd: ldappassword hangs
by Frank Van Damme 18 Jun '10

18 Jun '10

Hi list, I installed and configured the smbk5pwd overlay as described on http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd. This succeeded, the module is loaded etc. But an unwelcome side effect is that password changes don't function anymore. With the overlay/module disabled, there is no problem; if I enable it, the "ldappasswd" command hangs. I marked where I hit Ctrl-C on the hanging ldappasswd command. This is the slapd log... daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(7): daemon: epoll: listen=7 busy >>> slap_listener(ldap://127.0.0.1/) daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: listen=7, new connection on 15 daemon: added 15r (active) listener=(nil) conn=1 fd=15 ACCEPT from IP=127.0.0.1:37250 (IP=127.0.0.1:389) daemon: activity on 2 descriptors daemon: activity on: 15r daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1 connection_read(15): checking for input on id=1 ber_get_next ldap_read: want=8, got=8 0000: 30 43 02 01 01 60 3e 02 0C...`>. ldap_read: want=61, got=61 0000: 01 03 04 2f 75 69 64 3d 74 72 79 6f 75 74 2c 6f .../uid=tryout,o 0010: 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 6f 74 65 63 u=People,dc=otec 0020: 2c 64 63 3d 76 75 62 2c 64 63 3d 61 63 2c 64 63 ,dc=vub,dc=ac,dc 0030: 3d 62 65 80 08 4d 68 43 30 47 6a 4d 4a =be..MhC0GjMJ ber_get_next: tag 0x30 len 67 contents: ber_dump: buf=0x824c518 ptr=0x824c518 end=0x824c55b len=67 0000: 02 01 01 60 3e 02 01 03 04 2f 75 69 64 3d 74 72 ...`>..../uid=tr 0010: 79 6f 75 74 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 yout,ou=People,d 0020: 63 3d 6f 74 65 63 2c 64 63 3d 76 75 62 2c 64 63 c=otec,dc=vub,dc 0030: 3d 61 63 2c 64 63 3d 62 65 80 08 4d 68 43 30 47 =ac,dc=be..MhC0G 0040: 6a 4d 4a jMJ ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=1 op=0 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x824c518 ptr=0x824c51b end=0x824c55b len=64 0000: 60 3e 02 01 03 04 2f 75 69 64 3d 74 72 79 6f 75 `>..../uid=tryou 0010: 74 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 6f t,ou=People,dc=o 0020: 74 65 63 2c 64 63 3d 76 75 62 2c 64 63 3d 61 63 tec,dc=vub,dc=ac 0030: 2c 64 63 3d 62 65 80 08 4d 68 43 30 47 6a 4d 4a ,dc=be..MhC0GjMJ ber_scanf fmt (m}) ber: ber_dump: buf=0x824c518 ptr=0x824c551 end=0x824c55b len=10 0000: 00 08 4d 68 43 30 47 6a 4d 4a ..MhC0GjMJ >>> dnPrettyNormal: <uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be> => ldap_bv2dn(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be,0) <= ldap_bv2dn(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)=0 <<< dnPrettyNormal: <uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be>, <uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be> daemon: activity on 1 descriptor conn=1 op=0 BIND dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" method=128 do_bind: version=3 dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" method=128 ==> hdb_bind: dn: uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be bdb_dn2entry("uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be") => hdb_dn2id("ou=people,dc=otec,dc=vub,dc=ac,dc=be") <= hdb_dn2id: got id=0x4 => hdb_dn2id("uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be") <= hdb_dn2id: got id=0x22 entry_decode: "" <= entry_decode() => access_allowed: auth access to "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" "userPassword" requested => acl_get: [1] attr userPassword => slap_access_allowed: result not in cache (userPassword) => acl_mask: access to entry "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=admin,dc=otec,dc=vub,dc=ac,dc=be <= check a_dn_pat: anonymous <= acl_mask: [2] applying auth(=xd) (stop) <= acl_mask: [2] mask: auth(=xd) => slap_access_allowed: auth access granted by auth(=xd) => access_allowed: auth access granted by auth(=xd) conn=1 op=0 BIND dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" mech=SIMPLE ssf=0 do_bind: v3 bind: "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" to "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" send_ldap_result: conn=1 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 ber_flush2: 14 bytes to sd 15 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ conn=1 op=0 RESULT tag=97 err=0 text= daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1 connection_read(15): checking for input on id=1 ber_get_next ldap_read: want=8, got=8 0000: 30 1e 02 01 02 77 19 80 0....w.. ldap_read: want=24, got=24 0000: 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30 .1.3.6.1.4.1.420 0010: 33 2e 31 2e 31 31 2e 31 3.1.11.1 ber_get_next: tag 0x30 len 30 contents: ber_dump: buf=0x824d060 ptr=0x824d060 end=0x824d07e len=30 0000: 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4 0010: 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 31 .1.4203.1.11.1 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=1 op=1 do_extended ber_scanf fmt ({m) ber: ber_dump: buf=0x824d060 ptr=0x824d063 end=0x824d07e len=27 0000: 77 19 80 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 34 32 30 33 2e 31 2e 31 31 2e 31 4203.1.11.1 conn=1 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero CTRL-C daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1 connection_read(15): checking for input on id=1 ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 15 failed errno=0 (Success) connection_read(15): input error=-2 id=1, closing. connection_closing: readying conn=1 sd=15 for close connection_close: conn=1 sd=15 daemon: activity on 1 descriptor daemon: removing 15 daemon: activity on: conn=1 fd=15 closed (connection lost) daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero -- Frank Van Damme A: Because it destroys the flow of the conversation. Q: Why is it bad? A: No, it's bad. Q: Should I top post in replies to mailing lists or on Usenet?

4 6

Re: Q: status of component matching?
by Lehnert, Hartmut 17 Jun '10

17 Jun '10

Hi all! I would like to post further information on this theme which is of essential interest to us. After preventing slapd to dump a core file (by preventing memory freeing) we could not perform a component match filter search, and in the meanwhile we debugged slapd to see why a component match filter search fails. The result is that the signature algorithm of our certificate (sha256WithRSA) cannot be parsed by the code contained in "contrib/slapd-modules/comp_match/certificate.c". The function BDecAlgorithmIdentifier fails in line 198 because the value of totalElmtsLen1 is 11 and the value of elmtLen0 is 13 while parsing the OID 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 and obviously not handling the trailing Null parameter of the AlgorithmIdentifier. Can anybody suggest a solution for this problem? Regards, Hartmut

3 3

Re: Q: status of component matching?
by Lehnert, Hartmut 17 Jun '10

17 Jun '10

Hi all! I have debugged a little bit more and discovered that the decoding of the ANY type of the Algorithm parameter (that in fact is the Null) fails; in the BDecComponentAny function (file "contrib/slapd-modules/comp_match/componentlib.c") the pointer result->cai is the NULL pointer, so no function to decode the parameter is defined. Can anybody help? Regards, Hartmut

2 1

Re: Pam_ldap group access
by Aaron Richton 17 Jun '10

17 Jun '10

Please keep replies on the list. On Thu, 17 Jun 2010, Indexer wrote: > On 17/06/2010, at 10:34 PM, Aaron Richton wrote: > >> On Thu, 17 Jun 2010, Indexer wrote: >> >>> membership logins a notice appears that says "You must be a memberUid >>> of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the >>> user is still able to continue and login, and it is not enforcing the >>> group >> [...] >>> account optional /usr/local/lib/pam_ldap.so >> >> Of course they're able to continue; that check is optional in a stack >> that contains other results. See pam.conf(5) man page. >> > Yes, i have been told that this is the case, and im not to concerned > about it right now. What concerns me more, is that Groups aren't being > enforced the way i would like them to be. Has anyone got a working > configuration or hints? google was not especially helpful, as its a hard > problem to "quantify". I'm totally confused. If you're not "concerned about it right now" why is it your original question, as well as causing "me more" concern in the next sentence? My hint remains that the check you want to enforce without option has been configured as optional. Read the whole pam.conf(5) man page, then reread the section regarding alternatives to "optional," and determine what you need to configure to enforce the behavior you want.

2 2

do_extended: unsupported operation
by Gianluigi Nigro 17 Jun '10

17 Jun '10

I'am writing an extended operation with slapi plugin, successfully registered through the initialization function: ... char** oids = (char**) slapi_ch_malloc( 2 * sizeof( char * ) ); oids[0] = 1.3.6.1.4.1.35746.2.11.1"; oids[1] = NULL; ... i_ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST, oids ); if( i_ret == 0 ) i_ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_FN, (void*) extop1_start ); if( i_ret != 0 ) slapi_log_error( SLAPI_LOG_PLUGIN, "extop1_init", "[ERROR] registrazione %s\n", pluginDescription.spd_description ); slapd.conf look like this: ... pluginlog /var/log/caronte/plugin.log plugin extendedop /opt/ldap/slapi/libextop1-plugin.so extop1_init ... The log file plugin.log tell me that the plugin was successfully registered: ... 06/17/10 10:43:53 plugin_pblock_new: Registered plugin my-plugin 0.1 [mycompany] (description plugin) ... After server restart, the rootDSE object contains information about my extended operation, an 'ldapsearch -x -s base -b "" "(objectclass=*)" +' output like this: ... supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.35746.2.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 But, when i perform the extended operation then i get the error code 2 and the slapd log file look like this: Jun 17 09:53:03 linux-setup slapd[11969]: conn=1000 op=1 EXT oid=1.3.6.1.4.1.35746.2.11.1 Jun 17 09:57:33 linux-setup slapd[11969]: conn=1000 op=1 do_extended: unsupported operation "1.3.6.1.4.1.35746.2.11.1" Jun 17 09:57:33 linux-setup slapd[11969]: conn=1000 op=1 RESULT tag=120 err=2 text=unsupported extended operation Is it a bug or a lack of implementation? Any helps is appreciated. Gianluigi nigro -------------------------------------------------------------------- Il contenuto di questo messaggio di posta elettronica e ogni eventuale documento a quest'ultimo allegato puo contenere informazioni la cui riservatezza e' tutelata ed e' rivolto unicamente agli effettivi destinatari i quali prendono atto del carattere non strettamente personale dei messaggi di risposta, che potranno essere noti all'organizzazione aziendale. Sono vietati la riproduzione e l'uso di questo messaggio in mancanza di autorizzazione del destinatario. Se avete ricevuto questo messaggio per errore, vogliate cortesemente chiamarci immediatamente per telefono o fax e distruggere quanto ricevuto (compresi i file allegati) senza farne copia. Qualsivoglia utilizzo non autorizzato del contenuto di questo messaggio costituisce violazione dell'obbligo di non prendere cognizione della corrispondenza tra altri soggetti.

1 0

Pam_ldap group access
by Indexer 17 Jun '10

17 Jun '10

I have recently been using openLDAP on a server for authentication. I have user auth working happily, but when i try and enable group_membership, it is not enforced. When a user with the correct group membership logs in, everything is happy, but when a user without the membership logins a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and login, and it is not enforcing the group membership. Many thanks, for your help (again) Here is my nss_ldap.conf (/etc/ldap.conf) base dc=chocolate,dc=lan suffix dc=chocolate,dc=lan uri ldap://ldap.chocolate.lan ldap_version 3 scope sub timelimit 3 bind_timelimit 3 bind_policy soft pam_filter objectclass=posixAccount pam_login_attribute uid pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan pam_member_attribute memberUid pam_password clear pam_password exop nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub nss_base_passwd ou=Computers,dc=chocolate,dc=lan?sub nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub ssl on ssl start_tls tls_cacert /usr/local/etc/openldap/keys/cacert.crt tls_checkpeer no And my pam.d/sshd auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn auth required pam_unix.so no_warn use_first_pass account required pam_nologin.so account required pam_login_access.so account optional pam_unix.so account optional /usr/local/lib/pam_ldap.so session required pam_permit.so session optional /usr/local/lib/pam_ldap.so password sufficient pam_unix.so no_warn use_first_pass

4 3

I can't login linux (console) using after configurate openldap
by Bruno Steven 16 Jun '10

16 Jun '10

HI, I have started openldap more Samba but I can't do logon via console on my linux, only access my system using ssh or telnet . When I am on console I put login and password and press "enter" , again show me screen login linux . If change /etc/nsswitch.conf fields passwd , shadow , group for files only, the login work normally , Thre is problem between openldap and pam ? I paste my /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap #hosts: db files nisplus nis dns hosts: files dns wins and /etc/pam.d/login n#%PAM-1.0 auth required pam_securetty.so auth required pam_nologin.so auth sufficient pam_ldap.so auth required pam_unix2.so nullok try_first_pass #set_secrpc account sufficient pam_ldap.so account required pam_unix2.so password required pam_pwcheck.so nullok password required pam_ldap.so use_first_pass use_authtok password required pam_unix2.so nullok use_first_pass use_authtok session required pam_unix2.so none # debug or trace session required pam_limits.so session required pam_env.so session optional pam_mail.so #auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so #auth include system-auth #account required pam_nologin.so #account include system-auth #password include system-auth # pam_selinux.so close should be the first session rule #session required pam_selinux.so close #session include system-auth #session required pam_loginuid.so #session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context #session required pam_selinux.so open #session optional pam_keyinit.so force revoke Thanks. -- Bruno Steven - Administrador de sistemas. LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4 https://www.lpi.org/caf/Xamman/certification MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100 https://mcp.microsoft.com/authenticate/validatemcp.aspx P Antes de imprimir pense em sua responsabilidade e comprometimento com o Meio Ambiente. Before printing this message, think about your ecologic responsability and environment commitment.

2 1

Re: I can't login linux (console) using after configurate openldap
by Chris Jacobs 16 Jun '10

16 Jun '10

Compare your login and ssh pam configs (ssh works, login doesn't). They'll be under /etc/pam.d/. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ________________________________ From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org To: openldap-technical(a)openldap.org Sent: Wed Jun 16 14:26:19 2010 Subject: I can't login linux (console) using after configurate openldap HI, I have started openldap more Samba but I can't do logon via console on my linux, only access my system using ssh or telnet . When I am on console I put login and password and press "enter" , again show me screen login linux . If change /etc/nsswitch.conf fields passwd , shadow , group for files only, the login work normally , Thre is problem between openldap and pam ? I paste my /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap #hosts: db files nisplus nis dns hosts: files dns wins and /etc/pam.d/login n#%PAM-1.0 auth required pam_securetty.so auth required pam_nologin.so auth sufficient pam_ldap.so auth required pam_unix2.so nullok try_first_pass #set_secrpc account sufficient pam_ldap.so account required pam_unix2.so password required pam_pwcheck.so nullok password required pam_ldap.so use_first_pass use_authtok password required pam_unix2.so nullok use_first_pass use_authtok session required pam_unix2.so none # debug or trace session required pam_limits.so session required pam_env.so session optional pam_mail.so #auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so #auth include system-auth #account required pam_nologin.so #account include system-auth #password include system-auth # pam_selinux.so close should be the first session rule #session required pam_selinux.so close #session include system-auth #session required pam_loginuid.so #session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context #session required pam_selinux.so open #session optional pam_keyinit.so force revoke Thanks. -- Bruno Steven - Administrador de sistemas. LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4 https://www.lpi.org/caf/Xamman/certification MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100 https://mcp.microsoft.com/authenticate/validatemcp.aspx P Antes de imprimir pense em sua responsabilidade e comprometimento com o Meio Ambiente. Before printing this message, think about your ecologic responsability and environment commitment. ________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2010