M1Sports20 (Apprentice)
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Tue Apr 25, 2006 10:45 pm Post subject: passwd & OpenLDAP & pam_ldap.so
I am using LDAP just fine, except the passwd command won't work.
Console Output
Code:
passwd
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server

/etc/pam.d/passwd
Code:
auth include system-auth
account include system-auth
password include system-auth

/etc/pam.d/system-auth
Code:
# lock out users after too many password attempts, except root
auth required pam_tally.so onerr=fail no_magic_root
# set env vars
auth required pam_env.so
# the nodelay option can be added to the following line to stop the 1 sec delay
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# lock out users after 5 failed password attempts, except root
account required pam_tally.so deny=5 reset no_magic_root
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=2 ocredit=2
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
# create home dirs if they don't exist
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so

/etc/ldap.conf
Code:
ssl start_tls
ssl on
suffix "dc=mspradling,dc=com"
uri ldap://localhost ldaps://localhost:636
pam_password smd5
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=people,dc=mspradling,dc=com
nss_base_shadow ou=people,dc=mspradling,dc=com
nss_base_group ou=groups,dc=mspradling,dc=com
scope one

/etc/openldap/ldap.conf
Code:
BASE dc=mspradling,dc=com
URI ldap://localhost ldaps://localhost
TLS_REQCERT never

/etc/openldap/slapd.conf ACLs
Code:
access to *
by users read
by anonymous read
access to attrs=userPassword,description,loginShell,givenName
by anonymous auth
by self write
by * none

/var/log/syslog
Code:
Apr 25 22:44:04 mspradling slapd[18572]: conn=34 fd=11 ACCEPT from IP=127.0.0.1:37078 (IP=0.0.0.0:389)
Apr 25 22:44:04 mspradling slapd[18572]: conn=34 fd=11 closed
Apr 25 22:44:04 mspradling slapd[18572]: conn=35 fd=11 ACCEPT from IP=127.0.0.1:45475 (IP=0.0.0.0:636)
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=0 BIND dn="" method=128
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=0 RESULT tag=97 err=0 text=
Apr 25 22:44:04 mspradling slapd[23493]: conn=35 op=1 SRCH base="ou=people,dc=mspradling,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[23493]: conn=35 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 25 22:44:04 mspradling slapd[23493]: conn=35 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=2 SRCH base="ou=people,dc=mspradling,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:04 mspradling passwd(pam_unix)[3148]: user "clendenb" does not exist in /etc/passwd
Apr 25 22:44:04 mspradling slapd[18572]: conn=36 fd=16 ACCEPT from IP=127.0.0.1:45271 (IP=0.0.0.0:389)
Apr 25 22:44:04 mspradling slapd[18572]: conn=36 fd=16 closed
Apr 25 22:44:04 mspradling slapd[18572]: conn=37 fd=16 ACCEPT from IP=127.0.0.1:47837 (IP=0.0.0.0:636)
Apr 25 22:44:04 mspradling slapd[23493]: conn=37 op=0 BIND dn="" method=128
Apr 25 22:44:04 mspradling slapd[23493]: conn=37 op=0 RESULT tag=97 err=0 text=
Apr 25 22:44:04 mspradling slapd[3609]: conn=37 op=1 SRCH base="ou=people,dc=mspradling,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[3609]: conn=37 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" method=128
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" mech=SIMPLE ssf=0
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 RESULT tag=97 err=0 text=
Apr 25 22:44:06 mspradling slapd[3609]: conn=37 op=3 BIND anonymous mech=implicit ssf=0
Apr 25 22:44:06 mspradling slapd[3609]: conn=37 op=3 BIND dn="" method=128
Apr 25 22:44:06 mspradling slapd[3609]: conn=37 op=3 RESULT tag=97 err=0 text=
Apr 25 22:44:10 mspradling slapd[23493]: conn=35 op=3 SRCH base="ou=people,dc=mspradling,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1002))"
Apr 25 22:44:10 mspradling slapd[23493]: conn=35 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 25 22:44:10 mspradling slapd[23493]: conn=35 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:12 mspradling passwd(pam_unix)[3148]: user "clendenb" does not exist in /etc/passwd
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" method=128
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" mech=SIMPLE ssf=0
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 RESULT tag=97 err=0 text=
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 MOD dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com"
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 MOD attr=userPassword
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 RESULT tag=103 err=50 text=
Apr 25 22:44:12 mspradling passwd[3148]: pam_ldap: ldap_modify_s Insufficient access
Apr 25 22:44:12 mspradling slapd[18572]: conn=35 fd=11 closed
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=6 UNBIND
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 fd=16 closed
Thanks if anyone can help
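The slapd lines in the syslog excerpt above are stats-level logging, and they can be correlated mechanically: every line carries conn= and op=, so a failing RESULT can be tied back to the operation it belongs to and to the DN that was bound on that connection at the time. The script below is an added example, not code from the thread or from OpenLDAP; it feeds a copied subset of the posted log lines through such a correlator and reports each non-zero result together with the LDAP result code name (50 is insufficientAccessRights, which is what the pam_ldap "Insufficient access" line reports). The result-code table only covers the codes seen on this page plus a few common ones.

```python
"""Correlate slapd stats-log lines by conn/op and report failed operations
(added example; the log excerpt is a copied subset of the thread's syslog)."""
import re

LOG = """\
Apr 25 22:44:04 mspradling slapd[18572]: conn=37 fd=16 ACCEPT from IP=127.0.0.1:47837 (IP=0.0.0.0:636)
Apr 25 22:44:04 mspradling slapd[23493]: conn=37 op=0 BIND dn="" method=128
Apr 25 22:44:04 mspradling slapd[23493]: conn=37 op=0 RESULT tag=97 err=0 text=
Apr 25 22:44:04 mspradling slapd[3609]: conn=37 op=1 SRCH base="ou=people,dc=mspradling,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[3609]: conn=37 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" mech=SIMPLE ssf=0
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 RESULT tag=97 err=0 text=
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" mech=SIMPLE ssf=0
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 RESULT tag=97 err=0 text=
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 MOD dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com"
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 MOD attr=userPassword
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 RESULT tag=103 err=50 text=
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=6 UNBIND
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 fd=16 closed
"""

# Message part after the syslog prefix: conn=N [fd=N] [op=N] <rest>
LINE_RE = re.compile(r'slapd\[\d+\]: conn=(\d+)(?: fd=\d+)?(?: op=(\d+))? (.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')

# LDAP result codes (RFC 4511) that appear on the page, plus common ones.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def failed_ops(log_text):
    """Return one record per operation whose RESULT line has err != 0."""
    bound = {}     # conn -> DN bound after the last successful BIND ("" = anonymous)
    ops = {}       # (conn, op) -> details accumulated across that op's lines
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2) is None:
            continue   # ACCEPT/closed lines carry no op= and are not needed here
        conn, op, msg = int(m.group(1)), int(m.group(2)), m.group(3)
        rec = ops.setdefault((conn, op), {"kind": msg.split()[0], "dn": None, "attrs": []})
        dn = DN_RE.search(msg)
        if dn:
            rec["dn"] = dn.group(1)
        if msg.startswith("MOD attr="):
            rec["attrs"].append(msg[len("MOD attr="):])
        if msg.startswith("RESULT") or msg.startswith("SEARCH RESULT"):
            err = int(ERR_RE.search(msg).group(1))
            if rec["kind"] == "BIND" and err == 0:
                bound[conn] = rec["dn"] or ""      # bind succeeded: remember identity
            elif err != 0:
                failures.append({
                    "conn": conn, "op": op, "kind": rec["kind"],
                    "target": rec["dn"], "attrs": rec["attrs"],
                    "bound_dn": bound.get(conn, ""),
                    "err": err, "meaning": RESULT_CODES.get(err, "unknown"),
                })
    return failures


if __name__ == "__main__":
    for f in failed_ops(LOG):
        print("conn=%d op=%d %s on %s attrs=%s as '%s': err=%d (%s)" % (
            f["conn"], f["op"], f["kind"], f["target"], ",".join(f["attrs"]),
            f["bound_dn"], f["err"], f["meaning"]))
```

The same correlator works on a full stats log; with several connections interleaved it is the conn= key that keeps a failing MOD on one connection from being attributed to a DN bound on another.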
expat_iain (Guru)
Joined: 09 Jan 2004 Posts: 361 Location: Malta GC
Posted: Wed Apr 26, 2006 11:20 am
What's in /etc/nsswitch.conf?
Regs.
Iain.
Janne Pikkarainen (Veteran)
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Wed Apr 26, 2006 11:44 am Post subject: Re: passwd & OpenLDAP & pam_ldap.so
M1Sports20 wrote:
/etc/openldap/slapd.conf ACLs
Code:
access to *
by users read
by anonymous read
access to attrs=userPassword,description,loginShell,givenName
by anonymous auth
by self write
by * none
Maybe you should swap those? If my memory serves me right, slapd stops searching for ACLs after the first match, so currently your setup provides read-only access. Try to put it this way:
Code:
access to attrs=userPassword,description,loginShell,givenName
by anonymous auth
by self write
by * none
access to *
by users read
by anonymous read
Then restart your slapd and hope for the best.
_________________
Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".
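The first-match rule this reply relies on can be checked offline with the small model below. It is an added example, not code from the thread or from OpenLDAP; it implements the evaluation order documented in slapd.access(5) for just the selectors used on this page: the first access directive whose target selects the attribute is the only one consulted, within it the first matching by clause decides, a directive with no matching by clause denies, and access levels are ordered none, disclose, auth, compare, search, read, write, with a granted level satisfying every lower one. The two ACL texts are copies of the orderings from this thread; OTHER_DN is a constructed entry. With the original ordering the model denies the self-write on userPassword that failed with err=50 in the posted log, and it also grants every authenticated user read on everyone else's userPassword, because the "by users read" clause on "access to *" is reached first. With the swapped ordering the self-write is granted, while an anonymous read of loginShell is denied, since loginShell sits in the attrs directive where anonymous only gets auth; whether that is what broke logins later in the thread is not established on the page.

```python
"""Model of how slapd evaluates slapd.conf access directives: the first directive
whose <what> selects the target is consulted, and within it the first matching
<by> clause decides (added example, not OpenLDAP code)."""

# Access levels in ascending order as listed in slapd.access(5); a granted level
# also satisfies every lower one (e.g. "read" satisfies "auth").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into directives.
    Supports only the forms used in the thread: '*' or 'attrs=...' targets."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                attrs = None                                  # every attribute
            elif what.startswith("attrs="):
                attrs = {a.strip() for a in what[len("attrs="):].split(",")}
            else:
                raise ValueError("unsupported <what>: " + what)
            directives.append({"attrs": attrs, "by": []})
        elif line.startswith("by "):
            _, who, level = line.split()[:3]
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            directives[-1]["by"].append((who, level))
        else:
            raise ValueError("unexpected line: " + line)
    return directives


def who_matches(who, requester, target):
    """`requester` is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target
    raise ValueError("unsupported <who>: " + who)


def allowed(acl, requester, target, attr, wanted):
    """True if slapd would grant `wanted` access to `attr` of entry `target`."""
    for d in acl:
        if d["attrs"] is not None and attr not in d["attrs"]:
            continue                          # this directive does not select attr
        # The first directive selecting the target decides; later ones are skipped.
        for who, level in d["by"]:
            if who_matches(who, requester, target):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False                          # no <by> matched: implicit "by * none"
    return False                              # no directive matched: deny


# Copies of the two orderings discussed in the thread.
ORIGINAL_ORDER = """
access to *
    by users read
    by anonymous read
access to attrs=userPassword,description,loginShell,givenName
    by anonymous auth
    by self write
    by * none
"""
SWAPPED_ORDER = """
access to attrs=userPassword,description,loginShell,givenName
    by anonymous auth
    by self write
    by * none
access to *
    by users read
    by anonymous read
"""

USER_DN = "cn=Brian Clendening,ou=people,dc=mspradling,dc=com"   # DN from the log
OTHER_DN = "cn=Other User,ou=people,dc=mspradling,dc=com"        # constructed


def checks(acl_text):
    """Evaluate the requests that matter for passwd(1) and for nss/pam lookups."""
    acl = parse_acl(acl_text)
    return {
        "self writes own userPassword": allowed(acl, USER_DN, USER_DN, "userPassword", "write"),
        "anonymous auth on userPassword": allowed(acl, None, USER_DN, "userPassword", "auth"),
        "other user reads userPassword": allowed(acl, OTHER_DN, USER_DN, "userPassword", "read"),
        "anonymous reads loginShell": allowed(acl, None, USER_DN, "loginShell", "read"),
        "anonymous reads uid": allowed(acl, None, USER_DN, "uid", "read"),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ORDER), ("swapped", SWAPPED_ORDER)):
        print(name)
        for request, ok in checks(text).items():
            print("  %-32s %s" % (request, "granted" if ok else "DENIED"))
```

Running it prints the five checks for each ordering; the "other user reads userPassword" row is the one worth noticing for the original ordering, since it shows the catch-all directive handing out password hashes to any bound user, not just blocking the self-write.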
M1Sports20 (Apprentice)
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Thu Apr 27, 2006 1:23 am
/etc/nsswitch.conf:
Code:
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $
#MS +diff
passwd: ldap files
shadow: ldap files
group: ldap files
#MS -diff
#passwd: compat
#shadow: compat
#group: compat
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
M1Sports20 (Apprentice)
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Thu Apr 27, 2006 1:29 am
The tip in the above post worked.
Thanks, didn't know that's how LDAP worked.
M1Sports20 (Apprentice)
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Thu Apr 27, 2006 3:13 am
Sorry for the multiposts.
The above solution does work for changing passwords, although now users can't log in.
Janne Pikkarainen (Veteran)
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Thu Apr 27, 2006 6:08 am
Try this first, so we see if the previous by * none was nagging users.
Code:
access to attrs=userPassword,description,loginShell,givenName
by anonymous auth
by self write
access to *
by users read
by anonymous read
M1Sports20 (Apprentice)
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Thu Apr 27, 2006 9:26 pm
Yep, that worked.