Spirit n00b
Joined: 04 Jun 2003 Posts: 28 Location: Köln, Germany
Posted: Wed Oct 10, 2007 7:23 pm Post subject: openldap authentication(?) problem
Hi all,
I've recently set up an openldap server with samba as a PDC and pam authentication, following the guide at:
http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Basic_Setup
PDC works fine so far and I'm able to log in via ldap.
I've created a user profile via smbldap-useradd. It creates the home directory and the user can log in via ssh, no problem there.
Output of "getent passwd" shows the new user. Everything fine.
Things have been going strange since I changed my ACL from:
Code:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
to:
Code:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to *
    by dn="uid=root,ou=Users,dc=home,dc=local" write
    by * search
    by users read
    by anonymous auth
The new user cannot log in anymore, and "getent passwd" does not show the user (as it is stored in ldap).
I'm suspecting pam to be the problem here. It's like it doesn't get the information from ldap but only tries the passwd file.
Here's my /etc/pam.d/system-auth:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so
# This can be used only if you enabled the cracklib USE flag
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
# This can be used only if you enabled the cracklib USE flag
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
# This can be used only if you enabled the !cracklib USE flag
# password sufficient pam_unix.so try_first_pass nullok md5 shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_ldap.so
/etc/nsswitch.conf
Code:
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd: files ldap
shadow: files ldap
group: files ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
/etc/ldap.conf
Code:
base dc=home,dc=local
uri ldap://127.0.0.1/
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd ou=Computers,dc=home,dc=local?sub
nss_base_passwd ou=Users,dc=home,dc=local?sub
nss_base_shadow ou=Users,dc=home,dc=local?sub
nss_base_group ou=Groups,dc=home,dc=local?one
ssl no
logdir /var/log/nss_ldap
Did I overlook something?
_________________
Bombing for peace is like fucking for virginity!
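Added example, not part of the post above and not OpenLDAP code: a small Python model of how slapd evaluates the ACLs quoted in the post. Per slapd.access(5), inside the first `access to` directive whose `<what>` matches, the first `by` clause whose `<who>` matches the requester decides the access level and the remaining clauses are never consulted. Since `by *` matches every requester, anything written after `by * search` in the second ACL is dead, and `search` only lets an attribute be tested in a filter while `read` is needed to return it. The `/etc/ldap.conf` in the post sets no `binddn`, so nss_ldap binds anonymously; the model evaluates that case with `bind_dn=None`. The parser, the function names and the user DN `uid=alice,...` are hypothetical and cover only the syntax the post uses.

```python
"""Model of slapd's first-match ACL evaluation, run over the two ACLs from the post.
Added example, not code from the post or from OpenLDAP; the parser, the function
names and the user DN are hypothetical and cover only the syntax the post uses."""

# Access levels in ascending order (slapd.access(5)); each level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two ACLs quoted in the post, verbatim.
OLD_ACL = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""
NEW_ACL = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to *
    by dn="uid=root,ou=Users,dc=home,dc=local" write
    by * search
    by users read
    by anonymous auth
"""
ROOT_DN = "uid=root,ou=Users,dc=home,dc=local"   # taken from the post's ACL
USER_DN = "uid=alice,ou=Users,dc=home,dc=local"  # hypothetical; the post shows no user DN

def parse_acl(text):
    """'access to <what>' / 'by <who> <level>' lines -> [(what, [(who, level), ...])]."""
    directives = []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[:2] == ["access", "to"] and len(words) == 3:
            directives.append((words[2], []))
        elif words[0] == "by" and len(words) >= 3 and directives:
            directives[-1][1].append((" ".join(words[1:-1]), words[-1]))
        else:
            raise ValueError("unsupported ACL line: " + raw.strip())
    return directives

def what_matches(what, attr):
    """'*' matches every attribute; 'attrs=a,b' only the listed ones."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, target_dn):
    """<who> forms used in the post; bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False  # 'users', 'self' and dn="..." all require an authenticated bind
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported <who>: " + who)

def granted(directives, bind_dn, target_dn, attr):
    """Level slapd grants: the first directive whose <what> matches attr is used, and
    inside it the first 'by' whose <who> matches decides; later clauses are never
    consulted. Every directive ends with an implicit 'by * none'."""
    for what, clauses in directives:
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"  # modeling assumption when no directive matches; unreachable for these ACLs

def allowed(directives, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(directives, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def dead_clauses(directives):
    """'by' clauses that can never fire because an earlier clause in the same directive is 'by *'."""
    dead = []
    for what, clauses in directives:
        after_star = False
        for who, level in clauses:
            if after_star:
                dead.append((what, who, level))
            after_star = after_star or who == "*"
    return dead

if __name__ == "__main__":
    for name, text in (("old", OLD_ACL), ("new", NEW_ACL)):
        acl = parse_acl(text)
        for dn in (None, USER_DN, ROOT_DN):
            print(name, dn, "uid:", granted(acl, dn, USER_DN, "uid"),
                  "userPassword:", granted(acl, dn, USER_DN, "userPassword"))
        print(name, "unreachable clauses:", dead_clauses(acl))
```

Running it shows the old ACL granting anonymous binds `read` on `uid`, while the new one grants both anonymous and authenticated non-root binds only `search`, and `dead_clauses` lists `by users read` and `by anonymous auth` as unreachable. Moving `by users read` above `by * search` would restore `read` for authenticated binds in this model; an anonymous bind (nss_ldap with no `binddn`) would still get `search` only.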