Another note here...<br><br>The ldap-based products that I have installed on a client (that's all it does... client) are the following:<br><br>openldap-clients-2.3.27-8.el5_1.3<br>openldap-devel-2.3.27-8.el5_1.3<br>nss_ldap-253-12.el5<br>
openldap-2.3.27-8.el5_1.3<br><br>That's what RedHat installed by default when I told Kickstart "I want whatever I need to auth against LDAP."<br><br>I'm not saying there's more than I need there, and I'm not saying that's all required, it's just what RedHat installed.<br>
<br>I know that if you don't have *clients and *nss_ldap, the auth won't work, but I don't know (what with RedHat's packaging practices) whether the rest of those are needed, or just their whimsy.<br><br>Hope that helps.<br>
<br>--jms<br><br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 4:15 PM, Jerald Sheets <span dir="ltr"><<a href="mailto:questy@gmail.com">questy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The reason I asked was that in RedHat-land, they have the idea of this system-config-authentication that automagically sets the various parameters you need.<br><br>I know that both /etc/ldap.conf and /etc/openldap/ldap.conf are affected, and both of mine read a little differently:<br>
<br>/etc/ldap.conf<br><br>base dc=foo,dc=com<br>timelimit 120<br>bind_timelimit 120<br>idle_timelimit 3600<br>nss_initgroups_ignoreusers \<br>root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman<br>uri ldap://<a href="http://ldap.foo.com/" target="_blank">ldap.foo.com/</a><br>
tls_cacertdir /etc/openldap/cacerts<br>pam_password md5<br><br><br>/etc/openldap/ldap.conf<br><br>URI ldap://<a href="http://ldap.foo.com/" target="_blank">ldap.foo.com/</a><br>BASE dc=foo,dc=com<br>TLS_CACERTDIR /etc/openldap/cacerts<br>
<br><br>Other files apparently affected: (only pertinent lines pasted here)<br><br>/etc/nsswitch.conf<div class="im"><br><br>passwd: files ldap<br>shadow: files ldap<br>group: files ldap<br></div>netgroup: files ldap<br>
automount: files ldap<div class="im"><br>
<br><br>/etc/pam.d/system-auth<br><br></div><div class="im">auth sufficient pam_ldap.so use_first_pass<br></div>account [default=bad success=ok user_unknown=ignore] pam_ldap.so<div class="im"><br>password sufficient pam_ldap.so use_authtok<br>
</div><div class="im">session optional pam_ldap.so<br>
<br></div>If system-config-authentication does any extra mojo not listed here, I am unaware of it.<br><br>Gentoo's docs seem to be pretty straightforward on it as well. Since you emerged the ldap packages in, I won't bore you with the standard "did you install <blah>" questions.<br>
<br>I have heard tale of some boxes needing windows-style reboots to get going, but I have not experienced that in Redhat/CentOS.<br><br>Any other LDAP-ers see anything out of the ordinary here?<br><font color="#888888"><br>
--j</font><div><div></div><div class="h5"><br><br><br><br>
<br><div class="gmail_quote">On Wed, Jun 3, 2009 at 3:56 PM, Jeff Hubbs <span dir="ltr"><<a href="mailto:jeffrey.hubbs@gmail.com" target="_blank">jeffrey.hubbs@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Never mind; that wasn't the problem...<div><div></div><div><br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 3:32 PM, Jeff Hubbs <span dir="ltr"><<a href="mailto:jeffrey.hubbs@gmail.com" target="_blank">jeffrey.hubbs@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">It's Gentoo, but I think I might have found a serious problem...I think the server and client ldap.conf files may be reversed; the server happens to be working because as far as server directives go, the two files say the same thing...<div>
<div></div><div><br>
<br><div class="gmail_quote">On Wed, Jun 3, 2009 at 3:12 PM, Jerald Sheets <span dir="ltr"><<a href="mailto:questy@gmail.com" target="_blank">questy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Redhat/Debian/Ubuntu/Slack? Which?<div><div></div><div><br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 2:33 PM, Jeff Hubbs <span dir="ltr"><<a href="mailto:jeffrey.hubbs@gmail.com" target="_blank">jeffrey.hubbs@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Just like that.<div><div></div><div><br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <span dir="ltr"><<a href="mailto:questy@gmail.com" target="_blank">questy@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
What does your /etc/nsswitch.conf look like for passwd/shadow/group?<br><br>passwd: files ldap<br>shadow: files ldap<br>group: files ldap<br><br><br>--j<div><div></div><div><br><br><div class="gmail_quote">
On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <span dir="ltr"><<a href="mailto:jeffrey.hubbs@gmail.com" target="_blank">jeffrey.hubbs@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">That makes it worse. See log output with it both ways at <a href="http://pastebin.com/m5fca56" target="_blank">http://pastebin.com/m5fca56</a>.<br>
<br>With the pam_ldap line where it was, I'm at least able to get "(Invalid credentials)" returned from pam_ldap; when moved up above the pam_unix line, pam_ldap never makes a response.<br>
<br><br><br><a href="http://pastebin.com/m5fca56" target="_blank">http://pastebin.com/m5fca56</a><div><div></div><div><br><br><div class="gmail_quote">On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">move the pam_ldap line up one. The line above it will always capture<br>
an event and the ldap line is never called. pam is a sequential<br>
process down the chain.<br>
<br>
In fact, if you want to tighten the security, put the pam_deny line<br>
before any "sufficient" lines in auth.<br>
<div><div></div><div><br>
On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs<<a href="mailto:jeffrey.hubbs@gmail.com" target="_blank">jeffrey.hubbs@gmail.com</a>> wrote:<br>
> Jerald -<br>
><br>
> That line is in there...in fact, let me paste the whole system-auth file:<br>
><br>
> #%PAM-1.0<br>
><br>
> auth required pam_env.so<br>
> auth sufficient pam_unix.so try_first_pass likeauth nullok<br>
> auth sufficient pam_ldap.so use_first_pass<br>
> auth required pam_deny.so<br>
><br>
> account required pam_unix.so<br>
> account sufficient pam_ldap.so<br>
><br>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2<br>
> ocredit=2 try_first_pass retry=3<br>
> password sufficient pam_unix.so try_first_pass nullok md5 shadow<br>
> use_authtok<br>
> password sufficient pam_ldap.so use_authtok<br>
> password required pam_deny.so<br>
><br>
> session required pam_limits.so<br>
> session required pam_unix.so<br>
> session optional pam_ldap.so<br>
><br>
><br>
>><br>
>><br>
>> Also, to let pam know about ldap, look for a line like so:<br>
>><br>
>> auth sufficient pam_ldap.so use_first_pass<br>
>><br>
>> in /etc/pam.d/system-auth<br>
>><br>
>> Also, if you want to have home directories automagically made for<br>
>> first-time logins, you need:<br>
>><br>
>> session required pam_mkhomedir.so<br>
><br>
> Cool trick - dunno if I'll use that now but it's good to know.<br>
><br>
> Thanks,<br>
> Jeff<br>
><br>
</div></div>> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
><br>
><br>
<br>
<br>
<br>
--<br>
<font color="#888888">--<br>
James P. Kinney III<br>
Actively in pursuit of Life, Liberty and Happiness<br>
<br>
</font></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br></div></div>---<br>Jerald M. Sheets jr.<br><br>
<br></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>---<br>Jerald M. Sheets jr.<br><br>
</div></div><br>
<br></blockquote></div><br>
</div></div></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>---<br>Jerald M. Sheets jr.<br><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>---<br>Jerald M. Sheets jr.<br><br>
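As an added example (my own code, not anything posted in the thread), here is a small model of how Linux-PAM walks one facility of the system-auth stack Jeff posted: a `sufficient` module's failure is skipped and the next line is still consulted, its success ends the stack only when no `required` failure has been recorded before it, and the RedHat account line's `[default=bad success=ok user_unknown=ignore]` control behaves differently from a plain `sufficient`. The per-user module return codes are constructed.

```python
# Added example: a simplified model of how Linux-PAM walks one facility (auth,
# account, ...) of a stack like the system-auth files posted in this thread.
# Per-user module outcomes are constructed; real modules decide those themselves.

CONTROL = {  # classic keywords expressed as Linux-PAM's bracketed actions
    "required":   {"success": "ok",   "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(token):
    """Map a control field to {return_value: action}; accepts a keyword or the
    bracketed form, e.g. "[default=bad success=ok user_unknown=ignore]"."""
    if token.startswith("["):
        return dict(p.split("=", 1) for p in token.strip("[]").split())
    return CONTROL[token]

def run_stack(stack, outcomes):
    """stack: [(control, module), ...] in file order.  outcomes: {module:
    "success" | "user_unknown" | "auth_err"} for this user; pam_deny.so always
    fails.  Returns (final_result, modules_consulted)."""
    impression, status, consulted = None, "perm_denied", []
    for control, module in stack:
        rv = "auth_err" if module == "pam_deny.so" else outcomes.get(module, "auth_err")
        consulted.append(module)
        actions = parse_control(control)
        action = actions.get(rv, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None:        # first verdict and no failure recorded yet
                impression, status = "positive", "success"
            if action == "done" and impression == "positive":
                return status, consulted  # 'sufficient' success ends the stack ...
        elif action in ("bad", "die"):    # ... unless a 'required' failure was recorded
            if impression != "negative":
                impression, status = "negative", rv
            if action == "die":
                return status, consulted
    return status, consulted

# The auth stack as posted (Gentoo), a variant with pam_deny moved to the top,
# and the RedHat account line with an explicit bracketed control.
AUTH = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
        ("sufficient", "pam_ldap.so"), ("required", "pam_deny.so")]
AUTH_DENY_FIRST = [("required", "pam_deny.so")] + AUTH
ACCOUNT_RH = [("required", "pam_unix.so"),
              ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so")]
# Constructed per-user outcomes: local account, LDAP-only account, LDAP account with a bad password.
LOCAL_USER = {"pam_env.so": "success", "pam_unix.so": "success", "pam_ldap.so": "user_unknown"}
LDAP_USER = {"pam_env.so": "success", "pam_unix.so": "user_unknown", "pam_ldap.so": "success"}
LDAP_BADPW = {"pam_env.so": "success", "pam_unix.so": "user_unknown", "pam_ldap.so": "auth_err"}
```

Running `run_stack(AUTH, LDAP_USER)` shows pam_ldap being consulted after pam_unix fails, and `run_stack(AUTH_DENY_FIRST, LOCAL_USER)` shows a recorded `required` failure that no later `sufficient` success can override.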