[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jerald Sheets questy at gmail.com
Wed Jun 3 16:15:01 EDT 2009


The reason I asked was that in RedHat-land, they have the idea of this
system-config-authentication that automagically sets the various parameters
you need.

I know that both /etc/ldap.conf and /etc/openldap/ldap.conf are affected,
and both of mine read a little differently:

/etc/ldap.conf

base dc=foo,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers \
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://ldap.foo.com/
tls_cacertdir /etc/openldap/cacerts
pam_password md5


/etc/openldap/ldap.conf

URI ldap://ldap.foo.com/
BASE dc=foo,dc=com
TLS_CACERTDIR /etc/openldap/cacerts


Other files apparently affected: (only pertinent lines pasted here)

/etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
automount:  files ldap


/etc/pam.d/system-auth

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

If system-config-authentication does any extra mojo not listed here, I am
unaware of it.

Gentoo's docs seem to be pretty straightforward on it as well.  Since you
emerged the ldap packages in, I won't bore you with the standard "did you
install <blah>" questions.

I have heard tale of some boxes needing windows-style reboots to get going,
but I have not experienced that in Redhat/CentOS.

Any other LDAP-ers see anything out of the ordinary here?

--j
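Since the discussion below turns on how libpam walks the auth stack (which module short-circuits, when pam_ldap is reached at all, and what a trailing pam_deny buys you), here is a small simulator of that control flow. It is an added example, not code from this thread or from Linux-PAM itself: it re-implements the keyword-to-action equivalences documented in pam.conf(5) and runs them over the system-auth lines pasted in the thread, with constructed per-module return codes standing in for what pam_unix and pam_ldap would actually answer. The function names, the FIXED table and the sample outcomes are all assumptions for illustration.

```python
"""Walk a Linux-PAM stack the way libpam does (added example, not from the thread).

It expands the simple control keywords into the [value=action ...] tables
that pam.conf(5) documents, then steps through one module type (auth,
account, ...) recording which modules actually get called and what the
stack finally returns.  Module behaviour is supplied as a dict of
module -> return code, so different login situations can be compared.
Jump actions such as "success=2" are not modelled.
"""
from dataclasses import dataclass, field

# Equivalences from pam.conf(5); "default" covers every code not listed.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# Modules whose return code does not depend on the user (assumed here).
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}


@dataclass
class Entry:
    mtype: str              # auth / account / password / session
    actions: dict           # return code -> ok | done | bad | die | ignore
    module: str             # e.g. pam_ldap.so
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse pam.d-style lines, accepting keyword and [...] control fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):
            ctrl, rest = rest[1:].split("]", 1)
        else:
            keyword, rest = rest.split(None, 1)
            ctrl = KEYWORDS[keyword]          # KeyError for include/substack
        actions = dict(tok.split("=", 1) for tok in ctrl.split())
        parts = rest.split()
        entries.append(Entry(mtype, actions, parts[0], parts[1:]))
    return entries


def run_stack(entries, mtype, outcomes):
    """Return (result, modules_invoked) for one module type.

    `outcomes` maps module name -> return code for this particular login;
    unlisted modules use FIXED or "success".  Mirrors libpam's dispatch:
    the first failure wins, `done` stops early only if nothing has failed,
    and a stack where nothing contributed is denied.
    """
    invoked = []
    impression = None                       # None, "success" or "fail"
    for e in entries:
        if e.mtype != mtype:
            continue
        invoked.append(e.module)
        code = outcomes.get(e.module, FIXED.get(e.module, "success"))
        action = e.actions.get(code, e.actions.get("default", "bad"))
        if action.isdigit():
            raise NotImplementedError("jump actions are not modelled")
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            impression = "fail"
            if action == "die":
                break
        elif impression != "fail":          # ok / done
            impression = "success"
            if action == "done":
                break
    return (impression or "fail"), invoked


# Constructed sample: the auth stack pasted in this thread plus the
# bracket-style account line from the Red Hat system-auth above.
SAMPLE_SYSTEM_AUTH = """
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass likeauth nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""


def scenario(outcomes, mtype="auth", text=SAMPLE_SYSTEM_AUTH):
    """Run one constructed login situation against the sample stack."""
    return run_stack(parse_pam(text), mtype, outcomes)


if __name__ == "__main__":
    cases = {
        "local user, good password": ({"pam_unix.so": "success"}, "auth"),
        "LDAP-only user, good password":
            ({"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}, "auth"),
        "wrong password everywhere":
            ({"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"}, "auth"),
        "account: user not in LDAP": ({"pam_ldap.so": "user_unknown"}, "account"),
        "account: LDAP says expired": ({"pam_ldap.so": "acct_expired"}, "account"),
    }
    for name, (outcomes, mtype) in cases.items():
        result, invoked = scenario(outcomes, mtype)
        print(f"{name:32} -> {result:8} via {' '.join(invoked)}")
```

Running it shows that with both lines marked sufficient, pam_ldap is consulted only after pam_unix declines (the default=ignore of sufficient lets the stack fall through rather than stopping), that a local user who authenticates against pam_unix never touches LDAP at all, and that the trailing required pam_deny is what turns "nothing succeeded" into an explicit denial. The account stack also shows why the bracket form is used there: user_unknown=ignore lets a purely local account pass pam_ldap, while any other non-success code from LDAP still fails the login.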




On Wed, Jun 3, 2009 at 3:56 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:

> Never mind; that wasn't the problem...
>
>
> On Wed, Jun 3, 2009 at 3:32 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>
>> It's Gentoo, but I think I might have found a serious problem...I think
>> the server and client ldap.conf files may be reversed; the server happens to
>> be working because as far as server directives go, the two files say the
>> same thing...
>>
>>
>> On Wed, Jun 3, 2009 at 3:12 PM, Jerald Sheets <questy at gmail.com> wrote:
>>
>>> Redhat/Debian/Ubuntu/Slack?  Which?
>>>
>>>
>>> On Wed, Jun 3, 2009 at 2:33 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>
>>>> Just like that.
>>>>
>>>>
>>>> On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <questy at gmail.com> wrote:
>>>>
>>>>> What does your /etc/nsswitch.conf look like for passwd/shadow/group?
>>>>>
>>>>> passwd:     files ldap
>>>>> shadow:     files ldap
>>>>> group:      files ldap
>>>>>
>>>>>
>>>>> --j
>>>>>
>>>>>
>>>>> On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>>>
>>>>>> That makes it worse.  See log output with it both ways at
>>>>>> http://pastebin.com/m5fca56.
>>>>>>
>>>>>> With the pam_ldap line where it was, I'm at least able to get
>>>>>> "(Invalid credentials)" returned from pam_ldap; when moved up above the
>>>>>> pam_unix line, pam_ldap never makes a response.
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://pastebin.com/m5fca56
>>>>>>
>>>>>>
>>>>>> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>>>>
>>>>>>> move the pam_ldap line up one. The line above it will always capture
>>>>>>> an event and the ldap line is never called. pam is a sequential
>>>>>>> process down the chain.
>>>>>>>
>>>>>>> In fact, if you want to tighten the security, put the pam_deny line
>>>>>>> before any "sufficient" lines in auth.
>>>>>>>
>>>>>>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs<jeffrey.hubbs at gmail.com>
>>>>>>> wrote:
>>>>>>> > Jerald -
>>>>>>> >
>>>>>>> > That line is in there...in fact, let me paste the whole system-auth
>>>>>>> file:
>>>>>>> >
>>>>>>> > #%PAM-1.0
>>>>>>> >
>>>>>>> > auth            required        pam_env.so
>>>>>>> > auth            sufficient      pam_unix.so try_first_pass likeauth
>>>>>>> nullok
>>>>>>> > auth            sufficient      pam_ldap.so use_first_pass
>>>>>>> > auth            required        pam_deny.so
>>>>>>> >
>>>>>>> > account         required        pam_unix.so
>>>>>>> > account         sufficient      pam_ldap.so
>>>>>>> >
>>>>>>> > password        required        pam_cracklib.so difok=2 minlen=8
>>>>>>> dcredit=2
>>>>>>> > ocredit=2 try_first_pass retry=3
>>>>>>> > password        sufficient      pam_unix.so try_first_pass nullok
>>>>>>> md5 shadow
>>>>>>> > use_authtok
>>>>>>> > password        sufficient      pam_ldap.so use_authtok
>>>>>>> > password        required        pam_deny.so
>>>>>>> >
>>>>>>> > session         required        pam_limits.so
>>>>>>> > session         required        pam_unix.so
>>>>>>> > session         optional        pam_ldap.so
>>>>>>> >
>>>>>>> >
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> Also, to let pam know about ldap, look for a line like so:
>>>>>>> >>
>>>>>>> >> auth        sufficient    pam_ldap.so use_first_pass
>>>>>>> >>
>>>>>>> >> in /etc/pam.d/system-auth
>>>>>>> >>
>>>>>>> >> Also, if you want to have home directories automagically made for
>>>>>>> >> first-time logins, you need:
>>>>>>> >>
>>>>>>> >> session     required      pam_mkhomedir.so
>>>>>>> >
>>>>>>> > Cool trick - dunno if I'll use that now but it's good to know.
>>>>>>> >
>>>>>>> > Thanks,
>>>>>>> > Jeff
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > Ale mailing list
>>>>>>> > Ale at ale.org
>>>>>>> > http://mail.ale.org/mailman/listinfo/ale
>>>>>>> >
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> --
>>>>>>> James P. Kinney III
>>>>>>> Actively in pursuit of Life, Liberty and Happiness
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ---
>>>>> Jerald M. Sheets jr.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> ---
>>> Jerald M. Sheets jr.
>>>
>>>
>>>
>>>
>>
>
>
>


-- 
---
Jerald M. Sheets jr.