OSEC

From: Vincent Danen (vdanenmandrakesoft.com)
Date: Fri Mar 15 2002 - 22:46:39 CST


    I'm working on setting up openldap to be an authentication system for
    user logins for my LAN. I had done it once with NIS, hated it, so
    discarded the idea, but decided to give it a whirl with openldap.
    I've gotten it going real nice *except* for the actual authentication,
    and I'm hoping maybe someone else has done it and can provide a few
    pointers.

    I've set up the users and groups in openldap (I decided against using
    the migration scripts to migrate everything and decided to just use it
    for user accounts, not system accounts or root). I also imported the
    hosts file.

    I've gotten nss_ldap configured and it works well... host lookups are
    done via the openldap server (the only requirement I seemed to need
    was to have the IP for the openldap server in the /etc/hosts
    file... everything is pulled from LDAP), and likewise with user/group
    lookups... If I do "getent passwd", I see the user info that is in
    LDAP as well as what's in the local files (I have nsswitch.conf set up
    to use "files ldap" for resolution).

    The problem I get is with pam_ldap and I'm a little confused because
    all of the example files that come with pam_ldap don't use
    system-auth. I tried inserting the calls to pam_ldap.so in the
    /etc/pam.d/system-auth file, but it doesn't work... and this could be
    due to two things, from what I can see:

    a) it's not properly reading the md5 password... I created the users
    locally first and then imported the passwords changing the {crypt} to
    {md5} prefix because the migrate_passwd.pl seems to insist on using
    {crypt} (I've got this running on mdk8.2 and it's using md5
    passwords). But the md5 password string is very different from, say,
    using slappasswd -h {MD5} and using the same password. Could this be
    causing the problem? I'm not sure because I suspect that pam is
    what's reading it, so it should be a "pamified" md5 password, so I
    think it's correct, but I'm not sure.

    b) my pam setup is hooped because I don't really know where to insert
    pam_ldap.so into the stack (I did it before system-auth directly,
    i.e. for login, and also tried with pam_ldap.so just before
    pam_unix.so in the system-auth pam file... neither worked).

    The strange thing I get is at the console I put in the user's name, it
    prompts for a password, I enter it, then it again prompts for the
    password, I enter it, and then I get a failed login.

    I'm quite sure this is a pam problem because, as I said, everything
    else seems to work. Does anyone have any pointers for this? All the
    tutorials I've looked at don't seem to use system-auth so I could
    change the pam files to use non-system-auth"-ified" calls, but I think
    that wouldn't be as nice (I mean, system-auth must be there for a
    reason, right?).

    Not having done too much with pam before, I'm really not sure where to
    go with this.

    Thanks for any ideas.

    -- 
    MandrakeSoft Security; http://www.mandrakesecure.net/
    "lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
    1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD

    Current Linux kernel 2.4.8-34.1mdk uptime: 4 days 9 hours 16 minutes.
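An added example, not part of Vincent's message, that illustrates point (a): in OpenLDAP, {MD5} holds base64 of the raw MD5 digest (what slappasswd -h {MD5} prints), while the "$1$salt$hash" string an md5-enabled /etc/shadow holds is md5-crypt, a crypt(3) format that belongs under {CRYPT}, so relabelling it {md5} produces a value slapd cannot match. The scheme conventions are assumed from OpenLDAP's documented formats, and every sample value is constructed for the example:

```python
import base64
import hashlib
import hmac
import re

# Assumed conventions (OpenLDAP's documented ones, not code from the post):
# {MD5}/{SHA} carry base64(digest); {SMD5}/{SSHA} carry base64(digest + salt);
# {CRYPT} carries a crypt(3) string, e.g. the md5-crypt "$1$salt$hash" form.
MD5CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}

def make_md5(password: str) -> str:
    """Same value that 'slappasswd -h {MD5}' prints: base64 of the raw digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def make_ssha(password: str, salt: bytes) -> str:
    """Salted SHA-1, the scheme to prefer over {MD5} when the choice is yours."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def diagnose(value: str) -> str:
    """Report whether a userPassword value's scheme tag matches its payload."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", value, re.S)
    if not m:
        return "no scheme: slapd compares the value as cleartext"
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        return "ok: crypt(3) string" + (" (md5-crypt)" if MD5CRYPT.match(payload) else "")
    if scheme not in DIGEST_LEN:
        return f"unknown scheme {{{scheme}}}"
    if payload.startswith("$1$"):
        return f"mismatch: md5-crypt string tagged {{{scheme}}}; tag it {{CRYPT}} instead"
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return f"invalid: {{{scheme}}} payload is not base64"
    n, salted = DIGEST_LEN[scheme], scheme in ("SMD5", "SSHA")
    if (len(raw) <= n) if salted else (len(raw) != n):
        return f"invalid: {{{scheme}}} payload has the wrong digest length"
    return f"ok: {{{scheme}}} " + ("salted" if salted else "unsalted") + " digest"

def verify(value: str, candidate: str) -> bool:
    """Check a candidate against {MD5}/{SMD5}/{SHA}/{SSHA}; {CRYPT} is left to crypt(3)."""
    if not diagnose(value).startswith("ok: {"):
        return False
    scheme, payload = value[1:value.index("}")].upper(), value[value.index("}") + 1:]
    raw, n = base64.b64decode(payload), DIGEST_LEN[scheme]
    algo = hashlib.md5 if scheme.endswith("MD5") else hashlib.sha1
    return hmac.compare_digest(algo(candidate.encode() + raw[n:]).digest(), raw[:n])
```

Running diagnose() over the imported entries shows at once which values carry a shadow-style "$1$" string under a digest scheme; those need the {CRYPT} tag (and slapd built with crypt support) before pam_ldap can ever match them.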
