pam_ldap works, but login fails
From: Nathan Yocom (nate yocom.org)
Date: Wed Dec 03 2003 - 14:26:40 CST
Okay - I am hoping someone here can see what I may have missed, as I
have a feeling it's something trivial but I seem to be blind. Please
forgive the long post, but I know that more information than "it doesn't
work" can be helpful ;) If you don't want all the config files etc., skip
to #5 where I describe the problem itself.
1. I am running Gentoo, and have installed both pam_ldap and nss_ldap
2. I have an ldap server running OpenLDAP, the user I want to
authenticate looks like this in ldap (note that a local /etc/passwd user
with the same username does *not* exist):
dn: cn=Test U One, o=Test-Org
cn: Test U One
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: person
objectClass: top
objectClass: shadowAccount
login: test1
givenName: Test
initials: U
sn: One
mail: test1
display-name: Test User One
userPassword: [encrypted password]
gidNumber: 100
homeDirectory: /home/test1
uid: test1
uidNumber: 505
loginShell: /bin/bash
3. I set up /etc/ldap.conf and pointed passwd and shadow to ldap in
nsswitch.conf with "files ldap". My /etc/ldap.conf is as follows:
host [my host ip]
uri ldap://[my host ip]/
ldap_version 3
suffix ""
pam_filter objectclass=posixAccount
pam_login_attribute uid
4. I added the last 5 lines to this to make my /etc/pam.d/system-auth
file (which the other /etc/pam.d/* files use):
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session optional /lib/security/pam_unix.so
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_ldap.so use_authtok
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so
5. So, on to the testing and description of the problem.
- The command "getent passwd | grep test1" shows:
test1:x:505:100:Test U One:/home/test1:/bin/bash - GOOD
- The command "getent shadow | grep test1" shows: test1:x:::::::0 GOOD?
- If I attempt to login (at the console) with username: test1 and a
*bad* password I get the following in my logs:
Dec 3 08:09:43 [login(pam_unix)] check pass; user unknown
Dec 3 08:09:43 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=
Dec 3 08:09:43 [login] pam_ldap: error trying to bind as user "cn=Test U One, o=Test-Org" (Invalid credentials)
Dec 3 08:09:43 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR test1, Authentication failure
- If I attempt to login again but with the correct password I get
the following:
Dec 3 08:11:25 [login(pam_unix)] check pass; user unknown
Dec 3 08:11:25 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=
Dec 3 08:11:25 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR test1, Authentication failure
This tells me that the pam_ldap module is getting called, and is binding
correctly/successfully (as the error when given a bad password does not
occur when using the correct password). So the question is: why am I
still failing authentication? I have tried moving things around in
/etc/pam.d/system-auth with no luck. Have I missed an attribute that is
necessary in ldap, maybe one of the shadow* attributes? Something in the
PAM stack itself?
Thank you for your time, and for looking over things..
Nate Yocom
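Added example, not part of the original message: a small simulator of Linux-PAM's simple control flags (required, requisite, sufficient, optional, as described in pam.conf(5)), run over the auth lines of the posted system-auth in their posted order and in a reordered variant that is my assumption, not something the post contains. The per-module outcomes are assumed from the log excerpts (pam_unix fails with "user unknown", pam_ldap binds successfully on the correct password).

```python
# Added example, not from the original post: a small simulator of Linux-PAM's
# simple control flags (pam.conf(5)), run over the auth stack shown in the post.
# Module outcomes are assumed from the logs: pam_unix fails ("user unknown"),
# pam_ldap succeeds (the bind works with the correct password).

# Auth lines in the order they appear in the posted /etc/pam.d/system-auth.
POSTED_AUTH = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("required",   "pam_deny"),
    ("sufficient", "pam_ldap"),   # appended after pam_deny
]
# Same lines with pam_ldap moved ahead of pam_deny (assumed variant, not the post's).
REORDERED_AUTH = [POSTED_AUTH[0], POSTED_AUTH[1], POSTED_AUTH[3], POSTED_AUTH[2]]

# Assumed per-module results for user test1 with the correct LDAP password.
OUTCOMES = {"pam_env": True, "pam_unix": False, "pam_deny": False, "pam_ldap": True}


def run_stack(stack, outcomes):
    """Return (result, trace) for one PAM facility.

    impression: None = nothing decided yet, True = positive so far,
    False = a required/requisite module has failed (cannot be undone).
    """
    impression, trace = None, []
    for control, module in stack:
        ok = outcomes[module]
        trace.append(f"{module:9s} {control:10s} {'ok' if ok else 'FAIL'}")
        if control in ("required", "requisite"):
            if ok:
                impression = True if impression is None else impression
            elif control == "requisite":
                return "fail", trace            # requisite failure: stop at once
            else:
                impression = False              # remembered, but keep going
        elif control == "sufficient" and ok and impression is not False:
            return "success", trace             # no earlier required failure
        elif control == "optional" and ok and impression is None:
            impression = True
        # a failing sufficient/optional module is ignored
    return ("success" if impression else "fail"), trace


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("reordered", REORDERED_AUTH)):
        result, trace = run_stack(stack, OUTCOMES)
        print(f"{name}: {result}\n  " + "\n  ".join(trace))
```

The trace for the posted order shows pam_deny (required) recording a failure before pam_ldap is ever consulted, so pam_ldap's later success cannot change the result; that is why a successful bind still ends in "FAILED LOGIN".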