
List:       pamldap
Subject:    Re: [pamldap] login not working
From:       KSmith () barton ! ca
Date:       2004-01-30 16:38:32
Message-ID: OF2520CA88.69F28E75-ON88256E2B.005973C7-88256E2B.005B6BF9 () bartoninsurance ! com


Wade,

Try changing
 "other auth required /opt/pam_ldap/lib/security/pam_ldap.so.1 debug"
to
 "other auth sufficient /opt/pam_ldap/lib/security/pam_ldap.so.1 use_first_pass"

since the first steps already obtain the password.

Also, change
  "other password required /opt/pam_ldap/lib/security/pam_ldap.so.1 debug"
to
  "other password sufficient /opt/pam_ldap/lib/security/pam_ldap.so.1 use_authtok"

this should provide updates to your LDAP password when you update system
passwords.

These should take care of the double password requirement.

Also, since this is your "OTHER" section, the final statements in the auth
and passwd sections should be:

"other auth    required      /opt/pam_ldap/lib/security/pam_deny.so"

"other password    required      /opt/pam_ldap/lib/security/pam_deny.so"

This denies logon if the previous rules fail.



Ken Smith

"Yesterday it worked.  Today it is not working.  Windows is like that."


From:     Wade Turland <w.turland@uws.edu.au>
Sent by:  owner-pamldap@padl.com
To:       Mhess <MHess@telekom.de>
cc:       <pamldap@padl.com>
Subject:  Re: [pamldap] login not working
Date:     01/29/2004 08:07 PM





On Thu, 29 Jan 2004, Mhess wrote:

> Hi list,
> 
> I got pam_ldap compiled on my Solaris 8 (thanks to D. Seifert! ;-)), but
> after some configuration issues I got stuck again.
> 
> Here's my current situation:
> 
> Following the steps at http://netmojo.ca/howto/solaris-openldap.html I've
> setup OpenLDAP with the necessary schemes, and created a testuser.
> Ldapsearch works with the testuser as binddn. Therefore I think the setup
> on the openldap part seems to be ok. I have changed /etc/pam.conf to use
> pam_ldap.so.1. When I try to login via telnet I am asked for a LDAP Login
> as well (commented out try_first_pass, just to be sure), but the login
> fails.

> ---------------------------
> #
> # Authentication management
> #
> other   auth requisite          pam_authtok_get.so.1 debug
> other   auth required           pam_dhkeys.so.1 debug
> other   auth sufficient         pam_unix_auth.so.1 debug
> other   auth required           /opt/pam_ldap/lib/security/pam_ldap.so.1 debug
> 
> #
> # Account management
> #
> #other  account requisite               pam_roles.so.1 debug
> #other  account required                pam_projects.so.1 debug
> other   account sufficient              pam_unix_account.so.1 debug
> other   account sufficient              /opt/pam_ldap/lib/security/pam_ldap.so.1 debug
> 
> #
> # Session management
> #
> other   session sufficient              pam_unix_session.so.1 debug
> other   session required                /opt/pam_ldap/lib/security/pam_ldap.so.1 debug
> 
> #
> # Password management
> #
> other   password required               pam_dhkeys.so.1 debug
> other   password requisite              pam_authtok_get.so.1 debug
> other   password requisite              pam_authtok_check.so.1 debug
> other   password required               pam_authtok_store.so.1 debug
> other   password sufficient             pam_unix.so.1 debug
> other   password required               /opt/pam_ldap/lib/security/pam_ldap.so.1 debug
> -----------------------------
> 

Try taking out the 'account' and 'session' sections - we need to work out
which service is failing, then which part of the stack. Also, the
pam_sm_open_session() call does nothing functional anyway so you don't
really need a 'session' for pam_ldap.

> When I try to login, slapd also shows some output, i.e. granting access
> to the fields in the posix and shadowaccount objects. Since it's a lot,
> and I don't want to spam the list I'd like to keep this short for now.
> But interesting might be, that one of the last steps is:
> 
> conn=36 op=2 BIND dn="uid=mhe,ou=People,dc=whatever,dc=de" mech=simple ssf=0
> conn=36 op=2 RESULT tag=97 err=0 text=
> 
> Does err=0 mean that I successfully completed the bind with the given
> credentials? If so, why does the telnet login still not work, though?

Yes. Try taking out 'account'. Does `getent passwd mhe` work? Have you
installed nss_ldap if you don't want to keep stuff in /etc/passwd?

> Don't know if it's important, but my /etc/ldap.conf states 'pam_password
> exop', but I also tried 'clear' and 'crypt' already - neither did work.
> slapd.conf states 'password-hash {SHA}', but there I also tried 'crypt'
> and 'clear' already.

You want pam_password exop.

> Any suggestions where I should look? Is there any way to get more
> information from pam, so I know WHY the authentication fails? Sitting in
> front of this pam_ldap/PAM Blackbox is really frustrating. :-((( Help!

Add to your /etc/syslog.conf:
auth.debug {tab}    /var/log/authlog

and pkill -HUP syslogd

Wade.

--
/==============================================================\
> Wade Turland                  | Locked Bag 1797             |
> Unix Administrator            | Penrith South DC NSW 1797   |
> University of Western Sydney  | Phone: +61 2 4736 0806      |
> Room V126 (Kingswood)         | Fax:   +61 2 4736 0010      |
\==============================================================/
Continuous effort - not strength or intelligence - is the key to
unlocking our potential.

        -- Sir Winston Churchill
           1874-1965, Former British Prime Minister

