Old 09-01-2009, 04:29 AM   #1
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,534
PAM on Slackware 12.1 : Step by step how to attempt


Hi !

I did a try yesterday, and failed miserably :
http://www.linuxquestions.org/questi...ssword-751506/

Now i will restart from the very beginning, and i will indicate every step i take.

1- http://sourceforge.net/projects/cracklib/
tar zxvf cracklib-2.8.13.tar.gz
cd cracklib-2.8.13
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-shared --disable-static
make && make install
(i didn't use a dictionary, seems useless here but i may be wrong ?)

2- http://www.kernel.org/pub/linux/libs/pam/library/
tar jxvf Linux-PAM-1.1.0.tar.bz2
cd Linux-PAM-1.1.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-shared --disable-selinux
make && make install

3- http://www.padl.com/OSS/pam_ldap.html
http://www.padl.com/OSS/nss_ldap.html
For both :
./configure --prefix=/usr && make && make install
###Edit : BIG MISTAKE HERE, DON'T USE --prefix=/usr, use only ./configure

4- Copied config files found on a working Ubuntu to /etc :
/ldap/* ldap.conf nsswitch.conf pam.conf pam.d/* pam_ldap.conf
########### Maybe i missed something ? ###########
###Edit : Yes i missed the right ldap conf folder, see below ##
cp /etc/ldap/* /etc/openldap/

5- http://slackware.at/data/slackware-1...urce/a/shadow/
I changed the package build number, and added --with-libpam in ./configure options.
I was surprised to see a shadow.newgrp.nopam.gz patch, but i don't know its purpose.
removepkg /var/log/packages/shadow-4.0.3-i486-15
installpkg /tmp/shadow-4.0.3-i486-16.tgz

6- I try to su :

tail -f /var/log/secure
Sep 1 07:25:45 amd64 su[21587]: PAM (su) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-auth]
Sep 1 07:25:45 amd64 su[21587]: PAM (su) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: PAM (su) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-account]
Sep 1 07:25:45 amd64 su[21587]: PAM (su) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: PAM (su) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-session]
Sep 1 07:25:45 amd64 su[21587]: PAM (su) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: PAM (other) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-auth]
Sep 1 07:25:45 amd64 su[21587]: PAM (other) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: PAM (other) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-account]
Sep 1 07:25:45 amd64 su[21587]: PAM (other) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: PAM (other) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-password]
Sep 1 07:25:45 amd64 su[21587]: PAM (other) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: PAM (other) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-session]
Sep 1 07:25:45 amd64 su[21587]: PAM (other) no module name supplied
Sep 1 07:25:45 amd64 su[21587]: pam_authenticate: Autorisation refusée
Sep 1 07:25:45 amd64 su[21587]: - pts/3 test2-root

If i su - knownldapuser :

Sep 1 07:35:16 amd64 su[21598]: nss_ldap: failed to bind to LDAP server ldaps://ldap.home.fr: Can't contact LDAP server
Sep 1 07:35:16 amd64 su[21598]: nss_ldap: failed to bind to LDAP server ldaps://ldap2.home.fr: Can't contact LDAP server
Sep 1 07:35:17 amd64 su[21598]: nss_ldap: failed to bind to LDAP server ldaps://ldap.home.fr: Can't contact LDAP server
Sep 1 07:35:17 amd64 su[21598]: nss_ldap: failed to bind to LDAP server ldaps://ldap2.home.fr: Can't contact LDAP server
Sep 1 07:35:17 amd64 su[21598]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
etc...

This command works on the client :
ldapsearch -x uid=knownuser

But getent passwd returns only local users...

...goin' to eat

Last edited by Linux.tar.gz; 09-02-2009 at 10:12 AM.
 
Old 09-01-2009, 09:51 AM   #2
Linux.tar.gz
A little progress here !!!

The ldap conf folder is /etc/ldap for Ubuntu, and /etc/openldap for the package i compiled for my Slackware !!!

So i copied the files :
cp /etc/ldap/* /etc/openldap/

Now getent passwd has access to ldap user database, and i no longer see "nss_ldap: failed to bind to LDAP server ldaps://ldap.home.fr: Can't contact LDAP server" annoying messages.

Now i have to understand these errors :
Sep 1 07:25:45 amd64 su[21587]: PAM (su) illegal module type: @include
Sep 1 07:25:45 amd64 su[21587]: PAM pam_parse: expecting return value; [...common-auth]
Sep 1 07:25:45 amd64 su[21587]: PAM (su) no module name supplied
...

Keep in touch.
 
Old 09-02-2009, 07:30 AM   #3
Linux.tar.gz
Seems i had to change the syntax in some (all ?) /etc/pam.d/* files, ie. :

@include common-auth
must be changed to :
auth include common-auth

@include common-account
must be changed to :
account include common-account

etc. the logic is simple.

At this point, i made those changes in /etc/pam.d/su and /etc/pam.d/other , because i was already logged as user and root, with ssh.

Then i had another error :

Sep 2 10:07:04 amd64 su[7427]: PAM unable to dlopen(/lib/security/pam_ldap.so): /lib/security/pam_ldap.so: Ne peut ouvrir le fichier d'objet partagé: Aucun fichier ou répertoire de ce type
Sep 2 10:07:04 amd64 su[7427]: PAM adding faulty module: /lib/security/pam_ldap.so
Sep 2 10:07:04 amd64 su[7427]: PAM (other) illegal module type: @include
etc...

I then realized that i built pam_ldap and nss_ldap with a wrong ./configure option : the --prefix=/usr, because pam_ldap.so was copied in /usr/lib/security/ , not /lib/security/

Edit :
Arrghhhhh !!! getent passwd no longer returns me the ldap user list TT.

Edit 2 :
I don't know exactly what i did wrong on this second machine (the first was used yesterday, on my other thread), but i came back on the first PC, and succeeded with a PAM + ldap authentication !!!
I'm going to do all this stuff again, on a third machine.

Stay tuned...

Last edited by Linux.tar.gz; 09-02-2009 at 10:17 AM.
 
Old 09-02-2009, 10:02 AM   #4
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,534

Original Poster
Rep: Reputation: 100Reputation: 100
It just WORKS !!!

I think i messed up the second machine's config files.

I did all this stuff via ssh login, and had to be careful with the custom shadow package, because i couldn't log in with the new one as the setup was not finished.
So i reverted many times to the original one. I also left more root-logged terminals than necessary. You will be warned .

Also, when i tried to log in in front of the computer, i had to change the pam syntax (@include common-auth must be changed to : auth include common-auth, etc. etc.) in /etc/pam.d/login .

As i have to dig it a little more for my needs, i'll post any useful info, and i will certainly rewrite this for the Slackware64 13.0.

Be cool, get slack .
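
The @include to "type include" rewrite described in posts #3 and #4, as an added shell example that is not part of the original posts. The function names and the sample su file are constructed for illustration; only the four PAM types (auth, account, password, session) are converted, and any other @include target is commented out for manual review.

```shell
#!/bin/sh
# Rewrite Debian/Ubuntu "@include common-<type>" lines into the
# "<type> include common-<type>" form that upstream Linux-PAM parses.
# All function names here are hypothetical helpers for this example.

# Filter: PAM service file on stdin, converted file on stdout.
convert_pam_includes() {
    awk '
    $1 == "@include" {
        type = $2
        if (sub(/^common-/, "", type) &&
            type ~ /^(auth|account|password|session)$/) {
            print type "\tinclude\t" $2
        } else {
            # Target does not name a PAM type: comment out for manual review.
            print "# FIXME unconverted: " $0
        }
        next
    }
    { print }'
}

# Convert one file in place, keeping the original as <file>.orig
# so it can be restored from a root shell that is still open.
convert_pam_file() {
    cp -p "$1" "$1.orig" || return 1
    convert_pam_includes < "$1.orig" > "$1"
}

# Count "@include" lines still present (0 means none left for PAM to reject).
remaining_includes() {
    grep -c '^[[:space:]]*@include' "$1" || true
}

# Constructed sample of an Ubuntu-style /etc/pam.d/su (not from the thread).
sample_su='#%PAM-1.0
auth       sufficient pam_rootok.so
@include common-auth
@include common-account
@include common-session'

# Demo: show the converted stack without touching any real file.
printf '%s\n' "$sample_su" | convert_pam_includes
```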
 
  

