pam and ldap authentication problem
Hi, I am trying to validate a user against an ldap directory with a small pam enabled application. If I use "pam_unix.so" in the pam config file for the app the user authenticates fine. On the other hand if I use "pam_ldap.so" the authentication fails. The pam log file records:

pam_ldap: error trying to bind as user "uid=abrb220,ou=People,dc=ldap268" (Insufficient access)

I think I have set up the ldap directory correctly but am really unsure about how to put the passwords in. Here is the entry of a user in the ldif file used to add it.

----------------------------------------------------------------
dn: uid=abrb220,ou=People,dc=ldap268
uid: abrb220
cn: Rodney
sn: Rodney
mail: abrb220@ldap268.com
mailRoutingAddress: abrb220@ldap268.com
mailHost: ldap268.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/abrb220
gecos: Rodney
---------------------------------------------------------------

The other config files:

/etc/ldap.conf :
------------------------------------------------------------------
# Your LDAP server. Must be resolvable without using LDAP.
HOST 127.0.0.1
# The distinguished name of the search base.
BASE dc=ldap268
pam_login_attribute uid
ldap_version 3
rootbinddn cn=admin,dc=ldap268
------------------------------------------------------------------

/etc/openldap/slapd.conf
------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
database ldbm
suffix "dc=ldap268"
rootdn "cn=admin, dc=ldap268"
rootpw {MD5}X03MO1qnZdYdgyfeuILPmQ==
#rootpw secret
directory /var/lib/ldap
loglevel 296
password-hash {md5}
access to * by *
------------------------------------------------------------------

The apps pam file in /etc/pam.d :
------------------------------------------------------------------
#%PAM-1.0
auth required pam_warn.so
auth required pam_ldap.so
------------------------------------------------------------------

thanks
edit your pam.d-files
Hi,
first try the following command to verify you can potentially access your server:

ldapsearch -x -b "dc=ldap268" "(objectclass=*)"

If you see some output, i.e. your directory objects, the client to server connection is ok.

What concerns me more is your pam.conf file. Does it really look like this or is that only the first two lines? You have to edit it in any case if you want to login:

* forget pam.conf, there doesn't have to be anything in it
* your pam_ldap.conf should at least consist of these lines:

host [YOUR SERVERS IP]
base dc=ldap268
uri ldap://[YOUR SERVERS IP]/
ldap_version 3
scope sub
timelimit 30
pam_login_attribute uid
pam_member_attribute memberUid
pam_password exop
ssl no

more information about that syntax at www.padl.com

To successfully login edit the files in /etc/pam.d (example passwd) like this

password sufficient pam_ldap.so obscure min=4
password required pam_unix.so nullok obscure min=4

you should now be able to login at the console.

If you don't know how to create passwords by hand:

perl -e 'print crypt("YOUR_PASS","TWO_CHARACTER_SALT"),"\n"'

cut and paste it like {crypt}YOUR_PASS_HASH into your ldif.
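Added example, not from either poster: the reply above shows how to hand-craft a {crypt} hash for the userPassword attribute. The script below does the same job for the salted {SSHA} scheme (what slappasswd produces by default, so no crypt(3) dependency), verifies a candidate password against {SSHA}, {SHA} and {MD5} values the way slapd does on a simple bind, and lints a userPassword value before it goes into an ldif, so a placeholder like the {crypt}x in the question is caught before the entry is loaded. The sample entry, the salt and the passwords are constructed for the example; the entry's dn is copied from the question but the data is not the poster's.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample entry modelled on the one in the question (not the poster's real data).
SAMPLE_ENTRY = {
    "dn": "uid=abrb220,ou=People,dc=ldap268",
    "userPassword": "{crypt}x",
}


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # four random salt bytes, the slappasswd default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a {SSHA}, {SHA} or {MD5} value as slapd does on simple bind."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # cleartext or malformed value: not handled here
    scheme, _, b64 = stored.partition("}")
    scheme = scheme[1:].upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    pw = candidate.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    return False  # {CRYPT} and others would need crypt(3); out of scope here


def lint_userpassword(value: str) -> List[str]:
    """Return the reasons a userPassword value can never match any bind password."""
    problems: List[str] = []
    if not value.startswith("{") or "}" not in value:
        problems.append("stored in cleartext; prefer a hashed scheme such as {SSHA}")
        return problems
    scheme, _, rest = value.partition("}")
    scheme = scheme[1:].upper()
    if scheme == "CRYPT":
        # Traditional DES crypt(3) output is exactly 13 characters; modular crypt
        # ($id$salt$hash) starts with '$'. Anything else (a literal 'x', say) is not a hash.
        if not (len(rest) == 13 or rest.startswith("$")):
            problems.append(f"{{CRYPT}} value {rest!r} is not a crypt(3) hash; every bind will fail")
    elif scheme in ("SSHA", "SHA", "MD5", "SMD5"):
        try:
            raw = base64.b64decode(rest, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{{{scheme}}} value is not valid base64")
            return problems
        digest_len = {"SHA": 20, "SSHA": 20, "MD5": 16, "SMD5": 16}[scheme]
        if scheme in ("SHA", "MD5") and len(raw) != digest_len:
            problems.append(f"{{{scheme}}} digest has {len(raw)} bytes, expected {digest_len}")
        if scheme in ("SSHA", "SMD5") and len(raw) <= digest_len:
            problems.append(f"{{{scheme}}} value carries no salt bytes")
    else:
        problems.append(f"unknown password scheme {{{scheme}}}")
    return problems


if __name__ == "__main__":
    print(SAMPLE_ENTRY["dn"], "->", lint_userpassword(SAMPLE_ENTRY["userPassword"]))
    fixed = make_ssha("correct horse")  # constructed password for the demo
    print("replacement userPassword:", fixed)
    print("verify ok:", verify_userpassword(fixed, "correct horse"),
          "verify wrong:", verify_userpassword(fixed, "wrong"))
```

A correct hash is only half of a working bind: slapd also has to grant auth access on userPassword to the identity performing the bind (anonymous, for a plain simple bind), so the access directives in slapd.conf are the other thing to check when the log says the bind was refused.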
Did this fix the problem?
Just wondering, I am having the same problem authenticating with Fedora Directory Server.