LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-23-2006, 04:13 PM   #1
Neruocomp
Member
 
Registered: Oct 2004
Distribution: Slackware, CentOS
Posts: 135

Rep: Reputation: 15
Ldap and pam not working!


Ok so I've been trying to setup a samba PDC using ldap as its backend and its been a bit crazy up to this point.

The machine I'm trying to login to is a RHEL v4 box. Going with the howto found on idealx website ( http://www.idealx.com/downloads/samba3-ldap-howto.pdf ), I've edited the /etc/ldap.conf and various files. Still no luck. I get an error in the /var/log/secure about pam not able to find any information about my user. I went and edited the /etc/pam.d files to include pam_ldap.so, but still not luck, though now when I try to login, it asks for two passwords.

Here is the acl from slapd.conf:

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=nssldap,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by self write
by anonymous auth
by * none

access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by * read

access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoff Time,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sa mbaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainNa me,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,s ambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid, sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStrin gOption,sambaStringListoption,sambaPrivilegeList
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by self read
by * none

access to dn.base="dc=cbi,dc=utsa,dc=edu"
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by * none
# probably need "by * read" for solaris

access to dn="ou=people,dc=cbi,dc=utsa,dc=edu"
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by * none
access to dn="ou=group,dc=cbi,dc=utsa,dc=edu"
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by * none
access to dn="ou=machines,dc=cbi,dc=utsa,dc=edu"
by dn="cn=samba,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by dn="cn=smbldap-tools,ou=DSA,dc=cbi,dc=utsa,dc=edu" write
by * none
access to *
by self write
by * read

I'm at my wits end. The setup was going good at this point, but then this. Any ideas?

Thanks
 
Old 05-23-2006, 05:44 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682
Look for a pam configuration that looks similar to this
[/code]
#%PAM-1.0
auth required pam_unix2.so
account required pam_unix2.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
password required pam_make.so /var/yp
session required pam_unix2.so
[code]

This is from a NIS howto, so it is different, but notice the "use_first_pass". If that option was missing, you would be prompted for your password twice.

If you enter a password twice, do you get in?

One other thing to check is the log for SELinux, if you have it. Maybe the SELinux acl permissions on the config files are set properly on the pam configurations or the ldap configs. Maybe not, but its work a check.

I'll let someone else familiar with ldap scan through your ldap config. Maybe he/she will find something there. I imagine that if the line that tries to retrieve the information from ldap fails; and the next one checks for a password on the local machine (pam_unix2) but is missing the "use_first_pass" option; you would be asked to enter the password again. So you may have a problem with both ldap and pam configurations.

Last edited by jschiwal; 05-23-2006 at 06:34 PM.
 
Old 05-23-2006, 06:07 PM   #3
Neruocomp
Member
 
Registered: Oct 2004
Distribution: Slackware, CentOS
Posts: 135

Original Poster
Rep: Reputation: 15
This is so funny its not. After an exhaustive search by my coworker, we figured out what the problem was. Having "cn" in the acl was not letting me log in, it seems. Once that was out of the config, poof! It works. Thanks for the help anyways.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
pam + ldap client paul_mat Linux - Networking 0 10-25-2005 11:55 PM
pam and ldap authentication problem abrb220 Linux - Networking 2 07-31-2005 04:49 PM
pam.d/system-auth and LDAP? SheldonPlankton Linux - General 0 04-28-2005 02:11 PM
Locked out after activating PAM-LDAP tdubois65 Linux - Security 3 04-13-2004 03:40 AM
Samba, PAM and LDAP Linh Linux - Networking 0 05-09-2003 11:07 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 07:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration