Hi,
    The issue is resolved now. There was a configuration problem in
/etc/sssd/sssd.conf. Thanks for the help.

I have another problem. I'm using pam_mysql for authenticating against the
user credentials in a MySQL database.
For that we use the database credentials in the /etc/pam.d/* files, like:

auth     sufficient    pam_mysql.so   host=<hostname> user=root
passwd=root123 db=<dbname> table=users passwdcolumn=password
usercolumn=username   crypt=3  use_first_pass

But these /etc/pam.d/* files are world readable. So any non-root user can
see the credentials and hack into our database (security issue).

Is there any way to integrate this pam_mysql authentication with sssd so
that we don't have to provide the

auth     sufficient    pam_mysql.so   host=<hostname> user=root
passwd=root123 db=<dbname> table=users passwdcolumn=password
usercolumn=username   crypt=3  use_first_pass

line in the /etc/pam.d/* files?

I'm using CentOS 5.3.
Is there any way to handle it the way it is handled for LDAP,
i.e. the way we specify the LDAP info in /etc/sssd/sssd.conf,
so that we don't need to add the following line,
auth    sufficient   pam_ldap.so   use_first_pass
in the /etc/pam.d/* files?

The configuration is taken from sssd.conf itself.


Thanks & Regards,
Santhosh
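An added example, not part of Santhosh's or Bryan's messages: a small audit that finds the two patterns this thread shows, a pam_mysql line carrying passwd= in /etc/pam.d/* and a bindpw line in a 0644 /etc/ldap.conf, and reports them only when the file is in fact world readable. The function names, the SECRET_OPTIONS list and the sample lines are assumptions and constructions of this example, with the hostname, database name and password replaced by placeholders.

```python
import os
import re
import stat

# Options that put a secret on the config line itself: "passwd" is the
# pam_mysql option from the post, "bindpw" the pam_ldap one in ldap.conf.
# Treating exactly these two as secrets is an assumption of this example.
SECRET_OPTIONS = ("passwd", "bindpw")
# Linux-PAM control-file syntax: type  control  module  [options...]
PAM_LINE = re.compile(r"^\s*(auth|account|password|session)\s+\S+\s+(\S+)\s*(.*)$")

def find_inline_secrets(text):
    """(module, option) for each line carrying a secret, in PAM control
    files or in the flat key/value form of /etc/ldap.conf."""
    hits = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented out, e.g. "#bindpw {crypt}..."
        m = PAM_LINE.match(line)
        if m:
            keys = [o.split("=", 1)[0] for o in m.group(3).split()]
            hits += [(m.group(2), k) for k in keys if k in SECRET_OPTIONS]
        elif line.split(None, 1)[0] in SECRET_OPTIONS:
            hits.append(("ldap.conf", line.split(None, 1)[0]))
    return hits

def world_readable(path):
    """True when 'other' may read the file (the 0644 case in the thread)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_file(path):
    """Secrets found in a file that is also world readable; [] otherwise."""
    with open(path) as fh:
        secrets = find_inline_secrets(fh.read())
    return secrets if secrets and world_readable(path) else []

# Constructed sample modelled on the pam_mysql line quoted in the post;
# hostname, db name and password are placeholders, not real values.
SAMPLE_PAM = """\
auth     sufficient    pam_mysql.so   host=<hostname> user=root \\
passwd=<db-password> db=<dbname> table=users passwdcolumn=password \\
usercolumn=username   crypt=3  use_first_pass
auth     sufficient    pam_ldap.so   use_first_pass
"""

if __name__ == "__main__":
    for module, option in find_inline_secrets(SAMPLE_PAM):
        print("secret embedded in %s via %s=" % (module, option))
```

Run audit_file() over each entry of /etc/pam.d and over /etc/ldap.conf to get the same report for a live host; a secret moved to a 0600 file such as /etc/ldap.secret, as the ldap.conf comment suggests, no longer shows up.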

On Thu, Jul 14, 2011 at 1:57 AM, Bryan Smith <[email protected]> wrote:

> Santhosh buddy,
>
> You need to start slapd in debug mode also and see what dn is being queried
> with the credentials...you'll see it all in plaintext. You should also try
> to import an ldif or do an ldapmodify from the command line using the same
> dn and credentials. If those fail it could be one of 4 things:
>
> 1. you're using the wrong cn=admin/manager
> 2. your credentials are incorrect
> 3. the acl does provide you with the correct rights.
> 4. you still have the wrong dn which is a part of issue 1.
>
> Beyond you sharing your configs I can't help you any more. I hope you get it
> figured out,
>
> Bryan
> On Tue, Jul 12, 2011 at 3:32 AM, Santhosh G Nayak 
> <[email protected]>wrote:
>
>> Hi,
>>     I'm using the PyPAM Python client to connect to PAM.  Yes, the users are
>> not in the Unix shadow file.
>> And also when I execute the
>> $ getent passwd
>> command I could see all the users (users from /etc/passwd + users from the
>> ldap).
>> I tried with ldap.conf debug 31.
>> There I could see error code 49 when trying to authenticate.
>> I'm not using SSL; "ssl" in ldap.conf is marked as "no".
>>
>>  I'm still not able to understand why the client is not binding to the
>> ldap server for authentication.
>> It still says
>> "python: pam_ldap: error trying to bind (Invalid credentials)" in
>> /var/log/messages.
>>
>> Thanks,
>> Santhosh
>>
>>
>>
>> On Tue, Jul 12, 2011 at 1:19 AM, Bryan Smith <[email protected]>wrote:
>>
>>> Santhosh,
>>>
>>> What python client are you trying to use? Are you sure the users aren't
>>> in files too? You didn't post your /etc/ldap.conf and that is THE pam_ldap
>>> config, so if your credentials are correct then either the client is using a
>>> bad uri or the ldap.conf is improperly configured. You should enable debug in
>>> the ldap.conf and see what pam is having issues with.  The next thing for you
>>> to do is start slapd in debug mode from the command line and see exactly
>>> what information is being queried by the python client. How do you even know
>>> it's reaching the server in the first place?
>>>
>>> Just because you can run ldapsearch and get gecos information doesn't
>>> mean that you can bind with credentials successfully. Do you allow anonymous
>>> binds? You can get this information anonymously depending on how your
>>> configuration is set up.
>>>
>>> Most issues are from using the wrong base dn.
>>>
>>> On Mon, Jul 11, 2011 at 4:45 AM, Santhosh G Nayak <
>>> [email protected]> wrote:
>>>
>>>> My configuration is such that I'm able to execute the command "id" and get
>>>> the uid and gid information of the user in the ldap. But when I try to do an
>>>> authentication it's failing, saying
>>>> "python: pam_ldap: error trying to bind (Invalid credentials)."
>>>> I'm basically using a python client to authenticate against pam.
>>>> I have set
>>>> ssl no
>>>> in the /etc/ldap.conf,
>>>> and
>>>> bindpw <unencrypted password>
>>>>
>>>> And also I'm able to do ldapsearch from the same machine.
>>>>
>>>> Thanks,
>>>> Santhosh
>>>>
>>>>
>>>>
>>>> On Wed, Jul 6, 2011 at 10:25 PM, Bryan Smith <[email protected]>wrote:
>>>>
>>>>> Have you changed anything in the following: /etc/nsswitch.conf and your
>>>>> /etc/slapd/ldap.conf or /etc/ldap.conf
>>>>>
>>>>> What do they look like?
>>>>>
>>>>> You might not have the right uri and/or basedn specified in your
>>>>> ldap.conf. If your nsswitch is untouched the system isn't even asking for
>>>>> ldap lookups via pam, it's just going to files.
>>>>>
>>>>> What is the result of running:
>>>>>
>>>>> getent username
>>>>>
>>>>> Use a username that is both in ldap and in files (/etc/passwd) and one
>>>>> that isn't. You should get a double response on the user in both files and
>>>>> ldap and a single one on the one that's just in ldap. If you get nothing from
>>>>> the latter then your issue is with nss.
>>>>>
>>>>> On Wed, Jul 6, 2011 at 8:51 AM, Santhosh <[email protected]>wrote:
>>>>>
>>>>>> Hi all,
>>>>>> I have been trying to integrate pam_ldap on my CentOS machine. I
>>>>>> installed the pam_ldap package through yum.
>>>>>> /lib64/security/pam_ldap.so is present.
>>>>>> I did the necessary changes in the /etc/pam.d/login, sshd, passwd files
>>>>>> to first look into the shadow file then fall back to ldap. I'm able
>>>>>> to authenticate the users whose passwords are in the shadow file. But when
>>>>>> I try to authenticate a user whose information is stored in the ldap,
>>>>>> it is failing, complaining that "pam_ldap: error trying to bind
>>>>>> (Invalid credentials)".
>>>>>> I have also tried the ldapsearch command line utility of the ldap;
>>>>>> there the same DN, user and password are working and I'm successfully able to
>>>>>> connect to the ldap server.
>>>>>> I have done the necessary changes in /etc/ldap.conf:
>>>>>> # this file must be world readable (0644)
>>>>>> BASE       DC=my,DC=example,DC=com
>>>>>>
>>>>>> # FQDN of the LDAP server
>>>>>> #HOST       XXX.XXX.XXX.XXX
>>>>>>
>>>>>> # encryption used for storing passwords
>>>>>> #pam_crypt
>>>>>>
>>>>>> #ldap_version 3
>>>>>>
>>>>>> # bindpw is only needed if you want to allow root to change entries on
>>>>>> # this host.
>>>>>> # it's also better to keep the password in /etc/ldap.secret (0600) instead
>>>>>> #bindpw {crypt}4rKJLSLewr
>>>>>> #base DC=my,DC=example,DC=com
>>>>>> uri ldap://newldap.my.example.com
>>>>>> binddn  CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>>>>>> bindpw santhosh123
>>>>>> #{md5}ea7bb3f922e875d6efc3a3fbbbada590
>>>>>> port 389
>>>>>> timelimit 120
>>>>>> bind_timelimit 30
>>>>>> bind_policy soft
>>>>>> idle_timelimit 3600
>>>>>> pam_password crypt
>>>>>> ssl no
>>>>>> scope LDAP_SCOPE_BASE
>>>>>> # this one is to allow root to change entries
>>>>>> # it will require bindpw or password in /etc/ldap.secret
>>>>>> #rootbinddn cn=root,dc=example,dc=com
>>>>>> #rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>>>>>>
>>>>>> # this for group access
>>>>>> nss_base_passwd  DC=my,DC=example,DC=com
>>>>>> nss_base_shadow DC=my,DC=example,DC=com
>>>>>> nss_base_group  OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,dc=com
>>>>>> nss_reconnect_tries 60
>>>>>> pam_filter objectclass=posixAccount
>>>>>> pam_login_attribute uid
>>>>>>
>>>>>> # OpenLDAP SSL options
>>>>>> # Require and verify server certificate (yes/no)
>>>>>> # TBD: where to put this certificate anyway?
>>>>>>
>>>>>>
>>>>>> Does anyone have expertise on it? I'd appreciate it if anyone can help.
>>>>>>
>>>>>> Thanks,
>>>>>> Santhosh
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Linux
>>>>>> Users Group.
>>>>>> To post a message, send email to [email protected]
>>>>>> To unsubscribe, send email to
>>>>>> [email protected]
>>>>>> For more options, visit our group at
>>>>>> http://groups.google.com/group/linuxusersgroup
>>>>>> Please remember to abide by our list rules (
>>>>>> http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf)
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> A healthy diet  includes Linux, Linux, and more Linux.
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
