Hi Santhosh,
How did you resolve this issue? What was wrong with /etc/sssd/sssd.conf?
I also met the same error message as you, and I'm looking for a way to resolve it.
Thanks.

On Friday, July 15, 2011 3:36:17 PM UTC+8, Santhosh wrote:
>
> Hi,
>     The issue is resolved now. There was a configuration problem in 
> /etc/sssd/sssd.conf. Thanks for the help.
>
> I have another problem. I'm using pam_mysql for authenticating against the 
> user credentials in a mysql database.
> For that we use the database credentials in the /etc/pam.d/* files, like:
>
> auth     sufficient    pam_mysql.so   host=<hostname> user=root 
> passwd=root123 db=<dbname> table=users passwdcolumn=password 
> usercolumn=username   crypt=3  use_first_pass
>
> But these /etc/pam.d/* files are world readable. So any non-root user can 
> see the credentials and hack into our database (security issue).
>
> Is there any way to integrate this pam_mysql authentication with sssd so 
> that we don't have to provide the
>
> auth     sufficient    pam_mysql.so   host=<hostname> user=root 
> passwd=root123 db=<dbname> table=users passwdcolumn=password 
> usercolumn=username   crypt=3  use_first_pass
>  
> line in the /etc/pam.d/* files?
>
> I'm using CentOS 5.3.
> Is there any way to handle it the way it is done in ldap,
> like the way we specify ldap info in the /etc/sssd/sssd.conf,
> so that we don't need to add the following line,
> auth    sufficient   pam_ldap.so   use_first_pass
> in the /etc/pam.d/* files?
>
> The configuration is taken from sssd.conf itself.
>
>
> Thanks & Regards,
> Santhosh
>
> On Thu, Jul 14, 2011 at 1:57 AM, Bryan Smith <[email protected]> wrote:
>
>> Santhosh buddy,
>>
>> You need to start slapd in debug mode also and see what dn is being 
>> queried with the credentials...you'll see it all in plaintext. You should 
>> also try to import an ldif or do an ldapmodify from the command line using 
>> the same dn and credentials. If those fail it could be one of 4 things:
>>
>> 1. you're using the wrong cn=admin/manager 
>> 2. your credentials are incorrect
>> 3. the acl does provide you with the correct rights.
>> 4. you still have the wrong dn which is a part of issue 1.
>>
>> Beyond you sharing your configs I can't help you any more. I hope you get 
>> it figured out,
>>
>> Bryan
>> On Tue, Jul 12, 2011 at 3:32 AM, Santhosh G Nayak <[email protected]> wrote:
>>
>>> Hi,
>>>     I'm using the PyPAM python client to connect to pam. Yes, the users are 
>>> not in the unix shadow file.
>>> And also when I execute the 
>>> $getent passwd command
>>> I could see all the users (users from /etc/passwd + users from the 
>>> ldap).
>>> I tried with ldap.conf debug 31. 
>>> There I could see error code 49 when trying to authenticate.
>>> I'm not using ssl; "ssl" in ldap.conf is marked as "no".
>>>
>>>  I'm still not able to understand why the client is not binding to the 
>>> ldap server for authentication.
>>> It still says 
>>> "python: pam_ldap: error trying to bind (Invalid credentials)" in 
>>> /var/log/messages.
>>>
>>> Thank,
>>> Santhosh
>>>
>>>
>>>
>>> On Tue, Jul 12, 2011 at 1:19 AM, Bryan Smith <[email protected]> wrote:
>>>
>>>> Santhosh,
>>>>
>>>> What python client are you trying to use? Are you sure the users aren't 
>>>> in files too? You didn't post your /etc/ldap.conf and that is THE pam_ldap 
>>>> config, so if your credentials are correct then either the client is using 
>>>> a bad uri or the ldap.conf is improperly configured. You should enable debug 
>>>> in the ldap.conf and see what pam is having issues with. The next thing for 
>>>> you to do is start slapd in debug mode from the command line and see 
>>>> exactly what information is being queried by the python client. How do you 
>>>> even know it's reaching the server in the first place?
>>>>
>>>> Just because you can run ldapsearch and get gecos information doesn't 
>>>> mean that you can bind with credentials successfully. Do you allow 
>>>> anonymous binds? You can get this information anonymously depending on how 
>>>> your configuration is set up. 
>>>>
>>>> Most issues are from using the wrong base dn.
>>>>
>>>> On Mon, Jul 11, 2011 at 4:45 AM, Santhosh G Nayak <[email protected]> wrote:
>>>>
>>>>> My configuration is such that I'm able to execute the command "id" and 
>>>>> get uid and gid information of the user in the ldap. But when I try to do 
>>>>> an authentication it's failing, saying that 
>>>>> "python: pam_ldap: error trying to bind (Invalid credentials). "
>>>>> I'm basically using a python client to authenticate against pam.
>>>>> I have set
>>>>> ssl no 
>>>>> in the /etc/ldap.conf,
>>>>> and 
>>>>> bindpw <unencrypted password>
>>>>>
>>>>> And also I'm able to do ldapsearch from the same machine.
>>>>>
>>>>> Thanks,
>>>>> Santhosh
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jul 6, 2011 at 10:25 PM, Bryan Smith <[email protected]> wrote:
>>>>>
>>>>>> Have you changed anything in the following: /etc/nsswitch.conf and 
>>>>>> your /etc/slapd/ldap.conf or /etc/ldap.conf
>>>>>>
>>>>>> What do they look like?
>>>>>>
>>>>>> You might not have the right uri and/or basedn specified in your 
>>>>>> ldap.conf. If your nsswitch is untouched the system isn't even asking for 
>>>>>> ldap lookups via pam, it's just going to files.
>>>>>>
>>>>>> What is the result of running:
>>>>>>
>>>>>> getent username
>>>>>>
>>>>>> Use a username that is both in ldap and in files (/etc/passwd) and one 
>>>>>> that isn't. You should get a double response on the user in both files and 
>>>>>> ldap and a single on the one that's just in ldap. If you get nothing from 
>>>>>> the latter then your issue is with nss.
>>>>>>
>>>>>> On Wed, Jul 6, 2011 at 8:51 AM, Santhosh <[email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> I have been trying to integrate pam_ldap on my CentOS machine. I
>>>>>>> installed the pam_ldap package through yum.
>>>>>>> /lib64/security/pam_ldap.so is present.
>>>>>>> I did the necessary changes in the /etc/pam.d/login, sshd, passwd files
>>>>>>> to first look into the shadow file then fall back to ldap. I'm able
>>>>>>> to authenticate the users whose password is in the shadow file. But when
>>>>>>> I try to authenticate a user whose information is stored in the ldap,
>>>>>>> it is failing, complaining that "pam_ldap: error trying to bind
>>>>>>> (Invalid credentials)".
>>>>>>> I have also tried the ldapsearch command line utility of the ldap;
>>>>>>> there the same DN, user and password are working and I am able
>>>>>>> to connect to the ldap server successfully.
>>>>>>> I have done the necessary changes in the /etc/ldap.conf:
>>>>>>> # this file must be world readable (0644)
>>>>>>> BASE       DC=my,DC=example,DC=com
>>>>>>>
>>>>>>> # FQDN of the LDAP server
>>>>>>> #HOST       XXX.XXX.XXX.XXX
>>>>>>>
>>>>>>> # encryption used for storing passwords
>>>>>>> #pam_crypt
>>>>>>>
>>>>>>> #ldap_version 3
>>>>>>>
>>>>>>> # bindpw is only needed if you want to allow root to change entries on
>>>>>>> # this host.
>>>>>>> # it's also better to keep the password in /etc/ldap.secret (0600) instead
>>>>>>> #bindpw {crypt}4rKJLSLewr
>>>>>>> #base DC=my,DC=example,DC=com
>>>>>>> uri ldap://newldap.my.example.com
>>>>>>> binddn  CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>>>>>>> bindpw santhosh123
>>>>>>> #{md5}ea7bb3f922e875d6efc3a3fbbbada590
>>>>>>> port 389
>>>>>>> timelimit 120
>>>>>>> bind_timelimit 30
>>>>>>> bind_policy soft
>>>>>>> idle_timelimit 3600
>>>>>>> pam_password crypt
>>>>>>> ssl no
>>>>>>> scope LDAP_SCOPE_BASE
>>>>>>> # this one is to allow root to change entries
>>>>>>> # it will require bindpw or password in /etc/ldap.secret
>>>>>>> #rootbinddn cn=root,dc=example,dc=com
>>>>>>> #rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>>>>>>>
>>>>>>> # this for group access
>>>>>>> nss_base_passwd  DC=my,DC=example,DC=com
>>>>>>> nss_base_shadow DC=my,DC=example,DC=com
>>>>>>> nss_base_group  OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,dc=com
>>>>>>> nss_reconnect_tries 60
>>>>>>> pam_filter objectclass=posixAccount
>>>>>>> pam_login_attribute uid
>>>>>>>
>>>>>>> # OpenLDAP SSL options
>>>>>>> # Require and verify server certificate (yes/no)
>>>>>>> # TBD: where to put this certificate anyway?
>>>>>>>
>>>>>>>
>>>>>>> Does anyone have expertise on it? I'd appreciate it if anyone can help.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Santhosh
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Linux 
>>>>>>> Users Group.
>>>>>>> To post a message, send email to [email protected]
>>>>>>> To unsubscribe, send email to [email protected]
>>>>>>> For more options, visit our group at 
>>>>>>> http://groups.google.com/group/linuxusersgroup
>>>>>>> Please remember to abide by our list rules (
>>>>>>> http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf)
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> A healthy diet  includes Linux, Linux, and more Linux.
>>>>>>  
>>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>> A healthy diet  includes Linux, Linux, and more Linux.
>>>>  
>>>
>>
>>
>>
>> -- 
>> A healthy diet  includes Linux, Linux, and more Linux.
>>  
>
>
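An added example, not code from the thread or from pam_mysql, pam_ldap or sssd: a small POSIX sh audit for the exposure Santhosh raises above, namely a database password on a pam_mysql line in a world-readable /etc/pam.d/* file, and a clear-text bindpw in a world-readable /etc/ldap.conf (the file's own comment recommends /etc/ldap.secret with mode 0600). It builds a constructed sample tree with placeholder hostnames and passwords so it runs offline; the ROOT argument, the function names and the sample values are all my assumptions. On a real host you would run audit_config against "/".

```shell
#!/bin/sh
# Added example, not code from the thread: audit a host for credentials
# that non-root users can read. The sample tree built by make_sample is
# constructed with placeholder values; pass "/" as ROOT on a real host.

# is_world_readable FILE: true if the "others" read bit is set.
# Parses ls -l so it works on any POSIX system (stat flags differ per OS).
is_world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_config ROOT: print findings to stderr and the finding count to stdout.
audit_config() {
    root="$1"
    findings=0

    # 1. pam_mysql takes its DB password as a module option, and /etc/pam.d/*
    #    is conventionally 0644, so every local user can read that password.
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        if grep -qE '(^|[[:space:]])passwd=' "$f" && is_world_readable "$f"; then
            echo "FINDING: $f embeds a database password and is world-readable" >&2
            findings=$((findings + 1))
        fi
    done

    # 2. bindpw in a world-readable /etc/ldap.conf (the thread's own ldap.conf
    #    comment says to keep the password in /etc/ldap.secret, mode 0600).
    conf="$root/etc/ldap.conf"
    if [ -f "$conf" ] && grep -qE '^[[:space:]]*bindpw[[:space:]]' "$conf" \
        && is_world_readable "$conf"; then
        echo "FINDING: $conf holds bindpw in the clear and is world-readable" >&2
        findings=$((findings + 1))
    fi

    # 3. /etc/ldap.secret, if present, must be readable by root only.
    secret="$root/etc/ldap.secret"
    if [ -f "$secret" ] && is_world_readable "$secret"; then
        echo "FINDING: $secret is world-readable; expected mode 0600" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# make_sample ROOT: constructed config tree mirroring the thread's pam_mysql
# line and ldap.conf, with placeholder hosts and passwords (not real values).
make_sample() {
    root="$1"
    mkdir -p "$root/etc/pam.d"
    printf '%s\n' \
        'auth     sufficient    pam_mysql.so host=dbhost user=root passwd=PLACEHOLDER db=appdb table=users passwdcolumn=password usercolumn=username crypt=3 use_first_pass' \
        'auth     required      pam_unix.so' > "$root/etc/pam.d/login"
    printf '%s\n' \
        'uri ldap://ldap.example.invalid' \
        'binddn CN=svc,OU=Service Accounts,DC=example,DC=invalid' \
        'bindpw PLACEHOLDER' \
        'ssl no' > "$root/etc/ldap.conf"
    printf '%s\n' 'PLACEHOLDER' > "$root/etc/ldap.secret"
    # Deliberately permissive, the state the audit should flag.
    chmod 644 "$root/etc/pam.d/login" "$root/etc/ldap.conf" "$root/etc/ldap.secret"
}

# Stand-alone run against the constructed tree.
demo_root=$(mktemp -d)
make_sample "$demo_root"
echo "findings before: $(audit_config "$demo_root")"
chmod 600 "$demo_root/etc/ldap.secret"
echo "findings after restricting ldap.secret: $(audit_config "$demo_root")"
rm -rf "$demo_root"
```

The check only tells you where the secret is exposed; for the pam_mysql case the mode of /etc/pam.d/* cannot simply be tightened, because PAM must read those files for every login, which is why Santhosh is asking for a place to keep the credentials that is root-only, as sssd.conf is for the LDAP settings.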
