Re: Linux LDAP problem

I just finished an LDAP configuration successfully and found out that the configuration is tricky - I had to be very careful. I had the same problem with double passwords - the order in the PAM config files was wrong. Also I found out that PAM was not able to bind to the server anonymously, though I configured it in the slapd.conf. So I created a Manager with read only permission. For some reason my ldap.conf accepts _only_ an IP in the host entry, everywhere else the domainname works.

my /etc/pam.d/login:

    auth     required   /lib/security/pam_securetty.so
    auth     required   /lib/security/pam_nologin.so
    auth     sufficient /lib/security/pam_ldap.so
    auth     required   /lib/security/pam_unix_auth.so use_first_pass
    account  sufficient /lib/security/pam_ldap.so
    account  required   /lib/security/pam_unix_acct.so
    password required   /lib/security/pam_cracklib.so
    password sufficient /lib/security/pam_ldap.so
    password required   /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
    session  required   /lib/security/pam_unix_session.so

/etc/pam.d/pop || imap || su:

    auth     sufficient pam_ldap.so
    auth     required   pam_unix_auth.so
    account  required   pam_unix_acct.so
    password required   pam_unix_passwd.so
    session  required   pam_unix_session.so

/etc/openldap/slapd.conf:

    <--- snip --->
    access to attr=userPassword
            by self write
            by dn="cn=Manager,dc=domain,dc=com" write
            by dn="cn=pam,dc=domain,dc=com" read
            by anonymous auth
            by * none
    access to *
            by self write
            by dn="cn=Manager,dc=domain,dc=com" write
            by * read

/etc/libnss-ldap.conf:

    <--- snip --->
    binddn cn=pam,dc=domain,dc=com
    bindpw x
    <--- snip --->

This configuration works on my System: Potato AXP, LDAP 2.0.11 (compiled)

martin

Sergio Talens-Oliag wrote:
> On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
>
>> Hey,
>>
>> I've got a slight problem, at school we run two major networks, one half is
>> Novell Netware based, and the other half is unix based. We basically want one
>> centralized system of authentication, so that users don't have to remember two
>> different passwords to use either system. We've been trying to get linux to use
>> ldap to authenticate with the novell ldap server, and have had no luck. We
>> know the novell ldap server is fine, however something seems fishy with the
>> linux side. The problem when using the PAM_LDAP modules is that
>> when a user tries to log in, they are asked for a password twice, once the
>> normal password, and the second one being the ldap based password. However,
>> even if you type in the correct passwords, LDAP says permission denied, or
>> authentication failed. What makes it really odd is how at the same time the
>> novell netware server states it has seen the authenticated user, and even
>> gives it an OK to login.
>>
>> Anyone have any clue as to how to make it work? Are there any docs about
>> getting Netware+linux+ldap to work? thanks for any info that you might pass
>> along. have a nice day.
>>
>
> I think your problem is in your pam module configuration, I use something
> like that for auth:
>
> ---
> auth required pam_nologin.so
> auth sufficient pam_unix.so
> auth required pam_ldap.so use_first_pass
> ---
>
> With this setup the user is only asked once; if 'pam_unix' succeeds the user
> is authorized and if it fails 'pam_ldap' tries to authenticate using the
> same password entered.
>
> Hope this helps.
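The slapd.conf access directives martin posted are evaluated in order: the first "access to" whose target matches the attribute is selected, and within it the first "by" clause matching the requester decides the level. The following evaluator is an added example, not martin's code or anything shipped with OpenLDAP; it models only the "*" and "attr=" targets and the "self", "anonymous", "users", "*" and exact-match dn="..." requesters that his ACL uses, and the directory entries (uid=alice, uid=bob) are constructed for the demonstration.

```python
import re

# slapd's access levels, weakest to strongest; a grant of one level
# implies every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two access directives from the thread's slapd.conf, copied verbatim.
ACL_TEXT = """
access to attr=userPassword
        by self write
        by dn="cn=Manager,dc=domain,dc=com" write
        by dn="cn=pam,dc=domain,dc=com" read
        by anonymous auth
        by * none
access to *
        by self write
        by dn="cn=Manager,dc=domain,dc=com" write
        by * read
"""

BY_CLAUSE = re.compile(r'^by\s+(self|anonymous|users|\*|dn="[^"]*")\s+(\w+)$')


def parse_acl(text):
    """Parse 'access to <what>' blocks with their ordered 'by <who> <level>' clauses."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            rules.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            m = BY_CLAUSE.match(line)
            if not rules or not m or m.group(2) not in LEVELS:
                raise ValueError(f"unsupported clause: {line}")
            rules[-1]["by"].append((m.group(1), m.group(2)))
    return rules


def _what_matches(what, attr):
    # Assumption: only '*' and 'attr=a,b' targets are modelled; dn= and
    # filter= targets do not occur in the thread's ACL.
    if what == "*":
        return True
    if what.startswith("attr="):
        wanted = {a.strip().lower() for a in what[len("attr="):].split(",")}
        return attr.lower() in wanted
    return False


def _who_matches(who, requester_dn, target_dn):
    # requester_dn None stands for an anonymous (unbound) session.
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    # by dn="...": exact DN comparison (assumption; slapd also accepts patterns)
    return requester_dn is not None and requester_dn.lower() == who[4:-1].lower()


def access_level(rules, requester_dn, target_dn, attr):
    """Level slapd grants: the first 'access to' whose target matches is
    selected, then its first matching 'by' clause decides; no match means none."""
    for rule in rules:
        if _what_matches(rule["what"], attr):
            for who, level in rule["by"]:
                if _who_matches(who, requester_dn, target_dn):
                    return level
            return "none"  # implicit trailing 'by * none'
    return "none"


def allows(rules, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least 'needed' (e.g. 'auth' or 'read')."""
    granted = access_level(rules, requester_dn, target_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(needed)


RULES = parse_acl(ACL_TEXT)
ALICE = "uid=alice,ou=people,dc=domain,dc=com"  # constructed entry
BOB = "uid=bob,ou=people,dc=domain,dc=com"      # constructed entry
PAM = "cn=pam,dc=domain,dc=com"
MANAGER = "cn=Manager,dc=domain,dc=com"

if __name__ == "__main__":
    for dn, label in [(None, "anonymous"), (BOB, "bob"), (PAM, "cn=pam"),
                      (ALICE, "alice (self)"), (MANAGER, "Manager")]:
        print(f"{label:>13}: userPassword={access_level(RULES, dn, ALICE, 'userPassword'):<5}"
              f" mail={access_level(RULES, dn, ALICE, 'mail')}")
```

Two things worth checking with this evaluator: an anonymous session gets exactly "auth" on userPassword, enough for a simple bind but not enough to read the hash, and the trailing "by * none" on the first directive is what keeps the catch-all "access to * ... by * read" from ever being consulted for userPassword. Reversing the two directives makes "access to *" match first and hands every authenticated user read access to every hash, which is why directive order matters as much as the clauses themselves. Note also that cn=pam is granted read on userPassword, so the bindpw stored for it in the nss/pam config file is effectively a key to all password hashes in the directory and that file's permissions deserve the same care as /etc/shadow.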
Re: Linux LDAP problem

On Tuesday, 2001-08-28 at 17:15:58 +0200, Sergio Talens-Oliag wrote:
> On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
> > Anyone have any clue as to how to make it work? Are there any docs about
> > getting Netware+linux+ldap to work? thanks for any info that you might
> > pass along. have a nice day.
> I think your problem is in your pam module configuration, I use something
> like that for auth:
> ---
> auth required pam_nologin.so
> auth sufficient pam_unix.so
> auth required pam_ldap.so use_first_pass
> ---
> With this setup the user is only asked once; if 'pam_unix' succeeds the user
> is authorized and if it fails 'pam_ldap' tries to authenticate using the
> same password entered.
> Hope this helps.

Probably not. The hard part is figuring out which attributes this queries. I helped set this up, but the NDS was already muddled by other applications, so it's not clear. But there's a way: RTFS! :-)

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED] | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
Re: Linux LDAP problem

On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
> Hey,
> I've got a slight problem, at school we run two major networks, one half is
> Novell Netware based, and the other half is unix based. We basically want one
> centralized system of authentication, so that users don't have to remember two
> different passwords to use either system. We've been trying to get linux to use
> ldap to authenticate with the novell ldap server, and have had no luck. We
> know the novell ldap server is fine, however something seems fishy with the
> linux side. The problem when using the PAM_LDAP modules is that
> when a user tries to log in, they are asked for a password twice, once the
> normal password, and the second one being the ldap based password. However,
> even if you type in the correct passwords, LDAP says permission denied, or
> authentication failed. What makes it really odd is how at the same time the
> novell netware server states it has seen the authenticated user, and even
> gives it an OK to login.
> Anyone have any clue as to how to make it work? Are there any docs about
> getting Netware+linux+ldap to work? thanks for any info that you might pass
> along. have a nice day.

You might want to try asking on the PAM list, which I have the address for somewhere around here if you need it.
-- 
Share and Enjoy.
Re: Linux LDAP problem

On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
> Hey,
>
> I've got a slight problem, at school we run two major networks, one half is
> Novell Netware based, and the other half is unix based. We basically want one
> centralized system of authentication, so that users don't have to remember two
> different passwords to use either system. We've been trying to get linux to use
> ldap to authenticate with the novell ldap server, and have had no luck. We
> know the novell ldap server is fine, however something seems fishy with the
> linux side. The problem when using the PAM_LDAP modules is that
> when a user tries to log in, they are asked for a password twice, once the
> normal password, and the second one being the ldap based password. However,
> even if you type in the correct passwords, LDAP says permission denied, or
> authentication failed. What makes it really odd is how at the same time the
> novell netware server states it has seen the authenticated user, and even
> gives it an OK to login.
>
> Anyone have any clue as to how to make it work? Are there any docs about
> getting Netware+linux+ldap to work? thanks for any info that you might pass
> along. have a nice day.

I think your problem is in your pam module configuration, I use something like that for auth:

---
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so use_first_pass
---

With this setup the user is only asked once; if 'pam_unix' succeeds the user is authorized and if it fails 'pam_ldap' tries to authenticate using the same password entered.

Hope this helps.

-- 
Sergio Talens-Oliag <[EMAIL PROTECTED]>
Key fingerprint = 29DF 544F 1BD9 548C 8F15 86EF 6770 052B B8C1 FA69
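Both Sergio's three-line auth stack above and martin's /etc/pam.d/login earlier in the thread rely on the same two Linux-PAM rules: a "sufficient" module that succeeds ends the stack immediately (unless a "required" module already failed), and "use_first_pass" makes a module reuse the password collected by an earlier module instead of prompting again. The simulator below is an added example, not code from either poster or from Linux-PAM; it walks an auth stack with those semantics, counts the prompts the user would see, and uses constructed plaintext credential tables standing in for /etc/shadow and the directory's userPassword. It also includes a deliberately misordered stack in which each module prompts on its own, to show where a double password prompt and a "permission denied" for an LDAP-only user come from.

```python
from dataclasses import dataclass

# Constructed credential tables (assumption: plain comparison, no hashing).
UNIX_USERS = {"alice": "alice-pw", "carol": "carol-pw"}   # local accounts
LDAP_USERS = {"alice": "alice-pw", "bob": "bob-ldap-pw"}  # directory accounts


@dataclass(frozen=True)
class Module:
    name: str                     # pam_nologin, pam_unix or pam_ldap
    control: str                  # required | requisite | sufficient | optional
    use_first_pass: bool = False  # reuse the token an earlier module collected


def _module_result(mod, user, password):
    """True if the module would report PAM_SUCCESS for user/password."""
    if mod.name == "pam_nologin":
        return True               # no /etc/nologin in this model
    store = UNIX_USERS if mod.name == "pam_unix" else LDAP_USERS
    return store.get(user) == password


def run_auth_stack(stack, user, typed_passwords):
    """Walk an 'auth' stack the way Linux-PAM does.

    typed_passwords lists what the user would answer to successive prompts.
    Returns (access_granted, number_of_prompts_shown)."""
    prompts = 0
    first_pass = None         # the PAM_AUTHTOK shared down the stack
    required_failed = False
    verdict_given = False     # some required/requisite module produced a result
    for mod in stack:
        if mod.name == "pam_nologin":
            ok = _module_result(mod, user, None)
        elif mod.use_first_pass:
            # use_first_pass never prompts; with no token yet the module fails
            ok = first_pass is not None and _module_result(mod, user, first_pass)
        else:
            pw = typed_passwords[prompts] if prompts < len(typed_passwords) else ""
            prompts += 1
            if first_pass is None:
                first_pass = pw
            ok = _module_result(mod, user, pw)

        if mod.control == "sufficient":
            # success ends the stack, unless an earlier required module failed
            if ok and not required_failed:
                return True, prompts
        elif mod.control == "requisite":
            verdict_given = True
            if not ok:
                return False, prompts
        elif mod.control == "required":
            verdict_given = True
            if not ok:
                required_failed = True   # keep walking, but the result is fixed
        # optional modules do not influence the outcome
    return (verdict_given and not required_failed), prompts


# Misordered stack: both modules prompt, and a directory-only user is refused
# because the failing pam_unix is 'required'.
DOUBLE_PROMPT_STACK = [
    Module("pam_unix", "required"),
    Module("pam_ldap", "required"),
]

# Sergio's stack from the thread: unix first, LDAP as fallback on the same token.
SERGIO_STACK = [
    Module("pam_nologin", "required"),
    Module("pam_unix", "sufficient"),
    Module("pam_ldap", "required", use_first_pass=True),
]

# martin's login stack from the thread (pam_securetty omitted): LDAP first,
# unix as fallback on the same token.
MARTIN_STACK = [
    Module("pam_nologin", "required"),
    Module("pam_ldap", "sufficient"),
    Module("pam_unix", "required", use_first_pass=True),
]

if __name__ == "__main__":
    for label, stack in [("double-prompt", DOUBLE_PROMPT_STACK),
                         ("sergio", SERGIO_STACK), ("martin", MARTIN_STACK)]:
        for user, pw in [("alice", "alice-pw"), ("bob", "bob-ldap-pw"),
                         ("carol", "carol-pw")]:
            granted, n = run_auth_stack(stack, user, [pw, pw])
            print(f"{label:>13} {user:>5}: granted={granted!s:<5} prompts={n}")
```

The simulator also shows why pam_nologin sits at the top of both stacks: a "sufficient" module that succeeds returns before anything below it runs, so a policy module placed after it would be skipped for every user the first backend accepts.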