Ehlo,
[EMAIL PROTECTED] writes:
> Hello Adam,
>
> I really know this isn't what you asked for... but... I followed all the
> steps from the IdealX samba howto (samba with an ldap backend).
>
> I had the exact same problem when i was trying to auth sshd onto ldap.
there's a patch for sshd with ldap... I'm using it... feel free to check
it at tsl.chung.li.....
>
> The solution I managed (which was no problem at all for me since I was
> already using samba for our centralized auth service) was to use pam_smb.
>
> I have a pam_smb module which auths against a samba 3.x server (which
> keeps its database on a ldap server).
>
> Although the passwords are case insensitive (because of the
> implementation used by pam_smb [which auths against NT or LM hashes
> (err.. don't quite know right now but ONE of them is case insensitive)]),
> I now have a centralized service to auth against.
>
> If you think about it, it is quite better than to let your local linux server
> auth DIRECTLY onto the LDAP service.
>
> With my configuration a hacked machine can only sniff auths / or
> backdoor a pam module to get passwords. With the configuration you are
> trying to achieve, you have to configure a file on your system with full
> read access to your LDAP server (which means that if you get hacked, people
> will be able to get ALL the {crypt}ed passwords from your system).
>
> I hope this is some useful information for you :o)
>
> Best regards,
> Luís Miguel Silva
> Security Advisor
> Faculty of Engineering
> Oporto's University
>
> Quoting Adam Zaleski <[EMAIL PROTECTED]>:
>
>> Hello list,
>>
>> I'm trying to set up openldap system accounts' authentication.
>> I have installed
>>
>> openssh-server-4.2p1-1tr
>> nss_ldap-220-2tr
>> pam_ldap-175-2tr
>>
>> I've used migrate_all_online script to migrate system accounts to
>> ldap. My configuration files:
>>
>> /etc/ldap.conf
>>
>> host localhost
>> base dc=bryndzel,dc=org
>> port 389
>> scope one
>> nss_base_passwd ou=People,dc=bryndzel,dc=org?one
>> nss_base_shadow ou=People,dc=bryndzel,dc=org?one
>> nss_base_group ou=Group,dc=bryndzel,dc=org?one
>> ssl no
>> pam_password md5
>>
>> /etc/nsswitch.conf
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>>
>> /etc/pam.d/system-auth
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required /lib/security/pam_env.so
>> auth sufficient /lib/security/pam_unix.so likeauth nullok
>> auth sufficient /lib/security/pam_ldap.so debug use_first_pass
>> auth required /lib/security/pam_deny.so
>>
>> account required /lib/security/pam_unix.so
>> account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so debug
>>
>> password required /lib/security/pam_cracklib.so retry=3 type=
>> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>> password sufficient /lib/security/pam_ldap.so debug use_authtok
>> password required /lib/security/pam_deny.so
>>
>> session required /lib/security/pam_limits.so
>> session required /lib/security/pam_unix.so
>> session optional /lib/security/pam_ldap.so debug
>>
>>
>> These files were created using `authconfig`.
>>
>> I have a test user stored on ldap. Everything seems to work fine:
>>
>> ((root::bryndzel))(~)# cat /etc/passwd |grep testuser
>> ((root::bryndzel))(~)# id testuser
>> uid=520(testuser) gid=100(users) groups=100(users)
>> ((root::bryndzel))(~)# getent passwd |grep testuser
>> testuser:x:520:100:testuser:/home/users/testuser:/bin/bash
>> ((root::bryndzel))(~)#
>>
>>
>> And the main problem is that I can't connect to host using sshd.
>> I have use pam enabled on sshd_config. ssh tells me that the
>> password is wrong for testuser.
>>
>> thanks for any help
>>
>>
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
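To see why the quoted system-auth stack behaves the way it does (pam_ldap's `sufficient` line ends the auth stack on success, any other result falls through to pam_deny, and the bracketed account line only ignores `user_unknown`/`service_err`/`system_err`), here is an added Python simulation of Linux-PAM's control-flag dispatch; it is not code from the thread or from Linux-PAM. The config text and the per-module results are constructed after the thread's file, and jump actions (`N`) are not modeled.

```python
"""Simulate how Linux-PAM walks one management group of a pam.d stack
(constructed example). Simple control keywords are expanded to the
bracketed forms listed in pam.conf(5); jump actions ("N") are not modeled."""
import re

# pam.conf(5) equivalents of the four simple control keywords.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed copy of the thread's /etc/pam.d/system-auth (auth and account groups).
SYSTEM_AUTH = """\
#%PAM-1.0
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     sufficient /lib/security/pam_ldap.so debug use_first_pass
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
account  [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so debug
"""

def parse_stack(text, group):
    """Return [(module, {retval: action})] for one group (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line.split("#", 1)[0].strip())
        if not m or m.group(1) != group:
            continue
        ctrl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        actions = (dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.append((module, actions))
    return stack

def evaluate(stack, results):
    """Dispatch rules: ok/done set the status unless a module already failed;
    bad/die record the first failure; ignore leaves the status untouched.
    `results` maps module name to its pam.conf(5) return-value name."""
    failed, status = False, "perm_denied"       # Linux-PAM's "must fail" default
    for module, actions in stack:
        ret = results[module]
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if not failed:
            status = ret
        failed = failed or action in ("bad", "die")
        if action in ("done", "die"):
            break
    return status

def ldap_user_login(ldap_result):
    """Auth-stack outcome for a user who exists only in LDAP (pam_unix fails)."""
    results = {"pam_env.so": "success", "pam_unix.so": "auth_err",
               "pam_ldap.so": ldap_result, "pam_deny.so": "auth_err"}
    return evaluate(parse_stack(SYSTEM_AUTH, "auth"), results)

if __name__ == "__main__":
    print(ldap_user_login("success"))   # success: pam_ldap's 'done' ends the stack
    print(ldap_user_login("auth_err"))  # auth_err: falls through to pam_deny
```

Feeding the simulator the result you suspect pam_ldap actually returned (e.g. `auth_err` from a failed bind) shows whether "password is wrong" comes from pam_ldap itself or from pam_deny at the end of the stack.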