sslug-teknik team mailing list archive

Thread
Date

pam_ldap problemer

To: sslug-teknik@xxxxxxxx
From: Ask Holme <ask@xxxxxxxxxxxxxxxxx>
Date: Mon, 02 Apr 2007 21:55:02 +0200
Delivered-to: mailing list sslug-teknik@xxxxxxxx
Mailing-list: contact sslug-teknik-help@xxxxxxxx; run by ezmlm
Newsgroups: sslug.teknik
Organization: SSLUG
User-agent: Thunderbird 2.0b2 (Windows/20070116)

Jeg forsøger, at sætte en maskine op til at godkende mod LDAP. (den skalbåde godkende systembrugere og samba brugere)Jeg har sat OpenLDAP op med de rigtige skemaer og har installeretldap-account-manager til at styrer bruger med.

Jeg kan oprette brugere og kan via ldapsearch/ldappasswd etc. utilsbinde med de brugere jeg har oprettet.

Men selvom auth og bind virker fint med ldappasswd, så kan jeg ikkelogge ind. Jeg får følgende i loggen

pam_ldap: error trying to bind as user"uid=ask,ou=People,ou=Users,dc=elev,dc=dk" (Invalid credentials)

Jeg har prøvet, at bruge en række forskellige krypteringsalgoritmer(inklusiv cleartext) i min ldap entry samt prøvet med en anden bruger,men det hjælper ikke.

Systemet er en debian sarge, både openldap, libpam_ldap, libnss-ldapetc. er installeret fra stable.


Min slapd.conf, pam_ldap.conf og pam.d/common-auth er nedenover

slapd.conf
--------------------------------------------
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_passwd
database    bdb
suffix      dc=elev,dc=dk
rootdn      cn=Manager,dc=elev,dc=dk
rootpw      <something>
directory   /var/lib/ldap

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=elev,dc=dk" write
        by dn="cn=syncuser,dc=elev,dc=dk" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=elev,dc=dk" write
        by dn="cn=syncuser,dc=elev,dc=dk" read

access to *
        by dn="cn=sambaadmin,dc=elev,dc=dk" write
        by dn="cn=syncuser,dc=elev,dc=dk" read
        by dn="cn=Manager,dc=elev,dc=dk" write
        by * read

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
TLSCertificateFile      /etc/ldap/server.pem
TLSCertificateKeyFile   /etc/ldap/server.pem
TLSCACertificateFile    /etc/ldap/server.pem

pam_ldap.conf
------------------------------------------------
host 127.0.0.1
base dc=elev,dc=dk
ldap_version 3
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=elev,dc=dk
nss_base_shadow ou=People,ou=Users,dc=elev,dc=dk
nss_base_group  ou=Groups,dc=elev,dc=dk

pam.d/common-auth
-------------------------------------------------
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass

Follow ups

Re: pam_ldap problemer
From: Ask Holme, 2007-04-02