Re: Authentication Failure In pam_ldap ?

Jyotishmaan Ray wrote, on 23-12-2007 12:47:

> I could change the password successfully as shown below but still could
> not log in through the console. What should i do next ?

Odd Reitan (among the 6 richest Norwegians) in today's "Dagbladet på nettet":

«Some did well, but not everyone is equally good. Some are below par and are never going to manage it no matter what. And so we have told them: «You are not fit to run a business on your own. You must start on something else». But some cling desperately to the shop and lose money like the devil. What are we to do with that?»

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Authentication Failure In pam_ldap ?

Hi Jyotishmaan

Can I suggest, if you are trying to administer this box on a full time basis, that you really need to reconsider that. The error messages are being very clear as to what the problem is and it should be very simple for you to check/test them. If this is a learning exercise you need to do more study on this.

Again this is a very simple problem.

check your /home/jmaan directory, make sure jmaan is the owner of that directory and he has rwx permissions

Alex

On Sun, Dec 23, 2007 at 04:53:07AM -0800, Jyotishmaan Ray wrote:
> Hello (Alex)
>
> With the changed ldappasswd for the user-"jmaan", ldapsearch worked fine as said in an earlier mail, ssh too worked fine, except for the fact that the log on was onto the root directory rather than /home/jmaan.
> With the console log in and the new password (got from ldappasswd) of the user jmaan, the following were the messages logged into the /var/log/messages file.
>
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): starting (version 2.18.0.1), pid 19078 user 'jmaan'
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): Failed to load source "xml:readwrite:/home/jmaan/.gconf": Failed: Could not make directory `/home/jmaan/.gconf': No such file or directory
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 1
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): None of the resolved addresses are writable; saving configuration settings will not be possible
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): No writable config sources successfully resolved, may not be able to save some configuration changes
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): Failed to open saved state file: Failed: Failed to open gconfd logfile; won't be able to restore listeners after gconfd shutdown (No such file or directory)
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): Failed to open saved state file: Failed: Failed to open gconfd logfile; won't be able to restore listeners after gconfd shutdown (No such file or directory)
> Dec 23 16:30:09 authdns gconfd (jmaan-19078): Failed to log addition of listener gnome-session (Failed: Failed to open gconfd logfile; won't be able to restore listeners after gconfd shutdown (No such file or directory)); will not be able to restore this listener on gconfd restart, resulting in unreliable notification of configuration changes.
>
> Now, what should i do, is it something with the permissions of various files like gconfd file etc to quote ?
>
> With Thanks and Regards,
> Jyotishmaan Ray
> Moderator Of Paradise Groups
> http://yahoogroups.com/group/Spirituality-Paradise
>
> Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
> Please Join Immediately By Sending A Blank Mail @
> Spirituality-Paradise-subscribe@...
>
> ----- Original Message ----
> From: Alex Samad <alex@...>
> To: pamldap@...
> Sent: Sunday, December 23, 2007 2:05:22 AM
> Subject: Re: [pamldap] Authentication Failure In pam_ldap ?
>
> On Fri, Dec 21, 2007 at 11:56:03PM -0800, Jyotishmaan Ray wrote:
> > Hi All,
> >
> > ldapsearch -h <servername> -p <PortNumber> -x -D cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan*)'
> >
> > works out fine as said before, but now the /var/log/messages is showing the following errors, when i had been trying continuously to login from the console in the ldap server machine using the dn of the users-"jmaan" and "ldapusr":-
> >
> > Please give directions/hints so that, i can somehow resolve the issues of authentication with pam_ldap ?
> >
> > It seems it could not bind with the ldap server ? But then why?
>
> let's fix one thing at a time
>
> > I had been trying to reset the ldappasswd for these users (jmaan and ldapusr) but again it gives me "invalid credentials" as shown below :
> >
> > [root@authdns log]# ldappasswd -h localhost -p 389 -x -D uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in -W
> > Enter LDAP Password:
> > ldap_bind: Invalid credentials (49)
>
> If you look at the command, you are trying to change the password for dn uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in; part of the process is providing the original user's password, if you don't know it that isn't going to work.
>
> As with your other problems a quick scan of the man pages does provide the answer:
>
> "ldappasswd sets the password associated with the user [or an optionally specified user]."
>
> you need to bind as the manager uid and change the password of jmaan
>
> ldappasswd -h localhost -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
>
> once this works, then try the ldapsearch with the -x -D
> then try the local login
>
> > The messages from the /var/log/messages are shown below:-
> >
> > Dec 22 12:59:46 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> > Dec 22 12:59:49 authdns gdm[2361]: Couldn't authenticate user
> > Dec 22 13:00:39 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> > Dec 22 13:00:41 authdns gdm[2361]: Couldn't authenticate user
> > Dec 22 13:01:28 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> > Dec 22 13:01:32 authdns gdm[2361]: Couldn't authenticate user
> > Dec 22 13:03:04 authdns gdm[2361]: pam_ldap: error trying to bind as user "uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" (Invalid credentials)
> > Dec 22 13:03:07 authdns gdm[2361]: Couldn't authenticate user
>
> this is the same issue
>
> > My ldap.conf file of the ldap server machine is shown below:
> >
> > [root@authdns log]# egrep -v '^(^$|#)' /etc/ldap.conf
> > base dc=nits,dc=ac,dc=in
> > timelimit 120
> > bind_timelimit 120
> > idle_timelimit 3600
> > nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
> > uri ldap://127.0.0.1/
> > ssl no
> > tls_cacertdir /etc/openldap/cacerts
> > pam_password md5
> >
> > The slapd.conf file of my server machine is as shown below:
> >
> > [root@authdns log]# egrep -v '^(^$|#)' /etc/openldap/slapd.conf
> > include /etc/openldap/schema/core.schema
> > include /etc/openldap/schema/cosine.schema
> > include /etc/openldap/schema/inetorgperson.schema
> > include /etc/openldap/schema/nis.schema
> > include /etc/openldap/schema/nit.schema
> > access to * by * read
> > allow bind_v2
> > pidfile /var/run/openldap/slapd.pid
> > argsfile /var/run/openldap/slapd.args
> > database bdb
> > suffix "dc=nits,dc=ac,dc=in"
> > rootdn "cn=Manager,dc=nits,dc=ac,dc=in"
> > rootpw {SSHA}Y3RagOP7u3FsNbHCnPVLwsxUepwIgezo
>
> you should have changed the above password before emailing it to anyone
>
> > directory /var/lib/ldap
> > index objectClass eq,pres
> > index ou,cn,mail,surname,givenname eq,pres,sub
> > index uidNumber,gidNumber,loginShell eq,pres
> > index uid,memberUid eq,pres,sub
> > index nisMapName,nisMapEntry eq,pres,sub
> >
> > access to attrs=userPassword
> > by * auth
> > by self write
> > access to *
> > by * read
> > access to *
> > by dn="cn=Manager,dc=nits,dc=ac,dc=in" write
> > by dn="uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" read
> > by dn="uid=ldapusr,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in" read
> > by dn="uid=usr1,dc=nits,dc=ac,dc=in" read
> > by users read
> > by self write
> > by * read
> >
> > lastmod on
> > access to * by users read
> > authz-regexp
> > uid=([^,]*),dc=[^,]*,cn=auth
> > uid=$1,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> > loglevel -1
> >
> > Thank you for taking efforts to read till this line. Now please show me your expertise on this, and let me resolve this authentication ?
> >
> > Jyotishmaan
> >
> > ----- Original Message ----
> > From: Alex Samad <alex@...>
> > To: pamldap@...
> > Sent: Friday, December 21, 2007 3:42:30 AM
> > Subject: Re: [pamldap] Authentication Failure In pam_ldap ?
> >
> > On Wed, Dec 19, 2007 at 10:59:17PM -0800, Jyotishmaan Ray wrote:
> > > Hello Alex,
> > >
> > > Thank you for giving me tips on ldapsearch with -x and -D.
> > >
> > > The output of a ldapsearch with -x and -D options is as shown below:-
> > >
> > > [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D cn=Manager,dc=nits,dc=ac,dc=in -W -b dc=nits,dc=ac,dc=in '(uid=jmaan)'
> > > Enter LDAP Password:
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <dc=nits,dc=ac,dc=in> with scope subtree
> > > # filter: (uid=jmaan)
> > > # requesting: ALL
> > > #
> > >
> > > # jmaan, non-teach, compcen, nits.ac.in
> > > dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> > > uid: jmaan
> > > cn: jmaan
> > > objectClass: account
> > > objectClass: posixAccount
> > > userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
> > > loginShell: /bin/bash
> > > uidNumber: 623
> > > gidNumber: 623
> > > homeDirectory: /home/jmaan
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > > [root@authdns ~]#
> >
> > great, now you know that cn=Manager,dc=nits,dc=ac,dc=in works
> >
> > > The output of ldapsearch when used with -x and -D options with dn for the user "jmaan" is as shown below when the password for jmaan was used:-
> > >
> > > [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D 'uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in' -W
> > > Enter LDAP Password:
> > > ldap_bind: Invalid credentials (49)
> > > [root@authdns ~]#
> >
> > this is the test that should have been done from the beginning, you are simulating what pamldap does (without sasl auth). I would make sure your -h and -p correspond with what you have in your pamldap.conf file
> >
> > > When the ldapsearch is used with -x and -D options and the password of the authenticating Manager was used then the ldapsearch is a successful one as shown below:-
> > >
> > > [root@authdns ~]# ldapsearch -h authdns.nits.ac.in -p 389 -x -D 'cn=Manager,dc=nits,dc=ac,dc=in' -W '(uid=jmaan)'
> > > Enter LDAP Password:
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <> with scope subtree
> > > # filter: (uid=jmaan)
> > > # requesting: ALL
> > > #
> > >
> > > # jmaan, non-teach, compcen, nits.ac.in
> > > dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
> > > uid: jmaan
> > > cn: jmaan
> > > objectClass: account
> > > objectClass: posixAccount
> > > userPassword:: JDEkOVE1ZDRQdzUkWkl1QlJjQWhLZ0xPREtTR2FrNlhNMQ==
> > > loginShell: /bin/bash
> > > uidNumber: 623
> > > gidNumber: 623
> > > homeDirectory: /home/jmaan
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > > Now please give me insights in this!!!! In both of the cases for the user-"jmaan" everything matches with the imported file of the user "jmaan" except for the password (where the password was in md5 format, while importing). Is it because of this mismatch that i could not log through the console in the server machine using the user id-"jmaan" ?
> > > Also are the reasons same for unsuccessful log on using ssh <hostname> -l <uid>
> >
> > please forget about ssh until you get the ldap bind working.
> > and yes, this is the reason it is not working. try resetting the password for that user. Once you have the ldap bind working then test login in from the console and then ssh.
> >
> > use the admin account to change the password for jmaan
> >
> > > Please let me, Alex!! More to know from you, as i cannot see any other ways!!!!
> > >
> > > Thanking you,
> > >
> > > Regards,
> > >
> > > Jyotishmaan

Re: Authentication Failure In pam_ldap ?

On Sun, Dec 23, 2007 at 10:47:39PM -0800, Jyotishmaan Ray wrote:
> Hello (Alex),
>
> Plz see below for your reply in blue coloured text!!

I use a text mail client so colours don't help. :)

> ----- Original Message ----
> From: Alex Samad <alex@...>
> To: pamldap@...
> Sent: Monday, December 24, 2007 2:09:08 AM
> Subject: Re: [pamldap] Authentication Failure In pam_ldap ?
>
> Hi Jyotishmaan
>
> Can I suggest, if you are trying to administer this box on a full time basis, that you really need to reconsider that. The error messages are being very clear as to what the problem is and it should be very simple for you to check/test them. If this is a learning exercise you need to do more study on this.
>
> Again this is a very simple problem.
>
> check your /home/jmaan directory, make sure jmaan is the owner of that directory and he has rwx permissions
>
> Unless a user is created by the system administrator (here, the root), how will this /home/jmaan be there and owned by the user-"jmaan".
>
> Next, if the administrator creates this /home/jmaan directory, will it be owned by the user-"jmaan". This is so cause the user-jmaan's file was migrated into the ldap server machine in LDIF format, so there arises no question of having a local /home/jmaan directory in the server machine.

true

> Then how to solve this, well let me think!!
>
> I tried doing this, still, the same errors were displayed, as then "jmaan" is not the owner of the /home/jmaan but rather the owner is "root".

This is very basic linux admin stuff, change the owner of the directory !
read up on chown, chmod and chgrp
you can try man or google

> So, next, now as you said i would try to log in from the text console.
>
> Thanks Alex,
>
> Jyotishmaan
>
> Alex
>
> On Sun, Dec 23, 2007 at 04:53:07AM -0800, Jyotishmaan Ray wrote:

Re: Authentication Failure In pam_ldap ?

does the group exist

use getent {passwd|groups} to see what the system sees

On Tue, Dec 25, 2007 at 10:23:19AM -0800, Jyotishmaan Ray wrote:
> Hello Again, (Alex)
>
> This time i could log in via the text mode and GUI mode of the console in my ldap server machine.
>
> what i did is :
>
> 1. mkdir /home/jmaan
> 2. chmod 700 /home/jmaan
> 3. chown jmaan /home/jmaan
> 4. chgrp jmaan /home/jmaan
> then the same i did with the test user -ldapusr
>
> But now when i tried doing this with other users (in my ldap users, like say for an example the user-aracd), i could not change the group ownership as i could do with the users jmaan and ldapusr.
> Now the question is why did it behave like this ?
> In no way were the users -jmaan or ldapusr members of the group jmaan or ldapusr, then how could i change their group successfully and not other users, like, to cite here as an example, the user "aracd".
>
> May i know where i had been wrong ?
>
> Here are the transcripts of the commands:-
>
> [root@authdns home]# chown aracd /home/aracd
> [root@authdns home]# chgrp aracd /home/aracd
> chgrp: invalid group `aracd'
> [root@authdns home]# ls -l /home/aracd
> total 0
> [root@authdns home]# ls -l aracd
> total 0
> [root@authdns home]# ls -l
> total 120
> drwx------ 2 akarim root 4096 2007-12-25 22:50 akarim
> drwx------ 2 akbanik root 4096 2007-12-25 22:51 akbanik
> drwx------ 2 akdas root 4096 2007-12-25 22:51 akdas
> drwx------ 2 aracd root 4096 2007-12-25 22:31 aracd
> drwx------ 2 ceoffice root 4096 2007-12-25 22:48 ceoffice
> drwx------ 2 dean_acd root 4096 2007-12-25 22:31 dean_acd
> drwx------ 21 jmaan jmaan 4096 2007-12-25 23:08 jmaan
> drwx------ 21 ldapusr ldapusr 4096 2007-12-25 22:38 ldapusr
>
> [root@authdns home]#
>
> > Unless a user is created by the system administrator (here, the root), how will this /home/jmaan be there and owned by the user-"jmaan".
>
> true
>
> > Next, if the administrator creates this /home/jmaan directory, will it be owned by the user-"jmaan". This is so cause the user-jmaan's file was migrated into the ldap server machine in LDIF format, so there arises no question of having a local /home/jmaan directory in the server machine.
>
> true
>
> This is very basic linux admin stuff, change the owner of the directory !
> read up on chown, chmod and chgrp
> you can try man or google
>
> > So, next, now as you said i would try to log in from the text console.
> >
> > Thanks Alex,
> >
> > Jyotishmaan
>
> Alex

Re: Authentication Failure In pam_ldap ?

first find where the jmaan group is defined ? then find out how it was created and then create the other groups.

on debian I use a package called ldapscripts which has the relevant wrapper scripts to add users, groups and such

alex

On Tue, Dec 25, 2007 at 09:03:17PM -0800, Jyotishmaan Ray wrote:
> Hello (Alex),
>
> No, those groups do not exist for those users for whom i had not been able to change group ownership with the command chgrp!!
> But then how come the groups exist for the user-"jmaan" and the user-"ldapusr".
> Cause i never created these userid's explicitly using the command :-useradd.
> The users-"jmaan" and "ldapusr" 's profiles were migrated in LDIF format into the ldap server machine.
>
> Any comments would be appreciated!!
>
> On using getent passwd, it shows all the migrated users, however on doing getent group, it shows only "jmaan" and "ldapusr" and not the other migrated users. How and why could i change the group ownership of these directories after creating /home/jmaan and /home/ldapusr respectively and not for other users??
>
> a few lines of output of getent group:-
>
> jmaan:*:623:
> ldapusr:*:625:
>
> a few lines of output of getent passwd:-
>
> ldapusr:x:625:625:ldapusr:/home/ldapusr:/bin/bash
> jmaan:x:623:623:jmaan:/home/jmaan:/bin/bash
>
> Jyotishmaan
>
> ----- Original Message ----
> From: Alex Samad <alex@...>
> To: pamldap@...
> Sent: Wednesday, December 26, 2007 1:28:12 AM
> Subject: Re: [pamldap] Authentication Failure In pam_ldap ?
>
> does the group exist
>
> use getent {passwd|groups} to see what the system sees

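Two defects in the migrated LDIF run through this thread: Alex's Dec 21 reply confirms that the md5 crypt hash imported into userPassword without a scheme prefix is why the simple bind returns "Invalid credentials (49)", and this last exchange traces the chgrp failure to posixGroup entries that were never migrated (getent group lists only jmaan and ldapusr). The Python below is an added example, not code from the thread or from ldapscripts, that scans an LDIF export for both problems; the sample LDIF, its DNs under dc=example,dc=org and the hash values are constructed.

```python
import base64

# Constructed sample LDIF (not data from the thread): two migrated posixAccount
# entries and one posixGroup. jmaan's crypt(3) hash was imported bare (shown
# base64-encoded after '::', as ldapsearch prints it); aracd's has {CRYPT}.
SAMPLE_LDIF = f"""\
dn: uid=jmaan,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: jmaan
gidNumber: 623
userPassword:: {base64.b64encode(b'$1$abcdefgh$0123456789abcdefghijklmnop').decode()}

dn: uid=aracd,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: aracd
gidNumber: 700
userPassword: {{CRYPT}}$1$abcdefgh$0123456789abcdefghijklmnop

dn: cn=jmaan,ou=group,dc=example,dc=org
objectClass: posixGroup
cn: jmaan
gidNumber: 623
"""

def parse_ldif(text):
    """Entries as dicts attr -> [values]; '::' marks a base64-encoded value."""
    entries = []
    for block in text.strip().split('\n\n'):
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(':')
            if val.startswith(':'):
                val = base64.b64decode(val[1:].strip()).decode()
            cur.setdefault(attr, []).append(val.strip())
        entries.append(cur)
    return entries

def password_fixes(entries):
    """{uid: corrected userPassword} for entries holding a bare crypt(3) hash.
    slapd compares a value with no {SCHEME} prefix as literal cleartext, so a
    simple bind with the real password fails with 'Invalid credentials (49)';
    with {CRYPT} slapd verifies via crypt(3) (needs slapd built with crypt)."""
    fixes = {}
    for e in entries:
        for pw in e.get('userPassword', []):
            if pw.startswith(('$1$', '$5$', '$6$')):
                fixes[e['uid'][0]] = '{CRYPT}' + pw
    return fixes

def missing_group_ldif(entries, base='ou=group,dc=example,dc=org'):
    """LDIF adding a posixGroup named after the user (the shape getent showed,
    jmaan:*:623:) for every account gidNumber without one, so that
    'chgrp <user>' no longer fails with 'invalid group'."""
    have = {g['gidNumber'][0] for g in entries
            if 'posixGroup' in g.get('objectClass', [])}
    out = []
    for e in entries:
        gid = e['gidNumber'][0] if 'posixAccount' in e.get('objectClass', []) else None
        if gid is None or gid in have:
            continue
        have.add(gid)
        out.append(f"dn: cn={e['uid'][0]},{base}\nobjectClass: posixGroup\n"
                   f"cn: {e['uid'][0]}\ngidNumber: {gid}\n")
    return "\n".join(out)
```

Run the two functions over the output of an ldapsearch bound as the manager (the only bind that can read userPassword under the posted ACLs); the returned fixes go in as ldapmodify replace operations and the group LDIF goes in with ldapadd.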