Nabble - PAM LDAP

Re: openldap authentication

2008-05-02T07:27:33Z

Jyotishmaan Ray wrote:
> Hello List,
>
> Recently I had been exploring the authentication types- Weak and
> Strong type of authentication mainly!!
>
> Can you plz give some pointers in that direction as such to classify
> the openldap authentication-weak or strong. Please justify??

Weak authentication is single- factor, e.g. password only. Strong
authentication incorporates more than one factor, e.g. knowledge of a
PIN and possession of the ATM card. Typically, strong authentication is
not handled by the ldap store, but rather a dedicated authentication
system often via SASL.

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

openldap authentication

2008-04-30T07:51:48Z

Hello List,

Recently I had been exploring the authentication types- Weak and Strong type of authentication mainly!!

Can you plz give some pointers in that direction as such to classify the openldap authentication-weak or strong. Please justify??

Thanks,
Jyotishmaan Ray

____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

Re: pam_check_host_attr + PAM configuration

2008-04-19T17:29:39Z

zf wrote:

I'm struggling for the past few days to setup host-based authentication on a CentOS 5 system using pam_check_host_attr directive but i really cannot understand how to make it work. I lack expertise in PAM so i'm trying many configurations found on the net about that subject but still none of these works either.

Damn, sometimes you miss the most obvious thing! Anyway, host-based authentication works as expected, my bad, i was changing a different sshd_config file so ssh didn't cooperate with PAM at all.

Sorry for that!

pam_check_host_attr + PAM configuration

2008-04-19T04:11:22Z

Hi all,

I'm struggling for the past few days to setup host-based authentication on a CentOS 5 system using pam_check_host_attr directive but i really cannot understand how to make it work. I lack expertise in PAM so i'm trying many configurations found on the net about that subject but still none of these works either.

My /etc/ldap.conf is pretty simple and straightforward:
-------------------------
host 127.0.0.1
base dc=people,dc=domain
scope sub
ssl no
pam_check_host_attr yes
-------------------------

partial /etc/nsswitch.conf :

-------------------
passwd: files ldap
shadow: files ldap
group: files ldap
-------------------

partial /etc/ssh/sshd_config:

--------------
UsePAM yes
--------------

If anyone could guide me to setup PAM to support and respect this attribute, would be really appreciated.

TIA

Changing password after it has expired

2008-04-17T10:18:55Z

Somebody on this list will know the definitive answer(s) to this question. I have been knocking holes in the wall with my head all day and cannot get an answer that makes sense.

In active directory you can set a password as expired and when the user logs in they get to type their old password to prove they are who they say they are and then new passwords to get the change to happen.

I want to achieve this via the LDAP interface but cannot find any references that say if it is possible. I suspect that what really happens under the cover is that the 'LDAP' code checks that the hash of the presented old password matches the value in the AD and then uses a privileged account rather than the user to do the actual change (I am thinking of the IISADMPWD application here!) What I had hoped I could find would be an options that would allow a bind to succeed using the users credentials (old password/username) that could only change the password. But I have not.

Am I right in that this is done by knowing that the HASH matches or is there a hidden control to the AD LDAP interface I am missing?

--
Signature

Howard Wilkinson	Phone:	+44(20)76907075
Coherent Technology Limited	Fax:
23 Northampton Square,	Mobile:	+44(7980)639379
United Kingdom, EC1V 0HL	Email:	howard@...

Disbling and Eanbling an openldap ACCOUNT

2008-04-16T22:40:25Z

Hello List

Though i can disable a user (with the addition of the attribute- shadowExpire) from successful authentication and hence log on- i am not in a position to enable the same user ?

Can any one suggest a way to delete this attribute ? I see no ways to delete an attribute from the GUI or the command line ?

But then if there is are any other wayz using ACLS , ppolicy etc disable a user account at will and enable it again at a later time whenevr they want.

Please let me tell you that my set up is that of openldap in linux fedora 8.

I am trying since yesterday night.

Please give some pointers!!!

Thanks,

Thanks,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise

Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe@...

____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

Re: How to make it unsuccessful authentication ??

2008-04-15T22:19:03Z

Hello Prakash,

That is fine. Thanks, it serves the purpose. But the thing is that-once i add this attribue to a uid and set its value say 0 (anyinteger) it disables the account and the user gets the message ofexpiry of his password.

But then if there is any way again to enable the same account by deleting this attribute etc.

I am trying since yesterday night.

Please give some pointers!!!

Thanks,

Thanks,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise

Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe@...

----- Original Message ----
From: Prakash Velayutham <prakash.velayutham@...>
To: Andrew Morgan <morgan@...>
Cc: pamldap@...
Sent: Monday, April 14, 2008 10:22:19 PM
Subject: Re: [pamldap] How to make it unsuccessful authentication ??

If you use the shadowAccount ObjectClass, I think you can use the
attribute shadowExpire to control this in OpenLDAP.

Prakash

____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

pam_ldap dynamic groups

2008-04-15T17:45:59Z

Pam LDAP List,

Does pam_ldap support dynamic groups, that is groups that return in the form memberUrl: instead of the memberUid: form?

If so how do I set it up to use dynamic groups?

Thanks

Joel

does pam_ldap support dynamic groups

2008-04-15T17:24:10Z

Pam LDAP List,

Does pam_ldap support dynamic groups, that is groups that return in the form memberUrl: instead of the memberUid: form?

If so how do I set it up to use dynamic groups?

Thanks

Joel

The information contained in this e-mail message and any accompanying files is or may be confidential. If you are not the intended recipient, any use, dissemination, reliance, forwarding, printing or copying of this e-mail or any attached files is unauthorised. This e-mail is subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If you have received this e-mail in error please advise the sender immediately by return e-mail or telephone and delete all copies. Fairfax does not guarantee the accuracy or completeness of any information contained in this e-mail or attached files. Internet communications are not secure, therefore Fairfax does not accept legal responsibility for the contents of this message or attached files.

Re: How to make it unsuccessful authentication ??

2008-04-14T12:49:25Z

<quote who="Prakash Velayutham">
> If you use the shadowAccount ObjectClass, I think you can use the
> attribute shadowExpire to control this in OpenLDAP.

Also if you use the Password Policy Overlay, I'm sure this is what SunOne
does with it's own account/policy module.

>
> Prakash
>
>
> On Apr 14, 2008, at 12:28 PM, Andrew Morgan wrote:
>
>> On Sat, 12 Apr 2008, Jyotishmaan Ray wrote:
>>
>>> Please see below for your reply,
>>>
>>> Yes, that is what i exactly meant. Suspend, means not allowing the
>>> user to have successful authentication, without hampering his
>>> password, for some time !!
>>
>> I'm not familiar with OpenLDAP, but the Sun Directory Server offers
>> a way to "disable" accounts. A disabled account will always fail to
>> authenticate to the LDAP server, but the stored password is not
>> modified. The account can be un-disabled anytime without setting a
>> new password.
>>
>> Does OpenLDAP offer a similar feature?
>>
>> Andy
>
> Prakash Velayutham
> Programmer / Analyst
> Cincinnati Children's Hospital Medical Center
>
>

Re: How to make it unsuccessful authentication ??

2008-04-14T09:52:19Z

If you use the shadowAccount ObjectClass, I think you can use the
attribute shadowExpire to control this in OpenLDAP.

Prakash

On Apr 14, 2008, at 12:28 PM, Andrew Morgan wrote:

> On Sat, 12 Apr 2008, Jyotishmaan Ray wrote:
>
>> Please see below for your reply,
>>
>> Yes, that is what i exactly meant. Suspend, means not allowing the
>> user to have successful authentication, without hampering his
>> password, for some time !!
>
> I'm not familiar with OpenLDAP, but the Sun Directory Server offers
> a way to "disable" accounts. A disabled account will always fail to
> authenticate to the LDAP server, but the stored password is not
> modified. The account can be un-disabled anytime without setting a
> new password.
>
> Does OpenLDAP offer a similar feature?
>
> Andy

Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center

Re: How to make it unsuccessful authentication ??

2008-04-14T09:28:17Z

On Sat, 12 Apr 2008, Jyotishmaan Ray wrote:

> Please see below for your reply,
>
> Yes, that is what i exactly meant. Suspend, means not allowing the user
> to have successful authentication, without hampering his password, for
> some time !!

I'm not familiar with OpenLDAP, but the Sun Directory Server offers a way
to "disable" accounts. A disabled account will always fail to
authenticate to the LDAP server, but the stored password is not modified.
The account can be un-disabled anytime without setting a new password.

Does OpenLDAP offer a similar feature?

Andy

Re: How to make it unsuccessful authentication ??

2008-04-14T05:43:19Z

So let me rephrase you're request just to make sure I understand what you're
asking for:

A user sucessfully logs into a server. Then their account is immediately locked
out so they cannot log in again for a period of time. Perhaps you're doing this
because you don't want a user to log into a server more than once is a 5 minute
period, for example ?

I'm not sure that pamLDAP is the proper place to look for the solution.
The way I see it you need one of these solutions:

1) The LDAP Directory locks an account after a successful (or even unsuccessful)
log in.

2) Your application, which is using pamLDAP to speak the the Directory, needs to
cache the user's name and temporarily block them from re-connecting for a period
of time.

If you're the developer for a particular application then I'd suggest going with
solution #2. If you're the administrator of the Directory then perhaps you can
find a solution there.

Thanks!
Jason Morrill
IT Manager
Child & Family Agency of Southeastern Connecticut
(860) 443-2896 x1422

Quoting Jyotishmaan <jyotishmaan@...>:

>
>
>
> Yes, I agree with you.
>
> My question remains unasnwered as it could not be understood!!!!
>
> Here it goes once again:-
>
> A user x logs onto his system say-"x" which then is being checked with the
> stored entry in the openldap database, and if it only matches that, the
> authentication process is said to be successful and the user is said to have
> successful authentication from his system "x" to the server say "y".
>
> Well after this phase of authentication, comes authirization, as such to
> check -"who has been granted what" ?
>
> My question, was it is possible to suspend a user to successfully log onto
> the server system, without affectinng his password etc for a short period of
> time something called "quarantine" , plz correct me if i am wrong. This i
> need to set up in my kind of adminitration where the users has been given
> limited access privleges and downloading capacities etc.
>
> Plz Give me some pointers !!!
>
>
>
> Jason Morrill wrote:
> >
> > Perhaps I'm as confused as everyone else on this list.
> >
> > Security is typical two-fold:
> > 1) Authentication = the username exists in the system and the password
> > matches
> > 2) Authorization = the username is allows to do what is being asked
> >
> > In many systems Authentication is all that is needed to get in the 'front
> > door'.
> > Authorization is left for more detailed security measures.
> >
> > For example:
> > Let's say we have a basic Webmail application. Bob, enters his information
> > into
> > a 'login' screen. That information is then **Authenticated** against the
> > Directory using LDAP. Let's say he entered the correct info. So now he's
> > part
> > way into the Webmail system. Now Webmail checks Bobs **Authorization** to
> > see
> > if it should show him links to things like 'Admin' and 'Edit Global
> > Addresbook'. Since Bob is not Authorizated for that level he doesn't see
> > those
> > options.
> >
> > For a further elaboration on authentication vs. authorization:
> > http://en.wikipedia.org/wiki/Authorization
> >
> > I know this doesn't answer your question but I don't think anyone here
> > understands your question. Perhaps the information I've outlined above
> > will
> > help you to rephrase it so we can understand what you're asking for.
> >
> > Jason
> >
> >
> > Quoting Jyotishmaan <jyotishmaan@...>:
> >
> >>
> >> Yes, i am sure you are wrong, as per my knowledge and experience with
> >> openldap.
> >>
> >> Please give some pointers on this-In what wayz can i make my request DN
> >> and
> >> not match with the entry stored in the database ?
> >>
> >>
> >>
> >> vsp_123 wrote:
> >> >
> >> > Hi,
> >> >
> >> > I always thought authorization came after authentication. But I guess
> >> > I could be wrong :)
> >> >
> >> > Prakash
> >> >
> >> >
> >> > On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:
> >> >
> >> >>
> >> >> Hello List,
> >> >>
> >> >> Can anybody let me know if there are anywayz that, after
> >> >> authorization, authentication can be stopped ??
> >> >> In other words when a user logs on and he is being authorized and
> >> >> his entry is checked in the database but after that, is it possible
> >> >> to make it a unsuccessful authentication manually for a sepcific
> >> >> user ?
> >> >>
> >> >> This I want to do, in order to suspend the user to log on for some
> >> >> time, temporarily.
> >> >>
> >> >> Please throw some pointers in this direction !!!!
> >> >>
> >> >>
> >> >> Thanks,
> >> >> Jyotishmaan Ray
> >> >
> >> > Prakash Velayutham
> >> > Programmer / Analyst
> >> > Cincinnati Children's Hospital Medical Center
> >> >
> >> >
> >> >
> >>
> >> --
> >> View this message in context:
> >>
> >
>

http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16627298.html

> >> Sent from the PAM LDAP mailing list archive at Nabble.com.
> >>
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >>
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> >
>
> --
> View this message in context:
>

http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16646393.html
> Sent from the PAM LDAP mailing list archive at Nabble.com.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: How to make it unsuccessful authentication ??

2008-04-12T06:41:02Z

Please see below for your reply,

Yes, that is what i exactly meant. Suspend, means not allowing the user to have successful authentication, without hampering his password, for some time !!

Thanks,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise

Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe@...

----- Original Message ----
From: Prakash Velayutham <prakash.velayutham@...>
To: Jyotishmaan <jyotishmaan@...>
Cc: pamldap@...
Sent: Saturday, April 12, 2008 6:02:53 PM
Subject: Re: [pamldap] How to make it unsuccessful authentication ??

Hi,

* Do you want the user to be not allowed to login even if his
credential is correct and hence is properly authenticated by PAM?

* What does suspend in this case mean?

Prakash

On Apr 12, 2008, at 3:54 AM, Jyotishmaan wrote:

>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Re: How to make it unsuccessful authentication ??

2008-04-12T05:32:53Z

Hi,

* Do you want the user to be not allowed to login even if his
credential is correct and hence is properly authenticated by PAM?

* What does suspend in this case mean?

Prakash

On Apr 12, 2008, at 3:54 AM, Jyotishmaan wrote:

>
>
>
> Yes, I agree with you.
>
> My question remains unasnwered as it could not be understood!!!!
>
> Here it goes once again:-
>
> A user x logs onto his system say-"x" which then is being checked
> with the
> stored entry in the openldap database, and if it only matches that,
> the
> authentication process is said to be successful and the user is said
> to have
> successful authentication from his system "x" to the server say "y".
>
> Well after this phase of authentication, comes authirization, as
> such to
> check -"who has been granted what" ?
>
> My question, was it is possible to suspend a user to successfully
> log onto
> the server system, without affectinng his password etc for a short
> period of
> time something called "quarantine" , plz correct me if i am wrong.
> This i
> need to set up in my kind of adminitration where the users has been
> given
> limited access privleges and downloading capacities etc.
>
> Plz Give me some pointers !!!
>
>
>
> Jason Morrill wrote:
>>
>> Perhaps I'm as confused as everyone else on this list.
>>
>> Security is typical two-fold:
>> 1) Authentication = the username exists in the system and the
>> password
>> matches
>> 2) Authorization = the username is allows to do what is being asked
>>
>> In many systems Authentication is all that is needed to get in the
>> 'front
>> door'.
>> Authorization is left for more detailed security measures.
>>
>> For example:
>> Let's say we have a basic Webmail application. Bob, enters his
>> information
>> into
>> a 'login' screen. That information is then **Authenticated**
>> against the
>> Directory using LDAP. Let's say he entered the correct info. So now
>> he's
>> part
>> way into the Webmail system. Now Webmail checks Bobs
>> **Authorization** to
>> see
>> if it should show him links to things like 'Admin' and 'Edit Global
>> Addresbook'. Since Bob is not Authorizated for that level he
>> doesn't see
>> those
>> options.
>>
>> For a further elaboration on authentication vs. authorization:
>> http://en.wikipedia.org/wiki/Authorization
>>
>> I know this doesn't answer your question but I don't think anyone
>> here
>> understands your question. Perhaps the information I've outlined
>> above
>> will
>> help you to rephrase it so we can understand what you're asking for.
>>
>> Jason
>>
>>
>> Quoting Jyotishmaan <jyotishmaan@...>:
>>
>>>
>>> Yes, i am sure you are wrong, as per my knowledge and experience
>>> with
>>> openldap.
>>>
>>> Please give some pointers on this-In what wayz can i make my
>>> request DN
>>> and
>>> not match with the entry stored in the database ?
>>>
>>>
>>>
>>> vsp_123 wrote:
>>>>
>>>> Hi,
>>>>
>>>> I always thought authorization came after authentication. But I
>>>> guess
>>>> I could be wrong :)
>>>>
>>>> Prakash
>>>>
>>>>
>>>> On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:
>>>>
>>>>>
>>>>> Hello List,
>>>>>
>>>>> Can anybody let me know if there are anywayz that, after
>>>>> authorization, authentication can be stopped ??
>>>>> In other words when a user logs on and he is being authorized and
>>>>> his entry is checked in the database but after that, is it
>>>>> possible
>>>>> to make it a unsuccessful authentication manually for a sepcific
>>>>> user ?
>>>>>
>>>>> This I want to do, in order to suspend the user to log on for some
>>>>> time, temporarily.
>>>>>
>>>>> Please throw some pointers in this direction !!!!
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Jyotishmaan Ray
>>>>
>>>> Prakash Velayutham
>>>> Programmer / Analyst
>>>> Cincinnati Children's Hospital Medical Center
>>>>
>>>>
>>>>
>>>
>>> --
>>> View this message in context:
>>>
>> http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16627298.html
>>> Sent from the PAM LDAP mailing list archive at Nabble.com.
>>>
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>>
>
> --
> View this message in context: http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16646393.html
> Sent from the PAM LDAP mailing list archive at Nabble.com.
>

Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center

Re: How to make it unsuccessful authentication ??

2008-04-12T00:54:54Z

Yes, I agree with you.

My question remains unasnwered as it could not be understood!!!!

Here it goes once again:-

A user x logs onto his system say-"x" which then is being checked with the stored entry in the openldap database, and if it only matches that, the authentication process is said to be successful and the user is said to have successful authentication from his system "x" to the server say "y".

Well after this phase of authentication, comes authirization, as such to check -"who has been granted what" ?

My question, was it is possible to suspend a user to successfully log onto the server system, without affectinng his password etc for a short period of time something called "quarantine" , plz correct me if i am wrong. This i need to set up in my kind of adminitration where the users has been given limited access privleges and downloading capacities etc.

Plz Give me some pointers !!!

Jason Morrill wrote:

Perhaps I'm as confused as everyone else on this list.

Security is typical two-fold:
1) Authentication = the username exists in the system and the password matches
2) Authorization = the username is allows to do what is being asked

In many systems Authentication is all that is needed to get in the 'front door'.
Authorization is left for more detailed security measures.

For example:
Let's say we have a basic Webmail application. Bob, enters his information into
a 'login' screen. That information is then **Authenticated** against the
Directory using LDAP. Let's say he entered the correct info. So now he's part
way into the Webmail system. Now Webmail checks Bobs **Authorization** to see
if it should show him links to things like 'Admin' and 'Edit Global
Addresbook'. Since Bob is not Authorizated for that level he doesn't see those
options.

For a further elaboration on authentication vs. authorization:
http://en.wikipedia.org/wiki/Authorization

I know this doesn't answer your question but I don't think anyone here
understands your question. Perhaps the information I've outlined above will
help you to rephrase it so we can understand what you're asking for.

Jason

Quoting Jyotishmaan <jyotishmaan@yahoo.com>:

>
> Yes, i am sure you are wrong, as per my knowledge and experience with
> openldap.
>
> Please give some pointers on this-In what wayz can i make my request DN and
> not match with the entry stored in the database ?
>
>
>
> vsp_123 wrote:
> >
> > Hi,
> >
> > I always thought authorization came after authentication. But I guess
> > I could be wrong :)
> >
> > Prakash
> >
> >
> > On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:
> >
> >>
> >> Hello List,
> >>
> >> Can anybody let me know if there are anywayz that, after
> >> authorization, authentication can be stopped ??
> >> In other words when a user logs on and he is being authorized and
> >> his entry is checked in the database but after that, is it possible
> >> to make it a unsuccessful authentication manually for a sepcific
> >> user ?
> >>
> >> This I want to do, in order to suspend the user to log on for some
> >> time, temporarily.
> >>
> >> Please throw some pointers in this direction !!!!
> >>
> >>
> >> Thanks,
> >> Jyotishmaan Ray
> >
> > Prakash Velayutham
> > Programmer / Analyst
> > Cincinnati Children's Hospital Medical Center
> >
> >
> >
>
> --
> View this message in context:
>
http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16627298.html
> Sent from the PAM LDAP mailing list archive at Nabble.com.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: How to make it unsuccessful authentication ??

2008-04-11T05:51:12Z

Perhaps I'm as confused as everyone else on this list.

Security is typical two-fold:
1) Authentication = the username exists in the system and the password matches
2) Authorization = the username is allows to do what is being asked

In many systems Authentication is all that is needed to get in the 'front door'.
Authorization is left for more detailed security measures.

For example:
Let's say we have a basic Webmail application. Bob, enters his information into
a 'login' screen. That information is then **Authenticated** against the
Directory using LDAP. Let's say he entered the correct info. So now he's part
way into the Webmail system. Now Webmail checks Bobs **Authorization** to see
if it should show him links to things like 'Admin' and 'Edit Global
Addresbook'. Since Bob is not Authorizated for that level he doesn't see those
options.

For a further elaboration on authentication vs. authorization:
http://en.wikipedia.org/wiki/Authorization

I know this doesn't answer your question but I don't think anyone here
understands your question. Perhaps the information I've outlined above will
help you to rephrase it so we can understand what you're asking for.

Jason

Quoting Jyotishmaan <jyotishmaan@...>:

>
> Yes, i am sure you are wrong, as per my knowledge and experience with
> openldap.
>
> Please give some pointers on this-In what wayz can i make my request DN and
> not match with the entry stored in the database ?
>
>
>
> vsp_123 wrote:
> >
> > Hi,
> >
> > I always thought authorization came after authentication. But I guess
> > I could be wrong :)
> >
> > Prakash
> >
> >
> > On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:
> >
> >>
> >> Hello List,
> >>
> >> Can anybody let me know if there are anywayz that, after
> >> authorization, authentication can be stopped ??
> >> In other words when a user logs on and he is being authorized and
> >> his entry is checked in the database but after that, is it possible
> >> to make it a unsuccessful authentication manually for a sepcific
> >> user ?
> >>
> >> This I want to do, in order to suspend the user to log on for some
> >> time, temporarily.
> >>
> >> Please throw some pointers in this direction !!!!
> >>
> >>
> >> Thanks,
> >> Jyotishmaan Ray
> >
> > Prakash Velayutham
> > Programmer / Analyst
> > Cincinnati Children's Hospital Medical Center
> >
> >
> >
>
> --
> View this message in context:
>

http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16627298.html
> Sent from the PAM LDAP mailing list archive at Nabble.com.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: How to make it unsuccessful authentication ??

2008-04-11T02:45:06Z

Yes, i am sure you are wrong, as per my knowledge and experience with openldap.

Please give some pointers on this-In what wayz can i make my request DN and not match with the entry stored in the database ?

vsp_123 wrote:

Hi,

I always thought authorization came after authentication. But I guess
I could be wrong :)

Prakash

On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:

>
> Hello List,
>
> Can anybody let me know if there are anywayz that, after
> authorization, authentication can be stopped ??
> In other words when a user logs on and he is being authorized and
> his entry is checked in the database but after that, is it possible
> to make it a unsuccessful authentication manually for a sepcific
> user ?
>
> This I want to do, in order to suspend the user to log on for some
> time, temporarily.
>
> Please throw some pointers in this direction !!!!
>
>
> Thanks,
> Jyotishmaan Ray

Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center

Re: How to make it unsuccessful authentication ??

2008-04-10T09:32:10Z

Hi,

I always thought authorization came after authentication. But I guess
I could be wrong :)

Prakash

On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:

>
> Hello List,
>
> Can anybody let me know if there are anywayz that, after
> authorization, authentication can be stopped ??
> In other words when a user logs on and he is being authorized and
> his entry is checked in the database but after that, is it possible
> to make it a unsuccessful authentication manually for a sepcific
> user ?
>
> This I want to do, in order to suspend the user to log on for some
> time, temporarily.
>
> Please throw some pointers in this direction !!!!
>
>
> Thanks,
> Jyotishmaan Ray

Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center

How to make it unsuccessful authentication ??

2008-04-10T00:08:49Z

Hello List,

Can anybody let me know if there are anywayz that, after authorization, authentication can be stopped ??
In other words when a user logs on and he is being authorized and his entry is checked in the database but after that, is it possible to make it a unsuccessful authentication manually for a sepcific user ?

This I want to do, in order to suspend the user to log on for some time, temporarily.

Please throw some pointers in this direction !!!!

Thanks,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise

Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe@...

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Re: Problem setting up OpenLDAP for user authentication

2008-03-05T02:05:45Z

On Wed, 5 Mar 2008, Jokke Heikkila wrote:

> On 4.3.2008, at 12.45, Guennadi Liakhovetski wrote:
>
> > I'm new to LDAP, and I must say it took me a LONG time to set it up under
> > Debian etch on both server and client at all to do anything useful.
>
> Sorry, this is not an answer to your question, but I was interested if you
> could tell does ssh login work for you (for ldap accounts) with this setup?
> I've got this same setup but I'm failing to ssh in (as in this thread
> http://marc.info/?l=pamldap&m=120220811015423&w=2 ).

Yes, it works for me. And sorry, I have no idea what your problem can be.
I think ssh might be trying some other kind of authentication - not
simple, but SASL? And it is not configured on your server?

Thanks
Guennadi
---
Guennadi Liakhovetski

Problem setting up OpenLDAP for user authentication

2008-03-04T02:45:18Z

Hi all

I'm new to LDAP, and I must say it took me a LONG time to set it up under
Debian etch on both server and client at all to do anything useful.

Now I can do "ldapsearch -x -v -L" type requests from remote a host and
locally. I then tried switching the remote host to using LDAP for user
authentication. I'd like users not registered locally to be able to login
using ldap, and for locally-known users nothing should change.

I did manage to get logins to use ldap by configuring all
/etc/pam.d/common-* files to first try pam_unix and then, if that fails to
use ldap:

* sufficient pam_unix
* sufficient pam_ldap (should this be "required?)

where * is "account", "auth", "password" and "session". In "auth" and
"password" I also had to put

* required pam_deny

after ldap, because otherwise wrong passwords were accepted. In
nsswitch.conf I put

*: files ldap

for "passwd", "group", "shadow". Now I would expect that with sequences
("pam_unix" before "pam_ldap" and "files" before "ldap") indeed locally
known users wouldn't be authenticated using ldap. Unfortunately, this
doesn't seem to be the case. Now _all_ nss / pam requests go to the LDAP
server. Including calls from udevd, avahi-daemon, and others, which causes
them to fail in various ways.

What am I doing wrong?

I know SASL is not configured in my setup, but that shouldn't be a
problem? At least not for the cases when LDAP shouldn't be attempted at
all.

Thanks
Guennadi
---
Guennadi Liakhovetski

login problem after LDAP server change

2008-02-26T08:55:31Z

Hello

Since we change the machine supporting our LDAP server we get the following
when normal user attempt to log in from a Linux station , below is the transcript
of a su session but the same message appears if we attempt from the KDM login panel.

Feb 26 17:07:27 acme11 su[893]: (pam_unix) expired password for user exam40 (password aged)

We didn't any change on clients

The server software has been re-compiled from the same sources (2.0.27) as on the preceding machine
and the base has been exported and re-imported from a LDIF file ...

Thanks for any help/infos

Frank

Re: Need help determining cause of login problem

2008-02-17T15:11:16Z

Tony Earnshaw wrote:
> Howard Chu skrev, on 17-02-2008 19:07:
>> I've often thought that these tags should be logged in hex instead of
>> decimal. Perhaps it's worth an ITS.
>
> Thanks a lot for all of this, Howard - much appreciated. I trust that OP
> also feels the same.

Sure. Just remember, we're not making any of this stuff up, it's all standard
values defined by the RFC. As we've said many times before - it's not the
OpenLDAP Project's job to teach you the basics of LDAP; you're supposed to
know them already. You're supposed to know what's in the RFCs. We won't
duplicate the RFC content in our documentation, that's a waste of effort. Our
documentation's purpose is only to tell you how we've mapped LDAP into our code.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

Re: Need help determining cause of login problem

2008-02-17T11:14:30Z

Howard Chu skrev, on 17-02-2008 19:07:

[...]

>> Ah. Well, this gives a subset (granted including 32) ... it's debatable
>> whether 97, 101, 103 are status codes or error codes - where are they?
>
> "tag=97" is not an error code or a status code. It is a message type
> tag. Look in ldap.h for an overview of tag bits and definitions of all
> the tags used in LDAP. They're defined in hex in ldap.h, which is why
> grepping for 97 won't show it to you. 97 = 0x61, which is a Bind
> response. You won't find "97" in the RFC either, instead you find the
> ASN.1:
>
> BindResponse ::= [APPLICATION 1] SEQUENCE {
> COMPONENTS OF LDAPResult,
> serverSaslCreds [7] OCTET STRING OPTIONAL }
>
> To really understand the correspondence you need to understand how ASN.1
> is encoded in BER. The "APPLICATION" corresponds to a specific bit
> (0x40). The value "1" is simply OR'd in, yielding 0x41. The entity is a
> structure, not a simple value, so it gets the Constructed bit, yielding
> 0x61.
>
> I've often thought that these tags should be logged in hex instead of
> decimal. Perhaps it's worth an ITS.

Thanks a lot for all of this, Howard - much appreciated. I trust that OP
also feels the same.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Need help determining cause of login problem

2008-02-17T10:07:44Z

Tony Earnshaw wrote:
> Howard Chu skrev, on 17-02-2008 02:06:
>
>>>> Is there a list available anywhere that gives possible reasons for error
>>>> messages?
>>> Apparently not, as far as OpenLDAP is concerned.
>> Not quite. LDAP error codes are already documented in RFC4511.
>
> Ah. Well, this gives a subset (granted including 32) ... it's debatable
> whether 97, 101, 103 are status codes or error codes - where are they?

"tag=97" is not an error code or a status code. It is a message type tag. Look
in ldap.h for an overview of tag bits and definitions of all the tags used in
LDAP. They're defined in hex in ldap.h, which is why grepping for 97 won't
show it to you. 97 = 0x61, which is a Bind response. You won't find "97" in
the RFC either, instead you find the ASN.1:

BindResponse ::= [APPLICATION 1] SEQUENCE {
COMPONENTS OF LDAPResult,
serverSaslCreds [7] OCTET STRING OPTIONAL }

To really understand the correspondence you need to understand how ASN.1 is
encoded in BER. The "APPLICATION" corresponds to a specific bit (0x40). The
value "1" is simply OR'd in, yielding 0x41. The entity is a structure, not a
simple value, so it gets the Constructed bit, yielding 0x61.

I've often thought that these tags should be logged in hex instead of decimal.
Perhaps it's worth an ITS.

> 1027 [tonni:tru.leerlingen] /usr/share/doc/openldap2.4-doc-2.4.7/rfc $
> grep 103 *<

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

FreeBSD Auth Wierdness

2008-02-17T08:53:33Z

Hey all,

I've been pounding my head against a screen for a few weeks trying to figure

this one out- and pounding on Google like a madman.

I'm running a few FreeBSD 6.2 servers, one with OpenLDAP 2.2. I have the

PADL nss_ldap and pam_ldap modules installed, and I have configured PAM.

I've been using the LDAP directory for many things- groupware, forums, wiki,

etc, running on the web server, which is separate from the LDAP host, so I

know that I can connect.

I can do an "ldapsearch -D -W -x" on all the servers. I can do "getent

passwd" and see the LDAP users there.

I can su to an LDAP user. I see the ldap users/groups when doing an "ls -l"

(mostly, more on that later).

But I can not SSH into the servers as an LDAP user. Here's what happens: if

I "ssh avishai@login" I get a normal password prompt. If I enter the wrong

password for that user, I get another prompt, with the message:

"Jan 27 10:47:12 login sshd[4497]: pam_ldap: error trying to bind as user

"uid=avishai,ou=Users,dc=cwssoftware,dc=com" (Invalid credentials)"

"Jan 27 11:04:40 login sshd[4570]: error: PAM: authentication error for

avishai from cool-device.cws.local"

in /var/log/messages.

If I enter the correct password, I get this prompt:

Old Password:

I have tried every possible password here- empty, correct, wrong- to no

avail. /var/log/messages shows this:

"Jan 27 11:05:11 login sshd[4570]: error: PAM: permission denied for avishai

from cool-device.cws.local"

Again, I can authenticate as this user on the LDAP server (through

phpldapadmin and all others), and the different messages and behavior makes

me know that I am talking to the LDAP server-and authenticating to some

degree! My ldap.conf is linked to nss_ldap.conf, both in /usr/local/etc. TLS

makes no difference, I've tried it on and off.

As to the nss, I get a bit of strangeness. As root, I see all the LDAP users

and groups. As a normal user, I see only the ID numbers. /etc/nsswitch.conf

has 644 permissions, so the normal user should be able to read the file.

Last, and maybe helpful, is that I periodically get a message:

"Jan 27 10:35:00 login cron[4404]: nss_ldap: could not search LDAP server -

Server is unavailable"

when I know the server IS available. Especially as NSS is working with LDAP

more or less, this has me baffled. I'm an amateur sysadmin, so I'm not sure

where to look for this particular cron job, but the message is wrong, if not

just misleading.

My pam.d/sshd file is below:

# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $

# PAM configuration for the "sshd" service

# auth

auth required pam_nologin.so no_warn

auth sufficient pam_opie.so no_warn

no_fake_prompts

auth requisite pam_opieaccess.so no_warn allow_local

#auth sufficient pam_krb5.so no_warn

try_first_pass

#auth sufficient pam_ssh.so no_warn

try_first_pass

auth sufficient /usr/local/lib/pam_ldap.so try_first_pass

auth required pam_unix.so no_warn

try_first_pass

#auth required pam_deny.so try_first_pass

# account

#account required pam_krb5.so

#account required pam_login_access.so

account required pam_unix.so

#account required /usr/local/lib/pam_ldap.so

# session

#session optional pam_ssh.so

session sufficient /usr/local/lib/pam_mkhomedir.so

session required pam_permit.so

# password

#password sufficient pam_krb5.so no_warn

try_first_pass

#password sufficient /usr/local/lib/pam_ldap.so debug

password required pam_unix.so no_warn

try_first_pass

Any help is much appreciated!

Charlie Sibbach

CWS Software

Re: Need help determining cause of login problem

2008-02-16T23:54:57Z

Howard Chu skrev, on 17-02-2008 02:06:

>>> Is there a list available anywhere that gives possible reasons for error
>>> messages?
>>
>> Apparently not, as far as OpenLDAP is concerned.
>
> Not quite. LDAP error codes are already documented in RFC4511.

Ah. Well, this gives a subset (granted including 32) ... it's debatable
whether 97, 101, 103 are status codes or error codes - where are they?

1027 [tonni:tru.leerlingen] /usr/share/doc/openldap2.4-doc-2.4.7/rfc $
grep 103 * <
rfc2247.txt: STD 13, RFC 1034, November 1987.
rfc3088.txt: LDAP directory services to leverage the existing DNS
[RFC1034]
rfc3088.txt: [RFC1034] Mockapetris, P., "Domain Names - Concepts and
Facilities",
rfc3088.txt: STD 13, RFC 1034, November 1987.
rfc4517.txt: 199412161032Z
rfc4518.txt: 0F99-0FBC 0FC6 102C-1032 1036-1039 1056-1059 1712-1714
rfc4519.txt: [RFC1034][RFC2181] naming a host [RFC1123]. That is, a
value of this
rfc4519.txt: [RFC1034] Mockapetris, P., "Domain names - concepts and
facilities",
rfc4519.txt: STD 13, RFC 1034, November 1987.
rfc4524.txt: The 'associatedDomain' attribute specifies DNS
[RFC1034][RFC2181]
rfc4524.txt: organizational DIT associated with a DNS domain
[RFC1034][RFC2181].
rfc4524.txt: [RFC1034] Mockapetris, P., "Domain names - concepts and
rfc4524.txt: facilities", STD 13, RFC 1034, November 1987.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Need help determining cause of login problem

2008-02-16T17:06:25Z

Tony Earnshaw wrote:
> Jürgen Starek skrev, on 16-02-2008 18:04:
>
>> Is there a list available anywhere that gives possible reasons for error
>> messages?
>
> Apparently not, as far as OpenLDAP is concerned.

Not quite. LDAP error codes are already documented in RFC4511.

> This was "up" as late
> as today in one of the 2/4 official OpenLDAP lists, with Pier-Angelo
> Masarati asking Gavin Henry if he couldn't do anything about it.

The question Pierangelo and Gavin were addressing was whether the specific
format of OpenLDAP log messages was explicitly documented anywhere. The answer
to that is no, and we occasionally reformat the log messages to make them more
uniform and perform other cleanups over time.
>
> As far as I'm concerned, recognizing these error numbers at OL log level
> Stats level has been an ever-increasingly important factor as LDAP
> continues to mean more and more to my sites. No where to go to get
> values, just recognize.

That is far overstating the situation. All of the relevant codes are already
documented in the LDAP RFCs.

> The importance has been highlighted by Red Hat
> itself, who permits itself to charge US$ 15.000 per annum support for
> each OL or RHDS master server installation and about the half for each
> slave. If I charged the half for both, I'd long have had more money than
> I do have.

Red Hat's practices are far from exemplary.

>> Without your mail, I would not have guessed that sending pam_ldap
>> to look in a non-existing search base might lead to "No such object", "No
>> such search base" might have been more appropriate as the object /is/ in the
>> directory, albeit with a different dn...
>
> That's what error 32 is about. Invariably it comes from people trying to
> do things to a database/directory suffix that hasn't itself yet been
> initiated.
>
>>> Again Googling, here's how Michael Hammer does it:
>>>
>>> http://tugll.tugraz.at/88684/weblog/3682.html
>> Well, I'm truly grateful for each tutorial or howto anyone puts on the web.
>
> Watch out. People stuff the word HOWTO into everything, most often don't
> date what they write and, most importantly, most of what they write is
> trash anyway. I wouldn't have passed Michael Hammer's writeup to you if
> I hadn't vetted it myself first and found it kosher.
>
>> I
>> just wish they'd explain the meaning of options used and some alternatives...
>> (Yes, I'll go and improve the howto on the Debian wiki once this is done.
>> Promise.)
>
> *NEVER, NEVER* attempt to write any "HOWTO" about anything. A good
> example is sexual seduction. *DO NOT*. Simply explain what worked for
> you, and *ALWAYS* write the date and all software versions. *ALWAYS* the
> best source of information is the software vendor's documentation and if
> this doesn't suffice, your quarrel is with the vendor himself, not the
> end user.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

Re: Need help determining cause of login problem

2008-02-16T14:19:59Z

Jürgen Starek skrev, on 16-02-2008 18:04:

> Is there a list available anywhere that gives possible reasons for error
> messages?

Apparently not, as far as OpenLDAP is concerned. This was "up" as late
as today in one of the 2/4 official OpenLDAP lists, with Pier-Angelo
Masarati asking Gavin Henry if he couldn't do anything about it.

As far as I'm concerned, recognizing these error numbers at OL log level
Stats level has been an ever-increasingly important factor as LDAP
continues to mean more and more to my sites. No where to go to get
values, just recognize. The importance has been highlighted by Red Hat
itself, who permits itself to charge US$ 15.000 per annum support for
each OL or RHDS master server installation and about the half for each
slave. If I charged the half for both, I'd long have had more money than
I do have.

> Without your mail, I would not have guessed that sending pam_ldap
> to look in a non-existing search base might lead to "No such object", "No
> such search base" might have been more appropriate as the object /is/ in the
> directory, albeit with a different dn...

That's what error 32 is about. Invariably it comes from people trying to
do things to a database/directory suffix that hasn't itself yet been
initiated.

>> Again Googling, here's how Michael Hammer does it:
>>
>> http://tugll.tugraz.at/88684/weblog/3682.html
>
> Well, I'm truly grateful for each tutorial or howto anyone puts on the web.

Watch out. People stuff the word HOWTO into everything, most often don't
date what they write and, most importantly, most of what they write is
trash anyway. I wouldn't have passed Michael Hammer's writeup to you if
I hadn't vetted it myself first and found it kosher.

> I
> just wish they'd explain the meaning of options used and some alternatives...
> (Yes, I'll go and improve the howto on the Debian wiki once this is done.
> Promise.)

*NEVER, NEVER* attempt to write any "HOWTO" about anything. A good
example is sexual seduction. *DO NOT*. Simply explain what worked for
you, and *ALWAYS* write the date and all software versions. *ALWAYS* the
best source of information is the software vendor's documentation and if
this doesn't suffice, your quarrel is with the vendor himself, not the
end user.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Need help determining cause of login problem

2008-02-16T09:04:51Z

Am Samstag, 16. Februar 2008 14:17:37 schrieb Tony Earnshaw:

> This in your log: "ldap_search_s No such object" (aka error 32) means it
> can't find the directory suffix c.q. search base, which should be
> configured (with a lot more things) in said pam_ldap.conf.

Thanks for the hint! That pointed me to a typing error in /etc/pam_ldap.conf
which caused pam_ldap to check a wrong search base...

Is there a list available anywhere that gives possible reasons for error
messages? Without your mail, I would not have guessed that sending pam_ldap
to look in a non-existing search base might lead to "No such object", "No
such search base" might have been more appropriate as the object /is/ in the
directory, albeit with a different dn...

> Again Googling, here's how Michael Hammer does it:
>
> http://tugll.tugraz.at/88684/weblog/3682.html

Well, I'm truly grateful for each tutorial or howto anyone puts on the web. I
just wish they'd explain the meaning of options used and some alternatives...
(Yes, I'll go and improve the howto on the Debian wiki once this is done.
Promise.)

Regards,

Jürgen

signature.asc (196 bytes) Download Attachment

Re: Need help determining cause of login problem

2008-02-16T05:17:37Z

Jürgen Starek skrev, on 16-02-2008 10:25:

> I am having trouble with authenticating users listed in an LDAP directory.
>
> On my network, I set up an LDAP server and a client that tries to
> authenticate using the server. Both machines run Debian Etch.
>
> Client and Server setup are done according to tutorials on the net, and
> where they contradicted themselves, O'Reilly's "LDAP System
> Administration".
>
> I have populated the database with a "users" group and a sample
> posixAccount. The server works fine: I can connect to it from the client
> using GQ and a simple bind for the rootdn. Also, calling ldapsearch -x
> on the
> client gives me the complete list of entries in the server's database.
>
> A "getent passwd" on the client shows my sample account on the LDAP
> directory
> as if it were in the local passwd file, just as it's supposed to do.
>
> However, I can't log in. My nsswitch.conf uses LDAP as a password data
> source, and I see network traffic at each login attempt. Passwords are
> stored as an MD5 hash in the LDAP database, but trying CRYPT or PLAIN
> did not change anything. As mentioned above, binding to the server using
> rootdn works fine. Only binding as a user does not seem to work...
>
> Here's a log extract from /var/log/auth.log:
>
> testbox login[3850]: pam_ldap: ldap_search_s No such object
> testbox login[3850]: pam_ldap: ldap_search_s No such object
> testbox login[3850]: (pam_unix) authentication failure; logname= uid=0
> euid=0
> tty=pts/0 ruser= rhost= user=testuser
> testbox login[3850]: FAILED LOGIN (1) auf "pts/0" FOR `testuser',
> Authentication failure
>
>
> Can anyone help me diagnose this problem further? Any help would be
> appreciated.

From what you describe above it'd seem you've got most simple bind
stuff working ok for OpenLDAP, as well as name service switch stuff for
nss_ldap. I'm a Red Hat person, not Debian; be that as it may, you need
a configuration file for pam_ldap. Googling tells me that for Debian
this should be /etc/pam_ldap.conf.

This in your log: "ldap_search_s No such object" (aka error 32) means it
can't find the directory suffix c.q. search base, which should be
configured (with a lot more things) in said pam_ldap.conf.

Again Googling, here's how Michael Hammer does it:

http://tugll.tugraz.at/88684/weblog/3682.html

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Need help determining cause of login problem

2008-02-16T01:25:12Z

Hello everyone,

I am having trouble with authenticating users listed in an LDAP directory.

On my network, I set up an LDAP server and a client that tries to
authenticate using the server. Both machines run Debian Etch.

Client and Server setup are done according to tutorials on the net, and
where they contradicted themselves, O'Reilly's "LDAP System
Administration".

I have populated the database with a "users" group and a sample
posixAccount. The server works fine: I can connect to it from the client
using GQ and a simple bind for the rootdn. Also, calling ldapsearch -x
on the
client gives me the complete list of entries in the server's database.

A "getent passwd" on the client shows my sample account on the LDAP
directory
as if it were in the local passwd file, just as it's supposed to do.

However, I can't log in. My nsswitch.conf uses LDAP as a password data
source, and I see network traffic at each login attempt. Passwords are
stored as an MD5 hash in the LDAP database, but trying CRYPT or PLAIN
did not change anything. As mentioned above, binding to the server using
rootdn works fine. Only binding as a user does not seem to work...

Here's a log extract from /var/log/auth.log:

testbox login[3850]: pam_ldap: ldap_search_s No such object
testbox login[3850]: pam_ldap: ldap_search_s No such object
testbox login[3850]: (pam_unix) authentication failure; logname= uid=0
euid=0
tty=pts/0 ruser= rhost= user=testuser
testbox login[3850]: FAILED LOGIN (1) auf "pts/0" FOR `testuser',
Authentication failure

Can anyone help me diagnose this problem further? Any help would be
appreciated.

Regards,

Jürgen

signature.asc (194 bytes) Download Attachment

Re: local authentication problems (tls, nscd, nss_ldap)

2008-02-08T10:25:56Z

Hi Tony;

Thanks for the feedback. We use a proxy user because user password
changes are done only through a web portal. I'm not entirely certain
that the TLS negotiation problem can be attributed only to networking
problems. As I mentioned, we have two servers and the consumers use
the closest server to them. In other words, the consumers are always
on the same subnet as their "primary" OpenLDAP server.

I have read a lot of people having problems using nscd, yet as I
mentioned, I can get TLS to work without it! How have you been bitten
badly?

I will try again on RHEL5 to see if we can enable TLS successfully.

Can someone explain the workflow of communications for pam_ldap,
nss_ldap and how they interface with the other system libs/daemons?

Thanks,

Rafael

On Feb 6, 2008, at 12:04 AM, Tony Earnshaw wrote:

> Rafael A Barrero skrev, on 06-02-2008 04:53:
>
>> In my environment, we have about 20 servers (rhel4+rhel5)
>> connecting as clients for local authentication to an OpenLDAP
>> server (openldap2.3-2.3.39-3.rhel4, Buchan's RPMs) with slurpd
>> replicating to a slave server. Half of the servers primarily use
>> the master, while the other half primarily use the slave.
>> The OpenLDAP implemenation is working well, however we're having a
>> few issues with the nss_ldap client:
>> 1. TLS negotiation errors - doesn't seem to occur for all rhel4
>> clients, or all the time... Doesn't work on RHEL5. Has anyone seen
>> this? Why does it occur?
>> 2. If nscd is not running and TLS is configured, authentication
>> doesn't work (su - user), but lookups do work (id user). nss_ldap
>> complains about binding to the ldap server.
>> 3. If nscd is not running and TLS is *not* configured, everything
>> works (including failover to slave).
>> I should say that in our /etc/ldap.conf file, we have a specific
>> 'binddn' user that has read-only privileges to the ldap database
>> for querying (works)...
>> I'm wondering why TLS doesn't work on RHEL5, and why TLS doesn't
>> work when nscd is not running. Also, any explanations or references
>> on how nss_ldap and nscd work would be great.
>
> Hi, the following is not going to help you solve your problem, but
> it will make you take a fresh look.
>
> We swapped out our 4 RHAS4 servers with RHEL5 last summer. Delta
> syncrepl master is an i386 machine, the 3 consumer slaves are x86_64
> all running Buchan's stuff but built on the appropriate platform
> from a single srpm. Master is running OL 2.3.33, consumers 2.3.38.
> One of the consumers is a Samba PDC that insists on Red Hat's
> clients but all the others are running Buchan's clients.
>
> In connection with the introduction of a password policy regime
> shortly before Christmas we cut out the use of a proxy user for
> ldap.conf because users have to be able to change their own
> passwords (write access) using pam_exop. Users on all 4 consumers
> must be able to change passwords and use utilities on all consumers.
>
> We are using the standard Red Hat pam_ldap/nss_ldap libraries. pam
> is going directly to the master from all of them for password
> modification and authentication and I'm using TLS (starttls) for all
> of this. Local stuff that uses OL's own libraries goes directly to
> the machine's slave LDAP.
>
> I've been bitten badly in the past by nscd and would never touch it
> again with a bargepole. Besides which it would be impossible in our
> ppolicy situation with people constantly changing passwords.
>
> I could only guess that you could have a network problem; in our
> case the three slaves are on one segment, the master on another over
> a 2Gb switch and firewall (master is in the DMZ).
>
> Sorry, but there it is. pam starttls works as designed with RHEL5 at
> our site.
>
> Best,
>
> --Tonni
>
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl