Re: Working configuration files

Daniel Cabral [daniel.cabral@...] wrote:

> Hello there,
>
> Can somebody with a working openldap/pam environment send me the
> configuration files?
> I want to use it as a guideline.

Debian has got some brain-dead defaults for pam which do not work for ldap. Their package policy seems to exclude them from using newer padl software versions.

> I'm trying to make it work on Debian 3.0r2 but without success :-(
> Every day I have a new issue.
>
> Actually I can do the queries with the following command:
>
> ldapsearch -x -b ou=people,dc=oldap-cis,dc=net -W
>
> But when I try to login with ssh I have the following issue:
>
> pam_ldap: error trying to bind as user
> "uid=czdw64,ou=People,dc=oldap-cis,dc=net" (Invalid credentials)
>
> Also I notice that the password hashes are different from those
> contained in the ldif file that I had used to create the base but I'm
> not sure if it is normal or not.

Not sure about that. If you use openldap you could go with "ldappasswd".

I think - besides pam - your setup might be just ok. I can point you there: ftp://genesilico.pl/michal/pam_config_for_debian.tar for what I've done to make it work.

Please note debian stable "password" (and "chsh" for example) binaries won't work, period. You'll have to replace them with something else. (Idealx software for samba might be just ok.)

Cheers,

-- 
Michal Kurowski

Re: Re: Working configuration files

Michal Kurowski wrote:

> Daniel Cabral [daniel.cabral@...] wrote:
>
>> Hello there,
>>
>> Can somebody with a working openldap/pam environment send me the
>> configuration files?
>> I want to use it as a guideline.
>
> Debian has got some brain-dead defaults for pam which do not work for
> ldap. Their package policy seems to exclude them from using newer padl
> software versions.

Hmmm.... seems strange since all my servers (more than 40) based on Debian work with LDAP great! I don't see any problems although I use ONLY packages from Debian.

>> I'm trying to make it work on Debian 3.0r2 but without success :-(
>> Every day I have a new issue.

Let me prepare everything in "shorter style" and I will provide you EVERYTHING you need to run Debian and LDAP.

>> Actually I can do the queries with the following command:
>>
>> ldapsearch -x -b ou=people,dc=oldap-cis,dc=net -W
>>
>> But when I try to login with ssh I have the following issue:
>>
>> pam_ldap: error trying to bind as user
>> "uid=czdw64,ou=People,dc=oldap-cis,dc=net" (Invalid credentials)
>>
>> Also I notice that the password hashes are different from those
>> contained in the ldif file that I had used to create the base but I'm
>> not sure if it is normal or not.

Happens ..... but it's only a matter of time ;)

Regards,
Marcin

P.S. Now we have in Poland the so-called "long weekend", more than 4 days off.... I'm writing this email from a VERY "strange" place without a stable internet connection; that's why this "time to prepare" ;)

Re: Re: Working configuration files

Thank you guys, but I'm still unable to make it work...

Can you please send me the configuration files like ldap.conf, pam_ldap.conf and slapd.conf just as a guideline?

Marcin, are you using the openldap from the debian package? I notice that it isn't compiled with sasl support... is it right? Maybe it's the cause of the problem, as the pam_ldap should be trying to make a sasl style query...

Thanks in advance! ;-)

On 6/14/06, Marcin Giedz <marcin.giedz@...> wrote:
> Michal Kurowski wrote:

Re: Re: Working configuration files

Daniel Cabral wrote:

> Thank you guys, but I'm still unable to make it work...

Hello again!

> Can you please send me the configuration files like ldap.conf,
> pam_ldap.conf and slapd.conf just as a guideline?

Only OpenLDAP I always compile from sources. Everything else is taken as it is - packages. Let's try:

1) I assume that your LDAP is working fine and it seems, according to the previous information you provided, that you are able to "ldapsearch".

2) What type of "hash" did you use for userPassword in your LDAP? For this example I will take {MD5}.

3) OpenLDAP configuration - slapd.conf

    database        bdb
    suffix          "dc=altvision,dc=com"
    rootdn          "cn=ldapadmin,dc=altvision,dc=com"
    rootpw          xxxxx
    directory       /opt/openldap-2.4.0/var/openldap-data
    index           cn,sn,uid pres,eq,approx,sub
    index           objectClass eq

    # password attributes: only the owner may read/write them, anonymous may
    # only use them to authenticate (the bind pam_ldap does), nobody else sees them
    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
    access to *
        by self write
        by * read

4) I hope you have libnss-ldap, libpam-ldap and nscd installed on your system.

5) My LDAP is organized in the following schema:

    top:       dc=altvision,dc=com
    first ou:  ou=pl,dc=altvision,dc=com
    in ou=pl,dc=altvision,dc=com there are ou=People and ou=Groups

6) /etc/libnss-ldap.conf

    host ldap.avg
    base ou=pl,dc=altvision,dc=com
    ldap_version 3
    scope sub
    timelimit 30
    bind_timelimit 30
    pam_password md5
    nss_base_passwd ou=people,ou=pl,dc=altvision,dc=com?one
    nss_base_shadow ou=people,ou=pl,dc=altvision,dc=com?one
    nss_base_group  ou=groups,ou=pl,dc=altvision,dc=com?one

7) /etc/pam_ldap.conf - almost the same as libnss-ldap.conf, but I also add pam_filter and pam_login_attribute - it should also work without these switches.

    host ldap.avg
    # base must match the suffix used in slapd.conf and libnss-ldap.conf
    base ou=pl,dc=altvision,dc=com
    ldap_version 3
    scope sub
    timelimit 30
    bind_timelimit 30
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_password md5
    nss_base_passwd ou=people,ou=pl,dc=altvision,dc=com?one
    nss_base_shadow ou=people,ou=pl,dc=altvision,dc=com?one
    nss_base_group  ou=groups,ou=pl,dc=altvision,dc=com?one

8) /etc/nsswitch.conf

    passwd:     compat ldap
    group:      compat ldap
    shadow:     compat ldap
    hosts:      files dns
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis

And that's almost ALL!!! Your Debian + LDAP should now work. However, without changing some things in the files in the /etc/pam.d/ directory you probably will not be able to change passwords with passwd. But first let's make it work without this. After that we will get to this point.

Hope this helps,

Regards,
Marcin

> Marcin, are you using the openldap from the debian package? I notice
> that it isn't compiled with sasl support... is it right? Maybe it's the
> cause of the problem, as the pam_ldap should be trying to make a sasl
> style query...
>
> Thanks in advance! ;-)
>
> On 6/14/06, Marcin Giedz <marcin.giedz@...> wrote:
>
> > Michal Kurowski wrote:
> > > Daniel Cabral [daniel.cabral@...] wrote:
> > >
> > >> Hello there,
> > >>
> > >> Can somebody with a working openldap/pam environment send me the
> > >> configuration files?
> > >> I want to use it as a guideline.
> > >
> > > Debian has got some brain-dead defaults for pam which do not work for
> > > ldap. Their package policy seems to exclude them from using newer padl
> > > software versions.
> >
> > Hmmm.... seems strange since all my servers (more than 40) based on
> > Debian work with LDAP great! I don't see any problems although I use
> > ONLY packages from Debian.
> >
> > >> I'm trying to make it work on Debian 3.0r2 but without success :-(
> > >> Every day I have a new issue.
> >
> > Let me prepare everything in "shorter style" and I will provide you
> > EVERYTHING you need to run Debian and LDAP.
> >
> > >> Actually I can do the queries with the following command:
> > >>
> > >> ldapsearch -x -b ou=people,dc=oldap-cis,dc=net -W
> > >>
> > >> But when I try to login with ssh I have the following issue:
> > >>
> > >> pam_ldap: error trying to bind as user
> > >> "uid=czdw64,ou=People,dc=oldap-cis,dc=net" (Invalid credentials)
> > >>
> > >> Also I notice that the password hashes are different from those
> > >> contained in the ldif file that I had used to create the base but I'm
> > >> not sure if it is normal or not.
> >
> > Happens ..... but it's only a matter of time ;)
> >
> > Regards,
> > Marcin
> >
> > P.S. Now we have in Poland the so-called "long weekend", more than 4 days
> > off.... I'm writing this email from a VERY "strange" place without a
> > stable internet connection; that's why this "time to prepare" ;)

Re: Re: Working configuration files

Marcin, I really want to thank you for the help... I solved the issue. The whole problem was in the hash value: I generated a wrong value and hence I was unable to authenticate.

Also I discovered that the hash that ldapsearch shows isn't exactly the hash used at the moment of the creation of the value.... then I used ethereal to see which hash was really being exchanged.

Now that things are working fine I'll try to use TLS/SSL :-)

Thank you guys :-)

Best regards
Daniel Cabral

On 6/27/06, Marcin Giedz <marcin.giedz@...> wrote:
> Daniel Cabral wrote:

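The two things Daniel ran into above, as an added example that is not code from the thread: OpenLDAP's ldapsearch prints userPassword base64-wrapped in LDIF (the `::` form), so the displayed string is base64 of the whole `{MD5}...` value rather than the value itself; and a `{MD5}` value built from the hex digest instead of the raw 16-byte digest is stored without complaint but never verifies, which is exactly what a simple bind then reports as Invalid credentials. The password is a constructed sample; the salted `{SSHA}` scheme goes beyond the thread's `{MD5}` and is the one to prefer.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample password for the demo; not a value from the thread.
SAMPLE_PASSWORD = "s3cret-demo"


def make_userpassword(password: str, scheme: str = "MD5", salt: bytes = b"") -> str:
    """Build an RFC 2307-style userPassword value: '{SCHEME}' + base64(raw digest [+ salt])."""
    pw = password.encode("utf-8")
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = salt or os.urandom(4)
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def make_wrong_md5(password: str) -> str:
    """The classic mistake: base64 of the *hex* digest instead of the raw 16-byte digest.
    slapd stores it without complaint, but no password will ever verify against it."""
    hex_digest = hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")
    return "{MD5}" + base64.b64encode(hex_digest).decode("ascii")


def to_ldif_line(value: str) -> str:
    """What ldapsearch prints: the LDIF writer base64-encodes the whole userPassword
    value and marks that with a double colon, so you see base64 of '{MD5}...'."""
    return "userPassword:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def from_ldif_line(line: str) -> str:
    """Recover the stored value from an ldapsearch output line ('::' means base64)."""
    _attr, value = line.split(":", 1)
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()


def check_password(password: str, stored: str) -> bool:
    """Verify a cleartext password against a {MD5} or {SSHA} userPassword value,
    the same comparison slapd makes when it services a simple bind."""
    pw = password.encode("utf-8")
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(base64.b64decode(stored[5:]), hashlib.md5(pw).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False  # unknown scheme: refuse rather than guess
```

Run `from_ldif_line` over the `userPassword::` line from an `ldapsearch -x -D <your dn> -W` as the user, then `check_password` with the password you expect, before touching PAM again; if that fails, the directory value is wrong, not the PAM stack.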
Re: Re: Working configuration files

Daniel Cabral wrote:

> Marcin, I really want to thank you for the help... I solved the issue,
> the whole problem was in the hash value, I generated a wrong value and
> hence I was unable to authenticate.
> Also I discovered that the hash that ldapsearch shows isn't exactly the
> hash used at the moment of the creation of the value.... then I used
> ethereal to see which hash was really being exchanged.
>
> Now that things are working fine I'll try to use TLS/SSL :-)

Great!!!

> Thank you guys :-)

BR,
Marcin

> Best regards
> Daniel Cabral

Re: Re: Working configuration files

Hi,

I am having a similar issue. I have configured openldap 2.2.13 on Red Hat Enterprise Linux 4. With the default access policy ( * auth) I am able to login and change the password. But when I try with the access list

    access to attr=userPassword
        by self write
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none

I am getting a similar error message:

    sshd[7768]: pam_ldap: error trying to bind as user (Invalid credentials)

Please help me out with this. I am struggling to make it work.

Thanks for your response

Regards
avj