[ale] [Fwd: Re: OpenLDAP: So close and yet so far]

Jerald Sheets questy at gmail.com
Thu Jun 4 10:08:27 EDT 2009


Another note here...

The ldap-based products that I have installed on a client (that's all it
does... client) are the following:

openldap-clients-2.3.27-8.el5_1.3
openldap-devel-2.3.27-8.el5_1.3
nss_ldap-253-12.el5
openldap-2.3.27-8.el5_1.3

That's what RedHat installed by default when I told Kickstart "I want
whatever I need to auth against LDAP."

I'm not saying there's more than I need there, and I'm not saying that's all
required; it's just what RedHat installed.

I know that if you don't have *clients and *nss_ldap, the auth won't work,
but I don't know (what with RedHat's packaging practices) whether the rest
of those are needed, or just their whimsy.

Hope that helps.

--jms


On Wed, Jun 3, 2009 at 4:15 PM, Jerald Sheets <questy at gmail.com> wrote:

> The reason I asked was that in RedHat-land, they have the idea of this
> system-config-authentication that automagically sets the various parameters
> you need.
>
> I know that both /etc/ldap.conf and /etc/openldap/ldap.conf are affected,
> and both of mine read a little differently:
>
> /etc/ldap.conf
>
> base dc=foo,dc=com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers \
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
> uri ldap://ldap.foo.com/
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
>
> /etc/openldap/ldap.conf
>
> URI ldap://ldap.foo.com/
> BASE dc=foo,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
>
> Other files apparently affected: (only pertinent lines pasted here)
>
> /etc/nsswitch.conf
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> netgroup:   files ldap
> automount:  files ldap
>
>
> /etc/pam.d/system-auth
>
> auth        sufficient    pam_ldap.so use_first_pass
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> password    sufficient    pam_ldap.so use_authtok
> session     optional      pam_ldap.so
>
> If system-config-authentication does any extra mojo not listed here, I am
> unaware of it.
>
> Gentoo's docs seem to be pretty straightforward on it as well.  Since you
> emerged the ldap packages in, I won't bore you with the standard "did you
> install <blah>" questions.
>
> I have heard tale of some boxes needing windows-style reboots to get going,
> but I have not experienced that in Redhat/CentOS.
>
> Any other LDAP-ers see anything out of the ordinary here?
>
> --j
>
>
>
>
>
> On Wed, Jun 3, 2009 at 3:56 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>
>> Never mind; that wasn't the problem...
>>
>>
>> On Wed, Jun 3, 2009 at 3:32 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>
>>> It's Gentoo, but I think I might have found a serious problem...I think
>>> the server and client ldap.conf files may be reversed; the server happens to
>>> be working because as far as server directives go, the two files say the
>>> same thing...
>>>
>>>
>>> On Wed, Jun 3, 2009 at 3:12 PM, Jerald Sheets <questy at gmail.com> wrote:
>>>
>>>> Redhat/Debian/Ubuntu/Slack?  Which?
>>>>
>>>>
>>>> On Wed, Jun 3, 2009 at 2:33 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>>
>>>>> Just like that.
>>>>>
>>>>>
>>>>> On Wed, Jun 3, 2009 at 2:20 PM, Jerald Sheets <questy at gmail.com> wrote:
>>>>>
>>>>>> What does your /etc/nsswitch.conf look like for passwd/shadow/group?
>>>>>>
>>>>>> passwd:     files ldap
>>>>>> shadow:     files ldap
>>>>>> group:      files ldap
>>>>>>
>>>>>>
>>>>>> --j
>>>>>>
>>>>>>
>>>>>> On Wed, Jun 3, 2009 at 1:45 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com> wrote:
>>>>>>
>>>>>>> That makes it worse.  See log output with it both ways at
>>>>>>> http://pastebin.com/m5fca56.
>>>>>>>
>>>>>>> With the pam_ldap line where it was, I'm at least able to get
>>>>>>> "(Invalid credentials)" returned from pam_ldap; when moved up above the
>>>>>>> pam_unix line, pam_ldap never makes a response.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://pastebin.com/m5fca56
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jun 3, 2009 at 12:50 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>>>>>
>>>>>>>> move the pam_ldap line up one. The line above it will always capture
>>>>>>>> an event and the ldap line is never called. pam is a sequential
>>>>>>>> process down the chain.
>>>>>>>>
>>>>>>>> In fact, if you want to tighten the security, put the pam_deny line
>>>>>>>> before any "sufficient" lines in auth.
>>>>>>>>
>>>>>>>> On Wed, Jun 3, 2009 at 12:36 PM, Jeff Hubbs <jeffrey.hubbs at gmail.com>
>>>>>>>> wrote:
>>>>>>>> > Jerald -
>>>>>>>> >
>>>>>>>> > That line is in there...in fact, let me paste the whole
>>>>>>>> system-auth file:
>>>>>>>> >
>>>>>>>> > #%PAM-1.0
>>>>>>>> >
>>>>>>>> > auth            required        pam_env.so
>>>>>>>> > auth            sufficient      pam_unix.so try_first_pass likeauth nullok
>>>>>>>> > auth            sufficient      pam_ldap.so use_first_pass
>>>>>>>> > auth            required        pam_deny.so
>>>>>>>> >
>>>>>>>> > account         required        pam_unix.so
>>>>>>>> > account         sufficient      pam_ldap.so
>>>>>>>> >
>>>>>>>> > password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
>>>>>>>> > password        sufficient      pam_unix.so try_first_pass nullok md5 shadow use_authtok
>>>>>>>> > password        sufficient      pam_ldap.so use_authtok
>>>>>>>> > password        required        pam_deny.so
>>>>>>>> >
>>>>>>>> > session         required        pam_limits.so
>>>>>>>> > session         required        pam_unix.so
>>>>>>>> > session         optional        pam_ldap.so
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> Also, to let pam know about ldap, look for a line like so:
>>>>>>>> >>
>>>>>>>> >> auth        sufficient    pam_ldap.so use_first_pass
>>>>>>>> >>
>>>>>>>> >> in /etc/pam.d/system-auth
>>>>>>>> >>
>>>>>>>> >> Also, if you want to have home directories automagically made for
>>>>>>>> >> first-time logins, you need:
>>>>>>>> >>
>>>>>>>> >> session     required      pam_mkhomedir.so
>>>>>>>> >
>>>>>>>> > Cool trick - dunno if I'll use that now but it's good to know.
>>>>>>>> >
>>>>>>>> > Thanks,
>>>>>>>> > Jeff
>>>>>>>> >
>>>>>>>> > _______________________________________________
>>>>>>>> > Ale mailing list
>>>>>>>> > Ale at ale.org
>>>>>>>> > http://mail.ale.org/mailman/listinfo/ale
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> --
>>>>>>>> James P. Kinney III
>>>>>>>> Actively in pursuit of Life, Liberty and Happiness
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> ---
>>>>>> Jerald M. Sheets jr.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> ---
>>>> Jerald M. Sheets jr.
>>>>
>>>>
>>>>
>>>
>>
>>
>
>
> --
> ---
> Jerald M. Sheets jr.
>
>


-- 
---
Jerald M. Sheets jr.
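The system-auth stacks pasted in this thread are walked top to bottom, and the control flag on each line decides whether a module's result ends the walk, is recorded, or is ignored. The following is an added example (not code from the thread or from Linux-PAM) that models that walk using the control-flag semantics documented in pam.conf(5), so the quoted auth and account stacks can be traced for a local user, an LDAP-only user, and a wrong password. It assumes module return codes are supplied in a dict rather than coming from real modules, and it leaves out the jump and reset actions.

```python
# Added example, not code from the thread: a simplified model of how Linux-PAM
# walks a stack, following the control-flag semantics documented in pam.conf(5).
# Assumed: return codes come from a dict, not real modules; jump/reset not modelled.
KEYWORDS = {  # keyword controls as pam.conf(5) expands them
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Constructed from the system-auth lines quoted above (Jeff's auth stack, the Red Hat account line).
SYSTEM_AUTH = """auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""

def parse_line(line):
    """Split a pam.d line into (type, action table, module); [...] controls contain spaces."""
    kind, *toks = line.split()
    if toks[0].startswith("["):
        end = next(i for i, t in enumerate(toks) if t.endswith("]"))
        actions = dict(p.split("=", 1) for p in " ".join(toks[:end + 1]).strip("[]").split())
        return kind, actions, toks[end + 1]
    return kind, KEYWORDS[toks[0]], toks[1]

def evaluate_stack(text, kind, results):
    """Walk the `kind` stack top to bottom; returns (final status, modules actually called)."""
    impression, status, called = None, "perm_denied", []
    for line in filter(str.strip, text.splitlines()):
        k, actions, module = parse_line(line)
        if k != kind:
            continue
        called.append(module)
        # pam_deny always fails; modules absent from `results` (pam_env) succeed.
        rc = "auth_err" if module == "pam_deny.so" else results.get(module, "success")
        action = actions.get(rc, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # a success only counts while no required module has failed yet
            if impression is None or (impression == "+" and status == "success"):
                impression, status = "+", rc
            if action == "done" and impression == "+":
                break  # 'sufficient' short-circuits the rest of the stack
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", rc  # the first failure is the one reported
            if action == "die":
                break
    return status, called
```

Running the auth stack with pam_unix reporting `user_unknown` shows why a sufficient pam_unix line does not prevent pam_ldap from being consulted for an LDAP-only user, while a required pam_deny placed ahead of the sufficient lines turns every result into a denial.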