Ok, so now my configuration looks like this:
# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion
and ldap.conf:
URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro
and pam system-auth:
auth required pam_env.so
auth [success=ignore default=1] pam_localuser.so
auth [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=2 dcredit=2 ocredit=2 retry=1
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
#Creates the home directories if they do not exist
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so
But with all this, all users could log in to the system with no problem.
On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> I'm using the Fedora Directory Server for centralized
> authentication, and I have made users with posix accounts and I
> put them in ou=People like this:
[snip]
> # Server1, Groups, pol.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> description: group for users that have access on server 1
> objectClass: top
> objectClass: groupofuniquenames
> uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> cn: Server1
[snip]
> and my ldap.conf looks like this:
>
> URI ldap://lacatzel.pol.ro
> port=389
> BASE dc=pol,dc=ro
> host lacatzel.pol.ro
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> scope sub
> bind_policy soft
> #pam_password exop
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
[snip]
The combination of the pam_groupdn and pam_member_attribute
settings you have here instructs pam_ldap to check for the user's
DN among the values for the group object's "memberUid" attribute,
but the user's DN is stored in the "uniqueMember" attribute. Try
changing that (or removing it, because "pam_member_attribute
uniquemember" is the default).
But if that were the only problem, I'd expect that none of your
users would be able to log in. You should probably double-check
that your PAM configuration is able to deny users entry when
pam_ldap's account management function (which is the part that
checks group membership) returns a failure.
HTH,
Nalin
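Nalin's closing advice, that the PAM account stack must actually deny entry when pam_ldap's account management returns a failure, can be checked by simulating Linux-PAM's control-flag evaluation over the account lines from the system-auth posted above. This is an added example, not code from the thread or from pam_ldap: the module return values and the hardened stack are assumptions constructed for the scenario.

```python
KEYWORDS = {  # Linux-PAM keyword controls written in its own [value=action] form
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_entry(line):
    """Split 'type control module ...' into three parts; a '[...]' control may contain spaces."""
    typ, rest = line.split(None, 1)
    if rest.startswith("["):
        end = rest.index("]") + 1
        return typ, rest[:end], rest[end:].split()[0]
    return (typ, *rest.split()[:2])

def parse_control(ctl):
    """Map 'required' or '[success=ok default=bad]' to a return-value -> action dict."""
    return KEYWORDS.get(ctl) or dict(tok.split("=", 1) for tok in ctl.strip("[]").split())

def run_stack(config, results, mgmt="account"):
    """Walk one management group as Linux-PAM's dispatcher does (jump actions omitted); results
    maps module -> the return value it would give for the tested user. 'success' = user let in."""
    lines = [l for l in config.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    entries = [e for e in map(parse_entry, lines) if e[0] == mgmt]
    impression, status = None, "perm_denied"
    for _, ctl, module in entries:
        actions = parse_control(ctl)
        ret = results.get(module, "user_unknown")
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):    # positive vote, unless a failure is already on record
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done":        # 'sufficient' success: stop here with the recorded status
                break
        elif action in ("bad", "die"):  # first failure is remembered and wins; 'ignore' changes nothing
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break
    return status if impression is not None else "perm_denied"
# The account lines from the system-auth posted above.
POSTED = """account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so"""
# Hardened variant (an assumption, not from the thread): pam_ldap must pass for users it knows.
HARDENED = """account required pam_unix.so
account required pam_access.so
account [success=ok user_unknown=ignore default=bad] pam_ldap.so"""
# Constructed scenario: LDAP user outside cn=Server1; pam_unix and pam_access pass, pam_ldap denies.
DENIED_LDAP_USER = {"pam_unix.so": "success", "pam_access.so": "success", "pam_ldap.so": "perm_denied"}
```

With the posted stack, `run_stack(POSTED, DENIED_LDAP_USER)` returns "success" because the `sufficient` pam_unix line ends the walk before pam_ldap is consulted, and even when pam_unix fails the ignored pam_ldap failure cannot outvote pam_access; the hardened stack returns "perm_denied" for the same user.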
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users