[Fedora-directory-users] problems with pam ldap ?
Bogdan Cehan
bogdan.cehan at mediaimage.ro
Fri May 30 07:41:09 UTC 2008
Ok
so now my configuration looks like this
# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion
and ldap.conf :
URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro
and pam system-auth :
auth required pam_env.so
auth [success=ignore default=1] pam_localuser.so
auth [success=done new_authtok_reqd=done default=1] pam_unix.so
likeauth nullok try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=2 dcredit=2
ocredit=2 retry=1
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
#Creates the home directories if they do not exist
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so
but with all this all users could login to the system with no problem
> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > I'm using the fedora directory server for centralized
> > authentication , and i have made users with posix account and i
> > put them in ou=People like this :
>
> [snip]
>
> > # Server1, Groups, pol.ro
> > dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> > description: group for users that have access on server 1
> > objectClass: top
> > objectClass: groupofuniquenames
> > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> > cn: Server1
>
> [snip]
>
> > and my ldap.conf looks like this :
> >
> > URI ldap://lacatzel.pol.ro
> > port=389
> > BASE dc=pol,dc=ro
> > host lacatzel.pol.ro
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT allow
> > scope sub
> > bind_policy soft
> > #pam_password exop
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
>
> [snip]
>
> The combination of the pam_groupdn and pam_member_attribute
> settings you have here instructs pam_ldap to check for the user's
> DN among the values for the group object's "memberUid" attribute,
> but the user's DN is stored in the "uniqueMember" attribute. Try
> changing that (or removing it, because "pam_member_attribute
> uniquemember" is the default).
>
> But if that were the only problem, I'd expect that none of your
> users would be able to log in. You should probably double-check
> that your PAM configuration is able to deny users entry when
> pam_ldap's account management function (which is the part that
> checks group membership) returns a failure.
>
> HTH,
>
> Nalin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
More information about the 389-users
mailing list