[Fedora-directory-users] problems with pam ldap ?

Bogdan Cehan bogdan.cehan at mediaimage.ro
Fri May 30 07:41:09 UTC 2008


Ok
so now my configuration looks like this 

# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion

and ldap.conf :

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group  ou=People,dc=pol,dc=ro

and pam system-auth :

auth    required     pam_env.so
auth    [success=ignore default=1] pam_localuser.so
auth    [success=done new_authtok_reqd=done default=1]  pam_unix.so 
likeauth nullok try_first_pass
auth    sufficient pam_ldap.so try_first_pass
auth    required     pam_deny.so

account    sufficient   pam_unix.so
account    required     pam_access.so
account    sufficient   pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=2 dcredit=2 
ocredit=2 retry=1
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
#Creates the home directories if they do not exist
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_ldap.so


but with all this all users could login to the system with no problem 






> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > I'm using the fedora directory server for centralized
> > authentication , and i have made users with posix account and i
> > put them in ou=People like this :
>
> [snip]
>
> > # Server1, Groups, pol.ro
> > dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> > description: group for users that have access on server 1
> > objectClass: top
> > objectClass: groupofuniquenames
> > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> > cn: Server1
>
> [snip]
>
> > and my ldap.conf looks like this :
> >
> > URI ldap://lacatzel.pol.ro
> > port=389
> > BASE dc=pol,dc=ro
> > host lacatzel.pol.ro
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT allow
> > scope sub
> > bind_policy soft
> > #pam_password exop
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
>
> [snip]
>
> The combination of the pam_groupdn and pam_member_attribute
> settings you have here instructs pam_ldap to check for the user's
> DN among the values for the group object's "memberUid" attribute,
> but the user's DN is stored in the "uniqueMember" attribute.  Try
> changing that (or removing it, because "pam_member_attribute
> uniquemember" is the default).
>
> But if that were the only problem, I'd expect that none of your
> users would be able to log in.  You should probably double-check
> that your PAM configuration is able to deny users entry when
> pam_ldap's account management function (which is the part that
> checks group membership) returns a failure.
>
> HTH,
>
> Nalin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users





More information about the 389-users mailing list