Re: [gentoo-user] openldap: taking too much of time to authenticate
bijayant kumar wrote:
> Hi, I have installed openldap on my gentoo-linux. My purpose is to use the LDAP server for login authentication using PAM. slapd is running fine. The ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is the server as well as the client. Please help me. I followed step by step http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2
> [...]
> access to *
>     by dn="uid=root,ou=people,dc=kavach,dc=blr" write
>     by users read
>     by anonymous auth
> access to attrs=userPassword,gecos,description,loginShell
>     by self write

Your first access rule makes your second one obsolete, because * is for everything. Therefore your second rule will never jump in. Always put the rule with * as your last access rule.

> My /etc/pam.d/system-auth :--
> auth     required    /lib/security/pam_env.so
> auth     sufficient  /lib/security/pam_unix.so likeauth nullok
> auth     sufficient  /lib/security/pam_ldap.so use_first_pass
> auth     required    /lib/security/pam_deny.so
> account  required    /lib/security/pam_unix.so
> account  sufficient  /lib/security/pam_ldap.so
> password required    /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
> password sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient  /lib/security/pam_ldap.so use_authtok
> password required    /lib/security/pam_deny.so
> session  required    /lib/security/pam_limits.so
> session  required    /lib/security/pam_unix.so
> session  optional    /lib/security/pam_ldap.so

I'm no expert at all with pam rules, but your rules always have the unix rule before the ldap rule. If you try to log in with a local account (not in passwd), then perhaps you run into timeouts?
I have set up ldap on debian with the following pam rules:

auth     [success=1 default=ignore] pam_unix.so nullok_secure
auth     required                   pam_ldap.so use_first_pass
auth     required                   pam_permit.so
account  [success=1 default=ignore] pam_unix.so
account  required                   pam_ldap.so
account  required                   pam_permit.so
password sufficient                 pam_ldap.so use_first_pass use_authtok
password required                   pam_unix.so nullok obscure min=4 max=8 md5
session  optional                   pam_ldap.so
session  required                   pam_unix.so

The first rule of auth and account allows you to log in even if ldap is down: the rules check if a local account exists; if yes, jump to the third rule; if no, jump to the second rule. Perhaps this can help you.

> Since my local system is also acting as a LDAP server, that's why every user who is in the LDAP directory is in my system also.

Hm, this sounds a little bit wrong. Even if your LDAP server runs on another system, the accounts saved in it are part of your system, if you configure it that way (which you did with /etc/nsswitch.conf and /etc/ldap.conf). They are not automatically in it, if you do not set these files properly (which I think you did), local ldap or not.

Regards,
Marc
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] openldap: taking too much of time to authenticate
bijayant kumar wrote:
> Hi Marc,
> First of all I want to thank you for your response. I tried everything which you have suggested to me, but unfortunately it did not work for me. It is still taking 15 to 20 seconds to authenticate. Does it take too much time, or am I doing something wrong? Please help me. I have been doing this for the last 8 days. And one more thing I want to know: how would I know that the user is authenticated via ldap and not the system?

15-20 seconds is too long. I only authenticate ldap-users via Samba-login with windows machines, and this works fast without any delay.

For the authentication issue: if your user is in the local user database, it is authenticated against it (depending on your nsswitch and pam settings); if he is in ldap, he is authenticated against ldap. You shouldn't have users in both, local and ldap.

I looked again at your access rules in slapd.conf: try out these rules:

-
access to attrs=userPassword,gecos,description,loginShell
    by dn="uid=root,ou=people,dc=kavach,dc=blr" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="uid=root,ou=people,dc=kavach,dc=blr" write
    by users read
-

The first rule allows root and self to change the attributes userPassword,gecos,description,loginShell, anonymous to authenticate (=login!) and * nothing. The second rule allows root to change all other attributes and authenticated users to read all other attributes.

Regards,
Marc
Re: [gentoo-user] openldap: taking too much of time to authenticate
Marc, I tried it also, but no luck this time also. Also I want to show you my /var/log/syslog, which may be useful to rectify my problem:

Aug 28 16:18:01 bijayant slapd[8302]: conn=145 fd=16 ACCEPT from IP=127.0.0.1:49850 (IP=0.0.0.0:389)
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=0 RESULT tag=97 err=49 text=
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 fd=17 ACCEPT from IP=127.0.0.1:49851 (IP=0.0.0.0:389)
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=1 UNBIND
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 fd=16 closed
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 op=0 RESULT tag=97 err=49 text=
Aug 28 16:18:01 bijayant slapd[8302]: conn=147 fd=16 ACCEPT from IP=127.0.0.1:49852 (IP=0.0.0.0:389)
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 op=1 UNBIND
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 fd=17 closed
Aug 28 16:18:01 bijayant slapd[8302]: conn=147 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128
Aug 28 16:18:01 bijayant slapd[8302]: conn=147 op=0 RESULT tag=97 err=49 text=
Aug 28 16:18:01 bijayant slapd[8302]: conn=147 op=1 UNBIND
Aug 28 16:18:01 bijayant slapd[8302]: conn=147 fd=16 closed
Aug 28 16:18:05 bijayant slapd[8302]: conn=148 fd=16 ACCEPT from IP=127.0.0.1:49853 (IP=0.0.0.0:389)
Aug 28 16:18:05 bijayant slapd[8302]: conn=148 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128
Aug 28 16:18:05 bijayant slapd[8302]: conn=148 op=0 RESULT tag=97 err=49 text=
Aug 28 16:18:05 bijayant slapd[8302]: conn=149 fd=17 ACCEPT from IP=127.0.0.1:49854 (IP=0.0.0.0:389)
Aug 28 16:18:05 bijayant slapd[8302]: conn=148 op=1 UNBIND
Aug 28 16:18:05 bijayant slapd[8302]: conn=148 fd=16 closed

Marc Blumentritt [EMAIL PROTECTED] wrote:
> 15-20 seconds is too long. I only authenticate ldap-users via Samba-login with windows machines, and this works fast without any delay.
>
> For the authentication issue: if your user is in the local user database, it is authenticated against it (depending on your nsswitch and pam settings); if he is in ldap, he is authenticated against ldap. You shouldn't have users in both, local and ldap.
>
> I looked again at your access rules in slapd.conf: try out these rules:
>
> -
> access to attrs=userPassword,gecos,description,loginShell
>     by dn="uid=root,ou=people,dc=kavach,dc=blr" write
>     by anonymous auth
>     by self write
>     by * none
> access to *
>     by dn="uid=root,ou=people,dc=kavach,dc=blr" write
>     by users read
> -
>
> The first rule allows root and self to change the attributes "userPassword,gecos,description,loginShell", anonymous to authenticate (=login!) and * nothing. The second rule allows root to change all other attributes and authenticated users to read all other attributes.
>
> Regards,
> Marc
Re: [gentoo-user] openldap: taking too much of time to authenticate
bijayant kumar wrote:
> Marc, I tried it also, but no luck this time also. Also I want to show you my /var/log/syslog, which may be useful to rectify my problem:
> Aug 28 16:18:01 bijayant slapd[8302]: conn=145 fd=16 ACCEPT from IP=127.0.0.1:49850 (IP=0.0.0.0:389)
> Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128

What is it exactly you are trying to do with dn="cn=Manager,dc=kavach,dc=blr"? This is your ldap rootdn. It is not a unix-user.

> Marc Blumentritt [EMAIL PROTECTED] wrote:
>> I looked again at your access rules in slapd.conf: try out these rules:
>>
>> -
>> access to attrs=userPassword,gecos,description,loginShell
>>     by dn="uid=root,ou=people,dc=kavach,dc=blr" write
>>     by anonymous auth
>>     by self write
>>     by * none
>> access to *
>>     by dn="uid=root,ou=people,dc=kavach,dc=blr" write
>>     by users read
>> -

Next thing I just realized: in your /etc/ldap.conf you set nss_base_passwd to ou=People,dc=kavach,dc=blr?one, while above "people" does not start with a capital letter! Correct this, and while you are at it, change the access rules to this:

---
access to attrs=userPassword,gecos,description,loginShell
    by dn="uid=root,ou=people,dc=kavach,dc=blr" write
    by dn="cn=Manager,dc=kavach,dc=blr" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="uid=root,ou=people,dc=kavach,dc=blr" write
    by dn="cn=Manager,dc=kavach,dc=blr" write
    by users read
---

Since manager is your rootdn, he should have access to everything. In fact, do you really want a root account in your ldap? I think you do not need it, so if you agree, delete the root lines in your access rules.

How do you plan to add users to ldap? I mean, which tools do you use?

Regards,
Marc
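As an added example (not code from the thread or from OpenLDAP), the script below pairs slapd BIND and RESULT log lines by conn/op and counts failed simple binds per DN, which is the pattern visible in the syslog excerpt above: every bind as the rootbinddn cn=Manager from the posted /etc/ldap.conf is answered with err=49. The sample lines are constructed after that excerpt; conn=150 and conn=151 are added to show a successful and a failed user bind.

```shell
#!/bin/sh
# Added example, not code from the thread: pair slapd BIND and RESULT log
# lines by conn/op and count failed simple binds per DN.
# On the BIND line, method=128 is a simple (password) bind; on the RESULT
# line, tag=97 is the BindResponse and err=49 is LDAP invalidCredentials.
# Sample lines are constructed after the syslog excerpt in the thread;
# conn=150 and conn=151 are additions (one successful, one failed user bind).

SAMPLE_LOG='Aug 28 16:18:01 bijayant slapd[8302]: conn=145 fd=16 ACCEPT from IP=127.0.0.1:49850 (IP=0.0.0.0:389)
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=0 RESULT tag=97 err=49 text=
Aug 28 16:18:01 bijayant slapd[8302]: conn=145 op=1 UNBIND
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 op=0 BIND dn="cn=Manager,dc=kavach,dc=blr" method=128
Aug 28 16:18:01 bijayant slapd[8302]: conn=146 op=0 RESULT tag=97 err=49 text=
Aug 28 16:18:05 bijayant slapd[8302]: conn=150 op=0 BIND dn="uid=bijayant,ou=People,dc=kavach,dc=blr" method=128
Aug 28 16:18:05 bijayant slapd[8302]: conn=150 op=0 RESULT tag=97 err=0 text=
Aug 28 16:18:09 bijayant slapd[8302]: conn=151 op=0 BIND dn="uid=bijayant,ou=People,dc=kavach,dc=blr" method=128
Aug 28 16:18:09 bijayant slapd[8302]: conn=151 op=0 RESULT tag=97 err=49 text='

# failed_binds LOGTEXT: print "DN count" for every DN whose simple bind
# was answered with err=49, sorted by DN. A RESULT line is matched to the
# BIND that preceded it on the same conn= and op=.
failed_binds() {
    printf '%s\n' "$1" | awk '
        / BIND dn="/ {
            match($0, /conn=[0-9]+ op=[0-9]+/)
            key = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/)
            dn[key] = substr($0, RSTART + 4, RLENGTH - 5)   # strip dn=" and closing "
        }
        / RESULT tag=97 err=49 / {
            match($0, /conn=[0-9]+ op=[0-9]+/)
            key = substr($0, RSTART, RLENGTH)
            if (key in dn) fails[dn[key]]++
        }
        END { for (d in fails) print d, fails[d] }' | LC_ALL=C sort
}

failed_binds "$SAMPLE_LOG"
```

On a real box, feed it the slapd lines of the syslog, for example failed_binds "$(grep 'slapd\[' /var/log/syslog)"; a DN that fails on every bind, as cn=Manager does above, is the one whose configured credentials to check first.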
[gentoo-user] openldap: taking too much of time to authenticate
Hi, I have installed openldap on my gentoo-linux. My purpose is to use the LDAP server for login authentication using PAM. slapd is running fine. The ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is the server as well as the client. Please help me. I followed step by step http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2

My /etc/openldap/slapd.conf :-

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database ldbm
suffix "dc=kavach,dc=blr"
checkpoint 32 30
rootdn "cn=Manager,dc=kavach,dc=blr"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
directory /var/lib/openldap-data
index uid,cn,gidNumber,uidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
access to *
    by dn="uid=root,ou=people,dc=kavach,dc=blr" write
    by users read
    by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
    by self write

My /etc/openldap/ldap.conf

HOST 127.0.0.1 198.168.99.183 bijayant.kavach.blr
BASE dc=kavach,dc=blr
URI ldap://127.0.0.1:389/
TIMELIMIT 15
SIZELIMIT 12
DEREF never
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 4

My /etc/nsswitch.conf file :--

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns

My /etc/pam.d/system-auth :--

auth     required    /lib/security/pam_env.so
auth     sufficient  /lib/security/pam_unix.so likeauth nullok
auth     sufficient  /lib/security/pam_ldap.so use_first_pass
auth     required    /lib/security/pam_deny.so
account  required    /lib/security/pam_unix.so
account  sufficient  /lib/security/pam_ldap.so
password required    /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
password sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient  /lib/security/pam_ldap.so use_authtok
password required    /lib/security/pam_deny.so
session  required    /lib/security/pam_limits.so
session  required    /lib/security/pam_unix.so
session  optional    /lib/security/pam_ldap.so

My /etc/ldap.conf :--

host 127.0.0.1
base dc=kavach,dc=blr
rootbinddn cn=Manager,dc=kavach,dc=blr
port 389
bind_policy hard
uri ldap://127.0.0.1:389/
pam_password crypt
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
nss_base_passwd ou=People,dc=kavach,dc=blr?one
nss_base_shadow ou=People,dc=kavach,dc=blr?one
nss_base_group ou=Group,dc=kavach,dc=blr?one
nss_base_hosts ou=Hosts,dc=kavach,dc=blr?one
scope one
nss_initgroups_ignoreusers root,ldap
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 4

Since my local system is also acting as a LDAP server, that's why every user who is in the LDAP directory is in my system also.