Re: [CentOS] OpenLDAP authentication, account expired when it's not.

2010-07-27 Thread Bill Campbell
On Mon, Jul 26, 2010, Scott Robbins wrote:
> On Mon, Jul 26, 2010 at 03:44:48PM -0700, Bill Campbell wrote:
> > I am trying to set up LDAP authentication for CentOS workstations, but
> > can't get it to authenticate properly.  Authentication fails saying the
> > account has expired when I know for certain that it has not (e.g.
> > ldapsearch authenticated with the appropriate uid and password returns
> > shadowLastChange 14816 and shadowMax 9).
>
> Well, I'm just going to spam my own page.  Give it a gander, and see if
> following it from the get go works.
>
> Note the link to the forum thread in it--it's possible, though not
> proven, that CentOS (probably RH) *might* have broken ldap.
>
> http://home.roadrunner.com/~computertaijutsu/ldap.html
>
> All I can say is that it works for me, but--and it's probably an
> important but--I haven't set it up from scratch on CentOS 5.5 yet.

Thanks.  I have to go to a client site this afternoon to do some
fire-stomping, and will take a look at this when I get back.  A
quick scan, and looks like it covers all the bases.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

There never was a democracy that did not commit suicide.  -- Samuel Adams
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] OpenLDAP authentication, account expired when it's not.

2010-07-26 Thread Bill Campbell
I am trying to set up LDAP authentication for CentOS workstations, but
can't get it to authenticate properly.  Authentication fails saying the
account has expired when I know for certain that it has not (e.g.
ldapsearch authenticated with the appropriate uid and password returns
shadowLastChange 14816 and shadowMax 9).

The last time I did this seriously for authentication was using Apple iMacs
authenticating against a SuSE Linux machine so it's entirely possible I'm
not doing the right thing today.  Most of the sites where we're using ldap
and nss are not authentication, but simply going to user's $HOME
directories to deliver e-mail to Maildir stores which doesn't require
authentication.  FWIW, I just checked an old SLES9 system authenticating
against another SuSE system by telnet'ing to its POP3 server and that works
as expected so it's something different in the way SuSE's PAM and CentOS'
works (using MD5 passwords).

I have done a fair amount of google/RTFM as well as reading the pam
documentation on the CentOS client machine, and don't find anything that
helps me figure out what is causing it to think the account has expired.

The LDAP attributes that I think are relevant on a test account are below.
I don't see anything here that looks hinky, but then I am fairly ignorant
on PAM authentication.

shadowExpire 0
shadowFlag 0
shadowInactive 0
shadowLastChange 14816
shadowMax 9
shadowMin 0
shadowWarning 7

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

I ask, sir, what is the militia? It is the whole people. To disarm the
people is the best and most effectual way to enslave them.-- George Mason
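
Added example, not part of the original thread or of any CentOS/PAM code: a small evaluator that decodes the shadow attributes listed in the message above as day counts since 1970-01-01 and reports what each one implies on the date of the post. The shadow(5) man page notes that 0 in the account-expiry field is ambiguous (no expiration, or expiration on Jan 1, 1970); which reading a given PAM stack applies is an assumption here, exposed as the hypothetical `zero_expire_is_day_zero` switch.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed input: the attribute values quoted in the message above.
ATTRS = {
    "shadowExpire": 0, "shadowFlag": 0, "shadowInactive": 0,
    "shadowLastChange": 14816, "shadowMax": 9, "shadowMin": 0,
    "shadowWarning": 7,
}

def to_date(days):
    """Convert a shadow day count (days since 1970-01-01) to a date."""
    return EPOCH + timedelta(days=days)

def account_status(attrs, today, zero_expire_is_day_zero):
    """Evaluate the expiry-related shadow fields as of `today`.

    zero_expire_is_day_zero is an assumption switch, not a property of any
    particular PAM module: True reads shadowExpire 0 literally as day 0,
    False reads it as "no expiry date set".
    """
    now = (today - EPOCH).days
    status = {"account_expires": None, "account_expired": False,
              "password_expires": None, "password_expired": False,
              "in_warning_period": False}

    expire = attrs.get("shadowExpire", -1)
    if expire > 0 or (expire == 0 and zero_expire_is_day_zero):
        status["account_expires"] = to_date(expire)
        status["account_expired"] = now >= expire

    last = attrs.get("shadowLastChange", -1)
    max_age = attrs.get("shadowMax", -1)
    if last > 0 and max_age >= 0:
        pw_expiry = last + max_age
        warn = attrs.get("shadowWarning", -1)
        status["password_expires"] = to_date(pw_expiry)
        status["password_expired"] = now > pw_expiry
        status["in_warning_period"] = warn >= 0 and pw_expiry - warn <= now <= pw_expiry
    return status

if __name__ == "__main__":
    day = date(2010, 7, 26)  # date of the message
    for literal in (True, False):
        print("shadowExpire 0 read as day 0:", literal)
        for key, value in account_status(ATTRS, day, literal).items():
            print(f"  {key}: {value}")
```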


Re: [CentOS] OpenLDAP authentication, account expired when it's not.

2010-07-26 Thread Scott Robbins
On Mon, Jul 26, 2010 at 03:44:48PM -0700, Bill Campbell wrote:
> I am trying to set up LDAP authentication for CentOS workstations, but
> can't get it to authenticate properly.  Authentication fails saying the
> account has expired when I know for certain that it has not (e.g.
> ldapsearch authenticated with the appropriate uid and password returns
> shadowLastChange 14816 and shadowMax 9).

Well, I'm just going to spam my own page.  Give it a gander, and see if
following it from the get go works.

Note the link to the forum thread in it--it's possible, though not
proven, that CentOS (probably RH) *might* have broken ldap.

http://home.roadrunner.com/~computertaijutsu/ldap.html

All I can say is that it works for me, but--and it's probably an
important but--I haven't set it up from scratch on CentOS 5.5 yet. 


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Anya: For a thousand years I wielded the powers of the
Wish. I brought ruin to the heads of unfaithful men. I brought forth
destruction and chaos for the pleasure of the lower beings. I was
feared and worshipped across the mortal globe. And now I'm stuck at
Sunnydale High. Mortal. Child. And I'm flunking Math.