I just finished an LDAP configuration successfully and found out that
the configuration is tricky - I had to be very careful. I had the same
problem with double passwords - the order in the PAM config files was wrong.
Also I found out that PAM was not able to bind to the server
anonymously, though I had configured it in slapd.conf. So I created a
Manager with read-only permission. For some reason my ldap.conf accepts
_only_ an IP in the host entry; everywhere else the domain name works.
my /etc/pam.d/login:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
session required /lib/security/pam_unix_session.so
/etc/pam.d/pop, /etc/pam.d/imap and /etc/pam.d/su (same contents):
auth sufficient pam_ldap.so
auth required pam_unix_auth.so
account required pam_unix_acct.so
password required pam_unix_passwd.so
session required pam_unix_session.so
/etc/openldap/slapd.conf:
<--- snip --->
access to attr=userPassword
by self write
by dn="cn=Manager,dc=domain,dc=com" write
by dn="cn=pam,dc=domain,dc=com" read
by anonymous auth
by * none
access to *
by self write
by dn="cn=Manager,dc=domain,dc=com" write
by * read
</--- snip --->
/etc/libnss-ldap.conf:
<--- snip --->
binddn cn=pam,dc=domain,dc=com
bindpw xxxxxxxxx
<--- snip --->
This configuration works on my system:
Potato AXP, LDAP 2.0.11 (compiled)
martin
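The double-prompt problem is easiest to see by running the stacks through a small model of PAM's control flags. The following is an added example written for this page, not code from martin, Sergio or the Linux-PAM project: `parse_stack` and `authenticate` model required/requisite/sufficient and use_first_pass/try_first_pass, the user databases and the DOUBLE_PROMPT stack are constructed assumptions, and SERGIO_STACK and MARTIN_LOGIN are the auth lines posted in this thread.

```python
"""Simulate a Linux-PAM "auth" stack to see how many times it prompts.

Added example, not from the post or the Linux-PAM project: a small model
of the required/requisite/sufficient controls and of use_first_pass /
try_first_pass.  The user databases and the DOUBLE_PROMPT stack are
constructed; SERGIO_STACK and MARTIN_LOGIN are the two stacks posted.
"""

# Constructed accounts standing in for /etc/shadow and the LDAP directory:
# root is local only, bob is in LDAP only, alice is in both.
UNIX_USERS = {"root": "r00t-local", "alice": "alice-pw"}
LDAP_USERS = {"bob": "bob-pw", "alice": "alice-pw"}

# Modules that verify a password, and which database each checks against.
PASSWORD_MODULES = {
    "pam_unix.so": UNIX_USERS,
    "pam_unix_auth.so": UNIX_USERS,
    "pam_ldap.so": LDAP_USERS,
}
# Modules from the posted stacks that never prompt; modelled as always passing.
PASSTHROUGH_MODULES = {"pam_nologin.so", "pam_securetty.so"}


def parse_stack(text):
    """Turn 'auth <control> [/path/]<module> [args...]' lines into tuples."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2].rsplit("/", 1)[-1]
        stack.append((control, module, set(fields[3:])))
    return stack


def authenticate(stack, user, typed):
    """Run the stack for `user`; `typed` lists what the user types at each
    password prompt.  Returns (authenticated, number_of_prompts)."""
    prompts = 0
    first_pass = None         # PAM_AUTHTOK left behind by an earlier module
    required_failed = False
    for control, module, args in stack:
        if module in PASSTHROUGH_MODULES:
            ok = True
        elif module in PASSWORD_MODULES:
            reuse = "use_first_pass" in args or (
                "try_first_pass" in args and first_pass is not None)
            if reuse:
                pw = first_pass           # no prompt; fails if nothing stored
            else:
                pw = typed[prompts] if prompts < len(typed) else None
                prompts += 1
                first_pass = pw
            ok = pw is not None and PASSWORD_MODULES[module].get(user) == pw
        else:
            raise ValueError("unknown module " + module)

        if control == "required":
            required_failed = required_failed or not ok   # keep going either way
        elif control == "requisite":
            if not ok:
                return False, prompts
        elif control == "sufficient":
            if ok and not required_failed:
                return True, prompts                       # stop: authenticated
        else:
            raise ValueError("unsupported control " + control)
    return not required_failed, prompts


# Constructed "wrong order": pam_ldap is not told to reuse the token, so an
# LDAP user is asked for a password twice (the symptom in the original question).
DOUBLE_PROMPT = """
auth required   pam_nologin.so
auth sufficient pam_unix.so
auth required   pam_ldap.so
"""

# Sergio's stack from the thread.
SERGIO_STACK = """
auth required   pam_nologin.so
auth sufficient pam_unix.so
auth required   pam_ldap.so use_first_pass
"""

# The auth lines of martin's /etc/pam.d/login.
MARTIN_LOGIN = """
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required   /lib/security/pam_unix_auth.so use_first_pass
"""

if __name__ == "__main__":
    for name, text in [("double prompt", DOUBLE_PROMPT),
                       ("sergio", SERGIO_STACK), ("martin", MARTIN_LOGIN)]:
        stack = parse_stack(text)
        print(name, "bob:", authenticate(stack, "bob", ["bob-pw", "bob-pw"]),
              "root:", authenticate(stack, "root", ["r00t-local"]))
```

Running it shows an LDAP-only user answering two prompts under DOUBLE_PROMPT but one under either posted stack, and that root (absent from LDAP) still logs in under martin's stack because pam_unix_auth reuses the token pam_ldap prompted for. Ordering still matters with use_first_pass in place: once a required module earlier in the stack has failed, a later sufficient success no longer short-circuits the stack, so the login fails even though one module accepted the password.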
Sergio Talens-Oliag wrote:
> On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
>
>>Hey,
>>
>>I've got a slight problem. At school we run two major networks, one half is
>>Novell Netware based, and the other half is unix based. We basically want one
>>centralized system of authentication, so that users don't have to remember two
>>different passwords to use either system. We've been trying to get linux to use
>>ldap to authenticate with the novell ldap server, and have had no luck. We
>>know the novell ldap server is fine, however something seems fishy with the
>>linux side. The problem with the PAM_LDAP modules is that
>>when a user tries to log in, they are asked for a password twice, once the
>>normal password, and the second one being the ldap based password. However,
>>even if you type in the correct passwords, LDAP says permission denied, or
>>authentication failed. What makes it really odd is that at the same time the
>>novell netware server states it has seen the authenticated user, and even
>>gives it an OK to login.
>>
>>Anyone have any clue as to how to make it work? Are there any docs about
>>getting Netware+linux+ldap to work? thanks for any info that you might pass
>>along. have a nice day.
>>
>
> I think your problem is in your pam module configuration, I use something
> like this for auth:
>
> ---
> auth required pam_nologin.so
> auth sufficient pam_unix.so
> auth required pam_ldap.so use_first_pass
> ---
>
> With this setup the user is only asked once; if 'pam_unix' succeeds the user
> is authorized and if it fails 'pam_ldap' tries to authenticate using the
> same password entered.
>
> Hope this helps.
>
>
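The slapd.conf ACL posted above relies on slapd's first-match evaluation: the first `access to` directive that matches the attribute is the only one consulted, and within it the first matching `by` clause gives the privilege, so `by anonymous auth` lets an anonymous client bind against userPassword without being able to read it, while the dedicated `cn=pam` DN gets read. The following is an added example, not code from the post or from OpenLDAP: it re-implements that evaluation for the subset of syntax used in the post (`attr=...`, `*`, `self`, `anonymous`, `users`, `dn="..."` taken as an exact DN) so the ACL can be checked without a server. POSTED_ACL is the snippet from the post; LEAKY_ACL and the entry DNs are constructed.

```python
"""Evaluate slapd 'access to ... by ...' directives the way slapd does.

Added example, not from the post or OpenLDAP: a re-implementation of the
first-match evaluation described in slapd.access(5) for the subset of
syntax used in the post (attr=..., *, self, anonymous, users, dn="..."),
so the posted ACL can be checked offline.  dn="..." is treated as an
exact DN here.  POSTED_ACL is the posted snippet; LEAKY_ACL and the
entry DNs are constructed.
"""
import re

# Privilege levels in increasing order; each implies the ones before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BY_LINE = re.compile(r'by\s+(dn="([^"]+)"|\S+)\s+(\S+)')


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            m = BY_LINE.match(line)
            who, dn, level = m.group(1), m.group(2), m.group(3)
            acls[-1][1].append((dn if dn else who, level))
    return acls


def access(acls, requester, target_dn, attr):
    """Privilege `requester` (a bound DN, or None for anonymous) has on
    `attr` of entry `target_dn`.  First matching 'access to' wins, then
    the first matching 'by'; a directive with no matching 'by' denies."""
    for what, by_clauses in acls:
        if what == "*" or (what.lower().startswith("attr=")
                           and what[5:].lower() == attr.lower()):
            for who, level in by_clauses:
                if (who == "*"
                        or (who == "anonymous" and requester is None)
                        or (who == "users" and requester is not None)
                        or (who == "self" and requester == target_dn)
                        or who == requester):
                    return level
            return "none"
    return "none"   # nothing matched; the posted ACL ends in a catch-all anyway


def allows(level, needed):
    """True if privilege `level` is at least `needed` (e.g. 'auth' < 'read')."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# The ACL snippet from the post.
POSTED_ACL = parse_acl("""
access to attr=userPassword
    by self write
    by dn="cn=Manager,dc=domain,dc=com" write
    by dn="cn=pam,dc=domain,dc=com" read
    by anonymous auth
    by * none
access to *
    by self write
    by dn="cn=Manager,dc=domain,dc=com" write
    by * read
""")

# Constructed mistake: the catch-all directive placed first.  Because
# evaluation stops at the first matching 'access to', the userPassword
# rule below it is never reached and every hash is readable anonymously.
LEAKY_ACL = parse_acl("""
access to *
    by * read
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
""")

BOB = "uid=bob,ou=People,dc=domain,dc=com"        # constructed entry DN
PAM = "cn=pam,dc=domain,dc=com"                    # bind DN from the post

if __name__ == "__main__":
    for who in (None, PAM, BOB, "uid=alice,ou=People,dc=domain,dc=com"):
        print(who or "anonymous", "->", access(POSTED_ACL, who, BOB, "userPassword"))
```

The evaluator returns `auth` for an anonymous requester on userPassword, which is enough to bind (allows(..., "auth")) but not to read the hash, `read` for `cn=pam`, `write` for the entry's own DN, and `none` for any other user, while ordinary attributes fall through to the `access to *` directive and are readable by all. The LEAKY_ACL case is the caveat to keep in mind when editing these files: a broad `by * read` placed above the password rule silently exposes every userPassword value.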