A Dissabte 05 Febrer 2005 16:51, Albert Sellar�s va escriure: > Primer de tot, demanar-te dsiculpes per si et faig preguntes referents a > passos q hagis pogut seguir, ja que no m'he llegit cap d'aquests > articles q has anomenat, i per tant no se molt b� quins passos has pogut > segir. trankil, no t'has de disculpar!
> M'imagino que la teva intenci� �s tenir tota l'autenticaci� > centralitzada per a tots els serveis que en requereixin.... ex�cte!!! > Viam, si dius que fent el su a la m�quina on est� el client s'et logueja > l'usuari, �s q el client obt� b� les dades dl servidor ldap, llavors lo > m�s provable seria que el password estigu�s malament, tot i q per > l'error que has dit q et donava, crec q ser� una altre cosa... > > prova de fer des de la m�quina client: > > com a root: > passwd wallas85 em diu: passwd: Authentication token manipulation error > i li poses un password ben senzill, llavors fes: per� aix� ho he fet via phpldapadmin (i a m�s he posat que no estigui encriptada) > su wallas85 m'entra a l'usuari per� em diu aix�: su: Authentication service cannot retrieve authentication info. (Ignorat) i a /var/log/auth.log em surt aix�: localhost su[XXXX]: pam_ldap: error trying to bind (Invalid credentials) localhost su[XXXX]: + pts/0 root:wallas85 localhost su[XXXX]: (pam_unix) session opened for user wallas85 by root(uid=0) > i un cop loguejat, prova de canviar-li el passowrd. Et demanar� el que > li has posat avans.... si des de dins l'usuari wallas85 faig: "$passwd wallas85" em sur aix�: Changing password for wallas85 (current) UNIX password: (aqu� jo poso la contrassenya, que �s molt sensilleta que l'acabo de canviar com he comentat) passwd: Authentication token manipulation error > Si et deixa, llavors prova d'autentificar-te amb els diferents serveis > aviam si n'hi ha algun q et deixi. > > En cas de fallar la prova, envia la seg�ent info: > > ls /etc/pam.d chfn, common-auth, common-session, passwd, ssh, chsh, imap, pop3, su, common-account, common-password, cron, login, ppp, cupsys, other, samba > cat /etc/pam.conf rest, tot el que hi ha est� comentat > cat /etc/pam.d/su # (Replaces the `SU_WHEEL_ONLY' option from login.defs) # auth required pam_wheel.so # Uncomment this if you want wheel members to be able to # su without a password. # auth sufficient pam_wheel.so trust # Uncomment this if you want members of a specific group to not # be allowed to use su at all. # auth required pam_wheel.so deny group=nosu # This allows root to su without passwords (normal operation) auth sufficient pam_rootok.so # Uncomment and edit /etc/security/time.conf if you need to set # time restrainst on su usage. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs # as well as /etc/porttime) # account requisite pam_time.so # The standard Unix authentication modules, used with # NIS (man nsswitch) as well as normal /etc/passwd and # /etc/shadow entries. @include common-auth @include common-account @include common-session # Sets up user limits, please uncomment and read /etc/security/limits.conf # to enable this functionality. # (Replaces the use of /etc/limits in old login) # session required pam_limits.so > cat /etc/pam.d/ssh # Disallow non-root logins when /etc/nologin exists. auth required pam_nologin.so # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. auth required pam_env.so # [1] # Standard Un*x authentication. @include common-auth # Standard Un*x authorization. @include common-account # Standard Un*x session setup and teardown. @include common-session # Print the message of the day upon successful login. session optional pam_motd.so # [1] # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Standard Un*x password updating. @include common-password > cat /etc/pam.d/passwd @include common-password > cat /etc/pam_ldap.conf host gandalf.lothlorien # The distinguished name of the search base. base dc=lothlorien # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. #uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=proxyuser,dc=padl,dc=com # The credentials to bind with. # Optional: default is no credential. #bindpw 1 # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=admin,dc=lothlorien # The port. # Optional: default is 389. port 389 # The search scope. #scope sub #scope one #scope base # Search timelimit #timelimit 30 # Bind timelimit #bind_timelimit 30 # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600 # Filter to AND with uid=%s #pam_filter objectclass=posixAccount # The user ID attribute (defaults to uid) #pam_login_attribute uid # Search the root DSE for the password policy (works # with Netscape Directory Server) #pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes # Group to enforce membership of #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com # Group member attribute #pam_member_attribute uniquemember # Specify a minium or maximum UID number allowed #pam_min_uid 0 #pam_max_uid 0 # Template login attribute, default template user # (can be overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password exop # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape # Directory Server if you're using the UNIX-Crypt # hash mechanism and not using the NT Synchronization # service. #pam_password crypt # Remove old password first, then update in # cleartext. Necessary for use with Novell # Directory Services (NDS) #pam_password nds # Update Active Directory password, by # creating Unicode password and updating # unicodePwd attribute. #pam_password ad # Use the OpenLDAP password change # extended operation to update the password. #pam_password exop #pam_password local # Redirect users to a URL or somesuch on password # changes. #pam_password_prohibit_message Please visit http://internal to change your password. # RFC2307bis naming contexts # Syntax: # nss_base_XXX base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. # You can omit the suffix eg: # nss_base_passwd ou=People, # to append the default base DN but this # may incur a small performance impact. #nss_base_passwd ou=people,dc=gsr,dc=pt?one #nss_base_shadow ou=people,dc=gsr,dc=pt?one #nss_base_group ou=groups,dc=gsr,dc=pt?one #nss_base_hosts ou=machines,dc=gsr,dc=pt?one #nss_base_services ou=Services,dc=padl,dc=com?one #nss_base_networks ou=Networks,dc=padl,dc=com?one #nss_base_protocols ou=Protocols,dc=padl,dc=com?one #nss_base_rpc ou=Rpc,dc=padl,dc=com?one #nss_base_ethers ou=Ethers,dc=padl,dc=com?one #nss_base_netmasks ou=Networks,dc=padl,dc=com?ne #nss_base_bootparams ou=Ethers,dc=padl,dc=com?one #nss_base_aliases ou=Aliases,dc=padl,dc=com?one #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one # attribute/objectclass mapping # Syntax: #nss_map_attribute rfc2307attribute mapped_attribute #nss_map_objectclass rfc2307objectclass mapped_objectclass # configure --enable-nds is no longer supported. # For NDS now do: #nss_map_attribute uniqueMember member # configure --enable-mssfu-schema is no longer supported. # For MSSFU now do: #nss_map_objectclass posixAccount User #nss_map_attribute uid msSFUName #nss_map_attribute uniqueMember posixMember #nss_map_attribute userPassword msSFUPassword #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_objectclass posixGroup Group #pam_login_attribute msSFUName #pam_filter objectclass=User #pam_password ad # configure --enable-authpassword is no longer supported # For authPassword support, now do: #nss_map_attribute userPassword authPassword #pam_password nds # For IBM SecureWay support, do: #nss_map_objectclass posixAccount aixAccount #nss_map_attribute uid userName #nss_map_attribute gidNumber gid #nss_map_attribute uidNumber uid #nss_map_attribute userPassword passwordChar #nss_map_objectclass posixGroup aixAccessGroup #nss_map_attribute cn groupName #nss_map_attribute uniqueMember member #pam_login_attribute userName #pam_filter objectclass=aixAccount #pam_password clear # Netscape SDK LDAPS #ssl on # Netscape SDK SSL options #sslpath /etc/ssl/certs/cert7.db # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl off # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is "no" #tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key > ls -l /etc/ldap_secret -rw-r--r-- 1 root root 39 2005-01-13 21:53 /etc/ldap.secret > cat /etc/nsswitch.conf passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files ldap dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: ldap nis > ps aux | grep nscd nscd 2295 0.0 1.6 48204 2632 ? Ss 22:26 0:00 /usr/sbin/nscd > ls /etc/ldap/ ldap.conf ldap.conf.bak schema slapd.conf slapd.conf.bak ssl > cat /etc/ldap/ldap.conf # See ldap.conf(5) for details # This file should be world readable but not world writable. # Your LDAP server. Must be resolvable without using LDAP. HOST gandalf.lothlorien # The distinguished name of the search base. BASE dc=lothlorien # The port. # Optional: default is 389. 636 is for ldaps PORT 389 #PORT 636 > cat /etc/ldap/sldap.conf # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/authldap.schema include /etc/ldap/schema/samba.schema #include /etc/ldap/schema/pykota.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd.args # Read slapd.conf(5) for possible values loglevel 0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_ldbm ####################################################################### # Specific Backend Directives for ldbm: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend ldbm ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type ldbm: # Database specific directives apply to this databasse until another # 'database' directive occurs database ldbm # The base of your directory in database #1 suffix "dc=lothlorien" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Requerido por OpenLDAP index objectclass eq index default sub index cn pres,sub,eq index sn pres,sub,eq # Requerido para soportar pdb_getsampwnam index uid pres,sub,eq # Requerido para soportar pdb_getsambapwrid() index displayName pres,sub,eq # Descomente las siguientes l�neas si est� almacenando entradas # posixAccount y posixGroup en el directorio index uidNumber eq index gidNumber eq index memberUid eq # Samba 3.* index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq # PyKota #index pykotaUserName pres,eq,sub #index pykotaGroupName pres,eq,sub #index pykotaPrinterName pres,eq,sub #index pykotaLastJobIdent eq # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attribute=userPassword by dn="cn=admin,dc=lothlorien" write by anonymous auth by self write by * none # allow the "ldap admin dn" access, but deny everyone else # (Samba related) access to attrs=sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=lothlorien" write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=lothlorien" write by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=gsr,dc=pt" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be ldbm too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" > > > Si has tocat algun altre arxiu que creguis important tb, aix� com si > algun d'aquests arxius es diuen algo diferents. gandalf:/etc/pam.d# cat common-account # /etc/pam.d/common-account - authorization settings common to all services account required pam_unix.so account sufficient pam_ldap.so gandalf:/etc/pam.d# cat common-auth # /etc/pam.d/common-auth - authentication settings common to all services auth sufficient pam_unix.so auth sufficient pam_ldap.so try_first_pass auth required pam_env.so auth required pam_securetty.so auth required pam_unix_auth.so auth required pam_warn.so auth required pam_deny.so gandalf:/etc/pam.d# cat common-password # /etc/pam.d/common-password - password-related modules common to all services password required pam_cracklib.so retry=3 minlen=6 difok=4 password sufficient pam_unix.so use_authtok md5 shadow password sufficient pam_ldap.so use_authtok password required pam_warn.so password required pam_deny.so gandalf:/etc/pam.d# cat common-session # /etc/pam.d/common-session - session-related modules common to all services session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session required pam_limits.so session required pam_unix.so session optional pam_ldap.so > Sort! a veure si en tinc. gr�cies per l'ajuda! guillem
