2008/3/27, Manuel García <[EMAIL PROTECTED]>: > On Fri, Mar 28, 2008 at 8:16 AM, andres sarmiento <[EMAIL PROTECTED]> wrote: > > Estimados: > > Actualmente tengo instalado un servidor con Debian Etch al cual le > > instalé openldap. El serv idor actualmente está levantado y funciona > > localmente. > > El problema radica cuando necesito autenticar a un usuario remoto. > > > > Si un usuario creado con ldap se autentica vía SSH no ocurre problema. > > el problema, ocurre cuando dicho usuario necesita autenticarse desde > > otra aplicación. Por ejemplo vía Web. > > Agradecería si me pueden orientar. Seguí el siguiente Howto: > > http://moduli.net/sysadmin/sarge-ldap-auth-howto.html > > > > Y seguí todos los pasos, pero no ocurre nada. > > Adjunto los archivos de configuración de slapd.conf, pam_ldap.com > nsswitch.conf > > > > ### Para slapd.conf #################################### > > john:/home/andres# cat /etc/ldap/slapd.conf > > # This is the main slapd configuration file. See slapd.conf(5) for more > > # info on the configuration options. > > > > ####################################################################### > > # Global Directives: > > > > # Features to permit > > #allow bind_v2 > > > > # Schema and objectClass definitions > > include /etc/ldap/schema/core.schema > > include /etc/ldap/schema/cosine.schema > > include /etc/ldap/schema/nis.schema > > include /etc/ldap/schema/inetorgperson.schema > > > > # Where the pid file is put. The init.d script > > # will not stop the server if you change this. > > pidfile /var/run/slapd/slapd.pid > > > > # List of arguments that were passed to the server > > argsfile /var/run/slapd/slapd.args > > > > # Read slapd.conf(5) for possible values > > loglevel 0 > > > > # Where the dynamically loaded modules are stored > > modulepath /usr/lib/ldap > > moduleload back_bdb > > > > # The maximum number of entries that is returned for a search operation > > sizelimit 500 > > > > # The tool-threads parameter sets the actual amount of cpu's that is used > > # for indexing. > > tool-threads 1 > > > > ####################################################################### > > # Specific Backend Directives for bdb: > > # Backend specific directives apply to this backend until another > > # 'backend' directive occurs > > backend bdb > > checkpoint 512 30 > > > > ####################################################################### > > # Specific Backend Directives for 'other': > > # Backend specific directives apply to this backend until another > > # 'backend' directive occurs > > #backend <other> > > > > ####################################################################### > > # Specific Directives for database #1, of type bdb: > > # Database specific directives apply to this databasse until another > > # 'database' directive occurs > > database bdb > > > > # The base of your directory in database #1 > > suffix "dc=ldap,dc=spcservices,dc=com" > > > > # rootdn directive for specifying a superuser on the database. This is > needed > > # for syncrepl. > > # rootdn "cn=admin,dc=ldap,dc=spcservices,dc=com" > > > > # Where the database file are physically stored for database #1 > > directory "/var/lib/ldap" > > > > # For the Debian package we use 2MB as default but be sure to update this > > # value if you have plenty of RAM > > dbconfig set_cachesize 0 2097152 0 > > > > # Sven Hartge reported that he had to set this value incredibly high > > # to get slapd running at all. See http://bugs.debian.org/303057 > > # for more information. > > > > # Number of objects that can be locked at the same time. > > dbconfig set_lk_max_objects 1500 > > # Number of locks (both requested and granted) > > dbconfig set_lk_max_locks 1500 > > # Number of lockers > > dbconfig set_lk_max_lockers 1500 > > > > # Indexing options for database #1 > > index objectClass eq > > > > # Save the time that the entry gets modified, for database #1 > > lastmod on > > > > # Where to store the replica logs for database #1 > > # replogfile /var/lib/ldap/replog > > > > # The userPassword by default can be changed > > # by the entry owning it if they are authenticated. > > # Others should not be able to see it, except the > > # admin entry below > > # These access lines apply to database #1 only > > access to attrs=userPassword,shadowLastChange,gecos > > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write > > by self write > > by * read > > > > # Ensure read access to the base for things like > > # supportedSASLMechanisms. Without this you may > > # have problems with SASL not knowing what > > # mechanisms are available and the like. > > # Note that this is covered by the 'access to *' > > # ACL below too but if you change that as people > > # are wont to do you'll still need this if you > > # want SASL (and possible other things) to work > > # happily. > > access to dn.base="" by * read > > > > # The admin dn has full write access, everyone else > > # can read everything. > > access to * > > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write > > by * read > > > > # For Netscape Roaming support, each user gets a roaming > > # profile for which they have write access to > > #access to dn=".*,ou=Roaming,o=morsnet" > > # by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write > > # by dnattr=owner write > > > > ####################################################################### > > # Specific Directives for database #2, of type 'other' (can be bdb too): > > # Database specific directives apply to this databasse until another > > # 'database' directive occurs > > #database <other> > > > > # The base of your directory for database #2 > > #suffix "dc=debian,dc=org" > > > > > ###########################################################################33 > > Para /etc/ldap/ldap.conf > > > > john:/home/andres# cat /etc/ldap/ldap.conf > > # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 > > 19:57:01 kurt Exp $ > > # > > # LDAP Defaults > > # > > > > # See ldap.conf(5) for details > > # This file should be world readable but not world writable. > > > > BASE dc=ldap,dc=spcservices,dc=com > > URI ldap://172.31.20.3 > > > > #SIZELIMIT 12 > > #TIMELIMIT 15 > > #DEREF never > > > > > ############################################################################ > > para /etc/nsswitch.conf > > > > john:/home/andres# cat /etc/nsswitch.conf > > # /etc/nsswitch.conf > > # > > # Example configuration of GNU Name Service Switch functionality. > > # If you have the `glibc-doc-reference' and `info' packages installed, > try: > > # `info libc "Name Service Switch"' for information about this file. > > > > passwd: ldap compat > > group: ldap compat > > shadow: compat > > > > hosts: files dns > > networks: files > > > > protocols: db files > > services: db files > > ethers: db files > > rpc: db files > > > > netgroup: nis > > > > > > > > Agradezco las las respuestas, ya que no encuentro la menera de hacerlo > > funcionar. > > Saludos Cordiales > > > > > > > En /etc/nsswitch.conf deberias tener: > > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > > passwd: files ldap > group: files ldap > shadow: files ldap > > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > > > y en /etc/pam.d/ deberias tener un archivo de configuración para la > autenticación en apache o el servidro web que estés usando, que > contenga: > > @include common-auth > @include common-account > > eso deberia ser suficiente. > > además te recomiendo el uso de phpldapadmin para el manejo del ldap. > > > > -- > Manuel Garcia > Administrador de redes y servidores > Corporacion Lynqus > Debian GNU/Linux 4.1 > codename "Lenny" >
Muchas gracias manuel por la ayuda, modifiqué el archivo /etc/nsswitch.conf. E instalé phpldapadmin, peor no comprendo bien lo del archivo PAM Te adjunto la salida dela rchivo, quizás tengo algo mal configurado: ######## Para /etc/pam.d/common-account john:~# cat /etc/pam.d/common-account # # /etc/pam.d/common-account - authorization settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authorization modules that define # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # #account required pam_unix.so account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_deny.so #### Para /etc/pam.d/common-session john:~# cat /etc/pam.d/common-session # # /etc/pam.d/common-session - session-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # non-interactive). The default is pam_unix. # session required pam_unix.so ### Para /etc/pam.d/common-auth john:~# cat /etc/pam.d/common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # #auth required pam_unix.so nullok_secure auth sufficient pam_unix.so auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so Bueno esa es la configuración de PAM. Te cuento que puedo loguearme y cambiar la password de un usuario desde otro computaror mediante el comando: ldappasswd -x -D cn=admin,dc=ldap,dc=spcservices,dc=com -W -S uid=nihat,ou=people,dc=ldap,dc=spcservices,dc=com -h 172.31.20.3 Ecuentro extraño que no se pueda realizar desde otra aplicación. Quedo atento a los comentarios Saludos y Feliz día!!!