2008/3/27, Manuel García <[EMAIL PROTECTED]>:
> On Fri, Mar 28, 2008 at 11:09 AM, andres sarmiento <[EMAIL PROTECTED]> wrote:
> >
> > 2008/3/27, Manuel García <[EMAIL PROTECTED]>:
> > > On Fri, Mar 28, 2008 at 10:51 AM, andres sarmiento <[EMAIL PROTECTED]> wrote:
> > > >
> > > > 2008/3/27, Manuel García <[EMAIL PROTECTED]>:
> > > > > On Fri, Mar 28, 2008 at 8:16 AM, andres sarmiento <[EMAIL PROTECTED]> wrote:
> > > > > > Dear all:
> > > > > > I currently have a server running Debian Etch on which I installed openldap. The server is currently up and works locally.
> > > > > > The problem arises when I need to authenticate a remote user.
> > > > > >
> > > > > > If a user created in LDAP authenticates via SSH there is no problem. The problem occurs when that user needs to authenticate from another application, for example via the web.
> > > > > > I would appreciate some guidance. I followed this howto:
> > > > > > http://moduli.net/sysadmin/sarge-ldap-auth-howto.html
> > > > > >
> > > > > > I followed all the steps, but nothing happens.
> > > > > > Attached are the configuration files slapd.conf, pam_ldap.conf and nsswitch.conf
> > > > > >
> > > > > > ### For slapd.conf ####################################
> > > > > > john:/home/andres# cat /etc/ldap/slapd.conf
> > > > > > # This is the main slapd configuration file. See slapd.conf(5) for more
> > > > > > # info on the configuration options.
> > > > > >
> > > > > > #######################################################################
> > > > > > # Global Directives:
> > > > > >
> > > > > > # Features to permit
> > > > > > #allow bind_v2
> > > > > >
> > > > > > # Schema and objectClass definitions
> > > > > > include /etc/ldap/schema/core.schema
> > > > > > include /etc/ldap/schema/cosine.schema
> > > > > > include /etc/ldap/schema/nis.schema
> > > > > > include /etc/ldap/schema/inetorgperson.schema
> > > > > >
> > > > > > # Where the pid file is put. The init.d script
> > > > > > # will not stop the server if you change this.
> > > > > > pidfile /var/run/slapd/slapd.pid
> > > > > >
> > > > > > # List of arguments that were passed to the server
> > > > > > argsfile /var/run/slapd/slapd.args
> > > > > >
> > > > > > # Read slapd.conf(5) for possible values
> > > > > > loglevel 0
> > > > > >
> > > > > > # Where the dynamically loaded modules are stored
> > > > > > modulepath /usr/lib/ldap
> > > > > > moduleload back_bdb
> > > > > >
> > > > > > # The maximum number of entries that is returned for a search operation
> > > > > > sizelimit 500
> > > > > >
> > > > > > # The tool-threads parameter sets the actual amount of cpu's that is used
> > > > > > # for indexing.
> > > > > > tool-threads 1
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Backend Directives for bdb:
> > > > > > # Backend specific directives apply to this backend until another
> > > > > > # 'backend' directive occurs
> > > > > > backend bdb
> > > > > > checkpoint 512 30
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Backend Directives for 'other':
> > > > > > # Backend specific directives apply to this backend until another
> > > > > > # 'backend' directive occurs
> > > > > > #backend <other>
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Directives for database #1, of type bdb:
> > > > > > # Database specific directives apply to this database until another
> > > > > > # 'database' directive occurs
> > > > > > database bdb
> > > > > >
> > > > > > # The base of your directory in database #1
> > > > > > suffix "dc=ldap,dc=spcservices,dc=com"
> > > > > >
> > > > > > # rootdn directive for specifying a superuser on the database. This is needed
> > > > > > # for syncrepl.
> > > > > > # rootdn "cn=admin,dc=ldap,dc=spcservices,dc=com"
> > > > > >
> > > > > > # Where the database file are physically stored for database #1
> > > > > > directory "/var/lib/ldap"
> > > > > >
> > > > > > # For the Debian package we use 2MB as default but be sure to update this
> > > > > > # value if you have plenty of RAM
> > > > > > dbconfig set_cachesize 0 2097152 0
> > > > > >
> > > > > > # Sven Hartge reported that he had to set this value incredibly high
> > > > > > # to get slapd running at all. See http://bugs.debian.org/303057
> > > > > > # for more information.
> > > > > >
> > > > > > # Number of objects that can be locked at the same time.
> > > > > > dbconfig set_lk_max_objects 1500
> > > > > > # Number of locks (both requested and granted)
> > > > > > dbconfig set_lk_max_locks 1500
> > > > > > # Number of lockers
> > > > > > dbconfig set_lk_max_lockers 1500
> > > > > >
> > > > > > # Indexing options for database #1
> > > > > > index objectClass eq
> > > > > >
> > > > > > # Save the time that the entry gets modified, for database #1
> > > > > > lastmod on
> > > > > >
> > > > > > # Where to store the replica logs for database #1
> > > > > > # replogfile /var/lib/ldap/replog
> > > > > >
> > > > > > # The userPassword by default can be changed
> > > > > > # by the entry owning it if they are authenticated.
> > > > > > # Others should not be able to see it, except the
> > > > > > # admin entry below
> > > > > > # These access lines apply to database #1 only
> > > > > > access to attrs=userPassword,shadowLastChange,gecos
> > > > > >         by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > > > > >         by self write
> > > > > >         by * read
> > > > > >
> > > > > > # Ensure read access to the base for things like
> > > > > > # supportedSASLMechanisms. Without this you may
> > > > > > # have problems with SASL not knowing what
> > > > > > # mechanisms are available and the like.
> > > > > > # Note that this is covered by the 'access to *'
> > > > > > # ACL below too but if you change that as people
> > > > > > # are wont to do you'll still need this if you
> > > > > > # want SASL (and possible other things) to work
> > > > > > # happily.
> > > > > > access to dn.base="" by * read
> > > > > >
> > > > > > # The admin dn has full write access, everyone else
> > > > > > # can read everything.
> > > > > > access to *
> > > > > >         by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > > > > >         by * read
> > > > > >
> > > > > > # For Netscape Roaming support, each user gets a roaming
> > > > > > # profile for which they have write access to
> > > > > > #access to dn=".*,ou=Roaming,o=morsnet"
> > > > > > #        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > > > > > #        by dnattr=owner write
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Directives for database #2, of type 'other' (can be bdb too):
> > > > > > # Database specific directives apply to this database until another
> > > > > > # 'database' directive occurs
> > > > > > #database <other>
> > > > > >
> > > > > > # The base of your directory for database #2
> > > > > > #suffix "dc=debian,dc=org"
> > > > > >
> > > > > > ###########################################################################
> > > > > > For /etc/ldap/ldap.conf
> > > > > >
> > > > > > john:/home/andres# cat /etc/ldap/ldap.conf
> > > > > > # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
> > > > > > #
> > > > > > # LDAP Defaults
> > > > > > #
> > > > > >
> > > > > > # See ldap.conf(5) for details
> > > > > > # This file should be world readable but not world writable.
> > > > > >
> > > > > > BASE dc=ldap,dc=spcservices,dc=com
> > > > > > URI ldap://172.31.20.3
> > > > > >
> > > > > > #SIZELIMIT 12
> > > > > > #TIMELIMIT 15
> > > > > > #DEREF never
> > > > > >
> > > > > > ############################################################################
> > > > > > For /etc/nsswitch.conf
> > > > > >
> > > > > > john:/home/andres# cat /etc/nsswitch.conf
> > > > > > # /etc/nsswitch.conf
> > > > > > #
> > > > > > # Example configuration of GNU Name Service Switch functionality.
> > > > > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > > > > # `info libc "Name Service Switch"' for information about this file.
> > > > > >
> > > > > > passwd: ldap compat
> > > > > > group: ldap compat
> > > > > > shadow: compat
> > > > > >
> > > > > > hosts: files dns
> > > > > > networks: files
> > > > > >
> > > > > > protocols: db files
> > > > > > services: db files
> > > > > > ethers: db files
> > > > > > rpc: db files
> > > > > >
> > > > > > netgroup: nis
> > > > > >
> > > > > > Thanks in advance for any replies, since I can't find a way to make it work.
> > > > > > Kind regards
> > > > >
> > > > > In /etc/nsswitch.conf you should have:
> > > > >
> > > > > # /etc/nsswitch.conf
> > > > > #
> > > > > # Example configuration of GNU Name Service Switch functionality.
> > > > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > > > # `info libc "Name Service Switch"' for information about this file.
> > > > >
> > > > > passwd: files ldap
> > > > > group: files ldap
> > > > > shadow: files ldap
> > > > >
> > > > > hosts: files dns
> > > > > networks: files
> > > > >
> > > > > protocols: db files
> > > > > services: db files
> > > > > ethers: db files
> > > > > rpc: db files
> > > > >
> > > > > netgroup: nis
> > > > >
> > > > > and in /etc/pam.d/ you should have a configuration file for authentication in apache, or whichever web server you are using, containing:
> > > > >
> > > > > @include common-auth
> > > > > @include common-account
> > > > >
> > > > > That should be enough.
> > > > >
> > > > > I also recommend using phpldapadmin to manage the ldap.
> > > > >
> > > > > --
> > > > > Manuel Garcia
> > > > > Administrador de redes y servidores
> > > > > Corporacion Lynqus
> > > > > Debian GNU/Linux 4.1
> > > > > codename "Lenny"
> > > >
> > > > Many thanks Manuel for the help. I modified /etc/nsswitch.conf and installed phpldapadmin, but I don't quite understand the part about the PAM file.
> > > >
> > > > I attach the contents of the files, maybe I have something misconfigured:
> > > >
> > > > ######## For /etc/pam.d/common-account
> > > >
> > > > john:~# cat /etc/pam.d/common-account
> > > > #
> > > > # /etc/pam.d/common-account - authorization settings common to all services
> > > > #
> > > > # This file is included from other service-specific PAM config files,
> > > > # and should contain a list of the authorization modules that define
> > > > # the central access policy for use on the system. The default is to
> > > > # only deny service to users whose accounts are expired in /etc/shadow.
> > > > #
> > > > #account required pam_unix.so
> > > > account sufficient pam_unix.so
> > > > account sufficient pam_ldap.so
> > > > account required pam_deny.so
> > > >
> > > > #### For /etc/pam.d/common-session
> > > >
> > > > john:~# cat /etc/pam.d/common-session
> > > > #
> > > > # /etc/pam.d/common-session - session-related modules common to all services
> > > > #
> > > > # This file is included from other service-specific PAM config files,
> > > > # and should contain a list of modules that define tasks to be performed
> > > > # at the start and end of sessions of *any* kind (both interactive and
> > > > # non-interactive). The default is pam_unix.
> > > > #
> > > > session required pam_unix.so
> > > >
> > > > ### For /etc/pam.d/common-auth
> > > >
> > > > john:~# cat /etc/pam.d/common-auth
> > > > #
> > > > # /etc/pam.d/common-auth - authentication settings common to all services
> > > > #
> > > > # This file is included from other service-specific PAM config files,
> > > > # and should contain a list of the authentication modules that define
> > > > # the central authentication scheme for use on the system
> > > > # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
> > > > # traditional Unix authentication mechanisms.
> > > > #
> > > > #auth required pam_unix.so nullok_secure
> > > > auth sufficient pam_unix.so
> > > > auth sufficient pam_ldap.so use_first_pass
> > > > auth required pam_deny.so
> > > >
> > > > Well, that is the PAM configuration. I can tell you that I am able to log in and change a user's password from another computer with the command:
> > > >
> > > > ldappasswd -x -D cn=admin,dc=ldap,dc=spcservices,dc=com -W -S uid=nihat,ou=people,dc=ldap,dc=spcservices,dc=com -h 172.31.20.3
> > > >
> > > > I find it strange that it cannot be done from another application.
> > > >
> > > > I look forward to your comments.
> > > > Regards and have a nice day!!!
> > >
> > > in /etc/pam.d/ you must have a file for each application: samba, apache, ssh, etc.
> > >
> > > --
> > > Manuel Garcia
> > > Administrador de redes y servidores
> > > Corporacion Lynqus
> > > Debian GNU/Linux 4.1
> > > codename "Lenny"
> >
> > Ok, but in this case apache is remote, that is, it is not installed on the machine with LDAP.
> > Look, let me explain:
> >
> > Gateway with Astaro (security firewall, etc, etc)
> > Debian server (Ldap)
> >
> > So I need the Astaro gateway to talk to the Debian server.
> > So I don't understand configuring a file for astaro inside /etc/pam.d/ on the Debian server.
> >
> > I attach an image of the LDAP configuration from Astaro.
> >
> > Regards and many thanks
>
> That is more complex and involves the IPs, etc. I have everything set up on a single server, so I won't be able to help you much more. Good luck with it.
>
> --
> Manuel Garcia
> Administrador de redes y servidores
> Corporacion Lynqus
> Debian GNU/Linux 4.1
> codename "Lenny"

OK, many thanks for the help, I will keep looking into it. Cheers
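The slapd.conf quoted in the original message ends its userPassword ACL with `by * read`, so any client that can reach port 389, including one bound anonymously, can read every user's password hash. As an added example that is not from the thread, the same stanza in the form Debian ships it: simple binds from a remote client such as the gateway still succeed, because `auth` is the privilege a bind needs, but nobody except the admin DN and the entry itself can read the hash. gecos is left out of the restricted set on purpose, since nss_ldap reads it for ordinary lookups.

```text
# /etc/ldap/slapd.conf, database #1 ACLs (added example, not the poster's file)
# Within one "access to" stanza the first matching "by" clause wins,
# so "by * none" must come last.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
        by anonymous auth
        by self write
        by * none

# Base entry stays readable so clients can discover supportedSASLMechanisms.
access to dn.base="" by * read

# Everything else (uid, uidNumber, gecos, homeDirectory, ...) readable,
# which is what NSS lookups from a client need.
access to *
        by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
        by * read
```

After changing the ACL, an anonymous `ldapsearch -x -h 172.31.20.3 -b dc=ldap,dc=spcservices,dc=com userPassword` should return entries without the userPassword attribute, while the remote application's bind still works.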