Re: [rlug] OpenLDAP with PAM

Mon, 21 Nov 2005 11:16:28 -0800 

On Mon, Nov 21, 2005 at 08:13:47PM +0200, Alexandru Ionica wrote:
> > 'getent shadow lucica' nu da nimic. In schimb pt. useri din /etc/shadow
> > scrie ce ar trebui. Asta nu mi se pare normal. nss problem?
> da , nss nu merge deloc, eu credeam ca la getent passwd iti arata si useri
> din ldap

Don't get me wrong, 'getent passwd' da si userii din ldap, iar 'getent
shadow' nu da si userii din ldap. 

> ...

Main point, am facut configurarile respective, si am observat
urmatoarele:
'getent passwd' nu mai da userii din ldap, decat daca ii pun
rootbinddn.
Fara rootbinddn, pam_ldap ma injura si el:

[EMAIL PROTECTED]:~# su - lucica
su: Authentication service cannot retrieve authentication info.
(Ignored)
I have no [EMAIL PROTECTED]:~$

I have no [EMAIL PROTECTED]:~$ id
uid=3001 gid=3000 groups=3000

Si:
Nov 21 20:42:27 odin slapd[23005]: => acl_mask: access to entry
"uid=lucica,ou=people,dc=ict4u,dc=ro", attr "uid" requested 
Nov 21 20:42:27 odin slapd[23005]: => acl_mask: to value by "", (=n)  
Nov 21 20:42:27 odin slapd[23005]: <= check a_dn_pat:
cn=admin,dc=ict4u,dc=ro 
Nov 21 20:42:27 odin slapd[23005]: <= acl_mask: no more <who> clauses,
returning =n (stop) 
Nov 21 20:42:27 odin slapd[23005]: => access_allowed: search access
denied by =n 



In general am inteles fiecare ce rol are, cu exceptia urmatoare: cine
cum ce face cu parola? Daca pam_ldap o hash-uieste, atunci daca slapd
tine parolele in alt format (am vazut parca ca foloseste sha1), atunci
ce-am facut? De-asta am lasat eu clear peste tot. Si pana la urma parola
hashed/not hashed cine cui cum i-o trimite? slapd lui pam_ldap mi se
pare mie logic. pam_ldap ar putea mai departe sa ia seed-uri, trage un
hash peste parola in clear cu acelasi seed si compara. Dar asta se
intampla? Trebuie sa caut mai adanc.

Anyway main point: still not working.

PS: Folosesc Debian etch (i.e. testing). Sa fie vreo problema si iau
pachetele corespunzatoare stable-ului? Ce versiuni de pachete ai
folosit?

_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug

Raspunde prin e-mail lui