Hi Damon,
Damon Getsman wrote:
> I struggled for some time trying to get LDAP and PAM to work together
> well enough to be able to authenticate successfully on a couple of
> Ubuntu machines here. Now that it's working successfully we want to
> move our OpenSuSE Linux server cluster to be utilizing LDAP; that way
> the SunRays that they serve can be much more centrally administrated...
> Doing password and other various user changes across the entire array of
> Linux machines has been a nightmare.
Makes sense.
> Anyway, now that I'm starting to know LDAP fairly well, I just dropped
> the working PAM configuration files into /etc/pam.d on one of the
> machines in our server cluster.
What OpenSuSE version is this? What version of SLES does it correspond
to? Have you also configured naming services (/etc/nsswitch.conf) to use
LDAP?
Which files did you drop into /etc/pam.d?
I assume that you replaced the /etc/pam.d/common-{auth,account,password}
files. If so, that should normally work for Sun Ray sessions, if it
works for other services.
> Well, all of the standard Linux
> services (su, sshd, login, chsh, EVERYTHING) worked just fine relying
> only on the LDAP directory for authentication (this is OpenLDAP, btw,
> not one of Sun's directory services, which I've only been able to get
> working with the Calendar suite for its own data). Unfortunately, gdm
> and the SunRay services refuse to authenticate with that data.
Does gdm also refuse to authenticate on the console (or in an XDMCP
session from another host) with these settings, or is it really a Sun
Ray specific issue?
Additionally: How does it refuse to authenticate? Are there any messages
in the system logs about the failed authentications?
> I had to
> restore /etc/pam.d from backup in order to get the SunRays to let anyone
> authenticate.
/etc/pam.d is modular for a reason. You should be able to modify just
/etc/pam.d/gdm to point to copies of the old common-* files and leave
LDAP active for other services. Then you can investigate where things
break, if you point gdm to LDAP again.
One more question: what architecture are you using? What version of gdm
(and from where)? If you are using a 64-bit system, please note that (up
to and including SRSS 4.0) the Sun Ray PAM modules are 32-bit only and the
gdm shipping with Sun Ray is 32-bit, so any PAM modules you use need to
have 32-bit versions installed and the /etc/pam.d files must be set up
accordingly.
> Does anybody out there have a SunRay/SRSS system set up that is using
> OpenLDAP? I started looking through the various files in pam.d that
> SRSS seems to rely heavily on and I see that they're full of libraries
> which appear to be (big surprise) nonstandard and Sun proprietary.
None of these really do system authentication. You can drop most of them
(losing some Sun Ray functionality on the way) or leave them where they
are - they should work together with LDAP authentication. See Bob's mail
for more detail.
HTH
- Jörg
_______________________________________________
SunRay-Users mailing list
http://www.filibeto.org/mailman/listinfo/sunray-users
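An added check for the two points in Jörg's reply (keep gdm on copies of the old common-* files while other services use LDAP, and make sure every module gdm loads has a 32-bit build); this is example code written for this thread, not anything from the list or from SRSS. It assumes the SUSE layout where 32-bit PAM modules live in /lib/security, and it builds its own constructed pam.d tree rather than touching /etc.

```shell
#!/bin/sh
# Constructed example, not code from the thread: list the PAM modules a
# pam.d service file loads (following include/substack lines) and report
# those with no copy under LIB32. Sun Ray gdm and the SRSS PAM modules are
# 32-bit, so every module gdm loads needs a 32-bit build. Paths are assumed.
PAMD=${PAMD:-/etc/pam.d}        # service files
LIB32=${LIB32:-/lib/security}   # where 32-bit modules live on x86_64 SUSE

# Print each module referenced by service $1, recursing through includes.
pam_modules() {
    sed 's/#.*//' "$PAMD/$1" | awk '
        NF < 3 { next }
        $2 == "include" || $2 == "substack" { print "INCLUDE", $3; next }
        {
            # the control field may be a bracketed list: [success=ok default=bad]
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            if (++i <= NF) print "MODULE", $i
        }' | while read -r kind name; do
            case $kind in
                INCLUDE) pam_modules "$name" ;;
                MODULE)  printf '%s\n' "${name##*/}" ;;   # strip any path prefix
            esac
        done | sort -u
}

# Modules loaded by service $1 that have no file under LIB32.
missing_32bit() {
    pam_modules "$1" | while read -r mod; do
        [ -e "$LIB32/$mod" ] || printf '%s\n' "$mod"
    done
}

# Constructed pam.d tree in the shape the thread suggests: gdm pinned to a
# copy of the old common-auth, other services on the LDAP-enabled one.
make_sample() {   # $1 = scratch directory
    mkdir -p "$1/pamd" "$1/lib32"
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix2.so use_first_pass\n' \
        > "$1/pamd/common-auth"
    printf 'auth required pam_unix2.so\n' > "$1/pamd/common-auth-local"
    printf 'auth [success=ok default=bad] pam_nologin.so # bracketed control\n%s\n%s\n' \
        'auth required pam_localuser.so' 'auth include common-auth-local' > "$1/pamd/gdm"
    printf 'auth include common-auth\n' > "$1/pamd/sshd"
    touch "$1/lib32/pam_unix2.so" "$1/lib32/pam_nologin.so"   # 32-bit copies present
}

tmp=$(mktemp -d) && make_sample "$tmp"
PAMD=$tmp/pamd; LIB32=$tmp/lib32
echo "gdm modules without a 32-bit copy:"; missing_32bit gdm   # prints pam_localuser.so
```

Run against a real box as `PAMD=/etc/pam.d LIB32=/lib/security missing_32bit gdm` after sourcing the functions; anything it lists is a module the 32-bit Sun Ray gdm cannot load.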