Trouble setting up pam passthru plugin


 



Paul Engle wrote:
>
>
> Hi all,
>   I'm trying to set up our FDS 1.0.2 server  to do the PAM passthrough 
> authentication for simple binds so that we don't have to store passwords in 
> the DS. I'm new to FDS, but not to LDAP or kerberos. Something is wonky, 
> though, and I'm at a loss.
>
> I've compiled the pam-passthru-plugin.so library, and configured it 
> according to the README doc for that plugin. The plugin is showing as 
> loaded, and the response I'm getting back indicates that it is trying to do 
> the check, so I don't think it's a config issue with the plugin.
>
> However, I'm getting conflicting log entries as to the success of the 
> authentication. The slapd error logs are showing:
>
> [15/May/2006:14:22:49 -0500] pam_passthru-plugin - Expired PAM password for 
> user id [pengle], bind DN [uid=pengle,ou=people,dc=rice,dc=edu]: reset 
> required
>
> But, /var/log/messages is reporting:
>
> May 15 14:22:49 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 
> 'pengle' (pengle at RICE.EDU)
>
> So, it looks like the kerberos auth is working, but whatever response the 
> ldap server is getting isn't being interpreted as a success.
>
> I'm not a pam guru, so my /etc/pam.d/ldapserver is very basic:
>
> #%PAM-1.0
> auth        required     /lib/security/$ISA/pam_krb5.so debug no_user_check
>
> In case it's an issue, this is a RHEL4 box. And the command I'm testing 
> with is
>
> /usr/bin/ldapsearch -x -W -H 'ldaps://ldap1.rice.edu:636' -D 
> "uid=pengle,ou=People,dc=rice,dc=edu" -b "ou=People,dc=rice,dc=edu" 
> '(uid=pengle)'
>
> Have I done something obviously wrong? If anyone has gotten this to work 
> and can give me some pointers, I'd be very grateful. As far as I know, our 
> kerberos repository doesn't do password aging, so I don't understand the 
> error.
>   
I'm not really sure.
# You can enable plug-in debug logging which may give some more 
indication of the problem, but this will slow down the server.  So if 
you need to run with logging on in production, do so only for a short 
period of time.  http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting
# pam_passthru-plugin also allows for something called "exclude 
suffix". So you can create a suffix dc=local and have a user called 
uid=test and see if that succeeds.
# Are there any 8 bit characters in your password?

> Thanks for your time,
>   -paul
>
> - -- 
> Paul D. Engle                | Rice University
> Sr. Systems Administrator    | Information Technology - MS119
> (713) 348-4702               | P.O. Box 1892
> pengle at rice.edu              | Houston, TX 77251-1892
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   