problems with pam ldap ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ok
so now my configuration looks like this 

# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion

and ldap.conf :

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group  ou=People,dc=pol,dc=ro

and pam system-auth :

auth    required     pam_env.so
auth    [success=ignore default=1] pam_localuser.so
auth    [success=done new_authtok_reqd=done default=1]  pam_unix.so 
likeauth nullok try_first_pass
auth    sufficient pam_ldap.so try_first_pass
auth    required     pam_deny.so

account    sufficient   pam_unix.so
account    required     pam_access.so
account    sufficient   pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=2 dcredit=2 
ocredit=2 retry=1
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
#Creates the home directories if they do not exist
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional     pam_ldap.so


but with all this all users could login to the system with no problem 






> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > I'm using the fedora directory server for centralized
> > authentication , and i have made users with posix account and i
> > put them in ou=People like this :
>
> [snip]
>
> > # Server1, Groups, pol.ro
> > dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> > description: group for users that have access on server 1
> > objectClass: top
> > objectClass: groupofuniquenames
> > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> > cn: Server1
>
> [snip]
>
> > and my ldap.conf looks like this :
> >
> > URI ldap://lacatzel.pol.ro
> > port=389
> > BASE dc=pol,dc=ro
> > host lacatzel.pol.ro
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT allow
> > scope sub
> > bind_policy soft
> > #pam_password exop
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
>
> [snip]
>
> The combination of the pam_groupdn and pam_member_attribute
> settings you have here instructs pam_ldap to check for the user's
> DN among the values for the group object's "memberUid" attribute,
> but the user's DN is stored in the "uniqueMember" attribute.  Try
> changing that (or removing it, because "pam_member_attribute
> uniquemember" is the default).
>
> But if that were the only problem, I'd expect that none of your
> users would be able to log in.  You should probably double-check
> that your PAM configuration is able to deny users entry when
> pam_ldap's account management function (which is the part that
> checks group membership) returns a failure.
>
> HTH,
>
> Nalin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users





[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux