grep base /etc/ldap.conf
----------------------------------
#scope base
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# nss_base_passwd ou=People,
# to append the default base DN but this
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
#nss_base_passwd ou=aixaccount,?one
#nss_base_group ou=aixgroup,?one
---------------------------------------------------------------------------

OK, so I was expecting some base which binds it to FDS... but did not find any such thing here, which gives the impression that system-config-authentication is not working properly in CentOS 5.3. My assumption may be wrong... so if I put an entry in this like (base dc=vfds,dc=local) and then boot the client machine, can I expect it to work then?

Waiting for the advice... in the meantime I am rebooting the machine.

Many thanks in advance,
--H

On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
>
> Hakuna Matata wrote:
>
>> Jean
>> Thanks for a quick reply.
>>
>> Client IP address is 192.168.5.4
>> yes these files are from client only.
>
> all files seem correct (in system-auth the interesting lines are the ones with
> pam_ldap.so)
> So maybe the base to search in the tree is misconfigured in
> /etc/ldap.conf
>
> you previously showed the /etc/ldap.conf:
> uri ldap://192.168.5.1
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> can you show the output of the command:
> grep base /etc/ldap.conf
> with only the lines that are uncommented; normally this will show the
> distinguished name of the search base,
> and this must correspond with the tree in your FDS
>
>
>> */etc/pam.d/system-auth*
>>
>> ------------------------------------------------
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>> -----------------------------------------------------------------------
>>
>> and */etc/pam.d/login*
>>
>> #%PAM-1.0
>> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
>> auth include system-auth
>> account required pam_nologin.so
>> account include system-auth
>> password include system-auth
>> # pam_selinux.so close should be the first session rule
>> session required pam_selinux.so close
>> session include system-auth
>> session required pam_loginuid.so
>> session optional pam_console.so
>> # pam_selinux.so open should only be followed by sessions to be executed in the user context
>> session required pam_selinux.so open
>> session optional pam_keyinit.so force revoke
>> ----------------------------------------------------------------------------------
>>
>> what is the *uid of the user test01 in the FDS*
>>
>> uid is t01
>>
>> and under Posix user
>>
>> uid number = 2223 (I manually gave this)
>> gid number = 2223
>> home directory = /home/test
>> login shell = /bin/test
>>
>> and then I created a directory with the name "test" under /home, e.g.
>> mkdir /home/test
>>
>> Best Regards
>> --H
>>
>> On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
>>
>>> hi,
>>>
>>> ok, I suppose the IP address of the server is 192.168.5.1 (right?)
>>> and you have a client (a CentOS 5.3) with an IP address unknown to us.
>>>
>>> I suppose the nsswitch.conf and /etc/ldap.conf below are on the
>>> client so it is correct
>>>
>>> Then can you show the files /etc/pam.d/system-auth and
>>> /etc/pam.d/login that are on the client please
>>>
>>> then can you tell us what is the uid of the user test01 in the FDS
>>>
>>> Hakuna Matata wrote:
>>>
>>>> yes, my nsswitch.conf file is as below.
>>>> passwd: files ldap
>>>> shadow: files ldap
>>>> group: files ldap
>>>>
>>>> ethers: files
>>>> netmasks: files
>>>> networks: files
>>>> protocols: files
>>>> rpc: files
>>>> services: files
>>>>
>>>> netgroup: files ldap
>>>>
>>>> publickey: nisplus
>>>>
>>>> automount: files ldap
>>>> aliases: files nisplus
>>>>
>>>> and /etc/ldap.conf file contains
>>>> uri ldap://192.168.5.1
>>>> ssl no
>>>> tls_cacertdir /etc/openldap/cacerts
>>>> pam_password md5
>>>>
>>>> ---- I am still not able to authenticate...
>>>>
>>>> Best Regards
>>>> --H
>>>>
>>>> On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov <amirov at infinet.ru> wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> Is ldap://ldap.vfds.local correct?
>>>>> Please, try this command:
>>>>>
>>>>> ping ldap.vfds.local
>>>>>
>>>>> If it pings, then try the getent command to check that ldap users are
>>>>> present in your system:
>>>>> getent passwd
>>>>>
>>>>> If it does not ping, then you need to use an FQDN or IP address, like this:
>>>>>
>>>>> ldap://1.2.3.4
>>>>> ldap://example.com
>>>>>
>>>>> Hakuna Matata wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am new to FDS, I have set this up as per the documentation. It is
>>>>>> working fine.
>>>>>> Now I want the linux client (CentOS 5.3) to authenticate with FDS.
>>>>>>
>>>>>> hostname of FDS = ldap.fds.local
>>>>>>
>>>>>> I created a user test01 and filled in the posix information
>>>>>>
>>>>>> on the client machine I am using system-config-authentication
>>>>>> 1. checked the LDAP box and filled in the details as:
>>>>>>    LDAP search base dn = dc=vfds,dc=local
>>>>>>    LDAP Server = ldap://ldap.vfds.local
>>>>>>
>>>>>> then I rebooted the machine and tried to login via user test01. now
>>>>>> it is showing an error that the username or password is incorrect.
>>>>>>
>>>>>> I would really appreciate it if someone can give me some pointer or help
>>>>>> on where I am doing wrong.
>>>>>>
>>>>>> Many Thanks in advance
>>>>>> Best regards
>>>>>> --H
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
>>>
>
> --
> Jean-Noel Chardron
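The two things this thread circles around are a client `/etc/ldap.conf` with no `base` directive and a client that binds with `ssl no`. The script below is an added example, not code from the thread or from 389/FDS: it audits an nss_ldap/pam_ldap style `ldap.conf` for a search base, checks each `nss_base_*` entry against it, and flags a cleartext bind. The two sample configs are constructed for the example (the first mirrors what the poster showed, the second is a hypothetical fix for a `dc=vfds,dc=local` tree on 192.168.5.1); the directive names (`base`, `uri`, `ssl`, `nss_base_*`, `tls_cacertdir`, `tls_checkpeer`) are the real nss_ldap ones.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nss_ldap/pam_ldap
# /etc/ldap.conf for a missing search base and a cleartext bind.
# Sample configs below are constructed; dc=vfds,dc=local and
# 192.168.5.1 are taken from the thread, the "fixed" file is hypothetical.

# Print the effective (uncommented, non-blank) directives of a conf file.
ldap_effective_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Print the value of one directive (first match), or nothing if unset.
# nss_ldap keywords are case-insensitive and separated from the value by whitespace.
ldap_directive() {
    ldap_effective_lines "$2" |
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Emit one finding per line, tagged OK / WARN / MISSING / CLEARTEXT.
# Always returns 0 so it is safe to call under "set -e".
ldap_conf_audit() {
    conf=$1
    base=$(ldap_directive base "$conf")
    uri=$(ldap_directive uri "$conf")
    ssl=$(ldap_directive ssl "$conf")

    if [ -z "$base" ]; then
        echo "MISSING base: no default search base is set, so nss_ldap/pam_ldap have nowhere to look for the user"
    else
        echo "OK base $base"
    fi

    # nss_base_* values are "dn?scope?filter"; the dn must either sit under
    # the base or end in a comma, in which case nss_ldap appends the base.
    ldap_effective_lines "$conf" | awk '$1 ~ /^nss_base_/ { print $1, $2 }' |
    while read -r key val; do
        dn=${val%%\?*}
        case "$dn" in
            *,)        echo "OK $key $dn (relative, base appended)" ;;
            *"$base")  if [ -n "$base" ]; then echo "OK $key $dn"
                       else echo "WARN $key $dn set but no base to check against"; fi ;;
            *)         echo "WARN $key $dn is outside search base '$base'" ;;
        esac
    done

    # pam_ldap verifies the password with a simple bind, which carries the
    # password itself; without ldaps or start_tls it crosses the wire in the
    # clear. pam_password only governs how password *changes* are written.
    case "$uri" in
        ldaps://*) echo "OK transport ldaps" ;;
        *) case "$ssl" in
               start_tls|yes|on) echo "OK transport $uri with ssl $ssl" ;;
               *) echo "CLEARTEXT bind to $uri (ssl ${ssl:-unset}); set 'ssl start_tls' and point tls_cacertdir at the FDS CA" ;;
           esac ;;
    esac
    return 0
}

# Constructed samples written to a temp dir so the block runs stand-alone.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/broken.conf" <<'EOF'
# what system-config-authentication left behind in the thread: no base
uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#nss_base_passwd ou=People,dc=example,dc=com?one
EOF

cat > "$tmpdir/fixed.conf" <<'EOF'
# hypothetical corrected client config for a dc=vfds,dc=local tree
base dc=vfds,dc=local
uri ldap://192.168.5.1
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
pam_password md5
nss_base_passwd ou=People,dc=vfds,dc=local?one
nss_base_shadow ou=People,dc=vfds,dc=local?one
nss_base_group  ou=Groups,?one
EOF

audit_broken() { ldap_conf_audit "$tmpdir/broken.conf"; }
audit_fixed()  { ldap_conf_audit "$tmpdir/fixed.conf"; }

audit_broken
echo "---"
audit_fixed
```

The audit is static; once `base` is in place, `getent passwd t01` (the uid the poster gave the account) confirms that NSS resolves the entry before PAM is involved, which separates a lookup problem from a bind problem. On CentOS 5 the same settings can be written by authconfig rather than by hand, e.g. `authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.5.1 --ldapbasedn="dc=vfds,dc=local" --enableldaptls --update`; without the TLS flag the client keeps `ssl no` and every login sends the user's password to the directory server unencrypted.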