Prashanth Sundaram wrote:
> Hello,
>
> PS: I am sorry to paste such a big error log.
>
> I spent some time tweaking around the PAM PTA plug-in, so I can authenticate users against Active Directory. I configured the PAM PTA plug-in, krb5.conf, and /etc/pam.d/ldapserver for Kerberos authentication against AD.
>
> So to begin with I had only one user in 389-ds which is the same as the local account name (uid=psundaram) on the DS. With all the configuration set, I was able to get the ldapsearch working for this user. Even when I change the password on the AD side, I can use the new password to show ldif results.
>
> [root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=psundaram,ou=People,dc=fedorads,dc=net" -W -x
>
> [root@centos-lin ~]# less /var/log/dirsrv/slapd-centos-lin/errors
> [21/Sep/2009:18:08:30 -0400] NSACLPlugin - #### conn=2 op=1 binddn=""
> [21/Sep/2009:18:08:30 -0400] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(cn=change-sie-password,cn=commands,cn=admin-serv-centos-lin,cn=389 administration server,cn=server group,cn=centos-lin.fedorads.net,ou=fedorads.net,o=netscaperoot).attr(nsExecRef) to anonymous: no aci matched the subject by aci(16): aciname= "SIE Group (centos-lin)", acidn="o=netscaperoot"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(dc) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on attr): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(cn) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
>
> But when I created another account, uid=tjordan, which exists in AD as well (but does not have a local account like the above user), the authentication fails.
>
> [root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=tjordan,ou=People,dc=fedorads,dc=net" -W -x
> Enter LDAP Password:
> ldap_bind: Operations error (1)
> additional info: Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
>
> less /var/log/dirsrv/slapd-centos-lin/errors
> [21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
> [21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
>
> From what I see, there is something related to anonymous bind, but I am not sure what that is. Can someone help me understand what the problem is and how I can fix it, if you know?

Does it work if you create a local user account for uid=tjordan?

> Here is my PAM PTA
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: libpam-passthru-plugin
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: cn=config
> pamExcludeSuffix: o=NetscapeRoot
> pamIDMapMethod: RDN
> pamIDAttr: notUsedWithRDNMethod
> pamFallback: FALSE
> pamSecure: FALSE
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.2.2
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> modifiersName: cn=directory manager
> modifyTimestamp: 20090921225438Z
>
> Thanks,
> Prashanth
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
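As an added illustration (not code from the thread or from the 389-ds plug-in), the Python below simulates the id mapping implied by the quoted pamIDMapMethod: RDN and pamExcludeSuffix settings and then checks the prerequisite the reply asks about, whether the mapped id resolves to a local account; the injectable resolver, the diagnose helper and the simplified DN parsing are assumptions of this example.

```python
"""Added illustration, not the 389-ds PAM PTA plug-in's own code: simulate the RDN
id mapping and pamExcludeSuffix handling from the quoted entry and check whether the
mapped id resolves to a local account. DN parsing is simplified (no escaped commas)."""
import pwd
from typing import Callable, List, Optional, Tuple

# Values taken from the quoted plug-in entry.
EXCLUDE_SUFFIXES = ["cn=config", "o=NetscapeRoot"]

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leftmost first, whitespace trimmed."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it; RDNs are compared case-insensitively."""
    d = [(a.lower(), v.lower()) for a, v in split_dn(dn)]
    s = [(a.lower(), v.lower()) for a, v in split_dn(suffix)]
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def pam_user_id(bind_dn: str, exclude: List[str] = EXCLUDE_SUFFIXES) -> Optional[str]:
    """RDN mapping: the value of the leftmost RDN becomes the PAM user id.
    Anonymous binds and DNs under an excluded suffix are not passed through (None)."""
    if not bind_dn or any(dn_under_suffix(bind_dn, sfx) for sfx in exclude):
        return None
    return split_dn(bind_dn)[0][1]

def local_account_exists(user: str,
                         resolver: Callable[[str], object] = pwd.getpwnam) -> bool:
    """The prerequisite the reply asks about: does the id resolve to a local account?
    resolver is injectable (assumed helper) so the check can run on constructed data."""
    try:
        resolver(user)
        return True
    except KeyError:
        return False

def diagnose(bind_dn: str, resolver: Callable[[str], object] = pwd.getpwnam) -> str:
    """Summarise what the plug-in would do for a bind DN (assumed helper)."""
    user = pam_user_id(bind_dn)
    if user is None:
        return "not passed to PAM (anonymous or excluded suffix)"
    if not local_account_exists(user, resolver):
        return f"passed to PAM as '{user}', but no local account resolves"
    return f"passed to PAM as '{user}', local account found"
```

Calling diagnose() with the default resolver queries the host's passwd database; pass a dict-backed lambda as the resolver to test against constructed account data.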