Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>>>>grep base /etc/ldap.conf
----------------------------------
#scope base
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# nss_base_passwd       ou=People,
# to append the default base DN but this
#nss_base_passwd        ou=People,dc=example,dc=com?one
#nss_base_shadow        ou=People,dc=example,dc=com?one
#nss_base_group         ou=Group,dc=example,dc=com?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
#nss_base_passwd ou=aixaccount,?one
#nss_base_group ou=aixgroup,?one
---------------------------------------------------------------------------
 
OK, so i was expecting some base which are binding it to FDS.....but did not find here any such thing...which gives an impression that system-config-authentication is not working proberly in CentOS5.3. My assumption may be wrong....
 
so if i put some entry in this like (base dc=vfds,dc=local)...and then boot the client machine... can i expect it workin then.....
 
waiting for the advise....in the mean time i am rebooting the machine....
 
many thanks in advance...
 
 
--H

On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron <Jean-Noel.Chardron@xxxxxxxxxxxx> wrote:

Hakuna Matata a écrit :

Jean
Thanks for a quick reply.

Client IP address is 192.168.5.4
yes these files are from client only.

all files seem correct , (in system-auth the interresting line are with pam_ldap.so)
So may be, the base to search in the tree are misconfigured in the /etc/ldap.conf

you previously show the /etc/ldap.conf :

uri ldap://192.168.5.1 <http://192.168.5.1>
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

can you show the ouptut of the command :
grep base /etc/ldap.conf
with only the line that are uncommented , normaly this will show the distinguished name of the search base.
and this must correspond with the tree in your FDS




*/etc/pam.d/system-auth *

------------------------------------------------
 This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
-----------------------------------------------------------------------

and* /etc/pam.d/login  *

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
~                                                  ----------------------------------------------------------------------------------

 what is the *uid of the user test01 in the FDS*

uid is t01

and under Posix user

uid numbe  =2223                                (i manually gave this)
gid number=2223
home dire = /home/test
login shell=/bin/test


and then i create a directory with name "test" under /home ...........eg. mkdir /home/test




Best Regards
--H






On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron <Jean-Noel.Chardron@xxxxxxxxxxxx <mailto:Jean-Noel.Chardron@xxxxxxxxxxxx>> wrote:

   hi,

   ok , I suppose the ip adress of the server is  192.168.5.1 (right ?)
   and you have a client (a centos 5.3)  with unknow to us  ip address.

   I suppose the nsswitch.conf and /etc/ldap.conf below is on the
   client so it is correct

   Then can you show the files /etc/pam.d/system-auth and
   /etc/pam.d/login  that are on the client please

   then can you tell us  what is the uid of the user test01 in the FDS



   Hakuna Matata a écrit :


       yes, my nsswitch.conf file is as below.
       passwd:     files ldap
       shadow:     files ldap
       group:      files ldap

       ethers:     files
       netmasks:   files
       networks:   files
       protocols:  files
       rpc:        files
       services:   files

       netgroup:   files ldap

       publickey:  nisplus

       automount:  files ldap
       aliases:    files nisplus


       and /etc/ldap.conf file contains
       uri ldap://192.168.5.1 <http://192.168.5.1> <http://192.168.5.1>


       ssl no
       tls_cacertdir /etc/openldap/cacerts
       pam_password md5




       ----i am still not able to authenticate.......


       -best Regards
       --H

       On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov
       <amirov@xxxxxxxxxx <mailto:amirov@xxxxxxxxxx>
       <mailto:amirov@xxxxxxxxxx <mailto:amirov@xxxxxxxxxx>>> wrote:

          Hello

          Is it ldap://ldap.vfds.local correct?
          Please, try this command:

          ping ldap.vfds.local

          If pinging then try to use command getent to check that
       ldap users are
          present in your system.
          getent passwd

          If not pinging, then you need to use FQDN or ip-address,
       like this:

          ldap://1.2.3.4 <http://1.2.3.4> <http://1.2.3.4>
          ldap://example.com <http://example.com> <http://example.com>




          Hakuna Matata wrote:
          > Hi,
          >
          > I am new to FDS, i have set this up as per the
       documentation . It is
          > working fine .
          > Now want that linux client (CentOS 5.3) to authenticate
       with FDS.
          >
          > hostname of FDS = ldap.fds.local
          >
          > i create a user test01 and fill the posix information
          >
          > on client machine i am using system-config-authentiation
          > 1. check the LDAP box and filled the details as .
          > LDAP search base dn =                          dc=vfds,
       dc=local
          > LDAP Server =                                                      ldap://ldap.vfds.local
          >
          > then i rebooted the machine and trying to login via user
       test01. now
          > it is showing error as username or password incorrect.
          >
          >
          > i would really appreciate if someone can give me some
       pointer or
          help
          > where i am doing wrong.
          >
          > Many Thanks in advance
          > Best regards
          > --H
          >
          > --
          > 389 users mailing list
          > 389-users@xxxxxxxxxx <mailto:389-users@xxxxxxxxxx>
       <mailto:389-users@xxxxxxxxxx <mailto:389-users@xxxxxxxxxx>>


          >
       https://www.redhat.com/mailman/listinfo/fedora-directory-users
          >

          --
          389 users mailing list
          389-users@xxxxxxxxxx <mailto:389-users@xxxxxxxxxx>
       <mailto:389-users@xxxxxxxxxx <mailto:389-users@xxxxxxxxxx>>


          https://www.redhat.com/mailman/listinfo/fedora-directory-users


       ------------------------------------------------------------------------

       --
       389 users mailing list
       389-users@xxxxxxxxxx <mailto:389-users@xxxxxxxxxx>
       https://www.redhat.com/mailman/listinfo/fedora-directory-users
       



   --
   389 users mailing list
   389-users@xxxxxxxxxx <mailto:389-users@xxxxxxxxxx>
   https://www.redhat.com/mailman/listinfo/fedora-directory-users


------------------------------------------------------------------------

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 


--
Jean-Noel Chardron

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux