Re: [389-users] Documentation for pam pass

2010/3/26 Prashanth Sundaram <psundaram@xxxxxxxx>:
>
> Hi,
>
> Here’s how my PAM PTA looks. But I don’t think it is of much use.
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
> pamSecure: FALSE
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
Thanks again,
My file looks like yours except I have pamSecure because I need that
layer of security. It works with the krb pass-through. I have disabled
it for testing (secure, that is) to try passing through to LDAP.
>
> I don’t think the PTA will work against some other attribute which has same
> value as ‘uid’. You may have to hack the filters under the hood to be able
> to achieve that.
Well supposedly the pam_login_attribute can be passed through the
config files to the correct attribute. This is according to the PAM
PTA docs unless I have misunderstood.
>
> My first guess:
> If you use PAM-PTA, you still need some PAM module to specify the stack to
> be used for PTA. So you need ‘ldapserver01’ file enabled and there you
> define the translation of uid attribute to new attribute. I don’t know if
> this is do-able.
I am using ldapserver as the service file; in this I have pam_ldap as
the auth module pointing to a config file that specifies the attribute
map (see below).
>
> Can you post some logs, which will tell where the block is. How are you
> specifying the master ldap server(server to authenticate)?
Here is the failing block for PAM PTA. Looks like PAM is misconfigured,
but it looks right.
pam_passthru-plugin - => pam_passthru_bindpreop
pam_passthru-plugin - pam msg [0] = 1 Password:
pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
pam_passthru-plugin - <= handled (error 1 - Operations error)


In the ldapserver service file, I use the config=/pathtofile arg to
pam_ldap.so that points to a specific ldap.conf config file for this
action. In that I put the hostname, the port, the pam_login_attribute,
etc. I have also tried putting the master server params in
/etc/ldap.conf instead of a config file.

Looks like this:
auth    sufficient  /lib/security/pam_ldap.so  config=/pathtoldap.conf
account optional    /lib/security/pam_ldap.so


(error 1 - Operations error) is vague. I need it more verbose than this;
I will have to try logging more.

There does not appear to be a pluginarg attribute like with the PTA
plugin that allows you to specify the LDAP URL, so I am not sure how to
specify the destination server using PAM PTA. The doc says to use the
PAM service file, which is why I tried what I did above.

I would like to know if anyone is familiar with the code and can tell
me whether the service file (ldapserver) can hold ldap.conf-like params
or is merely for specifying auth, account, session, and password
parameters?

Thanks again

>
> -Prashanth
>
> ----------------------------
> Hey thanks man.
>
> I have PAM PTA with krb working fine as well.
> However, I am trying to pass through to another LDAP server; how can I
> go about doing that? The base of the tree on the other LDAP server is
> different; I want to use it to authenticate the accounts. The other
> tree has the equivalent of the uid attribute in a different attribute.
> I think my service file (ldapserver) is off. Anyone have PAM PTA to
> another LDAP server working? An example perhaps?
> I am getting operations errors trying to use PAM PTA. I know the
> passwords are correct so I am doing something incorrectly.
>
> pam_passthru-plugin - => pam_passthru_bindpreop
> pam_passthru-plugin - pam msg [0] = 1 Password:
> pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
> pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
> pam_passthru-plugin - <= handled (error 1 - Operations error)
>
> Thanks again
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
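The "error 1 - Operations error" block in the thread is hard to read at volume because the useful facts (which PAM call failed, the PAM return code, the user and bind DN, and the LDAP result 389 DS handed back) are spread over five lines of the errors log. The following is an added triage helper, written for this page and not code from the 389 Directory Server project or from anyone on the list. It reassembles each "=> pam_passthru_bindpreop ... <= handled" trace into one record, names the PAM return code (the subset of Linux-PAM codes listed is taken from the Linux-PAM headers; 6 is PAM_PERM_DENIED, the code in the posted log), and counts failed pass-through binds per user so repeated failures stand out. It assumes the optional "[dd/Mon/yyyy:HH:MM:SS zone]" prefix that 389 DS writes at the start of each errors-log line; the sample lines are constructed from the posted block with the e-mail line wrapping undone, plus a second, invented user svc_test.

```python
"""Triage helper for 389 DS errors-log lines from the PAM pass-through plugin
(pam_passthru-plugin). Added example, not code from the 389 project."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 389 DS prefixes each errors-log line with "[dd/Mon/yyyy:HH:MM:SS zone] "
# (assumption); the lines pasted to the list lack it, so it is optional here.
_PREFIX = r"^\s*(?:\[[^\]]+\]\s+)?pam_passthru-plugin - "
_RE_ENTER = re.compile(_PREFIX + r"=> pam_passthru_bindpreop")
_RE_PAM_ERR = re.compile(_PREFIX + r"Error from PAM during (\w+) \((\d+): ([^)]*)\)")
_RE_USER = re.compile(_PREFIX + r"Unknown PAM error \[([^\]]*)\] for user id "
                      r"\[([^\]]*)\], bind DN \[([^\]]*)\]")
_RE_RESULT = re.compile(_PREFIX + r"<= handled \(error (\d+) - ([^)]*)\)")

# Subset of Linux-PAM return codes (from <security/_pam_types.h>).
PAM_CODES: Dict[int, str] = {
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES", 13: "PAM_ACCT_EXPIRED",
}


@dataclass
class BindAttempt:
    """One pass-through bind, reassembled from the plugin's '=> ... <=' trace."""
    user: str = ""
    bind_dn: str = ""
    pam_call: str = ""
    pam_errno: Optional[int] = None
    pam_msg: str = ""
    ds_error: Optional[int] = None  # LDAP result code 389 DS returned to the client
    ds_msg: str = ""

    @property
    def pam_symbol(self) -> str:
        if self.pam_errno is None:
            return "no PAM error recorded"
        return PAM_CODES.get(self.pam_errno, f"unknown PAM code {self.pam_errno}")

    @property
    def failed(self) -> bool:
        return self.ds_error is not None and self.ds_error != 0


def parse_attempts(lines: Iterable[str]) -> List[BindAttempt]:
    """Group plugin log lines into one BindAttempt per '=>' ... '<=' trace."""
    attempts: List[BindAttempt] = []
    cur: Optional[BindAttempt] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if _RE_ENTER.match(line):
            cur = BindAttempt()
            attempts.append(cur)
            continue
        if cur is None:
            continue  # plugin chatter outside a bind trace
        m = _RE_PAM_ERR.match(line)
        if m:
            cur.pam_call, cur.pam_errno, cur.pam_msg = m.group(1), int(m.group(2)), m.group(3)
            continue
        m = _RE_USER.match(line)
        if m:
            cur.pam_msg = cur.pam_msg or m.group(1)
            cur.user, cur.bind_dn = m.group(2), m.group(3)
            continue
        m = _RE_RESULT.match(line)
        if m:
            cur.ds_error, cur.ds_msg = int(m.group(1)), m.group(2)
            cur = None  # trace closed
    return attempts


def failures_per_user(attempts: Iterable[BindAttempt]) -> Dict[str, int]:
    """Count failed pass-through binds per user id (detection-side summary)."""
    return dict(Counter(a.user for a in attempts if a.failed))


# Constructed sample: the posted block with its e-mail wrapping undone, plus a
# second, invented attempt (user svc_test) carrying the timestamp prefix.
SAMPLE_LOG = """\
pam_passthru-plugin - => pam_passthru_bindpreop
pam_passthru-plugin - pam msg [0] = 1 Password:
pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
pam_passthru-plugin - <= handled (error 1 - Operations error)
[26/Mar/2010:10:00:00 -0400] pam_passthru-plugin - => pam_passthru_bindpreop
[26/Mar/2010:10:00:00 -0400] pam_passthru-plugin - pam msg [0] = 1 Password:
[26/Mar/2010:10:00:00 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[26/Mar/2010:10:00:00 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [svc_test], bind DN [uid=svc_test,dc=example,dc=com]
[26/Mar/2010:10:00:00 -0400] pam_passthru-plugin - <= handled (error 1 - Operations error)
"""

if __name__ == "__main__":
    parsed = parse_attempts(SAMPLE_LOG.splitlines())
    for a in parsed:
        print(f"{a.user:12} {a.pam_call}: {a.pam_symbol} -> LDAP {a.ds_error} ({a.ds_msg})")
    print(failures_per_user(parsed))
```

Feeding the real errors log through parse_attempts gives one record per bind, so a PAM_PERM_DENIED from pam_authenticate (a PAM stack or pam_ldap configuration problem, as in the thread) is easy to tell apart from a plain wrong-password failure, and failures_per_user gives the per-account count a monitoring rule would key on.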