Re: Can't authenticate to LDAP domain with Redhat9

Here is my config files if this helps:

[root@blochee pam.d]# cat system-auth
#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient    /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient    /lib/security/pam_ldap.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional      /lib/security/pam_ldap.so

[root@blochee /]# cat /etc/ldap.conf
base dc=ee,dc=ucr,dc=edu
uri ldaps://ldap.ee.ucr.edu/
ldap_version 3
scope sub
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=ee,dc=ucr,dc=edu?one
nss_base_shadow ou=People,dc=ee,dc=ucr,dc=edu?one
nss_base_group ou=Group,dc=ee,dc=ucr,dc=edu?one
nss_base_netgroup ou=Netgroup,dc=ee,dc=ucr,dc=edu?one

ssl on
tls_cacertdir /etc/ssl/certs
tls_cacert /etc/ssl/certs/eeca.pem
tls_reqcert allow
[root@blochee /]#


[root@blochee /]# cat /etc/nsswitch.conf
#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:         files ldap
group:          files ldap


# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          files dns

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup:   ldap
[root@blochee /]#

Thanks again.

----- Original Message ----- 
From: "Rigler, Steve" <SRigler@xxxxxxxxxxxxxxx>
To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Thursday, July 01, 2004 5:36 PM
Subject: RE: Can't authenticate to LDAP domain with Redhat9


Try running "authconfig" and set up your LDAP configuration
that way.

-Steve


-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx on behalf of Steven D. Haughton
Sent: Thu 7/1/2004 5:56 PM
To: redhat-list@xxxxxxxxxx
Subject: Can't authenticate to LDAP domain with Redhat9

Hi,


I'm new to ldap and fairly new to linux as well so bear with me.....


I've recently installed Red Hat 9 over Gentoo due to some commercial
software support. My problem is that I can not get Red Hat to
authenticate to the ldap domain.
Here is the current ldap software I have installed:

[root@hostname root]# rpm -qa | grep ldap
openldap-2.0.27-8
openldap-clients-2.0.27-8
nss_ldap-202-5
openldap-devel-2.0.27-8
openldap-servers-2.0.27-8
php-ldap-4.2.2-17.2

Here is current openssl:
[root@hostname root]# rpm -qa | grep openssl
openssl-0.9.7a-20.2
openssl-perl-0.9.7a-20.2
openssl096b-0.9.6b-15
openssl-devel-0.9.7a-20.2
openssl096-0.9.6-25.9

I also have autofs installed and running.
I have copied the exact files for /etc/ldap.conf, /etc/nsswitch.conf,
/etc/pam.d/system_auth, and /etc/ssl/certs/eeca.pem, and
/etc/autofs/auto.master
which work on other linux computers (Mainly Gentoo.... and 2 redhat9
computers).
I also copied ldap.conf into /etc/openldap/ldap.conf and copied
/etc/autofs/auto.master to /etc/auto.master.

So my config files must be correct if they work on other computers,
leading me to believe that there must be extra config files on Redhat
that I must set up.
I took out the hostname and domain names in the following test.

Test:
[root@"hostname" root]# ssh -ltestuser "hostname"
testuser@"hostname's" password:
Permission denied, please try again.

Log file:
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: 1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu

Any ideas on how to resolve this issue? Thanks.

Also here is some more info on the problem.
When I run ldapsearch I get this...

[root@blochEE root]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2

#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm@xxxxxxxxxx
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@blochEE root]#


And when I run getent I get this:
[root@blochEE root]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
[root@blochEE root]#

From my understanding it looks like the client can communicate ok with
the server, so I am at a loss as to why I can not log in using users on
the ldap server?


If you need any more info, please let me know and I'll be happy to
provide it.
Any responses will be most appreciated.
Thank you.


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list








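To see how the posted system-auth "auth" stack is actually evaluated for a user who exists only in LDAP, here is a small model of Linux-PAM control-flag semantics (an added example, not code from this thread or from Linux-PAM itself). The module names are the ones in the system-auth above; the per-module outcomes are constructed inputs standing in for what pam_env, pam_unix, pam_ldap and pam_deny would return.

```python
"""Simplified Linux-PAM control-flag evaluation, walked over the auth
stack from the posted /etc/pam.d/system-auth. Added example only."""

# The "auth" stack exactly as posted (control flag, module), in file order.
AUTH_STACK = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required",   "pam_deny"),
]

def evaluate(stack, results):
    """Return (final_result, modules_consulted) for a PAM stack.

    results maps module -> True (PAM_SUCCESS) or False (any failure);
    a module absent from the dict is treated as failing (pam_deny).
    Semantics modelled: required, requisite, sufficient, optional
    (the "optional is the only module" corner case is ignored).
    """
    consulted = []
    failed = False
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "required":
            failed = failed or not ok       # remember failure, keep going
        elif control == "requisite":
            if not ok:
                return False, consulted     # stop at once
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted      # short-circuit success
        elif control == "optional":
            pass                            # result does not count
        else:
            raise ValueError("unknown control flag: " + control)
    return not failed, consulted

# Constructed outcomes. LDAP-only user: pam_unix logs "user unknown" and
# fails, pam_ldap binds fine -> success before pam_deny is ever reached.
LDAP_USER_OK = {"pam_env": True, "pam_unix": False, "pam_ldap": True}

# Same user but pam_ldap also fails (bad bind, TLS trouble, or the module
# never returning success) -> pam_deny runs and the login is refused,
# with pam_unix's failure being the only thing that shows in syslog.
LDAP_USER_BAD = {"pam_env": True, "pam_unix": False, "pam_ldap": False}

if __name__ == "__main__":
    for name, r in (("ldap ok", LDAP_USER_OK), ("ldap fails", LDAP_USER_BAD)):
        print(name, evaluate(AUTH_STACK, r))
```

The second scenario reproduces what the posted log shows: only pam_unix lines, then "Permission denied", which means pam_ldap did not return success at that point in the stack.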