Thanks for the clarification. Those authconfig files were bothering me.
Ok, I did an ldapsearch and getent and they work fine (from what I can tell).
Output:
[root@blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2
#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm@xxxxxxxxxx
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@blochee /]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
Should I test ldapsearch with some different commands?
Also I tried logging in on virtual consoles with no luck (only root works). =(
You said that if ldapsearch and getent work then I should focus on pam...
How would I go about testing pam?
Thanks again for all your help.
-- Steven
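One way to start "testing pam" without guessing is to check the static prerequisites for an LDAP login on the client in one go: that nsswitch.conf sends passwd/shadow/group lookups to ldap, that /etc/pam.d/system-auth actually loads pam_ldap.so in its auth, account and password stages, and that the two differently-formatted ldap.conf files each carry a server and a search base. The script below is an added example and is not from this thread, from Red Hat's authconfig, or from pam_ldap/nss_ldap; it assumes the Red Hat 9 layout (lower-case keys in /etc/ldap.conf for pam/nss, upper-case keys in /etc/openldap/ldap.conf for the OpenLDAP tools, PAM stack in /etc/pam.d/system-auth) and takes all paths as parameters so it can also be run against copies of the files taken from a working machine.

```shell
#!/bin/sh
# check_ldap_client.sh: static sanity checks for an nss_ldap/pam_ldap client
# such as the Red Hat 9 machine in this thread. Added example, not from the
# thread or the authconfig tool. Assumptions: pam/nss read the lower-case keys
# of /etc/ldap.conf, the OpenLDAP tools read the upper-case keys of
# /etc/openldap/ldap.conf, and the PAM stack lives in /etc/pam.d/system-auth.
# All paths are parameters so the checks can also run on copied-out files.

# nss_uses_ldap NSSWITCH DB -> 0 if the DB line (passwd/shadow/group) lists ldap
nss_uses_ldap() {
    grep -E "^[[:space:]]*$2:[^#]*[[:space:]]ldap([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# pam_uses_ldap SYSTEM_AUTH TYPE -> 0 if an uncommented TYPE line loads pam_ldap.so
pam_uses_ldap() {
    grep -E "^[[:space:]]*$2[[:space:]]+[^#]*pam_ldap\.so" "$1" >/dev/null 2>&1
}

# ldap_conf_has FILE KEY -> 0 if KEY is set with a value (case-insensitive, so
# it serves both "base dc=..." and "BASE dc=...")
ldap_conf_has() {
    grep -iE "^[[:space:]]*$2[[:space:]]+[^[:space:]]" "$1" >/dev/null 2>&1
}

# check_client NSSWITCH SYSTEM_AUTH PAM_LDAP_CONF OPENLDAP_CONF
# Prints one line per problem found and returns the number of problems, so a
# return of 0 means every static prerequisite for LDAP logins is in place.
check_client() {
    nss=$1 pam=$2 pamconf=$3 ldapconf=$4 problems=0
    for db in passwd shadow group; do
        nss_uses_ldap "$nss" "$db" ||
            { echo "$nss: '$db' does not list ldap"; problems=$((problems + 1)); }
    done
    # auth, account and password are the stages authconfig wires pam_ldap into;
    # without the auth line only pam_unix ever sees the password
    for t in auth account password; do
        pam_uses_ldap "$pam" "$t" ||
            { echo "$pam: no pam_ldap.so line for '$t'"; problems=$((problems + 1)); }
    done
    ldap_conf_has "$pamconf" base ||
        { echo "$pamconf: no 'base' (search base for pam/nss)"; problems=$((problems + 1)); }
    ldap_conf_has "$pamconf" host || ldap_conf_has "$pamconf" uri ||
        { echo "$pamconf: neither 'host' nor 'uri' set"; problems=$((problems + 1)); }
    ldap_conf_has "$ldapconf" BASE ||
        { echo "$ldapconf: no 'BASE' (search base for ldapsearch)"; problems=$((problems + 1)); }
    ldap_conf_has "$ldapconf" HOST || ldap_conf_has "$ldapconf" URI ||
        { echo "$ldapconf: neither 'HOST' nor 'URI' set"; problems=$((problems + 1)); }
    return "$problems"
}

# Run against the live system when invoked as "sh check_ldap_client.sh run";
# sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then
    check_client /etc/nsswitch.conf /etc/pam.d/system-auth /etc/ldap.conf /etc/openldap/ldap.conf
fi
```

Run it on the problem machine and on one of the two working Red Hat 9 boxes and diff the output; a machine where ldapsearch and getent already succeed but the script reports a missing pam_ldap.so auth line is consistent with the sshd log quoted later in the thread, because "check pass; user unknown" is pam_unix speaking, and pam_unix can only verify a password it finds in the passwd/shadow sources. The script deliberately stops at the static checks; the live ones (ldapsearch, getent, a login on a virtual console) are the commands already in this thread.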
Rigler, Steve wrote:
To clarify the purposes of some of the files:
/etc/ldap.conf is used by pam_nss so that pam/nss knows where to go to authenticate and/or look up/map user/group information. It should be a long, heavily commented file.
/etc/openldap/ldap.conf is used by the openldap client utilities and probably anything linked against the openldap libraries (eg. the autofs lookup_ldap.so library). It will probably only have a few lines (HOST, BASE, TLS_CACERT, etc).
Those two files are *not* interchangeable. Due to confusion between the two, some distributions have resorted to renaming the file used by pam (eg. pam_ldap.conf).
I wouldn't be as concerned about the information in your /etc/sysconfig/authconfig. AFAIK, it is more used by the authconfig utility to populate itself than for any authentication purposes.
You can edit /etc/pam.d/system-auth manually, but be aware that it will get overwritten by authconfig should you decide to run it and change something that way.
Also, there was a brief thread on the openldap-software list about login with local accounts not working when the ldap server is unavailable. Check here for the fix (I don't remember in which version of RedHat this was fixed): http://www.netsys.com/openldap-software/2003/02/msg00202.html (I wouldn't post any questions to the openldap-software list that aren't specific to openldap...that means no pam, autofs, etc).
I'd check the low-level things on your problem machine first. Make sure you can reach your ldap server with ldapsearch, make sure getent works and then start hitting the pam stuff. Check via other login means besides ssh also (try from a virtual console).
-Steve
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of shaughto
Sent: Thursday, July 01, 2004 11:07 PM
To: General Red Hat Linux discussion list
Subject: Re: Cant authenticate to LDAP domain with Redhat9
Ok, here is some more info, but some background first.
A few weeks ago some researchers in my department took it upon themselves to install Redhat 9 over Gentoo. Well then they asked me to set it up onto the domain. Needless to say my boss was a bit upset that they did this, but on with the story. Well I managed to get one server to authenticate fairly easily. I copied the /etc/ldap.conf, /etc/nsswitch, /etc/pam.d/system-auth, /etc/ssl/certs/eeca.pem, and /etc/autofs/auto.master. However it did not work, but once I copied /etc/ldap.conf to /etc/openldap/ldap.conf it worked!!!!! The second computer was not so easy, no matter what I did it would not authenticate to the ldap domain. Well I worked on it for two days with no success, and then the next morning it was working. WTF was all I could think, but at least it worked (wish I knew what happened though). I really didn't modify any extra files on that machine except that I modified the slapd.conf and got openldap running, which should have nothing to do with the client authentication (please correct me if I am wrong). Well I was poking in all of the system files so maybe I did modify one... if only I could remember.
So now to my point about /etc/sysconfig/authconfig. On these two computers with redhat9, the authconfig is different on both and they both authenticate!!! BTW I never ran authconfig or authconfig-gtk on these machines.
Computer 1 authconfig:
USEHESIOD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USELDAPAUTH=yes
USEMD5=yes
USESHADOW=yes
USESMBAUTH=no
Computer 2 authconfig:
USEDB=no
USEHESIOD=no
USELDAP=no
USENIS=no
USEKERBEROS=no
USELDAPAUTH=no
USEMD5=yes
USESHADOW=yes
USESMBAUTH=no
As you can see the authconfig differs between the computers in the ldap sections. I have tried both variations on my problematic computer (I'll call it Computer 3) with no luck. This confuses me and I'm not sure what is going on with redhat and openldap.
Can someone please shed some light on this and rid me of my ignorance on the subject? Thanks for your time, and sorry for the long email.
-- Steven
----- Original Message ----- From: "shaughto" <shaughto@xxxxxxxxxx>
To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Thursday, July 01, 2004 6:23 PM
Subject: Re: Cant authenticate to LDAP domain with Redhat9
Thanks for the response...
I have tried authconfig and authconfig-gtk, however they did not work. In fact when I tried to log on after using those programs I could not login as root, nor any users. I noticed that authconfig modified some of the LDAP config files, I believe it was /etc/pam.d/system-auth. I simply copied back my original config files, which is /etc/ldap.conf, /etc/nsswitch.conf, /etc/autofs/auto.master, /etc/ssl/certs/eeca.pem, and /etc/pam.d/system-auth. With those files back to my setting I can once again log on as root.
Hmm, what files does authconfig modify? Maybe I can modify them by hand (through vi).
Thanks again for the response.
----- Original Message ----- From: "Rigler, Steve" <SRigler@xxxxxxxxxxxxxxx>
To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Thursday, July 01, 2004 5:36 PM
Subject: RE: Cant authenticate to LDAP domain with Redhat9
Try running "authconfig" and set up your LDAP configuration that way.
-Steve
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx on behalf of Steven D. Haughton
Sent: Thu 7/1/2004 5:56 PM
To: redhat-list@xxxxxxxxxx
Subject: Cant authenticate to LDAP domain with Redhat9
Hi,
I'm new to ldap and fairly new to linux as well so bear with me.....
I've recently installed Red Hat 9 over Gentoo due to some commercial software support. My problem is that I can not get Red Hat to authenticate to the ldap domain. Here is the current ldap software I have installed:
[root@hostname root]# rpm -qa | grep ldap
openldap-2.0.27-8
openldap-clients-2.0.27-8
nss_ldap-202-5
openldap-devel-2.0.27-8
openldap-servers-2.0.27-8
php-ldap-4.2.2-17.2
Here is current openssl:
[root@hostname root]# rpm -qa | grep openssl
openssl-0.9.7a-20.2
openssl-perl-0.9.7a-20.2
openssl096b-0.9.6b-15
openssl-devel-0.9.7a-20.2
openssl096-0.9.6-25.9
I also have autofs installed and running. I have copied the exact files for /etc/ldap.conf, /etc/nsswitch.conf, /etc/pam.d/system_auth, and /etc/ssl/certs/eeca.pem, and /etc/autofs/auto.master which work on other linux computers (Mainly Gentoo.... and 2 redhat9 computers). I also copied ldap.conf into /etc/openldap/ldap.conf and copied /etc/autofs/auto.master to /etc/auto.master.
So my config files must be correct if they work on other computers... leaving me to believe that there must be extra config files on Redhat that I must set up. I took out the hostname and domain names in the following test.
Test:
[root@"hostname" root]# ssh -ltestuser "hostname"
testuser@"hostname's" password:
Permission denied, please try again.
Log file:
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: 1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
Any Ideas on how to resolve this issue? Thanks.
Also here is some more info on the problem. When I run ldapsearch I get this...
[root@blochEE root]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2
#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm@xxxxxxxxxx
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@blochEE root]#
And when I run getent I get this:
[root@blochEE root]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
[root@blochEE root]#
From my understanding it looks like the client can communicate ok with the server, so I am at a loss as to why I can not login using users on the ldap server?
If you need any more info. please let me know and I'll be happy to provide it. Any responses will be most appreciated. Thank you.
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list