[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

Re: [PAM] Getting Better + LDAP + PAM



On Thu, Oct 12, 2006 at 04:20:43PM +0000, Net Warrior wrote:
> Hi guys
> Thank to the kindness of the list, I'm getting better results with this.
> Well.. this is what I've got right now.
> 
> I configure NIS, so, getent passwd netwarrior returns
> 
> netwarrior:x:1002:513:System User:/home/netwarrior:/bin/bash
> This is perfect, cuz netwarrior is in the LDAP database and not a local
> users, so this is an upgrade :)
> 
> Now, what I'm trying to do is to connect from a windows machine, which is
> not part of the domain and from a freebsd host which is neither part of the
> domain and I'm getting this:
> 
> This is not the entire log, but as I can see, it retrieving all the user
> info, gecos, pasword, login shell
> 

>              [.../...]
> Oct 12 14:05:03 test-server slapd[3940]: => access_allowed: read access
> denied by auth(=xd)
> Oct 12 14:05:03 test-server slapd[3940]: send_search_entry: conn 3 access to
> attribute userPassword, value #0 not allowed
>              [.../...]

It seems you have the same pb I had.

Assume you have put "ldap" in /etc/nsswith.conf on entries "passwd"
and "shadow". So module "pam_unix2" think it can authentificate LDAP
user with a "getpwnam". But as you have restricted "userPassword" to
athentification only ("=xd") so "pam_unix2" can't read password and
fails with "auth_err".

So I withdrawed "ldap" in /etc/nsswith.conf to entry "shadow" and
"pam_unix2" fails but with a different error than "auth_err". My
"common-auth" is :

auth    [success=1 auth_err=bad default=ignore] pam_unix.so debug
auth    required                pam_ldap.so use_first_pass debug
auth    required		pam_access.so


> common-session
> session required pam_limits.so
> session required pam_unix2.so
> session sufficient pam_ldap.so

It's strange that the "sufficient" module is after the "required" one
because, for a LDAP user, "pam_unix2" is due to fail and so the module
fails whatever do the "pam_ldap".

a+,
-- 
Julien
	<< Vous n'avez rien a dire... Parlons-en! >>

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

Add to Google Powered by Linux