| 1 |
On 07/29/2010 06:50 PM, Giampiero Gabbiani wrote: |
| 2 |
> Hi all, |
| 3 |
> I configured nss & pam in order to make LDAP authentication. In order to |
| 4 |
> have a proper authentication and attributes retrieving I added also ccreds |
| 5 |
> and nss_updatedb modifying /etc/pam.d/system-auth for the first and |
| 6 |
> /etc/nsswithch for both: |
| 7 |
> |
| 8 |
> /etc/pam.d/system-auth: |
| 9 |
> |
| 10 |
> auth [success=done default=ignore] pam_unix.so |
| 11 |
> nullok_secure try_first_pass debug |
| 12 |
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so |
| 13 |
> use_first_pass |
| 14 |
> auth [default=done] |
| 15 |
> pam_ccreds.so action=validate use_first_pass |
| 16 |
> auth [default=done] |
| 17 |
> pam_ccreds.so action=store |
| 18 |
> auth [default=bad] |
| 19 |
> pam_ccreds.so action=update |
| 20 |
> |
| 21 |
> account [user_unknown=ignore authinfo_unavail=ignore default=done] |
| 22 |
> pam_unix.so debug |
| 23 |
> account [user_unknown=ignore authinfo_unavail=ignore default=done] |
| 24 |
> pam_ldap.so debug |
| 25 |
> account required |
| 26 |
> pam_permit.so |
| 27 |
> |
| 28 |
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 |
| 29 |
> ocredit=2 try_first_pass retry=3 |
| 30 |
> password sufficient pam_unix.so try_first_pass use_authtok |
| 31 |
> nullok md5 shadow |
| 32 |
> password sufficient pam_ldap.so use_authtok use_first_pass |
| 33 |
> password required pam_deny.so |
| 34 |
> |
| 35 |
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022 |
| 36 |
> session required pam_limits.so |
| 37 |
> session required pam_env.so |
| 38 |
> session required pam_unix.so |
| 39 |
> session optional pam_permit.so |
| 40 |
> session optional pam_ldap.so |
| 41 |
> |
| 42 |
> # /etc/nsswitch.conf: |
| 43 |
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v |
| 44 |
> 1.1 2006/09/29 23:52:23 vapier Exp $ |
| 45 |
> |
| 46 |
> passwd: files ldap [NOTFOUND=return] db |
| 47 |
> shadow: files ldap |
| 48 |
> group: files ldap [NOTFOUND=return] db |
| 49 |
> |
| 50 |
> #passwd: files ldap |
| 51 |
> #shadow: files ldap |
| 52 |
> #group: files ldap |
| 53 |
> |
| 54 |
> # passwd: db files nis |
| 55 |
> # shadow: db files nis |
| 56 |
> # group: db files nis |
| 57 |
> |
| 58 |
> hosts: files dns |
| 59 |
> networks: files dns |
| 60 |
> |
| 61 |
> services: db files |
| 62 |
> protocols: db files |
| 63 |
> rpc: db files |
| 64 |
> ethers: db files |
| 65 |
> netmasks: files |
| 66 |
> netgroup: files ldap |
| 67 |
> bootparams: files |
| 68 |
> |
| 69 |
> automount: files ldap |
| 70 |
> aliases: files |
| 71 |
> |
| 72 |
> sudoers: ldap files |
| 73 |
> |
| 74 |
> the problem is that, when the connection to the ldap server is down, I can't |
| 75 |
> login: |
| 76 |
> |
| 77 |
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user |
| 78 |
> unknown |
| 79 |
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication |
| 80 |
> failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= |
| 81 |
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't |
| 82 |
> contact LDAP server |
| 83 |
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server |
| 84 |
> ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server |
| 85 |
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server |
| 86 |
> - Server is unavailable |
| 87 |
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR |
| 88 |
> `UNKNOWN', User not known to the underlying authentication module |
| 89 |
> |
| 90 |
> from the last line above it seems like the credentials were not cached or the |
| 91 |
> nss switch doesn't use the db service for the passwd and shadow database. |
| 92 |
> |
| 93 |
> Is there someone that has a working configuration in order to have the |
| 94 |
> cached credentials systems working properly ? |
| 95 |
> |
| 96 |
> Regards |
| 97 |
> Giampiero |
| 98 |
> |
| 99 |
I haven't done this on Gentoo, only on a Ubuntu 10.04 system of a |
| 100 |
client, but there it works like a charm. So I don't know if the |
| 101 |
following applies, but here are my ideas: |
| 102 |
|
| 103 |
Did you run "sudo nss_updatedb ldap"? In Ubuntu it fetches the |
| 104 |
(non-password) data for "getent passwd" and "getent group" and stores it |
| 105 |
in /var/lib/misc/passwd.db and /var/lib/misc/group.db. |
| 106 |
Check those files. You should be able to list LDAP-users and LDAP-groups |
| 107 |
now without connection to the LDAP (by running "getent passwd" and |
| 108 |
"getent group"). |
| 109 |
|
| 110 |
The PAM configuration is very different of course. |
| 111 |
|
| 112 |
Then to be able to login the user must have logged in once with the LDAP |
| 113 |
connected, so that the password can be stored locally. If that was |
| 114 |
successful, can be checked by running "sudo cc_dump". It prints: |
| 115 |
|
| 116 |
$ sudo cc_dump |
| 117 |
|
| 118 |
Credential Type User Service Cached Credentials |
| 119 |
------------------------------------------------------------------------ |
| 120 |
Salted SHA1 daniel any 788e8f863a089211911dbbf1774ce141516936f4 |
| 121 |
|
| 122 |
|
| 123 |
Hope it helps... |
| 124 |
Daniel |
| 125 |
|
| 126 |
|
| 127 |
-- |
| 128 |
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get |
| 129 |
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887 |
Archives