On 07/29/2010 06:50 PM, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to do LDAP authentication. In order to
> have proper authentication and attribute retrieval I also added ccreds
> and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch.conf for both:
>
> /etc/pam.d/system-auth:
>
> auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
> account required pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd: files ldap [NOTFOUND=return] db
> shadow: files ldap
> group: files ldap [NOTFOUND=return] db
>
> #passwd: files ldap
> #shadow: files ldap
> #group: files ldap
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files ldap
> bootparams: files
>
> automount: files ldap
> aliases: files
>
> sudoers: ldap files
>
> The problem is that, when the connection to the LDAP server is down, I can't
> log in:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> From the last line above it seems like the credentials were not cached, or the
> NSS switch doesn't use the db service for the passwd and shadow databases.
>
> Is there someone who has a working configuration for getting the
> cached credentials system working properly?
>
> Regards
> Giampiero
>
I haven't done this on Gentoo, only on an Ubuntu 10.04 system of a
client, but there it works like a charm. So I don't know if the
following applies, but here are my ideas:

Did you run "sudo nss_updatedb ldap"? In Ubuntu it fetches the
(non-password) data for "getent passwd" and "getent group" and stores it
in /var/lib/misc/passwd.db and /var/lib/misc/group.db.
Check those files. You should be able to list LDAP users and LDAP groups
now without a connection to the LDAP (by running "getent passwd" and
"getent group").

The PAM configuration is very different of course.

Then, to be able to log in, the user must have logged in once with the LDAP
connected, so that the password can be stored locally. Whether that was
successful can be checked by running "sudo cc_dump". It prints:

$ sudo cc_dump

Credential Type User Service Cached Credentials
------------------------------------------------------------------------
Salted SHA1 daniel any 788e8f863a089211911dbbf1774ce141516936f4


Hope it helps...
Daniel


--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
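As an added example (not from the thread and not from either poster), the Python script below simulates the two chains this thread turns on: the auth stack from the posted /etc/pam.d/system-auth and the passwd line from the posted nsswitch.conf. The control semantics are those documented in pam.conf(5) and nsswitch.conf(5); the module return values, the user name "alice" and the lookup tables standing in for /etc/passwd, the directory and the nss_updatedb-written db file are constructed inputs, and no real PAM or NSS call is made. It shows which modules run when the LDAP server is up, when it rejects the password, and when it is unreachable (the authinfo_unavail=ignore branch that hands over to pam_ccreds validate), and that with the ldap source unavailable the passwd chain only falls through to db if that file has been populated, which is what the nss_updatedb step in the reply does.

```python
"""Simulator for the PAM auth stack and the nsswitch passwd chain posted in
the thread. Added example; semantics follow pam.conf(5) and nsswitch.conf(5),
all outcomes below are constructed stand-ins rather than real module calls."""

SUCCESS = "success"
AUTH_ERR = "auth_err"
USER_UNKNOWN = "user_unknown"
AUTHINFO_UNAVAIL = "authinfo_unavail"

# The auth section as posted: (module, {return value: action}).
# An integer action means "ok, then jump over that many modules".
AUTH_STACK = [
    ("pam_unix.so", {SUCCESS: "done", "default": "ignore"}),
    ("pam_ldap.so", {AUTHINFO_UNAVAIL: "ignore", SUCCESS: 1, "default": 2}),
    ("pam_ccreds.so action=validate", {"default": "done"}),
    ("pam_ccreds.so action=store", {"default": "done"}),
    ("pam_ccreds.so action=update", {"default": "bad"}),
]


def run_auth_stack(stack, outcomes):
    """outcomes: module name -> the value that module would return.
    Returns (stack result, list of modules that actually ran)."""
    status = None  # no module has contributed to the result yet
    ran = []
    i = 0
    while i < len(stack):
        module, controls = stack[i]
        retval = outcomes[module]
        ran.append(module)
        action = controls.get(retval, controls["default"])
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            # counts as a failure; the first failure in the stack sticks
            if status in (None, SUCCESS):
                status = retval if retval != SUCCESS else "perm_denied"
            if action == "die":
                break
            continue
        # ok / done / N: the module's value is used unless something failed earlier
        if status in (None, SUCCESS):
            status = retval
        if action == "done":
            break
        if isinstance(action, int):
            i += action
    # Linux-PAM denies when no module contributed a result (assumed default here)
    return (status if status is not None else "perm_denied"), ran


def auth_outcomes(ldap_state, cached_password_ok=True):
    """Constructed outcomes for an LDAP-only user (unknown to pam_unix).
    ldap_state is "ok", "wrong_password" or "down"."""
    ldap = {"ok": SUCCESS, "wrong_password": AUTH_ERR, "down": AUTHINFO_UNAVAIL}[ldap_state]
    return {
        "pam_unix.so": USER_UNKNOWN,
        "pam_ldap.so": ldap,
        "pam_ccreds.so action=validate": SUCCESS if cached_password_ok else AUTH_ERR,
        "pam_ccreds.so action=store": SUCCESS,
        "pam_ccreds.so action=update": SUCCESS,
    }


# passwd line as posted: "files ldap [NOTFOUND=return] db".
# nsswitch.conf(5) defaults: success=return, every other status=continue.
PASSWD_CHAIN = [("files", {}), ("ldap", {"notfound": "return"}), ("db", {})]


def nss_lookup(chain, sources, name):
    """sources: source name -> function(name) returning (status, entry).
    Returns (status, entry, source that answered)."""
    last = "notfound"
    for source, actions in chain:
        status, entry = sources[source](name)
        default = "return" if status == SUCCESS else "continue"
        if actions.get(status, default) == "return":
            return status, entry, source
        last = status
    return last, None, None


def make_sources(ldap_up, db_populated):
    """Constructed lookup tables standing in for /etc/passwd, the LDAP
    directory and the db file that nss_updatedb would have written."""
    local = {"root": "root:x:0:0:root:/root:/bin/bash"}
    directory = {"alice": "alice:x:10001:10001:Alice:/home/alice:/bin/bash"}
    cache = dict(directory) if db_populated else {}

    def files(name):
        return (SUCCESS, local[name]) if name in local else ("notfound", None)

    def ldap(name):
        if not ldap_up:
            return ("unavail", None)
        return (SUCCESS, directory[name]) if name in directory else ("notfound", None)

    def db(name):
        return (SUCCESS, cache[name]) if name in cache else ("notfound", None)

    return {"files": files, "ldap": ldap, "db": db}


if __name__ == "__main__":
    for state in ("ok", "wrong_password", "down"):
        print("ldap", state, "->", run_auth_stack(AUTH_STACK, auth_outcomes(state)))
    for ldap_up, db_populated in ((True, False), (False, True), (False, False)):
        srcs = make_sources(ldap_up, db_populated)
        print("ldap_up", ldap_up, "db_populated", db_populated, "->",
              nss_lookup(PASSWD_CHAIN, srcs, "alice"))
```

Running it prints one line per scenario. With the server up, a correct password takes the jump over validate into store (the point where pam_ccreds caches the hash that cc_dump later shows); a wrong password jumps over both into update with the failure from pam_ldap kept as the result; with the server down the ldap result is ignored and validate alone decides. On the NSS side, the unavailable ldap source is skipped by the default continue action, so db answers only when it has been filled.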