On Thursday 29 July 2010 18:50:13, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to set up LDAP authentication. In order to
> have proper authentication and attribute retrieval I also added ccreds
> and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch.conf for both:
>
> /etc/pam.d/system-auth:
>
> auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
> account required pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd: files ldap [NOTFOUND=return] db
> shadow: files ldap
> group: files ldap [NOTFOUND=return] db
>
> #passwd: files ldap
> #shadow: files ldap
> #group: files ldap
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files ldap
> bootparams: files
>
> automount: files ldap
> aliases: files
>
> sudoers: ldap files
>
> The problem is that, when the connection to the LDAP server is down, I
> can't log in:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> From the last line above it seems that the credentials were not cached, or
> that the NSS switch doesn't use the db service for the passwd and shadow
> databases.
>
> Is there someone who has a working configuration in order to have the
> cached credentials system working properly?
>
> Regards
> Giampiero

The problem was due to a missing sys-libs/nss-db ebuild.
This one provides the NSS module needed by glibc to use Berkeley databases as a
naming service (actually the same one used by nss-updatedb).

Now everything works well.

Bye all
Giampiero

P.S. - IMHO, this should be set as a dependency in the nss-updatedb ebuild...
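As an added example (not part of the thread), a POSIX sh check for the failure mode described above: nsswitch.conf routes passwd/group lookups to "db", but the glibc nss_db module (libnss_db.so.2, on Gentoo from sys-libs/nss-db) or the cache files that nss_updatedb writes are absent, so offline logins end in "User not known to the underlying authentication module". The nsswitch file, library directory and db directory are parameters, so the script runs against constructed input; on a live host they would be /etc/nsswitch.conf, /lib and /var/db.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks that every NSS database
# routed to "db" in an nsswitch.conf has what the offline fallback needs:
# the nss_db module (libnss_db.so.2) and, for passwd/group, the Berkeley DB
# cache file written by nss_updatedb (passwd.db, group.db).

# nss_db_services FILE: print the databases whose service list contains "db".
nss_db_services() {
    sed -e 's/#.*//' "$1" | awk -F: 'NF >= 2 {
        name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
        n = split($2, svc, /[ \t]+/)
        for (i = 1; i <= n; i++) if (svc[i] == "db") { print name; break }
    }'
}

# check_nss_db NSSWITCH LIBDIR DBDIR: return 0 when the module is present and
# every passwd/group database that lists "db" has its cache file, else 1.
check_nss_db() {
    nsswitch=$1; libdir=$2; dbdir=$3; rc=0
    if [ ! -e "$libdir/libnss_db.so.2" ]; then
        echo "missing NSS module $libdir/libnss_db.so.2: install nss-db"
        rc=1
    fi
    for db in $(nss_db_services "$nsswitch"); do
        case $db in
            passwd|group)
                if [ ! -e "$dbdir/$db.db" ]; then
                    echo "$db lists 'db' but $dbdir/$db.db is absent: run nss_updatedb"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed demo: the quoted nsswitch ordering with neither module nor cache,
# which is the situation the thread describes.
demo=$(mktemp -d)
mkdir -p "$demo/lib" "$demo/db"
cat > "$demo/nsswitch.conf" <<'EOF'
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group:  files ldap [NOTFOUND=return] db
hosts:  files dns
EOF
check_nss_db "$demo/nsswitch.conf" "$demo/lib" "$demo/db" || echo "offline login would fail"
rm -rf "$demo"
```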