Hi all,

I configured nss & pam in order to do LDAP authentication. In order to
have proper authentication and attribute retrieval I also added ccreds
and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
/etc/nsswitch.conf for both:

/etc/pam.d/system-auth:

auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update

account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
account required pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_ldap.so

# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group: files ldap [NOTFOUND=return] db

#passwd: files ldap
#shadow: files ldap
#group: files ldap

# passwd: db files nis
# shadow: db files nis
# group: db files nis

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files ldap
bootparams: files

automount: files ldap
aliases: files

sudoers: ldap files

The problem is that, when the connection to the LDAP server is down, I can't
log in:

Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module

From the last line above it seems like the credentials were not cached, or the
NSS switch doesn't use the db service for the passwd and shadow databases.

Is there someone who has a working configuration in order to have the
cached credentials system working properly?

Regards
Giampiero
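As an added example (not part of Giampiero's post, and not code from Linux-PAM, pam_ccreds or glibc), the script below replays the auth stack and the passwd line quoted above through a small simulator of the pam.conf(5) control syntax and the nsswitch.conf(5) action syntax. It shows which entry decides the result in each situation: a local user, an LDAP user with the server reachable, and an LDAP user with the server unreachable, with and without a cached entry. The return value each module reports in a scenario is a constructed input, not something measured on the poster's machine; the key names (such as "pam_ccreds.so action=validate") are the simulator's own.

```python
"""Simulate the control flow of the auth stack and the passwd lookup quoted in
the post.  Dispatch rules follow pam.conf(5) / Linux-PAM's pam_dispatch.c and
nsswitch.conf(5); every per-module return value in a scenario is constructed."""
import re

# Keyword controls expanded to the [value=action] form, as listed in pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth section of the poster's /etc/pam.d/system-auth, wrapped lines rejoined.
AUTH_STACK = """
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
"""

# The passwd line of the poster's /etc/nsswitch.conf.
PASSWD_LINE = "passwd: files ldap [NOTFOUND=return] db"


def parse_stack(text, facility="auth"):
    """Return [(control, key)] for one facility.  key is the module name plus
    its action= argument, so the three pam_ccreds lines stay distinguishable."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] != facility:
            continue
        rest = line.split(None, 1)[1].strip()
        if rest.startswith("["):
            end = rest.index("]")
            control = dict(pair.split("=", 1) for pair in rest[1:end].split())
            rest = rest[end + 1:]
        else:
            keyword, rest = rest.split(None, 1)
            control = KEYWORD_CONTROLS[keyword]
        module, *args = rest.split()
        entries.append((control, " ".join([module] + [a for a in args if a.startswith("action=")])))
    return entries


def run_auth_stack(stack, scenario):
    """scenario maps key -> PAM return value name; unlisted modules are assumed
    to return success.  Returns (final status, deciding key, trace)."""
    impression, status, decider, trace, i = None, None, None, [], 0
    while i < len(stack):
        control, key = stack[i]
        rv = scenario.get(key, "success")
        action = control.get(rv, control.get("default", "bad"))
        trace.append((key, rv, action))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != "negative":      # the first failure's status is kept
                impression, status, decider = "negative", rv, key
            if action == "die":
                break
            continue
        # ok, done and a numeric jump N all contribute unless the stack is already failing
        if impression is None or (impression == "positive" and status == "success"):
            impression = "positive" if rv == "success" else "negative"
            status, decider = rv, key
        if action == "done" and impression == "positive":
            break                             # done short-circuits only a positive verdict
        if action.isdigit():
            i += int(action)                  # skip the next N entries
    # no contributing module at all: Linux-PAM returns PAM_PERM_DENIED
    return (status if impression else "perm_denied"), decider, trace


NSS_DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                       "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def nss_lookup(line, statuses):
    """Walk one nsswitch.conf line; statuses maps service -> the status it
    reports.  Returns (final status, service that produced it, services tried).
    Negated statuses such as [!UNAVAIL=return] are not modelled."""
    services, actions = [], []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if tok.startswith("["):
            for pair in tok.strip("[]").split():
                st, act = pair.split("=", 1)
                actions[-1][st.upper()] = act.lower()
        else:
            services.append(tok)
            actions.append(dict(NSS_DEFAULT_ACTIONS))
    st, svc, tried = None, None, []
    for svc, acts in zip(services, actions):
        st = statuses[svc]
        tried.append(svc)
        if acts[st] == "return":
            break
    return st, svc, tried


if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    ldap_down = {"pam_unix.so": "user_unknown", "pam_ldap.so": "authinfo_unavail"}
    print(run_auth_stack(stack, ldap_down))            # validate line decides: success
    print(nss_lookup(PASSWD_LINE, {"files": "NOTFOUND", "ldap": "UNAVAIL", "db": "SUCCESS"}))
```

Two things the replay makes visible. In the auth stack, an unreachable server is mapped to ignore on the pam_ldap line, so the pam_ccreds validate line is what decides the result; whatever that line returns (the simulator's last scenario uses user_unknown as a constructed value) is returned to login unchanged, because its [default=done] control contributes every return value. On the passwd line, UNAVAIL from ldap falls through to db under the default actions, while [NOTFOUND=return] stops the walk when a reachable server answers that the user does not exist, so the local cache is only consulted when the directory is down and only helps if nss_updatedb has actually populated it; the quoted shadow line lists no db source at all, so the same simulator returns the ldap status for it.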