| 1 |
Hi all, |
| 2 |
I configured nss & pam in order to make LDAP authentication. In order to |
| 3 |
have a proper authentication and attributes retrieving I added also ccreds |
| 4 |
and nss_updatedb modifying /etc/pam.d/system-auth for the first and |
| 5 |
/etc/nsswithch for both: |
| 6 |
|
| 7 |
/etc/pam.d/system-auth: |
| 8 |
|
| 9 |
auth [success=done default=ignore] pam_unix.so |
| 10 |
nullok_secure try_first_pass debug |
| 11 |
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so |
| 12 |
use_first_pass |
| 13 |
auth [default=done] |
| 14 |
pam_ccreds.so action=validate use_first_pass |
| 15 |
auth [default=done] |
| 16 |
pam_ccreds.so action=store |
| 17 |
auth [default=bad] |
| 18 |
pam_ccreds.so action=update |
| 19 |
|
| 20 |
account [user_unknown=ignore authinfo_unavail=ignore default=done] |
| 21 |
pam_unix.so debug |
| 22 |
account [user_unknown=ignore authinfo_unavail=ignore default=done] |
| 23 |
pam_ldap.so debug |
| 24 |
account required |
| 25 |
pam_permit.so |
| 26 |
|
| 27 |
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 |
| 28 |
ocredit=2 try_first_pass retry=3 |
| 29 |
password sufficient pam_unix.so try_first_pass use_authtok |
| 30 |
nullok md5 shadow |
| 31 |
password sufficient pam_ldap.so use_authtok use_first_pass |
| 32 |
password required pam_deny.so |
| 33 |
|
| 34 |
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022 |
| 35 |
session required pam_limits.so |
| 36 |
session required pam_env.so |
| 37 |
session required pam_unix.so |
| 38 |
session optional pam_permit.so |
| 39 |
session optional pam_ldap.so |
| 40 |
|
| 41 |
# /etc/nsswitch.conf: |
| 42 |
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v |
| 43 |
1.1 2006/09/29 23:52:23 vapier Exp $ |
| 44 |
|
| 45 |
passwd: files ldap [NOTFOUND=return] db |
| 46 |
shadow: files ldap |
| 47 |
group: files ldap [NOTFOUND=return] db |
| 48 |
|
| 49 |
#passwd: files ldap |
| 50 |
#shadow: files ldap |
| 51 |
#group: files ldap |
| 52 |
|
| 53 |
# passwd: db files nis |
| 54 |
# shadow: db files nis |
| 55 |
# group: db files nis |
| 56 |
|
| 57 |
hosts: files dns |
| 58 |
networks: files dns |
| 59 |
|
| 60 |
services: db files |
| 61 |
protocols: db files |
| 62 |
rpc: db files |
| 63 |
ethers: db files |
| 64 |
netmasks: files |
| 65 |
netgroup: files ldap |
| 66 |
bootparams: files |
| 67 |
|
| 68 |
automount: files ldap |
| 69 |
aliases: files |
| 70 |
|
| 71 |
sudoers: ldap files |
| 72 |
|
| 73 |
the problem is that, when the connection to the ldap server is down, I can't |
| 74 |
login: |
| 75 |
|
| 76 |
Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user |
| 77 |
unknown |
| 78 |
Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication |
| 79 |
failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= |
| 80 |
Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't |
| 81 |
contact LDAP server |
| 82 |
Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server |
| 83 |
ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server |
| 84 |
Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server |
| 85 |
- Server is unavailable |
| 86 |
Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR |
| 87 |
`UNKNOWN', User not known to the underlying authentication module |
| 88 |
|
| 89 |
from the last line above it seems like the credentials were not cached or the |
| 90 |
nss switch doesn't use the db service for the passwd and shadow database. |
| 91 |
|
| 92 |
Is there someone that has a working configuration in order to have the |
| 93 |
cached credentials systems working properly ? |
| 94 |
|
| 95 |
Regards |
| 96 |
Giampiero |
Archives