| 1 |
bijayant kumar schrieb: |
| 2 |
> Hi, |
| 3 |
> I have installed openldap on my gentoo-linux . My purpose is to use LDAP server for login authentication using PAM. slapd is running fine. ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is server as well as the client. Please help me. I followed step by step |
| 4 |
> http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2 |
| 5 |
|
| 6 |
[...] |
| 7 |
> |
| 8 |
> access to * |
| 9 |
> by dn="uid=root,ou=people,dc=kavach,dc=blr" write |
| 10 |
> by users read |
| 11 |
> by anonymous auth |
| 12 |
> |
| 13 |
> access to attrs=userPassword,gecos,description,loginShell |
| 14 |
> by self write |
| 15 |
|
| 16 |
Your first access rule makes your second one obsolete, because * is for |
| 17 |
everything. Therefore your second rule will never jump in. Take always |
| 18 |
the rule with * as your last access rule. |
| 19 |
|
| 20 |
|
| 21 |
> My /etc/pam.d/system-auth :-- |
| 22 |
> |
| 23 |
> auth required /lib/security/pam_env.so |
| 24 |
> auth sufficient /lib/security/pam_unix.so likeauth nullok |
| 25 |
> auth sufficient /lib/security/pam_ldap.so use_first_pass |
| 26 |
> auth required /lib/security/pam_deny.so |
| 27 |
> |
| 28 |
> account required /lib/security/pam_unix.so |
| 29 |
> account sufficient /lib/security/pam_ldap.so |
| 30 |
> |
| 31 |
> password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0 |
| 32 |
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow |
| 33 |
> password sufficient /lib/security/pam_ldap.so use_authtok |
| 34 |
> password required /lib/security/pam_deny.so |
| 35 |
> |
| 36 |
> session required /lib/security/pam_limits.so |
| 37 |
> session required /lib/security/pam_unix.so |
| 38 |
> session optional /lib/security/pam_ldap.so |
| 39 |
|
| 40 |
I'm no expert at all with pam rules, but your rules always have the unix |
| 41 |
rule before ldap rule. If you try login with a local account (not in |
| 42 |
passwd), than perhaps you run in timeouts? |
| 43 |
|
| 44 |
I have set up ldap on debian with the following pam rules: |
| 45 |
|
| 46 |
auth [success=1 default=ignore] pam_unix.so nullok_secure |
| 47 |
auth required pam_ldap.so use_first_pass |
| 48 |
auth required pam_permit.so |
| 49 |
|
| 50 |
account [success=1 default=ignore] pam_unix.so |
| 51 |
account required pam_ldap.so |
| 52 |
account required pam_permit.so |
| 53 |
|
| 54 |
password sufficient pam_ldap.so use_first_pass use_authtok |
| 55 |
password required pam_unix.so nullok obscure min=4 max=8 md5 |
| 56 |
|
| 57 |
session optional pam_ldap.so |
| 58 |
session required pam_unix.so |
| 59 |
|
| 60 |
The first rule of auth and account allows you to login even if ldap is |
| 61 |
down: the rules check, if a local account exists; if yes jump to third |
| 62 |
rule; if no jump to second rule. |
| 63 |
|
| 64 |
Perhaps this can help you. |
| 65 |
|
| 66 |
> Since my local system is also acting as a LDAP server, thats why every users who are in LDAP directory, they are in my system also. |
| 67 |
Hm, this sounds a little bit wrong. Even if your LDAP server runs on |
| 68 |
another system, the accounts saved in it are part of your system, if you |
| 69 |
configure it that way (which you did with /etc/nsswitch.conf and |
| 70 |
/etc/ldap.conf). They are not automatically in it, if you do not set |
| 71 |
these files properly (which I think you did), local ldap or not. |
| 72 |
|
| 73 |
Regards, |
| 74 |
Marc |
| 75 |
|
| 76 |
|
| 77 |
-- |
| 78 |
gentoo-user@g.o mailing list |
Archives