Gentoo Archives: gentoo-user

From: bijayant kumar <bijayant4u@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] openldap: taking too much of time to authenticate
Date: Mon, 28 Aug 2006 08:46:47
Message-Id: 20060828083944.44273.qmail@web32706.mail.mud.yahoo.com
In Reply to: Re: [gentoo-user] openldap: taking too much of time to authenticate by Marc Blumentritt
Hi Marc,
First of all, I want to thank you for your response. I tried everything you suggested to me, but unfortunately it did not work for me. It is still taking 15 to 20 seconds to authenticate. Does it take too much time, or am I doing something wrong? Please help me. I have been doing this for the last 8 days. And one more thing I want to know: how would I know that the user is authenticated via LDAP and not the system?

Marc Blumentritt <M.Blumentritt@×××××××××××××××.de> wrote: bijayant kumar wrote:
> Hi,
> I have installed openldap on my gentoo-linux. My purpose is to use the LDAP server for login authentication using PAM. slapd is running fine. The ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is the server as well as the client. Please help me. I followed step by step
> http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2

[...]
>
> access to *
> by dn="uid=root,ou=people,dc=kavach,dc=blr" write
> by users read
> by anonymous auth
>
> access to attrs=userPassword,gecos,description,loginShell
> by self write

Your first access rule makes your second one obsolete, because * is for
everything. Therefore your second rule will never jump in. Always take
the rule with * as your last access rule.


> My /etc/pam.d/system-auth:
>
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account sufficient /lib/security/pam_ldap.so
>
> password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so

I'm no expert at all with PAM rules, but your rules always have the unix
rule before the ldap rule. If you try to log in with a local account (not in
passwd), then perhaps you run into timeouts?

I have set up LDAP on Debian with the following PAM rules:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so

password sufficient pam_ldap.so use_first_pass use_authtok
password required pam_unix.so nullok obscure min=4 max=8 md5

session optional pam_ldap.so
session required pam_unix.so

The first rule of auth and account allows you to log in even if LDAP is
down: the rules check if a local account exists; if yes, jump to the third
rule; if no, jump to the second rule.

Perhaps this can help you.

> Since my local system is also acting as an LDAP server, that's why every user who is in the LDAP directory is in my system also.
Hm, this sounds a little bit wrong. Even if your LDAP server runs on
another system, the accounts saved in it are part of your system if you
configure it that way (which you did with /etc/nsswitch.conf and
/etc/ldap.conf). They are not automatically in it if you do not set
these files properly (which I think you did), local LDAP or not.

Regards,
Marc


--
gentoo-user@g.o mailing list


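The ACL ordering point in the quoted reply, as an added worked example (not code from the thread, from the Gentoo howto, or from OpenLDAP): a small Python model of how slapd evaluates access directives according to slapd.access(5), that is, the first matching "access to <what>" clause is selected, the first matching "by <who>" inside it decides, and no match means none. It parses the two rules quoted above and runs them in the posted order, in the order suggested in the reply ("*" last), and in a third ordering constructed here. The entries uid=alice and uid=bob are made up; "dn=" is treated as an exact match; and uid=root,ou=people is treated as an ordinary entry, not the rootdn (the rootdn bypasses ACLs entirely). The third variant is the caveat a practitioner would want: with "access to *" simply moved last, an anonymous session gets no access at all to userPassword, so a simple bind can no longer have its password verified. The attribute clause therefore also needs "by anonymous auth" (plus "by * none" so other users cannot read the hash), and in the constructed variant it is narrowed to userPassword because gecos and loginShell are attributes NSS lookups have to read.

```python
"""Model of slapd access-control evaluation (slapd.access(5)).

First "access to <what>" clause matching the target is selected; within it
the first matching "by <who>" decides; no match at either level is "none".
The ACL texts are the thread's rules in two orders plus one constructed fix.
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["access", "to"]:
            acls.append((parts[2], []))
        elif parts[:1] == ["by"]:
            acls[-1][1].append((parts[1], parts[2]))
    return acls

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous session; dn= is modelled as exact."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):].strip('"')
    raise ValueError(f"unsupported <who>: {who}")

def granted(acls, bind_dn, target_dn, attr):
    """Access level the requester gets on target_dn's attribute."""
    for what, bys in acls:
        if what_matches(what, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"   # clause matched, no by matched: implicit "by * none"
    return "none"           # no clause matched at all

def allows(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the needed one (auth < read < write)."""
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

ROOT = "uid=root,ou=people,dc=kavach,dc=blr"
ALICE = "uid=alice,ou=people,dc=kavach,dc=blr"   # constructed entries
BOB = "uid=bob,ou=people,dc=kavach,dc=blr"

# 1. The order posted in the thread: "access to *" comes first.
ORIGINAL = parse_acls("""
access to *
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by users read
  by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
  by self write
""")
# 2. The same two rules with "*" moved last, as the reply suggests.
SWAPPED = parse_acls("""
access to attrs=userPassword,gecos,description,loginShell
  by self write
access to *
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by users read
  by anonymous auth
""")
# 3. Constructed here, not from the thread: the password clause lets
#    anonymous sessions authenticate against the hash and nobody else read it.
FIXED = parse_acls("""
access to attrs=userPassword
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by anonymous auth
  by self write
  by * none
access to *
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by users read
  by anonymous auth
""")
```

In the posted order, granted(ORIGINAL, ALICE, BOB, "userPassword") is "read", so any authenticated user can read everybody's password hash and nobody can change their own; in the swapped order, granted(SWAPPED, None, ALICE, "userPassword") is "none", so an anonymous simple bind as alice cannot be checked. Only the third variant gives anonymous "auth", self "write" and other users "none" on userPassword.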
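The control-flag explanation in the quoted reply ("if a local account exists, jump to the third rule"), as an added example that is not code from the thread or from Linux-PAM: a Python model of how Linux-PAM walks one facility of a stack according to pam.conf(5), with the keyword controls expanded to their [value=action] form. Module behaviour is stubbed with constructed data: pam_unix succeeds only for names in a constructed local set, pam_ldap only for names in a constructed directory set and only while a constructed ldap_reachable flag is true; pam_env, pam_permit and pam_limits always succeed and pam_deny always fails. It parses the auth and account lines of both posted stacks and reports which modules each one actually invokes for a local user and for an LDAP-only user, with the directory up and down. It says nothing about where the 15 seconds in the thread go; it only shows which backend each stack talks to.

```python
"""Model of Linux-PAM stack evaluation (pam.conf(5)) over the thread's stacks."""
from dataclasses import dataclass

# Keyword controls as pam.conf(5) defines them: module return value -> action.
# "ok"/"bad" record a result and continue, "done"/"die" record it and stop,
# "ignore" leaves the result alone, integer N acts as "ok" and skips N modules.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(token):
    """Keyword or bracketed [value=action ...] control."""
    if token in KEYWORDS:
        return dict(KEYWORDS[token])
    if token.startswith("[") and token.endswith("]"):
        ctl = {}
        for kv in token[1:-1].split():
            key, val = kv.split("=", 1)
            ctl[key] = int(val) if val.isdigit() else val
        return ctl
    raise ValueError(f"unknown control {token!r}")

def parse_stack(pam_text, facility):
    """Return [(control, module)] for one facility ('auth', 'account', ...)."""
    stack = []
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        end = 1
        while parts[1].startswith("[") and not parts[end].endswith("]"):
            end += 1                                  # bracketed control spans tokens
        control = parse_control(" ".join(parts[1:end + 1]))
        module = parts[end + 1].rsplit("/", 1)[-1]    # drop /lib/security/
        stack.append((control, module))
    return stack

@dataclass
class Backends:
    """Constructed world: who the local files and the directory know about."""
    local_users: frozenset
    ldap_users: frozenset
    ldap_reachable: bool = True

def call_module(module, user, backends):
    """Stubbed module results; not real module behaviour beyond success/failure."""
    if module == "pam_unix.so":
        return "success" if user in backends.local_users else "auth_err"
    if module == "pam_ldap.so":
        if not backends.ldap_reachable:
            return "authinfo_unavail"
        return "success" if user in backends.ldap_users else "user_unknown"
    if module == "pam_deny.so":
        return "auth_err"
    return "success"    # pam_env, pam_permit, pam_limits: always succeed here

def run_stack(stack, user, backends):
    """Walk the stack; return (granted, [modules actually invoked])."""
    trace, skip, impression = [], 0, None   # impression: None/True/False
    for control, module in stack:
        if skip:
            skip -= 1                       # jumped over: never called
            continue
        result = call_module(module, user, backends)
        trace.append(module)
        action = control.get(result, control.get("default", "ignore"))
        if isinstance(action, int):         # jump: counts as "ok", skips N
            skip, action = action, "ok"
        if action in ("ok", "done") and impression is None:
            impression = True
        elif action in ("bad", "die") and impression is not False:
            impression = False              # first failure sticks
        if action in ("done", "die"):
            break
    return impression is True, trace

# The two stacks quoted in the thread, trimmed to auth and account.
BIJAYANT = """
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
"""
MARC = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
"""

def consulted(pam_text, facility, user, backends):
    """(granted, modules invoked) for one stack, facility and user."""
    return run_stack(parse_stack(pam_text, facility), user, backends)
```

With up = Backends(frozenset({"root"}), frozenset({"bijayant"}), True), consulted(MARC, "account", "root", up) returns (True, ["pam_unix.so", "pam_permit.so"]): pam_ldap is jumped over for a local account. consulted(BIJAYANT, "account", "root", up) returns (True, ["pam_unix.so", "pam_ldap.so"]): the posted account stack still calls pam_ldap for root, because "account required pam_unix.so" records success but does not stop the stack. For the auth facility both stacks reach pam_unix first and never touch pam_ldap for a local user.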