
[Fedora-directory-users] Trouble setting up pam passthru plugin




Hi all,
  I'm trying to set up our FDS 1.0.2 server to do the PAM passthrough 
authentication for simple binds so that we don't have to store passwords in 
the DS. I'm new to FDS, but not to LDAP or Kerberos. Something is wonky, 
though, and I'm at a loss.

I've compiled the pam-passthru-plugin.so library, and configured it 
according to the README doc for that plugin. The plugin is showing as 
loaded, and the response I'm getting back indicates that it is trying to do 
the check, so I don't think it's a config issue with the plugin.

However, I'm getting conflicting log entries as to the success of the 
authentication. The slapd error logs are showing:

[15/May/2006:14:22:49 -0500] pam_passthru-plugin - Expired PAM password for user id [pengle], bind DN [uid=pengle,ou=people,dc=rice,dc=edu]: reset required

But, /var/log/messages is reporting:

May 15 14:22:49 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 'pengle' (pengle RICE EDU)

So, it looks like the Kerberos auth is working, but whatever response the 
LDAP server is getting isn't being interpreted as a success.

I'm not a PAM guru, so my /etc/pam.d/ldapserver is very basic:

#%PAM-1.0
auth        required     /lib/security/$ISA/pam_krb5.so debug no_user_check

In case it's an issue, this is a RHEL4 box. And the command I'm testing 
with is

/usr/bin/ldapsearch -x -W -H 'ldaps://ldap1.rice.edu:636' -D "uid=pengle,ou=People,dc=rice,dc=edu" -b "ou=People,dc=rice,dc=edu" '(uid=pengle)'

Have I done something obviously wrong? If anyone has gotten this to work 
and can give me some pointers, I'd be very grateful. As far as I know, our 
Kerberos repository doesn't do password aging, so I don't understand the 
error.

Thanks for your time,
  -paul

-- 
Paul D. Engle                | Rice University
Sr. Systems Administrator    | Information Technology - MS119
(713) 348-4702               | P.O. Box 1892
pengle rice edu              | Houston, TX 77251-1892
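
The conflict described in the message above (pam_krb5 logs a success while the plugin logs a failure for the same bind) can be picked out of the two logs mechanically. This is an added example, not part of the original post or the plugin's code; it assumes both logs use the same local time, borrows the year from the slapd entry because syslog omits it, uses a 2-second match window, and includes a constructed 'jdoe' line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two entries quoted in the post, plus one
# made-up syslog line for another user with no matching slapd error.
SLAPD_ERRORS = """\
[15/May/2006:14:22:49 -0500] pam_passthru-plugin - Expired PAM password for user id [pengle], bind DN [uid=pengle,ou=people,dc=rice,dc=edu]: reset required
"""
SYSLOG = """\
May 15 14:22:49 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 'pengle' (pengle RICE EDU)
May 15 14:23:10 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 'jdoe' (jdoe RICE EDU)
"""

SLAPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] pam_passthru-plugin - (?P<msg>.*?) for user id "
    r"\[(?P<user>[^\]]+)\], bind DN \[(?P<dn>[^\]]+)\]")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ ns-slapd: pam_krb5\[\d+\]: "
    r"authentication succeeds for '(?P<user>[^']+)'")


def find_conflicts(slapd_text, syslog_text, window=timedelta(seconds=2)):
    """Return (user, bind DN, plugin message, time) for every plugin failure
    that has a pam_krb5 success for the same user within `window`."""
    failures = []
    for line in slapd_text.splitlines():
        m = SLAPD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            # Drop the offset: both logs are assumed to be in the same zone.
            failures.append((m["user"], m["dn"], m["msg"], ts.replace(tzinfo=None)))
    conflicts = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for user, dn, msg, ts in failures:
            # syslog omits the year; borrow it from the slapd entry (assumption).
            seen = datetime.strptime(f"{ts.year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if user == m["user"] and abs(seen - ts) <= window:
                conflicts.append((user, dn, msg, ts))
    return conflicts


if __name__ == "__main__":
    for user, dn, msg, ts in find_conflicts(SLAPD_ERRORS, SYSLOG):
        print(f"{ts} {user}: pam_krb5 succeeded but plugin reported '{msg}' ({dn})")
```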

