Can't authenticate to LDAP domain with Redhat9

shaughto shaughto at ee.ucr.edu
Fri Jul 2 01:27:05 UTC 2004


Here are my config files, if this helps:

[root at blochee pam.d]# cat system-auth
#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_ldap.so

[root at blochee /]# cat /etc/ldap.conf
base dc=ee,dc=ucr,dc=edu
uri ldaps://ldap.ee.ucr.edu/
ldap_version 3
scope sub
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=ee,dc=ucr,dc=edu?one
nss_base_shadow ou=People,dc=ee,dc=ucr,dc=edu?one
nss_base_group ou=Group,dc=ee,dc=ucr,dc=edu?one
nss_base_netgroup ou=Netgroup,dc=ee,dc=ucr,dc=edu?one

ssl on
tls_cacertdir /etc/ssl/certs
tls_cacert /etc/ssl/certs/eeca.pem
tls_reqcert allow
[root at blochee /]#


[root at blochee /]# cat /etc/nsswitch.conf
#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and
# /etc/group.
passwd:         files ldap
group:          files ldap


# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          files dns

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup:   ldap
[root at blochee /]#

Thanks again.

----- Original Message ----- 
From: "Rigler, Steve" <SRigler at MarathonOil.com>
To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
Sent: Thursday, July 01, 2004 5:36 PM
Subject: RE: Can't authenticate to LDAP domain with Redhat9


Try running "authconfig" and set up your LDAP configuration
that way.

-Steve


-----Original Message-----
From: redhat-list-bounces at redhat.com on behalf of Steven D. Haughton
Sent: Thu 7/1/2004 5:56 PM
To: redhat-list at redhat.com
Subject: Can't authenticate to LDAP domain with Redhat9

Hi,


I'm new to LDAP and fairly new to Linux as well, so bear with me.....


I've recently installed Red Hat 9 over Gentoo due to some commercial
software support. My problem is that I cannot get Red Hat to
authenticate to the LDAP domain.
Here is the current ldap software I have installed:

[root at hostname root]# rpm -qa | grep ldap
openldap-2.0.27-8
openldap-clients-2.0.27-8
nss_ldap-202-5
openldap-devel-2.0.27-8
openldap-servers-2.0.27-8
php-ldap-4.2.2-17.2

Here is current openssl:
[root at hostname root]# rpm -qa | grep openssl
openssl-0.9.7a-20.2
openssl-perl-0.9.7a-20.2
openssl096b-0.9.6b-15
openssl-devel-0.9.7a-20.2
openssl096-0.9.6-25.9

I also have autofs installed and running.
I have copied the exact files for /etc/ldap.conf, /etc/nsswitch.conf,
/etc/pam.d/system_auth, and /etc/ssl/certs/eeca.pem, and
/etc/autofs/auto.master
which work on other linux computers (Mainly Gentoo.... and 2 redhat9
computers).
I also copied ldap.conf into /etc/openldap/ldap.conf and copied
/etc/autofs/auto.master to /etc/auto.master.

So my config files must be correct if they work on other computers...
leaving me to believe that there must be extra config files on Red Hat
that I must set up.
I took out the hostname and domain names in the following test.

Test:
[root@"hostname" root]# ssh -ltestuser "hostname"
testuser@"hostname's" password:
Permission denied, please try again.

Log file:
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: authentication failure; logname= uid=0 euid=0
tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: 1 more authentication failure; logname= uid=0
euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu

Any ideas on how to resolve this issue? Thanks.

Also here is some more info on the problem.
When I run ldapsearch I get this:

[root at blochEE root]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2

#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm at ee.ucr.edu
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at blochEE root]#


And this is what I get when running getent:
[root at blochEE root]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
[root at blochEE root]#

From my understanding, it looks like the client can communicate OK with
the server, so I am at a loss as to why I cannot log in using users on
the LDAP server.


If you need any more info, please let me know and I'll be happy to
provide it.
Any responses will be most appreciated.
Thank you.


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list




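Added example, not code from the thread or from the redhat-list participants: a small evaluator for the Linux-PAM control flags (required, requisite, sufficient, optional, as documented in pam.d(5)) run over the auth and account phases of the system-auth file posted above. The point it makes is the one a reader of this thread most needs: a "sufficient" module such as pam_ldap.so can only end a phase with success if no earlier "required" module has already failed, so the outcome of pam_unix.so in the account phase matters even for users that exist only in LDAP. The per-module outcomes in the scenarios are hypothetical inputs chosen to exercise the flags; they are not a diagnosis of the poster's machine, and nothing here contacts an LDAP server.

```python
"""Evaluate a Linux-PAM module stack under the simple control flags.

Semantics modelled, per pam.d(5):
  required    a failure is recorded (the first one wins) but the rest of the
              stack still runs;
  requisite   a failure ends the stack at once;
  sufficient  a success ends the stack with success unless a required
              module already failed; a failure is ignored;
  optional    ignored unless it is the only module in the stack.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
PERM_DENIED = "PAM_PERM_DENIED"

# The auth and account phases exactly as posted in the thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
"""


@dataclass(frozen=True)
class Rule:
    control: str
    module: str  # basename only, e.g. "pam_ldap.so"


def parse_stack(text: str, phase: str) -> List[Rule]:
    """Return the rules of one phase (auth, account, ...) from pam.d text."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == phase:
            rules.append(Rule(fields[1], fields[2].rsplit("/", 1)[-1]))
    return rules


def evaluate(stack: List[Rule], outcomes: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Run the stack with caller-supplied per-module outcomes.

    Returns (final PAM status, module that decided it). Modules absent from
    `outcomes` succeed, except pam_deny.so, which always fails.
    """
    recorded: Optional[str] = None  # first failure of a required/requisite module
    positive = False                # some required/requisite module succeeded
    decided_by: Optional[str] = None
    for rule in stack:
        default = AUTH_ERR if rule.module == "pam_deny.so" else SUCCESS
        rc = outcomes.get(rule.module, default)
        ok = rc == SUCCESS
        if rule.control in ("required", "requisite"):
            if ok:
                if not positive:
                    positive, decided_by = True, rule.module
            elif recorded is None:
                recorded, decided_by = rc, rule.module
            if not ok and rule.control == "requisite":
                break  # requisite: stop at the first failure
        elif rule.control == "sufficient":
            if ok and recorded is None:
                return SUCCESS, rule.module  # nothing failed before us: done
            # a failing sufficient module is ignored
        elif rule.control == "optional":
            if len(stack) == 1:
                return rc, rule.module
        else:
            raise ValueError("unsupported control flag: " + rule.control)
    if recorded is not None:
        return recorded, decided_by
    if positive:
        return SUCCESS, decided_by
    return PERM_DENIED, None  # every module was ignored


# Hypothetical outcomes for a user that exists only in LDAP (what-if inputs,
# not observations from the poster's machine).
SCENARIOS = [
    ("auth: pam_unix has no hash, pam_ldap bind succeeds",
     "auth", {"pam_unix.so": AUTH_ERR, "pam_ldap.so": SUCCESS}),
    ("auth: pam_unix has no hash, pam_ldap bind fails",
     "auth", {"pam_unix.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR}),
    ("account: pam_unix cannot identify user, pam_ldap says ok",
     "account", {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS}),
    ("account: pam_unix ok, pam_ldap fails",
     "account", {"pam_ldap.so": USER_UNKNOWN}),
]


def run_scenarios(config: str = SYSTEM_AUTH) -> List[Tuple[str, str, Optional[str]]]:
    return [(label,) + evaluate(parse_stack(config, phase), outcomes)
            for label, phase, outcomes in SCENARIOS]


if __name__ == "__main__":
    for label, status, module in run_scenarios():
        print(f"{label:<58} -> {status} (decided by {module})")
```

The third scenario is the one worth staring at: with `account required pam_unix.so` listed first, a PAM_USER_UNKNOWN from pam_unix decides the account phase and the later `account sufficient pam_ldap.so` cannot rescue it, which is why the order and flags of the account stack deserve the same scrutiny as the auth stack when an LDAP-only user is refused.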





