Ldap x local users

Tiago Cruz tiagocruz at forumgdh.net
Tue Oct 16 19:22:38 UTC 2007


Hello Kent,

Thanks for the reply!

I have my users stored in my /etc/passwd, but it sounds like nss_ldap
and/or pam_ldap look local _and_ remote before giving me an answer.

Please look at one 'id' with debug output:

[root at sites-12 logs]# id daemon
ldap_create
ldap_url_parse_ext(ldap://saracura:636)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP saracura:636
ldap_new_socket: 3

[...]

** Connections:
* host: saracura  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Oct 16 17:17:37 2007

[...]

ldap_search_ext
put_filter: "(&(objectClass=posixGroup)(memberUid=daemon))"
put_filter: AND
put_filter_list "(objectClass=posixGroup)(memberUid=daemon)"
put_filter: "(objectClass=posixGroup)"
put_filter: simple
put_simple_filter: "objectClass=posixGroup"
put_filter: "(memberUid=daemon)"
put_filter: simple
put_simple_filter: "memberUid=daemon"

[...]

ldap_chkResponseList for msgid=2, all=0
ldap_chkResponseList returns NULL

[...]

res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree

uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)


On Tue, 2007-10-16 at 14:40 -0400, Rankin, Kent wrote:
> Just store them locally in /etc/passwd and /etc/shadow, and tell PAM to check those sources as well.

Maybe I have some mistake in PAM configuration:

Content of: /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022

Thanks for your help and attention!


-- 
Tiago Cruz
http://everlinux.com
Linux User #282636
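An added illustration for readers of this thread (it is not part of Tiago's mail, Kent's reply, or any Red Hat documentation). The debug trace above is produced on the NSS side: `id` calls the C library's group lookups, which /etc/nsswitch.conf routes to nss_ldap, so PAM is not involved in that output. The PAM stack, by contrast, decides authentication and account checks, and its `account` section deserves a second look: every module that can fail is `sufficient`, and the stack ends in `required pam_permit.so`. The simulator below applies the standard PAM control-flag rules to the posted `account` stack under a constructed scenario (a local user with uid >= 100, an expired /etc/shadow entry, and no LDAP entry); the per-module outcomes and the `REQUIRED_UNIX_STACK` variant are assumptions made for the example, not something the mail states.

```python
"""PAM control-flag simulator (added example; not from the original mail).

Evaluates one PAM management group (e.g. `account`) under assumed
per-module outcomes, using the classic control-flag semantics:

  required   - failure sets the final result to failure, stack continues
  requisite  - failure returns failure immediately
  sufficient - success (with no earlier required failure) returns success
               immediately; failure is ignored and the stack continues
  optional   - counts only when it is the sole module in the stack
"""

import re

# The `account` stack exactly as posted in the mail above.
POSTED_ACCOUNT_STACK = """
account     sufficient    /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
"""

# Assumed variant for comparison: pam_unix made `required` so that a
# failing local account check cannot be overridden by later modules.
REQUIRED_UNIX_STACK = POSTED_ACCOUNT_STACK.replace(
    "sufficient    /lib/security/$ISA/pam_unix.so",
    "required      /lib/security/$ISA/pam_unix.so",
)

LINE_RE = re.compile(
    r"^(?P<type>\w+)\s+(?P<control>\w+|\[[^\]]+\])\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_stack(text, mgmt_type):
    """Return [(control, module_basename, args)] for lines of one type."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group("type") != mgmt_type:
            continue
        module = m.group("module").rsplit("/", 1)[-1]  # drop path and $ISA
        entries.append((m.group("control"), module, m.group("args") or ""))
    return entries


def evaluate(stack, outcomes):
    """Walk the stack; `outcomes` maps module basename -> True/False.

    Returns (final_result, trace); final_result True means PAM_SUCCESS.
    """
    required_failed = False
    trace = []
    for control, module, _args in stack:
        ok = outcomes[module]
        trace.append(f"{module}: {'success' if ok else 'failure'} ({control})")
        if control == "requisite" and not ok:
            trace.append("requisite failure -> return PAM failure")
            return False, trace
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            trace.append("sufficient success -> return PAM success")
            return True, trace
    if len(stack) == 1 and stack[0][0] == "optional":
        return outcomes[stack[0][1]], trace
    return (not required_failed), trace


# Constructed scenario: a local account with uid >= 100 whose /etc/shadow
# entry has expired, and which does not exist in the LDAP directory.
EXPIRED_LOCAL_USER = {
    "pam_unix.so": False,        # account expired/locked in /etc/shadow
    "pam_succeed_if.so": False,  # uid is not < 100
    "pam_ldap.so": False,        # user unknown to the directory
    "pam_permit.so": True,       # always succeeds
}


def account_decision(stack_text, outcomes):
    """Final result of the `account` phase for a given stack and scenario."""
    return evaluate(parse_stack(stack_text, "account"), outcomes)[0]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACCOUNT_STACK),
                       ("pam_unix required", REQUIRED_UNIX_STACK)):
        result, trace = evaluate(parse_stack(text, "account"), EXPIRED_LOCAL_USER)
        print(f"[{name}] account phase -> {'PAM_SUCCESS' if result else 'PAM failure'}")
        for step in trace:
            print("   ", step)
```

With the posted stack, all three failures are ignored because each module is `sufficient`, and `required pam_permit.so` then supplies a success, so the account phase can never deny a user that pam_unix rejects. In the assumed variant, the `required` failure of pam_unix sticks even though the stack runs to the end. For the `id` output itself, the place to look is the `group:` line of /etc/nsswitch.conf rather than this file.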





More information about the redhat-sysadmin-list mailing list