Ldap x local users
Tiago Cruz
tiagocruz at forumgdh.net
Tue Oct 16 19:22:38 UTC 2007
Hello Kent,
Thanks for the reply!
I have my users stored in my /etc/passwd, but it sounds like nss_ldap
and/or pam_ldap look local _and_ remote before giving me an answer.
Please look at one 'id' run with debug output:
[root at sites-12 logs]# id daemon
ldap_create
ldap_url_parse_ext(ldap://saracura:636)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP saracura:636
ldap_new_socket: 3
[...]
** Connections:
* host: saracura port: 636 (default)
refcnt: 2 status: Connected
last used: Tue Oct 16 17:17:37 2007
[...]
ldap_search_ext
put_filter: "(&(objectClass=posixGroup)(memberUid=daemon))"
put_filter: AND
put_filter_list "(objectClass=posixGroup)(memberUid=daemon)"
put_filter: "(objectClass=posixGroup)"
put_filter: simple
put_simple_filter: "objectClass=posixGroup"
put_filter: "(memberUid=daemon)"
put_filter: simple
put_simple_filter: "memberUid=daemon"
[...]
ldap_chkResponseList for msgid=2, all=0
ldap_chkResponseList returns NULL
[...]
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
uid=2(daemon) gid=2(daemon) groups=2(daemon),1(bin),4(adm),7(lp)
On Tue, 2007-10-16 at 14:40 -0400, Rankin, Kent wrote:
> Just store them locally in /etc/passwd and /etc/shadow, and tell PAM to check those sources as well.
Maybe I have some mistake in my PAM configuration:
Content of /etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     sufficient    /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
Thanks for your help and attention!
--
Tiago Cruz
http://everlinux.com
Linux User #282636
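The posixGroup/memberUid search in the `id` trace above is an NSS group-membership lookup (driven by the `group:` line of nsswitch.conf), not a PAM call; the toy evaluator below, added here and not part of the post, walks the posted auth and account stacks with Linux-PAM control-flag semantics to show which modules a local user actually reaches. Module outcomes are supplied as plain booleans; nothing here talks to PAM, NSS or an LDAP server.

```python
# Added example (not from the post): a toy evaluator for Linux-PAM control
# flags, run over the auth and account stacks transcribed from the posted
# /etc/pam.d/system-auth. Module outcomes are supplied as plain booleans;
# nothing here talks to PAM, NSS or an LDAP server.

AUTH_STACK = [  # (control, module) in posted order
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_deny"),
]
ACCOUNT_STACK = [
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_succeed_if"),   # uid < 100
    ("sufficient", "pam_ldap"),
    ("required", "pam_permit"),
]

# Modules whose result never depends on the user.
FIXED = {"pam_env": True, "pam_permit": True, "pam_deny": False}


def run_stack(stack, results):
    """Walk a stack with Linux-PAM semantics. `results` maps module -> bool
    for user-dependent modules. Returns (granted, modules_called)."""
    required_failed = False
    called = []
    for control, module in stack:
        ok = FIXED.get(module, results.get(module, False))
        called.append(module)
        if control == "requisite" and not ok:
            return False, called           # fail and stop at once
        if control == "required" and not ok:
            required_failed = True         # final answer is no, but keep going
        if control == "sufficient" and ok and not required_failed:
            return True, called            # short-circuit: later modules skipped
        # "optional" only counts when it is the sole module in the stack
    return not required_failed, called


def local_user_auth(password_ok):
    """auth phase for a /etc/shadow user (assumed not to exist in LDAP)."""
    return run_stack(AUTH_STACK, {"pam_unix": password_ok, "pam_ldap": False})


def account_check(uid, local, in_ldap):
    """account phase: pam_unix succeeds only for local users, pam_succeed_if
    for system uids, pam_ldap when the LDAP account check passes."""
    return run_stack(ACCOUNT_STACK,
                     {"pam_unix": local, "pam_succeed_if": uid < 100,
                      "pam_ldap": in_ldap})
```

With a correct password a local user is granted by pam_unix and pam_ldap is never called; only a failed local password falls through to pam_ldap (use_first_pass) and then pam_deny. Because every account module before it is `sufficient`, the trailing `required pam_permit` means the account phase never denies a user whose pam_ldap account check fails, which is worth knowing if LDAP is meant to disable or expire accounts.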
More information about the redhat-sysadmin-list mailing list