Hi,

I am trying to set up a Fedora Directory server for centralised authentication. I configure the directory server, add a user called test (via the Java GUI) and then, using system-config-authentication, enable LDAP on both tabs. I then try to log in using the test account I set up on the directory, but I get an error message in /var/log/messages:

May 30 16:28:27 ds1 sshd(pam_unix)[4445]: check pass; user unknown
May 30 16:28:27 ds1 sshd(pam_unix)[4445]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain

which seems to indicate that it cannot find the user in the directory. The server is accepting connections on the standard LDAP port.

Am I missing anything?

Thanks

Gabriel
On Thu, May 31, 2007 at 12:38:55PM +0100, first last wrote:
> Hi,
>
> I am trying to set up a Fedora Directory server for centralised
> authentication.

I'm using that setup.

> I configure the directory server, add a user called (via the Java GUI)
> test

Could you do an ldap search for that user and show the output, please? Like so:

# ldapsearch -LLL -x 'uid=lmf'

The output should be something like:

dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
uid: lmf
cn: Luciano Rocha
cn: luciano
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12715
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/lmf
gecos: Luciano Rocha

The ou=Users can be ou=People or something else. But uid must be present for the user you added, and also objectClass: posixAccount.

Then check if you can bind to ldap using the dn of the user:

# ldapsearch -LLL -x 'uid=lmf' -D uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com -W uid
Enter LDAP Password:
dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
uid: lmf

> and then, using system-config-authentication, enable LDAP on both
> tabs.

/etc/nsswitch.conf should have:

passwd: files ldap

And /etc/openldap/ldap.conf should have a valid URI, pointing to the server, and a valid BASE.

If that file has all those values commented out, then they should be in /etc/ldap.conf. In any case, also check /etc/ldap.conf. If /etc/openldap/ldap.conf has a valid URI, then comment out any host definition. Check that base is the correct one, and also check that any nss_base, if defined, has the same basedn as the one you found in the search.

Then test the user identification by running id <user>:

# id lmf
uid=501(lmf) gid=501(lmf) groups=501(lmf),...

If this works, then the next step is checking the pam configuration. But I'll end the email now because it's lunch time here. :)

-- 
lfr
0/0
first last wrote:
> Hi,
>
> I am trying to set up a Fedora Directory server for centralised
> authentication.
>
> I configure the directory server, add a user called (via the Java GUI)
> test and then, using system-config-authentication, enable LDAP on both
> tabs. I then try to log-in using the test account I set up on the
> directory, but I get an error message in /var/log/messages:
>
> May 30 16:28:27 ds1 sshd(pam_unix)[4445]: check pass; user unknown
> May 30 16:28:27 ds1 sshd(pam_unix)[4445]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain
>
> which seems to indicate that it cannot find the user in the directory.
> The server is accepting connections on the standard LDAP port.
>
> Am I missing anything?
>
> Thanks
>
> Gabriel

Just on a lark, check the contents of /etc/ldap.conf, the file the nss_ldap/pam_ldap stuff uses to identify the server. I ran the system-config-authentication GUI on some CentOS 4.5 systems and they failed to change the contents of that file as appropriate.

All I had to do was change the "host" and "base" entries to point to my server and it worked just fine. I'm not sure if this is an isolated problem or a real, live bug; I'm going to test it further to see if I can tell.

-- 
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
> Could you do an ldap search for that user and show the output,
> please?
> Like so:
> # ldapsearch -LLL -x 'uid=lmf'

I do

ldapsearch -LLL -x 'uid=ttest'

and I get nothing. If I do

ldapsearch -LLL -x

I get a list of things like:

dn: cn=Accounting Managers,ou=groups,dc=internal,dc=domain,dc=com
objectClass: top
objectClass: groupOfUniqueNames
ou: groups
description: blah, blah

But I can not see the group I added (developers) or the user (ttest). The user has all the POSIX details filled in.

> Then check if you can bind to ldap using the dn of the user:
> # ldapsearch -LLL -x 'uid=lmf' -D
> uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com -W uid
> Enter LDAP Password:
> dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
> uid: lmf

This doesn't work (as expected).

> > and then, using system-config-authentication, enable LDAP on both
> > tabs.
> /etc/nsswitch.conf should have:
> passwd: files ldap

This is correct. Also group and shadow have "files ldap".

> And /etc/openldap/ldap.conf should have a valid URI, pointing to the
> server and a valid BASE
>
> If that file has all those values commented out, then they should be
> in /etc/ldap.conf.

Same content on both files.

> In any case, also check /etc/ldap.conf. If /etc/openldap/ldap.conf
> has a valid URI, then comment out any host definition. Check that base
> is the correct one, and also check that any nss_base, if defined has
> the same basedn as the one you found in the search.

These are correct: BASE is set to internal.domain.com and URI to the server I am running it on.

Any help would be appreciated :)

Gabriel
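Added example, not code from the thread or from any project it mentions: a POSIX shell script that mechanises the checks Luciano lists in his reply (a posixAccount entry with uid, BASE in ldap.conf matching the directory suffix seen in the search, and nsswitch.conf listing ldap) so they can be run against the values Gabriel reports above. SAMPLE_LDIF is a constructed entry modelled on Luciano's example; the ldap.conf and nsswitch.conf paths are assumed to be passed in as arguments.

```shell
# Added example, not code from the thread. Offline checks for the three
# things Luciano asks for, using the values the thread shows; SAMPLE_LDIF
# is a constructed entry modelled on his example, not a real directory.
SAMPLE_LDIF='dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
uid: lmf
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/lmf'

# check_posix_entry: read "ldapsearch -LLL -x uid=<user>" output on stdin
# and verify it carries everything nss_ldap needs for a passwd entry.
# An empty reply (Gabriel's case) means the uid is not found under BASE.
check_posix_entry() {
    ldif=$(cat); missing=""
    [ -n "$ldif" ] || { echo "no entry returned: uid not found under BASE"; return 1; }
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        printf '%s\n' "$ldif" | grep -q "^$attr: " || missing="$missing $attr"
    done
    printf '%s\n' "$ldif" | grep -q '^objectClass: posixAccount$' \
        || missing="$missing objectClass=posixAccount"
    [ -z "$missing" ] || { echo "entry is missing:$missing"; return 1; }
}

# check_base: the BASE line of an ldap.conf must equal the dc= suffix of the
# dn returned by the search; a hostname-style value is not a DN and never
# matches, so lookups silently return nothing.
check_base() {
    ldif=$(cat); dn=$(printf '%s\n' "$ldif" | sed -n 's/^dn: //p' | head -1)
    case $dn in *,dc=*) want="dc=${dn#*,dc=}";; *) want="";; esac
    have=$(sed -n 's/^[Bb][Aa][Ss][Ee][[:space:]][[:space:]]*//p' "$1" | head -1)
    [ -n "$want" ] && [ "$want" = "$have" ] && return 0
    echo "BASE '$have' does not match directory suffix '$want'"; return 1
}

# check_nsswitch: passwd, shadow and group must each list the ldap source.
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            || { echo "$db: ldap not listed in $1"; rc=1; }
    done
    return $rc
}
```

On a real client, pipe the output of ldapsearch into check_posix_entry and check_base, and point check_nsswitch at /etc/nsswitch.conf.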
> > I am trying to set up a Fedora Directory server for centralised
> > authentication.
> >
> > I configure the directory server, add a user called (via the Java GUI)
> > test and then, using system-config-authentication, enable LDAP on both
> > tabs. I then try to log-in using the test account I set up on the
> > directory, but I get an error message in /var/log/messages:
> >
> > May 30 16:28:27 ds1 sshd(pam_unix)[4445]: check pass; user unknown
> > May 30 16:28:27 ds1 sshd(pam_unix)[4445]: authentication failure;
> > logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain
> >
> > which seems to indicate that it cannot find the user in the directory.
> > The server is accepting connections on the standard LDAP port.
> >
> > Am I missing anything?
> >
> > Thanks
> >
> > Gabriel
>
> Just on a lark, check the contents of /etc/ldap.conf, the file the
> nss_ldap/pam_ldap stuff uses to identify the server. I ran the
> system-config-authentication GUI on some CentOS 4.5 systems and they
> failed to change the contents of that file as appropriate.
>
> All I had to do was change the "host" and "base" entries to point to my
> server and it worked just fine. I'm not sure if this is an isolated
> problem or a real, live bug, I'm going to test it further to see if I
> can tell.

I have checked the configuration and it is correct. The directory log reports that the search does not find the uid for the user, which seems to indicate that the error is not within CentOS, as it is passing the right data via the ldap module.

I guess it is time to hit the fedora lists.

Thanks

Gabriel