Hi all!

I am happy to see that the community has got a good-looking directory server. Soon, I hope I can throw away our M$ active directory, and run fedora directory instead, but I am having some issues authenticating linux desktops.

So, here's what I have:
Fedora Directory installed on CentOS 4.0 (redhat EL clone)
Ran the typical install (after reading redhat directory install manual)

I can successfully login to the web-admin interface, and add users (after binding as Directory Manager).

Due to a java error, I cannot use the console, but I'd rather use GQ (a gnome LDAP tool). I can bind (as Directory Manager), and add/remove stuff.

So, here's what I continued doing:
Added a user (using the webinterface).
Added objectclass posixAccount to this user (using GQ)

Turning to my desktop, running Ubuntu Hoary and Openldap, I set it up using this ldap config:
host ldap.mydomain.com
base dc=mydomain,dc=com
ldap_version 3
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
ssl no
#ssl start_tls
#tls_checkpeer no
pam_password ssha

I've tried to use ssl (and tls_checkpeer no), and no ssl.... nothing works.

In my log on the fedora directory server, I see the connection, and it first tries to find the posixAccount, and returns no error. Then it looks for shadowAccount, and returns no error (after I added that objectclass as well).

The client worked fine, authenticating with my previous openldap server... and I can't see why it doesn't authenticate with my new fedora server.

Help would be highly appreciated :)

/Thomas
Christopher Blizzard
2005-Jun-07 13:21 UTC
Re: [Fedora-directory-users] PAM authentication
Thomas Mathiesen wrote:
> Due to a java error, I cannot use the console, but I'd rather use GQ (a gnome
> LDAP tool). I can bind (as Directory Manager), and add/remove stuff.

Are you running into this problem?

http://directory.fedora.redhat.com/wiki/FAQ#Exception_in_thread_.22main.22_java.lang.ExceptionInInitializerError

--Chris
Thomas Mathiesen wrote:
> Hi all!
>
> I am happy to see that the community has got a good-looking directory server.
> Soon, I hope I can throw away our M$ active directory, and run fedora
> directory instead, but I am having some issues authenticating linux desktops.
>
> So, here's what I have:
> Fedora Directory installed on CentOS 4.0 (redhat EL clone)
> Ran the typical install (after reading redhat directory install manual)
>
> I can successfully login to the web-admin interface, and add users (after
> binding as Directory Manager).
>
> Due to a java error, I cannot use the console, but I'd rather use GQ (a gnome
> LDAP tool). I can bind (as Directory Manager), and add/remove stuff.
>
> So, here's what I continued doing:
> Added a user (using the webinterface).
> Added objectclass posixAccount to this user (using GQ)
>
> Turning to my desktop, running Ubuntu Hoary and Openldap, I set it up using
> this ldap config:
> host ldap.mydomain.com
> base dc=mydomain,dc=com
> ldap_version 3
> timelimit 30
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> ssl no
> #ssl start_tls
> #tls_checkpeer no
> pam_password ssha
>
> I've tried to use ssl (and tls_checkpeer no), and no ssl.... nothing works.
>
> In my log on the fedora directory server, I see the connection, and it first
> tries to find the posixAccount, and returns no error. Then it looks for
> shadowAccount, and returns no error (after I added that objectclass as well).
>
> The client worked fine, authenticating with my previous openldap server... and
> I can't see why it doesn't authenticate with my new fedora server.

Hi Thomas,

What ldap requests are your clients posting to the fedora directory server for authentication? Could you cut and paste the corresponding access log entries from the fedora directory server?

Thanks,

-- toto

> Help would be highly appreciated :)
>
> /Thomas
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Tue, Jun 07, 2005 at 12:00:34PM +0000, Thomas Mathiesen wrote:
> So, here's what I continued doing:
> Added a user (using the webinterface).
> Added objectclass posixAccount to this user (using GQ)
>
> Turning to my desktop, running Ubuntu Hoary and Openldap, I set it up using
> this ldap config:
> host ldap.mydomain.com
> base dc=mydomain,dc=com
> ldap_version 3
> timelimit 30
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> ssl no
> #ssl start_tls
> #tls_checkpeer no
> pam_password ssha
>
> I've tried to use ssl (and tls_checkpeer no), and no ssl.... nothing works.
>
> In my log on the fedora directory server, I see the connection, and it first
> tries to find the posixAccount, and returns no error. Then it looks for
> shadowAccount, and returns no error (after I added that objectclass as well).
>
> The client worked fine, authenticating with my previous openldap server... and
> I can't see why it doesn't authenticate with my new fedora server.

Can you give us some more details to go on? Are you using pam_ldap to check passwords, or are you just using nss_ldap in combination with pam_unix? What do your system logs indicate when the user's attempt to authenticate fails?

If it's nss_ldap+pam_unix, can you read the userPassword attribute of the user's posixAccount object when you bind to the directory anonymously? For example, does this command give you any userPassword values?

ldapsearch -x -h ldap.mydomain.com -b dc=mydomain,dc=com \
    uid=username userPassword

My guess here is that you have an ACI on dc=mydomain,dc=com which allows read access to any attribute except "userPassword" for anonymous users, and because nss_ldap is binding to the directory anonymously on pam_unix's behalf to read the attribute, pam_unix can't check passwords.

HTH,

Nalin
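Nalin's diagnosis turns on one detail: with nss_ldap + pam_unix the client must be able to read the userPassword hash anonymously and compare it locally, whereas with pam_ldap the client binds as the user and the server does the comparison, so no hash ever has to be exposed. The script below is an added example written for this page; it is not code from the thread, from nss_ldap, or from Fedora Directory Server. It parses the LDIF that Nalin's ldapsearch command prints (a constructed sample stands in for real server output; the uid "thomas", the password "s3cret" and the fixed salt are made up), reports whether the hash is visible the way pam_unix would need it, and shows the {SSHA} comparison that pam_unix performs once it has the hash (the client config on the page writes passwords in that scheme via `pam_password ssha`).

```python
"""Classify the nss_ldap + pam_unix failure mode from the thread.

pam_unix cannot verify a password it cannot read. With nss_ldap it obtains
userPassword through an anonymous LDAP read, so an ACI that hides the
attribute from anonymous binds breaks login even though every posixAccount
and shadowAccount lookup in the server's access log "returns no error".
Added example; not the project's or the poster's code.
"""
import base64
import hashlib
import hmac
import os


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space
    continues the previous logical line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} dicts.

    Attribute names are lower-cased (LDAP attribute names are case-
    insensitive) and 'attr:: <base64>' values are decoded. This is enough
    for search output; it is not a full RFC 2849 parser (no changetype,
    no URL-valued attributes).
    """
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():          # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):     # base64 form, as ldapsearch prints userPassword
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def diagnose(ldif_text, uid):
    """What pam_unix-via-nss_ldap will see for `uid` in an anonymous search.

    'hash-readable': login can work, but the hash is world-readable.
    'hash-hidden':   entry found, userPassword filtered by an ACI (Nalin's guess).
    'no-entry':      filter, base DN, or an ACI hides the entry itself.
    """
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0].lower()
        if dn.startswith("uid=%s," % uid.lower()) or uid in entry.get("uid", []):
            return "hash-readable" if entry.get("userpassword") else "hash-hidden"
    return "no-entry"


def make_ssha(password, salt=None):
    """Produce a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """The comparison pam_unix does once it holds the hash.
    Any scheme other than {SSHA} is rejected rather than guessed at."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):])
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]
    if len(digest) != 20:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def sample_ldif(hide_password):
    """Constructed stand-in for the output of
    `ldapsearch -x -h ldap.mydomain.com -b dc=mydomain,dc=com uid=thomas userPassword`.
    Values are made up; the fixed salt keeps the sample deterministic."""
    encoded = base64.b64encode(make_ssha("s3cret", b"\x01\x02\x03\x04").encode()).decode()
    lines = [
        "dn: uid=thomas,ou=People,dc=mydomain,dc=com",
        "uid: thomas",
        "objectClass: posixAccount",
        "description: constructed sample,",
        "  used to exercise line unfolding",
    ]
    if not hide_password:
        lines.append("userPassword:: " + encoded)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for hidden in (False, True):
        print("userPassword hidden by ACI: %-5s -> %s" % (hidden, diagnose(sample_ldif(hidden), "thomas")))
```

Run against real output by piping the ldapsearch command into `diagnose()`. A "hash-hidden" result is the situation Nalin describes and is the server doing the right thing: the usual remedy is to let pam_ldap bind as the user (the server then compares the password itself) rather than loosening the ACI so anonymous clients can read every account's hash. To see which ACI is in effect, search the suffix entry for its `aci` attribute with an authenticated bind; the default anonymous-read ACI on a Fedora/Red Hat Directory Server suffix is, as far as I recall, written with `(targetattr != "userPassword")`, which is exactly the shape guessed at above.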