Enrico Valsecchi
2005-Dec-16 12:07 UTC
[Fedora-directory-users] Probably very stupid problem ....
Hi All,

I have a problem. My users, stored correctly into Fedora-DS, can't log in to my Linux system. (With OpenLDAP I did not have this problem.) I don't understand where MY error is! :(

Here are my system settings....

Many Thanks!

Bye,

Enrico

/etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so

/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap

/etc/ldap.conf AND /etc/openldap.conf
suffix "dc=chiccomara,dc=org"
uri ldap://centos.chiccomara.org/
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password ssha
nss_base_passwd ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org
nss_base_shadow ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org
nss_base_group ou=Groups,ou=Mizar Solutions,dc=chiccomara,dc=org
# nss_base_hosts ou=Host,ou=Mizar Solutions,dc=chiccomara,dc=org
scope one
Craig White
2005-Dec-16 13:23 UTC
Re: [Fedora-directory-users] Probably very stupid problem ....
On Fri, 2005-12-16 at 13:07 +0100, Enrico Valsecchi wrote:
> Hi All,
>
> I have a problem.
> My users, stored correctly into Fedora-DS,
> can't log in to my Linux system.
> (With OpenLDAP I did not have this problem.)
> I don't understand where MY error is!
> :(
>
> Here are my system settings....
>
> Many Thanks!
>
> Bye,
>
> Enrico
>
> /etc/pam.d/system-auth
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
> /etc/nsswitch.conf
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> /etc/ldap.conf AND /etc/openldap.conf
> suffix "dc=chiccomara,dc=org"
----
should have /etc/openldap/ldap.conf with at least...

BASE: dc=chiccomara,dc=org
HOST: 127.0.0.1
----
> uri ldap://centos.chiccomara.org/
> ldap_version 3
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberuid
> pam_password ssha
> nss_base_passwd ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org
> nss_base_shadow ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org
> nss_base_group ou=Groups,ou=Mizar Solutions,dc=chiccomara,dc=org
> # nss_base_hosts ou=Host,ou=Mizar Solutions,dc=chiccomara,dc=org
> scope one
-----
probably need here...

base: dc=chiccomara,dc=org
host: 127.0.0.1
rootbinddn: cn=Directory Manager   #or whatever bind dn you choose

and I am not all knowing on PADL tools but I would have...

nss_base_passwd ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org?one
nss_base_shadow ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org?one
nss_base_group ou=Groups,ou=Mizar Solutions,dc=chiccomara,dc=org?one

and then /etc/ldap.secret with your rootbinddn password chmod 600

and you should be able to simply test it by doing...

getent passwd
getent group

and get your users/groups listed

Craig
Enrico Valsecchi
2005-Dec-16 13:36 UTC
Re: [Fedora-directory-users] Probably very stupid problem ....
> should have /etc/openldap/ldap.conf with at least...
>
> BASE: dc=chiccomara,dc=org
> HOST: 127.0.0.1

[.... cut ....]

> > # nss_base_hosts ou=Host,ou=Mizar Solutions,dc=chiccomara,dc=org
> > scope one
> probably need here...
>
> base: dc=chiccomara,dc=org
> host: 127.0.0.1
> rootbinddn: cn=Directory Manager #or whatever bind dn you choose
> and I am not all knowing on PADL tools but I would have...
> nss_base_passwd ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org?one
> nss_base_shadow ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org?one
> nss_base_group ou=Groups,ou=Mizar Solutions,dc=chiccomara,dc=org?one
>
> and then /etc/ldap.secret with your rootbinddn password chmod 600
>
> and you should be able to simply test it by doing...
>
> getent passwd
> getent group

Mumble mumble, if I run getent passwd and getent group, I get a complete list of users and groups. The only problem is user authentication!

I have saved my users (with posixAccount) under an ou called "Users". During the last hour I have searched the net for a solution, without result.

Then I thought to replace the ou "Users" with an ou "People", and I saved a new user under this new ou. Magically it all works.

Question: at this point, is it necessary to have an ou called "People" in order to guarantee authentication under Linux with Fedora-DS?

Bye,

Enrico
Richard Megginson
2005-Dec-16 16:11 UTC
Re: [Fedora-directory-users] Probably very stupid problem ....
Enrico Valsecchi wrote:
>> should have /etc/openldap/ldap.conf with at least...
>>
>> BASE: dc=chiccomara,dc=org
>> HOST: 127.0.0.1
>
> [.... cut ....]
>
>>> # nss_base_hosts ou=Host,ou=Mizar Solutions,dc=chiccomara,dc=org
>>> scope one
>>
>> probably need here...
>>
>> base: dc=chiccomara,dc=org
>> host: 127.0.0.1
>> rootbinddn: cn=Directory Manager #or whatever bind dn you choose
>> and I am not all knowing on PADL tools but I would have...
>> nss_base_passwd ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org?one
>> nss_base_shadow ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org?one
>> nss_base_group ou=Groups,ou=Mizar Solutions,dc=chiccomara,dc=org?one
>>
>> and then /etc/ldap.secret with your rootbinddn password chmod 600
>>
>> and you should be able to simply test it by doing...
>>
>> getent passwd
>> getent group
>
> Mumble mumble, if I run getent passwd and getent group,
> I get a complete list of users and groups.
> The only problem is user authentication!
> I have saved my users (with posixAccount) under an ou called "Users".
> During the last hour I have searched the net for a solution, without result.
>
> Then I thought to replace the ou "Users" with an ou "People", and I saved
> a new user under this new ou.
> Magically it all works.
> Question: at this point, is it necessary to have an ou called "People"
> in order to guarantee authentication under Linux with Fedora-DS?

No. You can use any naming convention you want. By default, FDS uses ou=People, and perhaps some of the openldap/nis/nss/pam stuff uses ou=Users by default. It was probably just some lingering config file somewhere.

> Bye,
>
> Enrico
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
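An added example, not from anyone in the thread, that models the "getent works but login fails" split Craig's and Enrico's messages turn on: nss_ldap resolves passwd/group through the `nss_base_*` maps, while pam_ldap is assumed here (PADL semantics) to look the login entry up from the global `base` and `scope`. It parses the /etc/ldap.conf as posted (trimmed to the relevant directives) and a constructed variant with a real `base` and `scope sub`, and reports whether a given user DN is reachable by each; `uid=enrico` and `uid=test` are constructed.

```python
import re

# Constructed sample: the /etc/ldap.conf posted in the thread, trimmed to the
# directives that matter here. 'suffix' is a slapd.conf word; no 'base' is set.
POSTED_LDAP_CONF = """
suffix "dc=chiccomara,dc=org"
uri ldap://centos.chiccomara.org/
pam_filter objectclass=posixAccount
nss_base_passwd ou=Users,ou=Mizar Solutions,dc=chiccomara,dc=org
nss_base_group ou=Groups,ou=Mizar Solutions,dc=chiccomara,dc=org
scope one
"""
# Constructed variant: give pam_ldap a real 'base' and search the whole subtree.
FIXED_LDAP_CONF = POSTED_LDAP_CONF.replace(
    'suffix "dc=chiccomara,dc=org"', "base dc=chiccomara,dc=org").replace("scope one", "scope sub")

def parse_ldap_conf(text):
    """Directive -> value (last occurrence wins); comments and blank lines skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def in_scope(dn, base, scope):
    """True if a search from 'base' with scope base/one/sub would return 'dn'."""
    split = lambda s: [r.strip().lower() for r in re.split(r"(?<!\\),", s)]
    d, b = split(dn), split(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False  # dn is not under base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def nss_search(conf, mapname):
    """(base, scope) nss_ldap uses for a map: 'nss_base_<map> dn?scope?filter',
    each part falling back to the global 'base' / 'scope' (default sub)."""
    fields = conf.get("nss_base_" + mapname, "").split("?")
    base = fields[0] or conf.get("base")
    scope = (fields[1] if len(fields) > 1 else "") or conf.get("scope", "sub")
    return base, scope

def user_visible(conf, user_dn):
    """(found by getent passwd, found by pam_ldap's login search) for a user DN.
    pam_ldap is assumed to search from the global base/scope, not nss_base_passwd."""
    nss_base, nss_scope = nss_search(conf, "passwd")
    pam_base, pam_scope = conf.get("base"), conf.get("scope", "sub")
    return (bool(nss_base) and in_scope(user_dn, nss_base, nss_scope),
            bool(pam_base) and in_scope(user_dn, pam_base, pam_scope))
```

With the posted file, a user under ou=Users is listed by getent but has no search base for pam_ldap at all; with `base` set and `scope sub`, both lookups reach the same entry regardless of whether the ou is called Users or People.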