I am in the midst of migrating from openldap to fedora ds.
In openldap, I could specify the userpassword as
{KERBEROS}kerberosprinc@REALM
And openldap would utilize that for bind verification..
Is this possible under fedora ds? Would a plugin be required (is one
currently available?)
Thanks!
Tom
Richard Megginson
2006-Jul-25 19:37 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> I am in the midst of migrating from openldap to fedora ds.
>
> In openldap, I could specify the userpassword as
>
> {KERBEROS}kerberosprinc@REALM
>
> And openldap would utilize that for bind verification..
>
> Is this possible under fedora ds? Would a plugin be required (is one
> currently available?)

Did you see this? http://directory.fedora.redhat.com/wiki/Howto:Kerberos

> Thanks!
>
> Tom
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Tom Ryan
2006-Jul-25 19:39 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Yes, but it's not quite what I'm looking for. Using {KERBEROS} under
openldap, the ldap server would validate the supplied user/password using
kerberos..
Unless I'm missing something, this won't work for me..
Tom
On 7/25/06 3:37 PM, "Richard Megginson" <rmeggins@redhat.com>
wrote:
> Tom Ryan wrote:
>> I am in the midst of migrating from openldap to fedora ds.
>>
>> In openldap, I could specify the userpassword as
>>
>> {KERBEROS}kerberosprinc@REALM
>>
>> And openldap would utilize that for bind verification..
>>
>> Is this possible under fedora ds? Would a plugin be required (is one
>> currently available?)
>>
> Did you see this? http://directory.fedora.redhat.com/wiki/Howto:Kerberos
>> Thanks!
>>
>> Tom
Richard Megginson
2006-Jul-25 19:51 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> Yes, but it's not quite what I'm looking for. Using {KERBEROS} under
> openldap, the ldap server would validate the supplied user/password
> using kerberos..
>
> Unless I'm missing something, this won't work for me..

Are you attempting a SASL/Kerberos bind or a simple username/password bind? If the latter, you will need the PAM passthru auth plugin: http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.4&view=auto

> Tom
Tom Ryan
2006-Jul-25 19:56 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 3:51 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
> Are you attempting a SASL/Kerberos bind or a simple username/password
> bind? If the latter, you will need the PAM passthru auth plugin:
> http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.4&view=auto

That's the general idea of what I want.. The problem is that users might not necessarily have an account on the box..

Essentially a simple username/password bind that the fedora ds would then use kerberos to authenticate..

That being said, it would appear that fedora ds does not have an equiv capability as the openldap server correct out of the box?

Thanks for your very quick responses!

Tom
Richard Megginson
2006-Jul-25 20:00 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> That's the general idea of what I want.. The problem is that users
> might not necessarily have an account on the box..
> Essentially a simple username/password bind that the fedora ds would
> then use kerberos to authenticate..
>
> That being said, it would appear that fedora ds does not have an equiv
> capability as the openldap server correct out of the box?

That is correct, but the pam passthru auth plugin will do what you want.

> Thanks for your very quick responses!
>
> Tom
Tom Ryan
2006-Jul-25 20:10 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 4:00 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
>> That being said, it would appear that fedora ds does not have an equiv
>> capability as the openldap server correct out of the box?
>
> That is correct, but the pam passthru auth plugin will do what you want.

I'm confused.. It would appear that while it would do something (albeit similar), it would not do what I want..

I.e. Allow me to authenticate a user (regardless of whether they have an account on the local system) by using the supplied simple bind credentials and attempting a kerberos validation of them.

Thanks and again, please pardon my ignorance.

Tom
Richard Megginson
2006-Jul-25 20:22 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> I'm confused.. It would appear that while it would do something
> (albeit similar), it would not do what I want..
>
> I.e. Allow me to authenticate a user (regardless of whether they
> have an account on the local system) by using the supplied simple bind
> credentials and attempting a kerberos validation of them.

Yes, because with the plugin, fedora ds simply passes the credentials through to PAM, which can be configured to do kerberos auth (local or remote). So, instead of using saslauthd (as in openldap) you just use PAM to do the same thing.

> Thanks and again, please pardon my ignorance.
>
> Tom
Tom Ryan
2006-Jul-25 20:32 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 4:22 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
>> I.e. Allow me to authenticate a user (regardless of whether they
>> have an account on the local system) by using the supplied simple bind
>> credentials and attempting a kerberos validation of them.
> Yes, because with the plugin, fedora ds simply passes the credentials
> through to PAM, which can be configured to do kerberos auth (local or
> remote). So, instead of using saslauthd (as in openldap) you just use
> PAM to do the same thing.

I'm curious how the pam framework allows for a kerberos principal/realm and password to be checked...

I.e. Let's say, in openldap, I have {KERBEROS}user@KRB.REALM.COM, under openldap, this works as expected.

You're saying that I can use the pam pass through module and then put

rhuid: user@KRB.REALM.COM

And then in /etc/pam.d/ldapserver (or whatever I compile it as the name to be), configure it in such a way that

Pam will return success..

Maybe pam_krb5.so?

Ahh.. Maybe no_user_check...

Now I see what you might be referring to..

Thanks!
Tom Ryan
2006-Jul-25 20:59 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Also, is there a reason this (the pam_passthru) module is not distributed in the rpm?

Tom
Richard Megginson
2006-Jul-25 21:06 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> Also, is there a reason this (the pam_passthru) module is not
> distributed in the rpm?

It hasn't been fully tested yet, although it has been in production in Red Hat for a few months now - it's how we do the same thing - simple username/password auth against Kerberos.

> Tom
Tom Ryan
2006-Jul-25 21:13 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 5:06 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
> Tom Ryan wrote:
>> Also, is there a reason this (the pam_passthru) module is not
>> distributed in the rpm?
> It hasn't been fully tested yet, although it has been in production in
> Red Hat for a few months now - it's how we do the same thing - simple
> username/password auth against Kerberos.

Any chance of a binary being made available of it? I am having a heck of a time building it :)

Tom
Tom Ryan
2006-Jul-25 21:31 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 5:06 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
> Tom Ryan wrote:
>> Also, is there a reason this (the pam_passthru) module is not
>> distributed in the rpm?
> It hasn't been fully tested yet, although it has been in production in
> Red Hat for a few months now - it's how we do the same thing - simple
> username/password auth against Kerberos.

Last question, I promise..

Where do I get 60pam-config.ldif?

Tom
Paul Engle
2006-Jul-25 21:36 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
--On Tuesday, July 25, 2006 05:13:56 PM -0400 Tom Ryan <tomryan@camlaw.rutgers.edu> wrote:
> Any chance of a binary being made available of it? I am having a heck of
> a time building it :)
>
> Tom

It was a klunky solution, but when I wanted to build the plugin, I ended up downloading the dsbuild-fds102 (all-in-one) source tarball, modifying dsbuild-fds102/ds/ldapserver/work/fedora-ds-1.0.2/ldap/servers/plugins/Makefile so that the pam_plugin was built by default, and doing the full build. Afterwards, I just grabbed the pam-passthrough-plugin.so file and dropped it into place into the existing /opt/fedora-ds/lib directory from my binary rpm install.

Waaaay overkill, I know. But I wasn't going to fight with trying to build just one module on its own. I'm lazy. :) It seems to be working just fine. We're about to bless the system and roll it out into production.

-paul

--
Paul D. Engle             | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702            | P.O. Box 1892
pengle@rice.edu           | Houston, TX 77251-1892
Tom Ryan
2006-Jul-25 21:42 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 5:36 PM, "Paul Engle" <pengle@rice.edu> wrote:
> It was a klunky solution, but when I wanted to build the plugin, I ended up
> downloading the dsbuild-fds102 (all-in-one) source tarball, modifying
> dsbuild-fds102/ds/ldapserver/work/fedora-ds-1.0.2/ldap/servers/plugins/Makefile
> so that the pam_plugin was built by default, and doing the full build.
> Afterwards, I just grabbed the pam-passthrough-plugin.so file and dropped
> it into place into the existing /opt/fedora-ds/lib directory from my binary
> rpm install.
>
> Waaaay overkill, I know. But I wasn't going to fight with trying to build
> just one module on its own. I'm lazy. :) It seems to be working just fine.
> We're about to bless the system and roll it out into production.
>
> -paul

That's what I ended up doing.. Now I'm stuck with the dreaded "reset required" message.. How did you solve that?

Thanks!

Tom
Paul Engle
2006-Jul-25 21:47 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
--On Tuesday, July 25, 2006 05:42:19 PM -0400 Tom Ryan <tomryan@camlaw.rutgers.edu> wrote:
> That's what I ended up doing.. Now I'm stuck with the dreaded "reset
> required" message.. How did you solve that?
>
> Thanks!
>
> Tom

I'm not familiar with that message. I don't recall having any issues. I wasn't trying to add it to a live server, though. I was working on a development machine and was able to yank the DS up and down with impunity.

-paul
Tom Ryan
2006-Jul-25 21:49 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 5:47 PM, "Paul Engle" <pengle@rice.edu> wrote:
> I'm not familiar with that message. I don't recall having any issues. I
> wasn't trying to add it to a live server, though. I was working on a
> development machine and was able to yank the DS up and down with impunity.

In this message,

http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html

You noted you had the same error (reset required) when simple binding at first..

Tom
Richard Megginson
2006-Jul-25 21:52 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> Last question, I promise..
>
> Where do I get 60pam-config.ldif?

/opt/fedora-ds/bin/slapd/install/schema

> Tom
Tom Ryan
2006-Jul-25 22:53 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/25/06 5:49 PM, "Tom Ryan" <tomryan@camlaw.rutgers.edu> wrote:
> In this message,
>
> http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html
>
> You noted you had the same error (reset required) when simple binding at
> first..

Argh.. Account required pam_krb5.so..

Sorry all, and thanks everyone who helped me this far!!

I am curious if it's possible to pass user@REALM.. Will need to play with that a bit more..

tom
Paul Engle
2006-Jul-26 13:18 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
*Blush* Okay, that's just plain embarrassing. That ended up being caused by having the 'auth' part in the pam configuration but no 'account' line for pam_krb5.so.

-paul

--On Tuesday, July 25, 2006 05:49:51 PM -0400 Tom Ryan <tomryan@camlaw.rutgers.edu> wrote:
> In this message,
>
> http://www.redhat.com/archives/fedora-directory-users/2006-May/msg00081.html
>
> You noted you had the same error (reset required) when simple binding at
> first..
>
> Tom
Tom Ryan
2006-Jul-26 15:20 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
It happens to all of us...

I am still having a couple of issues though (for everyone else listening :)

I changed pamMapMethod to Entry
I then set pamIDAttr to aliasedObjectName (out of laziness for now)

When I start the slapd with this, I get this..

pam_passthru-plugin - Warning: The following suffixes listed in pamExcludeSuffix or pamIncludeSuffix are not present in this server: o=NetscapeRoot

But, the admin server will still start just fine..

Regardless, the system does not appear to try to use the aliasedobjectname for the user to pass to pam.. (I have KRBPRINC@REALM.COM in aliasedobjectname)..

Any ideas?

Tom

Ps.. If I leave it as RDN, I get no error on startup about suffix and as long as my bind dn matches my krb princ in the default realm, it works.. So I'm halfway there?

On 7/26/06 9:18 AM, "Paul Engle" <pengle@rice.edu> wrote:
> *Blush* Okay, that's just plain embarrassing. That ended up being caused
> by having the 'auth' part in the pam configuration but no 'account' line
> for pam_krb5.so.
>
> -paul
Tom Ryan
2006-Jul-26 15:32 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Just as a followup, if the pam entries appear at the end of the dse.ldif file, the server starts without warning, but that's it.. Once stopped, the dse.ldif is rearranged, the pam entry moves up, and the error persists on subsequent starts..

Regardless, when I manually start it with the entry at the bottom of the ldif, I still can not get the system to use the aliasedobjectname instead of the rdn..

Tom
Richard Megginson
2006-Jul-26 15:59 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> It happens to all of us...
>
> I am still having a couple of issues though (for everyone else
> listening :)
>
> I changed pamMapMethod to Entry
> I then set pamIDAttr to aliasedObjectName (out of laziness for now)
>
> When I start the slapd with this, I get this..
>
> pam_passthru-plugin - Warning: The following suffixes listed in
> pamExcludeSuffix or pamIncludeSuffix are not present in this server:
> o=NetscapeRoot
>
> But, the admin server will still start just fine..

The warning is just for your information, for debugging the set up, if you accidentally set an incorrect suffix. If you don't have the o=NetscapeRoot suffix on this server, or if you don't want to do pam passthru on that suffix, you can either omit it from the include/exclude list, or set the attribute pamMissingSuffix in the pam plugin entry to "IGNORE".

> Regardless, the system does not appear to try to use the
> aliasedobjectname for the user to pass to pam.. (I have
> KRBPRINC@REALM.COM in aliasedobjectname)..

Any errors in the errors log? Does it work any better if your krbprinc name is all lower case and the realm is all upper case e.g. krbprinc@REALM.COM?

> Any ideas?
>
> Tom
>
> Ps.. If I leave it as RDN, I get no error on startup about suffix and
> as long as my bind dn matches my krb princ in the default realm, it
> works.. So I'm halfway there?
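The two decisions the plugin makes on a simple bind, as discussed in the replies above, are whether the bind DN is subject to pass-through at all (pamIncludeSuffix / pamExcludeSuffix) and which string PAM receives as the user name (pamIDMapMethod RDN, ENTRY or DN, with pamIDAttr naming the entry attribute for ENTRY). The following is an added model of those two decisions; it is not code from Fedora DS or from the pam_passthru plugin. The suffix-matching rule (exclude wins, an empty include list means everything not excluded), the case-folding, and the sample DN, entry and principal are assumptions of this example; escaped commas in DNs are not handled.

```python
"""Added model of the pam_passthru bind-time decisions (not the plugin's code)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


def dn_components(dn: str) -> List[str]:
    """Split a DN into 'attr=value' components, trimmed and case-folded.
    Used for comparison only; values keep their case elsewhere."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies anywhere below it in the tree."""
    d, s = dn_components(dn), dn_components(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


@dataclass
class PamPassthruConfig:
    include_suffixes: List[str] = field(default_factory=list)   # pamIncludeSuffix
    exclude_suffixes: List[str] = field(default_factory=list)   # pamExcludeSuffix
    id_map_method: str = "RDN"                                  # pamIDMapMethod default
    id_attr: Optional[str] = None                               # pamIDAttr (ENTRY only)


def bind_uses_pam(cfg: PamPassthruConfig, bind_dn: str) -> bool:
    """Is this bind diverted to PAM instead of the local userPassword check?
    Assumed semantics: exclude wins; no include list means all non-excluded DNs."""
    if any(dn_under_suffix(bind_dn, s) for s in cfg.exclude_suffixes):
        return False
    if not cfg.include_suffixes:
        return True
    return any(dn_under_suffix(bind_dn, s) for s in cfg.include_suffixes)


def pam_user_name(cfg: PamPassthruConfig, bind_dn: str,
                  entry: Dict[str, List[str]]) -> str:
    """Map the bind DN (plus, for ENTRY, the bind entry) to the user name PAM
    sees; pam_krb5 then treats that string as the principal to authenticate."""
    method = cfg.id_map_method.upper()
    if method == "RDN":
        first = bind_dn.split(",", 1)[0]          # e.g. 'uid=tom'
        return first.split("=", 1)[1].strip()
    if method == "DN":
        return bind_dn
    if method == "ENTRY":
        if not cfg.id_attr:
            raise ValueError("pamIDMapMethod ENTRY requires pamIDAttr")
        for name, values in entry.items():        # LDAP attribute names are case-insensitive
            if name.lower() == cfg.id_attr.lower() and values:
                return values[0]
        raise LookupError(f"bind entry has no {cfg.id_attr}: nothing to hand to PAM, bind fails")
    raise ValueError(f"unknown pamIDMapMethod {cfg.id_map_method}")


# Constructed sample: the thread's config once pamIDMapMethod is spelled as the
# plugin expects, and a hypothetical user entry holding the principal.
THREAD_CONFIG = PamPassthruConfig(
    exclude_suffixes=["o=NetscapeRoot", "cn=config"],
    id_map_method="ENTRY",
    id_attr="aliasedObjectName",
)
TOM_DN = "uid=tom,ou=People,dc=example,dc=com"
TOM_ENTRY = {"uid": ["tom"], "aliasedObjectName": ["tom/law@KRB.REALM.COM"]}

if __name__ == "__main__":
    for dn in (TOM_DN, "cn=PAM Pass Through Auth,cn=plugins,cn=config"):
        print(dn, "->", "PAM" if bind_uses_pam(THREAD_CONFIG, dn) else "local userPassword")
    print("ENTRY mapping:", pam_user_name(THREAD_CONFIG, TOM_DN, TOM_ENTRY))
    print("RDN default  :", pam_user_name(PamPassthruConfig(), TOM_DN, TOM_ENTRY))
```

Running it shows why an unconfigured method "still does the default RDN": with the default config the user name handed to PAM is just `tom`, which only authenticates when the RDN happens to equal a principal in the default realm, whereas ENTRY hands over the full principal stored in the entry.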
Tom Ryan
2006-Jul-26 16:15 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/26/06 11:59 AM, "Richard Megginson" <rmeggins@redhat.com> wrote:
>> Regardless, the system does not appear to try to use the
>> aliasedobjectname for the user to pass to pam.. (I have
>> KRBPRINC@REALM.COM in aliasedobjectname)..
> Any errors in the errors log? Does it work any better if your krbprinc
> name is all lower case and the realm is all upper case e.g.
> krbprinc@REALM.COM?

Our princs are very odd.. But there's no error, even if I have it set to ENTRY, it still does the default RDN..

Tom
Richard Megginson
2006-Jul-26 16:31 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> Our princs are very odd.. But there's no error, even if I have it set
> to ENTRY, it still does the default RDN..

Hmm - Try restarting the server. If that doesn't fix it, post your pam passthru config entry and your pam config (e.g. /etc/pam.d/ldapserver).

> Tom
Tom Ryan
2006-Jul-26 18:21 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/26/06 12:31 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
> Hmm - Try restarting the server. If that doesn't fix it, post your pam
> passthru config entry and your pam config (e.g. /etc/pam.d/ldapserver).

I have already restarted the server multiple times..

Here's the info..

cat /etc/pam.d/ldapserver

    auth    sufficient  /lib/security/pam_krb5.so no_user_check
    account required    /lib/security/pam_krb5.so no_user_check

And in dse.ldif

    dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    objectClass: pamConfig
    cn: PAM Pass Through Auth
    nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
    nsslapd-pluginInitfunc: pam_passthruauth_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginloadglobal: true
    nsslapd-plugin-depends-on-type: database
    pamMissingSuffix: ALLOW
    pamExcludeSuffix: o=NetscapeRoot
    pamExcludeSuffix: cn=config
    pamMapMethod: ENTRY
    pamFallback: 0
    pamSecure: 1
    pamService: ldapserver
    nsslapd-pluginId: pam_passthruauth
    nsslapd-pluginVersion: 1.0.2
    nsslapd-pluginVendor: Fedora Project
    nsslapd-pluginDescription: PAM pass through authentication plugin
    pamIDAttr: aliasedObjectName
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
     t
    modifyTimestamp: 20060726142549Z
Richard Megginson
2006-Jul-26 21:29 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> I have already restarted the server multiple times..
>
> Here's the info..
>
> cat /etc/pam.d/ldapserver
>
> auth    sufficient  /lib/security/pam_krb5.so no_user_check
> account required    /lib/security/pam_krb5.so no_user_check
>
> And in dse.ldif
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: /opt/fedora-ds/lib/pam-passthru-plugin.so
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
> pamMapMethod: ENTRY

This should be pamIDMapMethod. The reason it always uses the RDN value is because that is the default if none is specified.

> pamFallback: 0
> pamSecure: 1
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.0.2
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> pamIDAttr: aliasedObjectName
> modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
>  t
> modifyTimestamp: 20060726142549Z
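The misspelled attribute above is silently ignored by the server, so the method falls back to RDN without any error in the log; the earlier "reset required" failure was likewise a configuration slip (an `auth` line with no `account` line). Below is an added linter for the two files posted in this thread, the plugin entry from dse.ldif and the /etc/pam.d/<pamService> file. It is not code from Fedora DS or the plugin. It flags a `pam*` attribute the plugin does not read (pamMapMethod, where the plugin wants pamIDMapMethod), ENTRY mapping with no pamIDAttr, and an auth-only PAM stack (the plugin also runs PAM account management after authentication). The sample inputs are constructed here from the posted files; the LDIF parser is minimal (a continuation line begins with one space), and the set of recognised attribute names is an assumption drawn from this thread, so extend it for your plugin version.

```python
"""Added lint for a pam_passthru plugin entry and its /etc/pam.d service file
(illustrative; not part of Fedora DS or the plugin)."""

from typing import Dict, List, Tuple

# Assumption: the attribute names this plugin version reads, as seen in the
# thread; anything else starting with "pam" is treated as a probable typo.
RECOGNISED_PAM_ATTRS = {
    "pamexcludesuffix", "pamincludesuffix", "pammissingsuffix",
    "pamidmapmethod", "pamidattr", "pamfallback", "pamsecure", "pamservice",
}
VALID_METHODS = {"RDN", "ENTRY", "DN"}

Finding = Tuple[str, str]   # (level, message)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """One LDIF entry -> {lowercased attribute: [values]}; folded lines joined."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def effective_map_method(attrs: Dict[str, List[str]]) -> str:
    """What the plugin actually uses: pamIDMapMethod if set, else the RDN default."""
    return attrs.get("pamidmapmethod", ["RDN"])[0].upper()


def lint_plugin_entry(attrs: Dict[str, List[str]]) -> List[Finding]:
    findings: List[Finding] = []
    for name in attrs:
        if name.startswith("pam") and name not in RECOGNISED_PAM_ATTRS:
            hint = " (the plugin reads pamIDMapMethod)" if name == "pammapmethod" else ""
            findings.append(("error", f"attribute {name} is not read by the plugin{hint}"))
    method = effective_map_method(attrs)
    if method not in VALID_METHODS:
        findings.append(("error", f"pamIDMapMethod {method} is not one of {sorted(VALID_METHODS)}"))
    if method == "ENTRY" and not attrs.get("pamidattr"):
        findings.append(("error", "pamIDMapMethod ENTRY needs pamIDAttr"))
    if attrs.get("pamsecure", ["0"])[0] == "1":
        findings.append(("info", "pamSecure=1: binds are passed to PAM only over a secure (SSL/TLS) connection"))
    if attrs.get("pamfallback", ["0"])[0] == "0":
        findings.append(("info", "pamFallback=0: a PAM failure is final, userPassword is not tried"))
    return findings


def parse_pam_service(text: str) -> List[Tuple[str, str, str]]:
    """/etc/pam.d/<service> -> (type, control, module basename) per rule line."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            rows.append((parts[0].lower(), parts[1].lower(), parts[2].rsplit("/", 1)[-1]))
    return rows


def lint_pam_service(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    auth_mods = {m for t, _, m in rows if t == "auth"}
    acct_mods = {m for t, _, m in rows if t == "account"}
    if not auth_mods:
        findings.append(("error", "no auth line: nothing verifies the password"))
    elif not acct_mods:
        findings.append(("error", "auth line(s) but no account line: account management fails after a good password"))
    else:
        for m in sorted(auth_mods - acct_mods):
            findings.append(("warn", f"{m} is used for auth but not for account"))
    return findings


# Constructed samples, trimmed from the files posted in the thread.
ENTRY_AS_POSTED = """\
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginEnabled: on
pamMissingSuffix: ALLOW
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config
pamMapMethod: ENTRY
pamFallback: 0
pamSecure: 1
pamService: ldapserver
pamIDAttr: aliasedObjectName
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
"""
ENTRY_FIXED = ENTRY_AS_POSTED.replace("pamMapMethod: ENTRY", "pamIDMapMethod: ENTRY")
PAM_WITHOUT_ACCOUNT = "auth sufficient /lib/security/pam_krb5.so no_user_check\n"
PAM_FIXED = PAM_WITHOUT_ACCOUNT + "account required /lib/security/pam_krb5.so no_user_check\n"

if __name__ == "__main__":
    for label, text in (("entry as posted", ENTRY_AS_POSTED), ("entry fixed", ENTRY_FIXED)):
        attrs = parse_ldif_entry(text)
        print(f"{label}: effective method {effective_map_method(attrs)}")
        for level, msg in lint_plugin_entry(attrs):
            print(f"  [{level}] {msg}")
    for label, text in (("pam auth only", PAM_WITHOUT_ACCOUNT), ("pam fixed", PAM_FIXED)):
        print(label, lint_pam_service(parse_pam_service(text)))
```

Because the server keeps unknown attributes on an extensibleObject entry without complaint, the only symptom of the typo is the behaviour itself, which is why a check like this is worth running before blaming the plugin.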
Tom Ryan
2006-Jul-26 21:41 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/26/06 5:29 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:

>> pamMapMethod: ENTRY
> This should be pamIDMapMethod. The reason it always uses the RDN value
> is because that is the default if none is specified.

Sweet! I wasn't looking at the code, just the readme/etc which says
pammapmethod

Regardless, if I use that, it doesn't start up now..

I tried adjusting the schema files to state pamidmapmethod instead..

I'm getting nothing..

:)

Tom
Richard Megginson
2006-Jul-26 22:42 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> On 7/26/06 5:29 PM, "Richard Megginson" <rmeggins@redhat.com> wrote:
>
>>> pamMapMethod: ENTRY
>> This should be pamIDMapMethod. The reason it always uses the RDN value
>> is because that is the default if none is specified.
>
> Sweet! I wasn't looking at the code, just the readme/etc which says
> pammapmethod
>
> Regardless, if I use that, it doesn't start up now..
>
> I tried adjusting the schema files to state pamidmapmethod instead..
> I'm getting nothing..

Congratulations - you are the first tester of the ENTRY method! :-)
I've made some fixes to pam_ptconfig.c - try the attached file.

> :)
>
> Tom
Tom Ryan
2006-Jul-27 01:58 UTC
RE: [Fedora-directory-users] Question re: {KERBEROS} syntax
> Congratulations - you are the first tester of the ENTRY method! :-)
> I've made some fixes to pam_ptconfig.c - try the attached file.

well, it starts now :)

but then..

allow_operation: component identity is NULL
pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 - No such object)

for testing, i'm using

pamIDAttr: uid
pamIDMapMethod: ENTRY

so closer..

Tom
Richard Megginson
2006-Jul-27 13:16 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
>> Congratulations - you are the first tester of the ENTRY method! :-)
>> I've made some fixes to pam_ptconfig.c - try the attached file.
>
> well, it starts now :)
>
> but then..
>
> allow_operation: component identity is NULL
> pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 - No such object)

This says your bind DN is uid=VALUE - was that supposed to be uid=VALUE,
ou=people, dc=domain, dc=tld?

> for testing, i'm using
>
> pamIDAttr: uid
> pamIDMapMethod: ENTRY
>
> so closer..
>
> Tom
Tom Ryan
2006-Jul-27 13:58 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
It makes no difference and regardless, it dies anyway..

Tom

On 7/27/06 9:16 AM, "Richard Megginson" <rmeggins@redhat.com> wrote:

> Tom Ryan wrote:
>>> Congratulations - you are the first tester of the ENTRY method! :-)
>>> I've made some fixes to pam_ptconfig.c - try the attached file.
>>
>> well, it starts now :)
>>
>> but then..
>>
>> allow_operation: component identity is NULL
>> pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32 - No such object)
>
> This says your bind DN is uid=VALUE - was that supposed to be uid=VALUE,
> ou=people, dc=domain, dc=tld?
>
>> for testing, i'm using
>>
>> pamIDAttr: uid
>> pamIDMapMethod: ENTRY
>>
>> so closer..
>>
>> Tom
Tom Ryan
2006-Jul-27 14:04 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
On 7/27/06 10:04 AM, "Richard Megginson" <rmeggins@redhat.com> wrote:

> Tom Ryan wrote:
>> It makes no difference and regardless, it dies anyway..
>
> So if you specify the full DN, you get this error:
>
>> pam_passthru-plugin - Could not find BIND dn <FULL DN> (error 32 - No
>> such object)
>
> And the server still core dumps?

yep, and stracing the pid reveals nothing obvious to me..

Tom
Richard Megginson
2006-Jul-27 14:04 UTC
Re: [Fedora-directory-users] Question re: {KERBEROS} syntax
Tom Ryan wrote:
> It makes no difference and regardless, it dies anyway..

So if you specify the full DN, you get this error:

> pam_passthru-plugin - Could not find BIND dn <FULL DN> (error 32 - No
> such object)

And the server still core dumps?

> Tom
>
> On 7/27/06 9:16 AM, "Richard Megginson" <rmeggins@redhat.com> wrote:
>
>> Tom Ryan wrote:
>>>> Congratulations - you are the first tester of the ENTRY method! :-)
>>>> I've made some fixes to pam_ptconfig.c - try the attached file.
>>>
>>> well, it starts now :)
>>>
>>> but then..
>>>
>>> allow_operation: component identity is NULL
>>> pam_passthru-plugin - Could not find BIND dn uid=VALUE (error 32
>>> - No such object)
>>
>> This says your bind DN is uid=VALUE - was that supposed to be
>> uid=VALUE, ou=people, dc=domain, dc=tld?
>>
>>> for testing, i'm using
>>>
>>> pamIDAttr: uid
>>> pamIDMapMethod: ENTRY
>>>
>>> so closer..
>>>
>>> Tom