pam_ldap problem

Petr Klíma petr.klima at madeta-group.cz
Mon Sep 12 11:20:38 CEST 2005


> 
>>>I'm trying to get user authentication working on Debian using pam_ldap.

I only have a write-up for RHEL

> 
> 
>>just a shot in the dark: do you have /etc/libnss-ldap.conf + nsswitch.conf
>>set up? I think there's another BIND via libnss, when the system tries to
>>find out something about the user (home, uid, gid, ...). 
> 
> milan apparently didn't understand what the difference is between pam and nss...
> 
>>does 'getent passwd' as root list that user from ldap?
> 
> and why should it?
> 

aaaa the gentleman is an expert ... nooo, more like he's airing his ego here ...

Ondřej and Milan are trying to find a solution ...

'getent passwd puzman' IMHO must, for a user from LDAP, return a line that 
looks the same as if it came from /etc/passwd. I.e. the system knows the user 
as a regular user ... And I have the feeling that is the goal of Ondřej's efforts ...

> 
>>>The problem is that when pam_ldap tries to bind as the user's name, it
>>>fails (Invalid credentials). If I try the bind, e.g. with ldapsearch,
>>>everything works correctly - I have absolutely no idea where the error
>>>could be.
> 
> 
>>>Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
>>>Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
> 

I only have the procedure for RHEL, but the differences won't be big; hopefully it helps

(the LDAP server is SUN DS 5.2)


/etc/ldap.conf (!!!!! the original file describes the differences between 
the individual DSes)
--------------------------------------------------------------------------
# Your LDAP server. Must be resolvable without using LDAP.
host sun.wwwwwwwwww.cz
# The distinguished name of the search base.
base dc=nnnnnnnnnnnnn,dc=cz
# The LDAP version to use (defaults to 2,
ldap_version 3

# I use a user with very restricted access
# The distinguished name to bind to the server with.
binddn uid=dsproxy,ou=People,dc=nnnnnnnnnnn,dc=cz
# The credentials to bind with.
bindpw jabaduba
# The port.
# Optional: default is 389. 636 is for ldaps
port 389
# The search scope.
scope sub
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
pam_member_attribute memberuid
pam_crypt local
#
# SSL Configuration
ssl no
#sslpath /usr/local/ssl/certs
#
pam_member_attribute memberUid
pam_password md5
nss_base_passwd dc=nnnnnnnnnnnnn,dc=cz?sub
nss_base_shadow dc=nnnnnnnnnnnnn,dc=cz?sub
nss_base_group  dc=nnnnnnnnnnnnn,dc=cz?sub
--------------------------------------------------------------------------


Here, check with: ldapsearch uid=puzman dn cn
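As an added example (not part of this post and not code from pam_ldap), here is a small Python diagnostic for the situation in the thread: it parses an ldap.conf in the format above, flags settings a reviewer would question (the posted file sets pam_member_attribute twice and sends bindpw with ssl no), builds the search filter pam_ldap issues for a login name (pam_filter ANDed with pam_login_attribute=login, as the comment in the file says; the operand order is this example's), and pairs slapd BIND/RESULT lines by conn/op so that an err=49 is tied to the DN that failed. The config and log lines embedded in the code are constructed to resemble the ones in the thread; host, base DN and password are placeholders.

```python
"""Diagnose a pam_ldap bind failure from /etc/ldap.conf plus slapd's log.
Added example, not from the post or from pam_ldap; all data below is constructed."""
import re
from collections import defaultdict

# Constructed ldap.conf in the format of the posted one (placeholders only).
SAMPLE_LDAP_CONF = """\
# Your LDAP server. Must be resolvable without using LDAP.
host ldap.example.invalid
base dc=example,dc=cz
ldap_version 3
binddn uid=dsproxy,ou=People,dc=example,dc=cz
bindpw PLACEHOLDER_PASSWORD
port 389
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
ssl no
pam_member_attribute memberUid
pam_password md5
"""

# Constructed slapd lines in the shape of the post's excerpt: the proxy bind
# (op=0) succeeds, the bind as the user (op=2) returns err=49.
SAMPLE_SLAPD_LOG = """\
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="uid=dsproxy,ou=People,dc=example,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=example,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
"""


def parse_ldap_conf(text):
    """Return {directive: [value, ...]}, keeping every occurrence so duplicates show."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
    return dict(directives)


def audit_ldap_conf(directives):
    """Return (severity, message) findings a reviewer would raise on this file."""
    findings = []
    for key, values in directives.items():
        if len(values) > 1:
            findings.append(("warn", f"'{key}' is set {len(values)} times ({', '.join(values)}); keep one"))
    if "bindpw" in directives and directives.get("ssl", ["no"])[-1].lower() == "no":
        findings.append(("high", "bindpw is configured but ssl is off: the proxy password "
                                 "and every user bind cross the network in cleartext"))
    return findings


def pam_search_filter(directives, login):
    """Filter pam_ldap uses to find the user's DN before binding as it."""
    attr = directives.get("pam_login_attribute", ["uid"])[-1]
    extra = directives.get("pam_filter", [""])[-1]
    return f"(&({attr}={login})({extra}))" if extra else f"({attr}={login})"


SLAPD_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|RESULT)\b(.*)")
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r"\berr=(\d+)")


def correlate_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); return [(dn, err), ...]."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = SLAPD_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND":
            dn = DN_RE.search(rest)
            pending[(conn, op)] = dn.group(1) if dn else ""
        elif (conn, op) in pending:
            err = ERR_RE.search(rest)
            results.append((pending.pop((conn, op)), int(err.group(1)) if err else -1))
    return results


def diagnose(conf_text, log_text, login):
    """Combine the config audit and the log correlation into a short report."""
    directives = parse_ldap_conf(conf_text)
    report = [f"{sev}: {msg}" for sev, msg in audit_ldap_conf(directives)]
    report.append(f"search filter pam_ldap sends: {pam_search_filter(directives, login)}")
    for dn, err in correlate_binds(log_text):
        if err == 49:  # LDAP invalidCredentials
            report.append(f"BIND as {dn} failed with err=49: no entry with that DN, or the "
                          "password does not match its userPassword; repeat the same DN "
                          "and password with ldapsearch -x -D to tell the two apart")
        else:
            report.append(f"BIND as {dn} returned err={err}")
    return report


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LDAP_CONF, SAMPLE_SLAPD_LOG, "puzman")))
```

Run it against a real /etc/ldap.conf and a slapd log with loglevel stats (256) enabled to see which DN pam_ldap actually bound as; if that DN differs from the one your ldapsearch test used, the search filter line tells you why.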


Changes in /etc/nsswitch.conf and /etc/pam.d
================================================================
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   nisplus or nis+     Use NIS+ (NIS version 3)
#   nis or yp       Use NIS (NIS version 2), also called YP
#   dns         Use DNS (Domain Name Service)
#   files           Use the local files
#   db          Use the local database (.db) files
#   compat          Use NIS on compat mode
#   hesiod          Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
================================================================

/etc/pam.d/system-auth
================================================================
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0077 skel=/etc/skel
session     optional      /lib/security/$ISA/pam_ldap.so
================================================================

at the end of /etc/pam.d/system-auth add a "session required" line
--------------------------------------------------------------------------
# Allows the home dir to be created automatically
session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0077 skel=/etc/skel
--------------------------------------------------------------------------
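The stack above only behaves as intended because of its control flags, so here is an added Python evaluator (not from the post and not Linux-PAM's own code) that walks an auth or account stack with the semantics described in pam.conf(5): required, requisite, sufficient, optional and the [value=action] form. The stacks are the auth and account sections of the system-auth above with the module paths dropped; the per-module return values are constructed scenarios, and the rule that a stack in which every module was ignored ends in perm_denied is this example's own assumption.

```python
"""Walk a PAM stack the way Linux-PAM's dispatcher does, to see why the posted
system-auth lets local users in, lets LDAP users in only when the pam_ldap bind
succeeds, and denies everything else.
Added example with constructed scenarios; not code from the post or Linux-PAM."""

# auth and account sections of the posted system-auth (module paths dropped).
AUTH_STACK = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),        # local /etc/shadow check
    ("sufficient", "pam_ldap"),        # bind as the user's DN with the same password
    ("required",   "pam_deny"),
]
ACCOUNT_STACK = [
    ("required",   "pam_unix"),
    ("sufficient", "pam_succeed_if"),  # uid < 100: system accounts skip LDAP
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap"),
    ("required",   "pam_permit"),
]

# Equivalent [value=action] tables for the simple keywords, per pam.conf(5).
KEYWORD_TABLES = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Return the {return_value: action} table for a control field."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORD_TABLES[control]


def run_stack(stack, outcomes):
    """Dispatch `stack` given each module's return value (e.g. 'success',
    'auth_err', 'user_unknown'). Returns (final_result, trace)."""
    first_failure = None   # Linux-PAM keeps the first 'bad'/'die' status
    saw_ok = False
    trace = []
    for control, module in stack:
        ret = outcomes.get(module, "success")
        table = parse_control(control)
        action = table.get(ret, table.get("default", "bad"))
        trace.append(f"{module}: {ret} -> {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            saw_ok = True
            if action == "done" and first_failure is None:
                break                  # sufficient success with no earlier failure: stop
        elif action in ("bad", "die"):
            if first_failure is None:
                first_failure = ret
            if action == "die":
                break                  # requisite failure: stop
    if first_failure is not None:
        return first_failure, trace
    # Assumption of this example: a stack in which nothing counted is denied.
    return ("success" if saw_ok else "perm_denied"), trace


# Modules whose result does not depend on the user in these scenarios.
FIXED = {"pam_env": "success", "pam_deny": "auth_err", "pam_permit": "success"}


def scenario(stack, **per_user):
    """Run `stack` with the fixed modules plus the given per-user outcomes."""
    return run_stack(stack, dict(FIXED, **per_user))


if __name__ == "__main__":
    cases = {
        "auth: local user, good password": scenario(AUTH_STACK, pam_unix="success"),
        "auth: LDAP user, bind ok":        scenario(AUTH_STACK, pam_unix="auth_err", pam_ldap="success"),
        "auth: LDAP user, bind err=49":    scenario(AUTH_STACK, pam_unix="auth_err", pam_ldap="auth_err"),
        "account: local uid >= 100":       scenario(ACCOUNT_STACK, pam_succeed_if="auth_err", pam_ldap="user_unknown"),
        "account: LDAP account expired":   scenario(ACCOUNT_STACK, pam_succeed_if="auth_err", pam_ldap="acct_expired"),
    }
    for name, (result, trace) in cases.items():
        print(f"{name}: {result}\n    " + "\n    ".join(trace))
```

The third case is the thread's symptom: with pam_unix and pam_ldap both sufficient, a failed bind is simply ignored and pam_deny at the end produces the refusal, so the only place the err=49 is visible is slapd's log. The account stack shows why user_unknown=ignore matters: a local account above uid 100 that LDAP has never heard of still passes, while a genuine LDAP account failure is counted as bad.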

create /usr/bin/sh for users coming from HP/UX
--------------------------------------------------------------------------
ln -s /bin/bash /usr/bin/sh
echo "/usr/bin/sh" >> /etc/shells
--------------------------------------------------------------------------


-- 

    Petr Klíma

    e-mail:  petr.klima at madeta-group.cz   MADETA Group a.s.
    phone:   +420 389 136 209             Rudolfovská 246/83
    web:     http://www.madeta-group.cz   370 50 České Budějovice
                                          Czech Republic



