pam_ldap problem
Petr Klíma
petr.klima na madeta-group.cz
Monday September 12 11:20:38 CEST 2005
>
>>>I'm trying to get user authentication working on Debian with pam_ldap.
I only have a write-up for RHEL
>
>
>>just a shot in the dark: do you have /etc/libnss-ldap.conf + nsswitch.conf
>>set up? In my view there is another BIND via libnss, when the system tries
>>to find out something about the user (home, uid, gid, ...).
>
> milan evidently hasn't understood the difference between pam and nss...
>
>>does 'getent passwd' run as root print that user from ldap?
>
> and why should it?
>
aaaa the gentleman is an expert ... nooo, more like airing his ego here ...
Ondřej and Milan are trying to find a solution ...
'getent passwd puzman' IMHO must, for a user from LDAP, return a line that
looks the same as if it came from /etc/passwd. I.e. the system knows the
user as a regular user ... and I have the feeling that is the goal of
Ondřej's efforts ...
>
>>>The problem is that when pam_ldap tries to bind as the user's name, it
>>>fails (Invalid credentials). If I try the bind, e.g. with ldapsearch,
>>>everything works correctly - I have absolutely no idea where the error
>>>could be.
>
>
>>>Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
>>>Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
>
I only have a procedure for RHEL, but the differences won't be big; hopefully
it helps (the LDAP server is SUN DS 5.2).
/etc/ldap.conf (!!!!! the original file describes the differences between
the individual DS products)
--------------------------------------------------------------------------
# Your LDAP server. Must be resolvable without using LDAP.
host sun.wwwwwwwwww.cz
# The distinguished name of the search base.
base dc=nnnnnnnnnnnnn,dc=cz
# The LDAP version to use (defaults to 2)
ldap_version 3
# I use a user with very limited access
# The distinguished name to bind to the server with.
binddn uid=dsproxy,ou=People,dc=nnnnnnnnnnn,dc=cz
# The credentials to bind with.
bindpw jabaduba
# The port.
# Optional: default is 389. 636 is for ldaps
port 389
# The search scope.
scope sub
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
pam_member_attribute memberuid
pam_crypt local
#
# SSL Configuration
ssl no
#sslpath /usr/local/ssl/certs
#
pam_member_attribute memberUid
pam_password md5
nss_base_passwd dc=nnnnnnnnnnnnn,dc=cz?sub
nss_base_shadow dc=nnnnnnnnnnnnn,dc=cz?sub
nss_base_group dc=nnnnnnnnnnnnn,dc=cz?sub
--------------------------------------------------------------------------
At this point verify with: ldapsearch uid=puzman dn cn
Changes in /etc/nsswitch.conf and /etc/pam.d
================================================================
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
================================================================
/etc/pam.d/system-auth
================================================================
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_mkhomedir.so umask=0077 skel=/etc/skel
session optional /lib/security/$ISA/pam_ldap.so
================================================================
in /etc/pam.d/system-auth append this "session required" at the end
--------------------------------------------------------------------------
# Allows the home dir to be created automatically
session required /lib/security/$ISA/pam_mkhomedir.so umask=0077 skel=/etc/skel
--------------------------------------------------------------------------
create /usr/bin/sh for users coming from HP/UX
--------------------------------------------------------------------------
ln -s /bin/bash /usr/bin/sh
echo "/usr/bin/sh" >> /etc/shells
--------------------------------------------------------------------------
--
Petr Klíma
e-mail: petr.klima na madeta-group.cz MADETA Group a.s.
phone: +420 389 136 209 Rudolfovská 246/83
web: http://www.madeta-group.cz 370 50 České Budějovice
Czech Republic
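As an added example (not from the original post, and not code from pam_ldap, nss_ldap or the distribution), the following POSIX shell script checks offline the three things the thread turns on: that nsswitch.conf actually routes passwd/shadow/group through ldap (without that, 'getent passwd puzman' cannot return the LDAP user), that the pam.d auth stack carries pam_ldap.so with use_first_pass, and which bind DNs in a slapd log came back with a non-zero result (err=49 being the invalidCredentials seen in the quoted log). The sample files, the dsproxy DN under dc=example,dc=cz and the passwd line used in the checks are constructed for this example; the two puzman log lines reproduce the ones quoted above.

```shell
#!/bin/sh
# Added example, not part of the original post or of pam_ldap/nss_ldap:
# offline sanity checks for the setup described in the thread. Each check is
# a function taking a file path, so the same functions can be pointed at the
# constructed samples below or at the real /etc files on a host.

# nsswitch.conf: is the given database (passwd, shadow, group) served by ldap?
# Without "ldap" on these lines 'getent passwd <user>' cannot return an LDAP user.
nss_uses_ldap() {
  # $1 = nsswitch.conf path, $2 = database name
  grep -E "^[[:space:]]*$2:" "$1" | grep -qw ldap
}

# pam.d stack: is pam_ldap.so in the auth stack with use_first_pass, so the
# password already collected by pam_unix.so is reused instead of prompted twice?
pam_auth_has_ldap() {
  # $1 = path of the pam.d service file
  grep -E '^[[:space:]]*auth[[:space:]]' "$1" | grep pam_ldap.so | grep -q use_first_pass
}

# Does a line printed by 'getent passwd <user>' look like a /etc/passwd entry
# (exactly seven colon-separated fields)?
looks_like_passwd_line() {
  # $1 = the line to check
  printf '%s\n' "$1" | awk -F: 'NF == 7 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# slapd log triage: pair each "BIND dn=..." with the RESULT of the same
# conn/op and print the DN of every bind that did not succeed (err != 0).
# err=49 is LDAP invalidCredentials, the code in the quoted log.
failed_binds() {
  # $1 = path of a slapd log excerpt
  awk '
    /BIND dn=/ {
      match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
      match($0, /dn="[^"]*"/);            dn[key] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    /RESULT/ && /err=[0-9]+/ {
      match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
      match($0, /err=[0-9]+/);            err = substr($0, RSTART + 4, RLENGTH - 4)
      if ((key in dn) && err + 0 != 0) printf "%s err=%s\n", dn[key], err
    }' "$1"
}

# Constructed sample inputs (not captured from a real host); the two puzman
# slapd lines reproduce the ones quoted in the thread, the dsproxy DN is invented.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/nsswitch.conf" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files
hosts:  files dns
EOF
cat > "$SAMPLES/system-auth" <<'EOF'
auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required   /lib/security/$ISA/pam_deny.so
EOF
cat > "$SAMPLES/slapd.log" <<'EOF'
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 BIND dn="uid=dsproxy,ou=People,dc=example,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 BIND dn="uid=puzman,ou=people,dc=amit,dc=cz" method=128
Sep 11 01:32:53 localhost slapd[5633]: conn=0 op=2 RESULT tag=97 err=49 text=
EOF

# Stand-alone run: one line per check, then the failed binds from the log.
for db in passwd shadow group; do
  if nss_uses_ldap "$SAMPLES/nsswitch.conf" "$db"; then
    echo "nsswitch $db: ldap ok"
  else
    echo "nsswitch $db: ldap missing"
  fi
done
if pam_auth_has_ldap "$SAMPLES/system-auth"; then
  echo "pam auth: pam_ldap.so use_first_pass ok"
fi
failed_binds "$SAMPLES/slapd.log"
```

On a real host, point the functions at /etc/nsswitch.conf, /etc/pam.d/system-auth and the slapd log instead of the samples, and feed the output of 'getent passwd <user>' to looks_like_passwd_line; the group sample above deliberately lacks ldap so the report shows what a missing entry looks like.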