I do not see a single ldap request with this configuration. I have
tried with and without the $ISA. Any other thoughts?
> This is what I use for /etc/pam.d/system-auth (you don't need to touch /etc/pam.d/sshd):
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
>
>
> On Wed, Aug 27, 2008 at 18:46, Lance Vermilion <pamldap@...> wrote:
>> Hello All,
>>
>> I am having a bit of an issue. I want to use pam_ldap for
>> authentication and do not want to have a local user account for each
>> user that I want to authenticate via ldap. So for example, if I have
>> linux client A receive a login request from a user with the username
>> of "user.2" via ssh, I would expect PAM and pam_ldap to use the
>> password which the user provided to bind to the ldap server. For some
>> reason I have something out of order, and if the user does not have a
>> local account it is forwarding INCORRECT as the password to the ldap
>> server. If I create the username "user.2" on the local system it will
>> then forward the password provided by the user and then I am off and
>> running. Any thoughts?
>>
>> #
>> # TCPDUMP showing that the password for AUTH is incorrect
>> # user.2 does not exist locally
>> #
>> 00000074 30 40 02 01 03 60 3b 02 01 03 04 27 75 69 64 3d 0@...`;. ...'uid=
>> 00000084 75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65 user.2,o u=People
>> 00000094 2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d ,dc=disa mcep,dc=
>> 000000A4 63 6f 6d 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45 com..... .INCORRE
>> 000000B4 43 54 CT
>>
>>
>> #
>> # TCPDUMP showing that the password for AUTH is correct
>> # after /usr/sbin/adduser user.2
>> #
>> 00000074 30 37 02 01 03 60 32 02 01 03 04 27 75 69 64 3d 07...`2. ...'uid=
>> 00000084 75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65 user.2,o u=People
>> 00000094 2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d ,dc=disa mcep,dc=
>> 000000A4 63 6f 6d 80 04 74 65 73 74 com..test
>>
>>
>> OS: CentOS 5.1
>>
>> #
>> # /etc/pam.d/sshd
>> #
>> #%PAM-1.0
>> auth required /lib/security/pam_nologin.so
>> auth sufficient /lib/security/pam_ldap.so
>> auth required /lib/security/pam_unix_auth.so try_first_pass
>>
>> account sufficient /lib/security/pam_ldap.so
>> account required /lib/security/pam_unix_acct.so
>>
>> password required /lib/security/pam_cracklib.so
>> password sufficient /lib/security/pam_ldap.so
>> password required /lib/security/pam_pwdb.so use_first_pass
>>
>> session required /lib/security/pam_unix_session.so
>>
>> #
>> # /etc/pam.d/system-auth
>> #
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>>
>
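To check what the two captures quoted above actually carry, here is a small BER decoder for an LDAPv3 simple BindRequest; it is an added example, not code from the thread or from pam_ldap, the packet bytes are transcribed from the quoted tcpdump output, and the class and function names are my own.

```python
from dataclasses import dataclass

@dataclass
class SimpleBind:
    message_id: int
    version: int
    dn: str
    password: bytes  # raw bytes: the first capture has control characters before INCORRECT

def _tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value triple at pos; returns (tag, value, next_pos).
    Only short-form lengths (< 128 bytes) occur in these captures."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_simple_bind(pkt: bytes) -> SimpleBind:
    """Decode an LDAPMessage carrying a BindRequest with simple authentication."""
    tag, msg, _ = _tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("expected LDAPMessage SEQUENCE")
    tag, mid, pos = _tlv(msg, 0)        # messageID INTEGER
    tag_op, op, _ = _tlv(msg, pos)      # protocolOp
    if tag != 0x02 or tag_op != 0x60:   # 0x60 = [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, ver, pos = _tlv(op, 0)           # version INTEGER
    _, name, pos = _tlv(op, pos)        # name LDAPDN (OCTET STRING)
    tag_auth, auth, _ = _tlv(op, pos)   # authentication CHOICE
    if tag_auth != 0x80:                # [0] simple; any other tag means SASL
        raise ValueError("not a simple bind")
    return SimpleBind(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                      name.decode("utf-8"), bytes(auth))

# Bytes transcribed from the two captures in the thread (hex columns only).
BIND_NO_LOCAL_USER = bytes.fromhex(
    "30 40 02 01 03 60 3b 02 01 03 04 27 75 69 64 3d"
    "75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65"
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d"
    "63 6f 6d 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45"
    "43 54")
BIND_LOCAL_USER = bytes.fromhex(
    "30 37 02 01 03 60 32 02 01 03 04 27 75 69 64 3d"
    "75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65"
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d"
    "63 6f 6d 80 04 74 65 73 74")

if __name__ == "__main__":
    for label, pkt in (("no local account", BIND_NO_LOCAL_USER), ("local account", BIND_LOCAL_USER)):
        b = parse_simple_bind(pkt)
        print(f"{label}: dn={b.dn} password={b.password!r}")
```

Both captures are simple binds in the clear, so the DN and the password are readable by anyone on the network path; binding over TLS (ldaps or StartTLS) is the usual remedy once the PAM ordering itself is sorted out.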