
Re: pam_ldap on CentOS passed INCORRECT is local account doesn't exist

by wrogers

This config works fine on 2000+ hosts.  You have all your other bases
covered? (/etc/nsswitch.conf, /etc/ldap.conf etc..)

Wes

On Thu, Aug 28, 2008 at 14:29, Lance Vermilion <pamldap@...> wrote:

> Weston,
>
> Why doesn't auth have pam_ldap included? The only place I see your
> pam_ldap is under password.
>
> I do not see a single ldap request with this configuration. I have
> tried with and without the $ISA. Any other thoughts?
>
> -lance
>
> On Thu, Aug 28, 2008 at 8:30 AM, Weston Rogers <wrogers@...> wrote:
>> This is what I use for /etc/pam.d/system-auth (you don't need to touch
>> /etc/pam.d/sshd) :
>>
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so
>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>> account     required      /lib/security/$ISA/pam_permit.so
>>
>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>>
>>
>> On Wed, Aug 27, 2008 at 18:46, Lance Vermilion <pamldap@...> wrote:
>>> Hello All,
>>>
>>> I am having a bit of an issue. I want to use pam_ldap for
>>> authentication and do not want to have a local user account for
>>> each user that I want to authenticate via ldap. So for example
>>> if I have linux client A receive a login request from a user with the
>>> username of "user.2" via ssh I would expect PAM and pam_ldap to use
>>> the password which the user provided to bind to the ldap server. For
>>> some reason I have something out of order and if the user does not
>>> have a local account it is forwarding INCORRECT as the password to the
>>> ldap server. If I create the username "user.2" on the local system it
>>> will then forward the password provided by the user and then I am off
>>> and running. Any thoughts?
>>>
>>> #
>>> # TCPDUMP showing that the password for AUTH is incorrect
>>> # user.2 does not exist locally
>>> #
>>> 00000074  30 40 02 01 03 60 3b 02  01 03 04 27 75 69 64 3d     0@...`;. ...'uid=
>>> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65     user.2,o u=People
>>> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
>>> 000000A4  63 6f 6d 80 0d 08 0a 0d  7f 49 4e 43 4f 52 52 45     com..... .INCORRE
>>> 000000B4  43 54                                                CT
>>>
>>>
>>> #
>>> # TCPDUMP showing that the password for AUTH is correct
>>> # after /usr/sbin/adduser user.2
>>> #
>>> 00000074  30 37 02 01 03 60 32 02  01 03 04 27 75 69 64 3d     07...`2. ...'uid=
>>> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65     user.2,o u=People
>>> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
>>> 000000A4  63 6f 6d 80 04 74 65 73  74                          com..test
>>>
>>>
>>> OS: CentOS 5.1
>>>
>>> #
>>> # /etc/pam.d/sshd
>>> #
>>> #%PAM-1.0
>>> auth         required         /lib/security/pam_nologin.so
>>> auth         sufficient         /lib/security/pam_ldap.so
>>> auth         required         /lib/security/pam_unix_auth.so try_first_pass
>>>
>>> account         sufficient         /lib/security/pam_ldap.so
>>> account         required         /lib/security/pam_unix_acct.so
>>>
>>> password         required         /lib/security/pam_cracklib.so
>>> password         sufficient         /lib/security/pam_ldap.so
>>> password         required         /lib/security/pam_pwdb.so use_first_pass
>>>
>>> session         required         /lib/security/pam_unix_session.so
>>>
>>> #
>>> # /etc/pam.d/system-auth
>>> #
>>> #%PAM-1.0
>>> # This file is auto-generated.
>>> # User changes will be destroyed the next time authconfig is run.
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth        sufficient    pam_ldap.so use_first_pass
>>> auth        required      pam_deny.so
>>>
>>> account     required      pam_unix.so broken_shadow
>>> account     sufficient    pam_localuser.so
>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account     required      pam_permit.so
>>>
>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password    sufficient    pam_ldap.so use_authtok
>>> password    required      pam_deny.so
>>>
>>> session     optional      pam_keyinit.so revoke
>>> session     required      pam_limits.so
>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session     required      pam_unix.so
>>> session     optional      pam_ldap.so
>>>
>>
>
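Decoding the two captures as LDAP BindRequests makes the difference explicit. The script below is an added example, not code from the thread: it embeds the two hex dumps from the original message as constructed input, reads them back with a minimal BER tag-length-value parser, and pulls out the messageID, bind DN and simple-bind password (function names such as `parse_hexdump` and `decode_bind_request` are this example's own). In the capture taken while no local account existed, the 13-byte password field is the four bytes 0x08 0x0a 0x0d 0x7f followed by INCORRECT, which is not something a user could have typed; in the capture taken after `adduser user.2` it is the four bytes `test`.

```python
# Added example, not part of the original post: decode the two captures in the
# thread as LDAP BindRequests. Dumps are copied from the message above
# (Wireshark-style: offset, 16 hex bytes, ASCII) and embedded as constructed input.
import re

CAPTURE_NO_LOCAL_ACCOUNT = """
00000074  30 40 02 01 03 60 3b 02  01 03 04 27 75 69 64 3d     0@...`;. ...'uid=
00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65     user.2,o u=People
00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
000000A4  63 6f 6d 80 0d 08 0a 0d  7f 49 4e 43 4f 52 52 45     com..... .INCORRE
000000B4  43 54                                                CT
"""

CAPTURE_WITH_LOCAL_ACCOUNT = """
00000074  30 37 02 01 03 60 32 02  01 03 04 27 75 69 64 3d     07...`2. ...'uid=
00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65     user.2,o u=People
00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
000000A4  63 6f 6d 80 04 74 65 73  74                          com..test
"""

# LDAP tags used by a BindRequest (RFC 4511, section 4.2).
LDAP_SEQUENCE, LDAP_INTEGER, LDAP_BIND_REQUEST = 0x30, 0x02, 0x60
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3          # AuthenticationChoice [0] and [3]


def parse_hexdump(text):
    """Read an offset/hex/ASCII dump back into bytes. Assumes the ASCII
    column is set off by three or more spaces (true for the dumps above)."""
    out = bytearray()
    for line in text.splitlines():
        tokens = re.split(r"\s{3,}", line.strip(), maxsplit=1)[0].split()
        if tokens and re.fullmatch(r"[0-9A-Fa-f]{8}", tokens[0]):
            tokens = tokens[1:]                     # drop the offset column
        for tok in tokens:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                raise ValueError(f"unexpected token {tok!r} in dump")
            out.append(int(tok, 16))
    return bytes(out)


def ber_tlv(buf, pos):
    """Read one BER tag-length-value at pos (single-byte tags, as LDAP uses).
    Returns (tag, value, position of the next element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(msg):
    """Decode one LDAPMessage carrying a BindRequest into a dict."""
    tag, body, end = ber_tlv(msg, 0)
    if tag != LDAP_SEQUENCE or end != len(msg):
        raise ValueError("not a single, complete LDAPMessage")
    tag, raw_id, pos = ber_tlv(body, 0)
    if tag != LDAP_INTEGER:
        raise ValueError("messageID missing")
    tag, op, _ = ber_tlv(body, pos)
    if tag != LDAP_BIND_REQUEST:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, raw_version, pos = ber_tlv(op, 0)            # INTEGER version
    _, raw_dn, pos = ber_tlv(op, pos)               # LDAPDN name
    auth_tag, auth, _ = ber_tlv(op, pos)            # AuthenticationChoice
    if auth_tag == AUTH_SIMPLE:
        method, password = "simple", auth
    elif auth_tag == AUTH_SASL:
        method, password = "sasl", None             # secret is in the SASL exchange
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")
    return {"message_id": int.from_bytes(raw_id, "big", signed=True),
            "version": int.from_bytes(raw_version, "big"),
            "bind_dn": raw_dn.decode("utf-8"), "method": method, "password": password}


def leading_control_bytes(password):
    """Bytes before the first printable ASCII character; a non-empty result is
    something no user could have typed at a password prompt."""
    i = 0
    while i < len(password) and not 0x20 <= password[i] < 0x7F:
        i += 1
    return password[:i]


if __name__ == "__main__":
    for label, dump in (("no local account", CAPTURE_NO_LOCAL_ACCOUNT),
                        ("local account exists", CAPTURE_WITH_LOCAL_ACCOUNT)):
        req = decode_bind_request(parse_hexdump(dump))
        print(f"{label:22s} {req['bind_dn']} password={req['password']!r} "
              f"control prefix={leading_control_bytes(req['password'])!r}")
```

The BER lengths in both dumps check out against the byte counts (0x40 and 0x37 for the outer SEQUENCE, 0x3b and 0x32 for the BindRequest), so the captures are complete messages rather than fragments; `leading_control_bytes` is the quick test for the symptom described above, since a real password prompt never yields backspace, newline, carriage return or DEL at the front of the credential.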

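Which module in the quoted system-auth `auth` stack ends up holding the password follows from the control flags in pam.conf(5): `required`, `requisite`, `sufficient` and `optional` are shorthands for `[value=action]` tables, and a `sufficient` success only ends the stack when no earlier `required` module has failed. The script below is an added example, written for this page and not taken from the thread or from Linux-PAM: it applies those rules to the poster's five `auth` lines with stubbed module results. The return codes per scenario (pam_unix failing for a user with no local hash, pam_succeed_if returning user_unknown when NSS cannot resolve the name) are assumptions for illustration, not observed behaviour. The "nss missing" scenario is one reason the reply above asks about /etc/nsswitch.conf: with `requisite pam_succeed_if.so uid >= 500`, a name NSS cannot resolve ends the stack before pam_ldap ever runs.

```python
# Added example, not from the thread or from Linux-PAM: a model of how libpam walks
# a stack per the control-flag rules in pam.conf(5), run over the "auth" lines of
# the /etc/pam.d/system-auth quoted above with stubbed (assumed) module results.
import re

SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

# Keyword controls as pam.conf(5) defines them in [value=action] form.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, section):
    """Return [(control_table, module, args)] for one management group."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, control, module, args = _LINE.match(line).groups()
        if group != section:
            continue
        if control.startswith("["):              # explicit [value=action ...] form
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        stack.append((table, module, args))
    return stack


def run_stack(stack, results):
    """Evaluate a stack the way libpam's dispatcher does. results(module, args)
    gives each module's return code name; returns (status, trace of modules run)."""
    impression, status, trace, i = None, None, [], 0   # impression: None/True/False
    while i < len(stack):
        control, module, args = stack[i]
        i += 1
        rc = results(module, args)
        action = control.get(rc, control.get("default", "bad"))
        trace.append((module, rc, action))
        if action == "ignore":
            continue
        if action == "bad":                      # remember the first failure, keep going
            if impression is not False:
                impression, status = False, rc
        elif action == "die":                    # fail now, skip the rest of the stack
            impression, status = False, rc
            break
        elif action == "ok" or action.isdigit():
            if impression is None or (impression and status == "success"):
                impression, status = True, rc    # success counts only with no "bad" so far
            if action.isdigit():                 # "[success=N ...]": skip the next N modules
                i += int(action)
        elif action == "done":                   # sufficient: stop early on a clean success
            if impression is None:
                impression, status = True, rc
            if impression and status == "success":
                break
        else:
            raise ValueError(f"unsupported action {action!r}")
    if impression is None:                       # nothing decided: libpam fails closed
        status = "perm_denied"
    return status, trace


# Stubbed outcomes per scenario (assumptions for illustration, not observed
# behaviour). Unlisted modules return "success"; pam_deny always "auth_err".
SCENARIOS = {
    "local user":                {"pam_unix.so": "success"},
    "ldap user, nss ok":         {"pam_unix.so": "auth_err", "pam_ldap.so": "success"},
    "ldap user, wrong password": {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"},
    "ldap user, nss missing":    {"pam_unix.so": "user_unknown", "pam_succeed_if.so": "user_unknown"},
}


def simulate(scenario):
    """Run the quoted auth stack for one scenario; returns (status, trace)."""
    outcomes = SCENARIOS[scenario]
    def results(module, args):                   # pam_deny always denies
        return "auth_err" if module == "pam_deny.so" else outcomes.get(module, "success")
    return run_stack(parse_stack(SYSTEM_AUTH, "auth"), results)


if __name__ == "__main__":
    for name in SCENARIOS:
        status, trace = simulate(name)
        print(f"{name:26s} -> {status:12s} ran: {[m for m, _, _ in trace]}")
```

Running it prints one line per scenario with the modules that were actually reached: a local user stops at pam_unix, an LDAP user that NSS resolves falls through pam_unix and reaches pam_ldap, a wrong LDAP password runs all five lines and ends at pam_deny, and a name NSS cannot resolve dies at pam_succeed_if with pam_ldap never consulted. The parser also accepts the bracketed form used in the poster's account stack (`[default=bad success=ok user_unknown=ignore]`), so the same evaluator can be pointed at the other management groups with a different set of stubbed results.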