Re: LDAP Authentication on Debian - help?

Author: George Toft
Date:  
To: plug-discuss
Subject: Re: LDAP Authentication on Debian - help?
Tony Wasson wrote:
>
> George Toft wrote:
> > Has anyone set up a debian box to use LDAP for authentication? I tried
> > it last night with mixed results:
> > - LDAP is working fine: I can retrieve the entries, and the command
> > getent shows entries from files and ldap.
> > - I can't log in:
> > - I can't change password:
> > # passwd gtoft
> > passwd: Critical error - immediate abort
> > #
> >
> > I think my problem lies in my PAM configuration. If anyone has done
> > this and wants to share their pam configs, I would be very appreciative.
> >
> > I have googled for the errors I've been getting and have retrieved 0
> > hits consistently :( This seems to be trivial under RedHat (or so say
> > all the web pages I found on the topic). Debian is another story.
>
> Hi George,
>
> I use LDAP for authentication for IMAP/POP/SMTP/Web and SSH. Our LDAP
> backend is controlled by ISPMan, but I can use generic LDAP tools to add
> and modify users too.
>
> Most likely the problem lies in either:
>    1)  /etc/pam-ldap.conf NOT matching /etc/ldap/slapd.conf
>    2)  /etc/pam.d/*  NOT being set up correctly.
>
> The pam modules and plugins started off with great documentation. Then
> some "cool hacks" started happening and things were no longer documented.
>
> Here's a sample pam.d I stole off a mailing list for SSH, this will
> allow a fallthrough to local authentication if LDAP is unreachable. It
> will require a local account.
>
> /------/etc/pam.d/ssh START
> auth       sufficient   pam_ldap.so
> auth       required     pam_nologin.so
> auth       required     pam_unix.so
>
> account    sufficient   pam_ldap.so
> account    required     pam_unix.so
>
> session    sufficient   pam_ldap.so
> session    required     pam_unix.so
>
> password   sufficient   pam_ldap.so
> password   required     pam_unix.so
>
> \-----------END
>
> Because you can't change passwords using LDAP, it sounds like your
> pam-ldap connector does not have the right LDAP username/password and
> Base DN information. Can you check your slapd.conf and run
> "dpkg-reconfigure libpam-ldap"?
>
> Hope this gets you started!
> Tony
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
Cha-ching!!!

This, and the liberal use of "debug" helped.  I also read page 16 of
this month's SysAdmin mag that tells me how to do this for Debian. 
Despite the article, it was this config that did it for me - 10,000
thank-yous!!!
-- 
George Toft           +---------------------------------------------+
CISSP, MSIS           | Kerckhoffs' Principle: If the cryptographic |
CTO/Computer Security | algorithm must remain secret in order for   |
AGD,LLC               | the system to be secure, then the system is |
www.agdllc.com        | less secure.                                |
623-203-1760          +---------------------------------------------+
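The quoted /etc/pam.d/ssh stack depends on the classic Linux-PAM control flags, and the simulation below, an added example that is not from the thread, runs those flags over that auth section to show the fallthrough Tony describes (LDAP unreachable, local account present) and one side effect of listing pam_ldap.so as "sufficient" ahead of pam_nologin.so: for a user who authenticates via LDAP the nologin check is never reached. The module outcomes and the reordered comparison stack are constructed assumptions, not real PAM calls.

```python
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]
Results = Dict[str, bool]

# "auth" section of the /etc/pam.d/ssh quoted in the thread, in file order.
AUTH_STACK: Stack = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_unix.so"),
]

# Same modules with pam_nologin consulted before the sufficient LDAP entry
# (a reordering constructed here for comparison, not from the thread).
NOLOGIN_FIRST_STACK: Stack = [
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

def run_stack(stack: Stack, results: Results) -> bool:
    """Evaluate a stack under the classic Linux-PAM control flags.

    results maps a module name to True (success) or False (failure; for
    pam_ldap.so a False also stands for "LDAP server unreachable").
    """
    failed = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True      # success short-circuits: later modules never run
        elif control == "requisite":
            if not ok:
                return False     # failure aborts the stack at once
        elif control == "required":
            if not ok:
                failed = True    # remember the failure but keep running
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return not failed

# Constructed scenarios: each module's outcome in a given situation.
SCENARIOS: Dict[str, Results] = {
    "ldap user, ldap up": {"pam_ldap.so": True, "pam_nologin.so": True, "pam_unix.so": False},
    "ldap down, local account": {"pam_ldap.so": False, "pam_nologin.so": True, "pam_unix.so": True},
    "ldap down, no local account": {"pam_ldap.so": False, "pam_nologin.so": True, "pam_unix.so": False},
    "ldap user, /etc/nologin present": {"pam_ldap.so": True, "pam_nologin.so": False, "pam_unix.so": False},
}

def outcome(stack: Stack, scenario: str) -> bool:
    """Login decision for one constructed scenario under the given stack."""
    return run_stack(stack, SCENARIOS[scenario])

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:32} quoted: {outcome(AUTH_STACK, name)!s:5} "
              f"nologin-first: {outcome(NOLOGIN_FIRST_STACK, name)}")
```

The third scenario fails under both orderings, which is the "it will require a local account" condition in Tony's note; only the fourth scenario differs between the two stacks.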