Paul Engle wrote:
Hi all,
I'm trying to set up our FDS 1.0.2 server to do the PAM passthrough
authentication for simple binds so that we don't have to store passwords in
the DS. I'm new to FDS, but not to LDAP or kerberos. Something is wonky,
though, and I'm at a loss.
I've compiled the pam-passthru-plugin.so library, and configured it
according to the README doc for that plugin. The plugin is showing as
loaded, and the response I'm getting back indicates that it is trying to do
the check, so I don't think it's a config issue with the plugin.
However, I'm getting conflicting log entries as to the success of the
authentication. The slapd error logs are showing:
[15/May/2006:14:22:49 -0500] pam_passthru-plugin - Expired PAM password for user id [pengle], bind DN [uid=pengle,ou=people,dc=rice,dc=edu]: reset required
But, /var/log/messages is reporting:
May 15 14:22:49 ldap1 ns-slapd: pam_krb5[1832]: authentication succeeds for 'pengle' (pengle@RICE.EDU)
So, it looks like the kerberos auth is working, but whatever response the
ldap server is getting isn't being interpreted as a success.
I'm not a pam guru, so my /etc/pam.d/ldapserver is very basic:
#%PAM-1.0
auth required /lib/security/$ISA/pam_krb5.so debug no_user_check
In case it's an issue, this is a RHEL4 box. And the command I'm testing
with is
/usr/bin/ldapsearch -x -W -H 'ldaps://ldap1.rice.edu:636' -D "uid=pengle,ou=People,dc=rice,dc=edu" -b "ou=People,dc=rice,dc=edu" '(uid=pengle)'
Have I done something obviously wrong? If anyone has gotten this to work
and can give me some pointers, I'd be very grateful. As far as I know, our
kerberos repository doesn't do password aging, so I don't understand the
error.
I'm not really sure.
# You can enable plug-in debug logging which may give some more
indication of the problem, but this will slow down the server. So if
you need to run with logging on in production, do so only for a short
period of time.
http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting
# pam_passthru-plugin also allows for something called "exclude
suffix". So you can create a suffix dc=local and have a user called
uid=test and see if that succeeds.
# Are there any 8 bit characters in your password?
Thanks for your time,
-paul
--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702 | P.O. Box 1892
pengle(a)rice.edu | Houston, TX 77251-1892
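The two log lines in the thread disagree: pam_krb5 says authentication succeeded, while the plugin reports an expired password with "reset required", and the /etc/pam.d/ldapserver file shown has only an auth line. The script below is an added example, not code from the thread, from Fedora Directory Server or from the pam-passthru plugin. It drives the same PAM service file from outside slapd, calling pam_authenticate and pam_acct_mgmt as two separate steps and printing the return code of each, so you can see which call is producing the non-success result instead of inferring it from two different logs. It also flags a password containing 8-bit characters, the third suggestion in the reply. It assumes Linux-PAM (libpam.so.0 and its return-code numbering; Solaris PAM differs), must run on the LDAP server host, and pam_krb5 still needs to reach the KDC. The service name "ldapserver" is the one from the post.

```python
#!/usr/bin/env python3
"""Exercise a PAM service stack step by step, outside the directory server.

Added example, not code from the thread or the pam-passthru plugin. Assumes
Linux-PAM (libpam.so.0) and its return-code numbers; Solaris PAM differs.
"""
import ctypes
import ctypes.util
import getpass
import sys
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_size_t, c_void_p, cast)

PAM_SUCCESS, PAM_CONV_ERR = 0, 19
PAM_PROMPT_ECHO_OFF = 1  # conversation style used for password prompts
# Linux-PAM return codes that matter for an auth + account check.
PAM_RETURN_NAMES = {
    0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",  # the "password expired, reset required" case
    13: "PAM_ACCT_EXPIRED", 19: "PAM_CONV_ERR", 27: "PAM_AUTHTOK_EXPIRED",
}


def pam_code_name(code):
    """Symbolic name for a Linux-PAM return code; unknown codes keep the number."""
    return PAM_RETURN_NAMES.get(code, "PAM_RC_%d" % code)


def has_8bit_chars(password):
    """True if the password has any byte outside 7-bit ASCII (str taken as UTF-8)."""
    data = password if isinstance(password, bytes) else password.encode("utf-8")
    return any(b > 0x7F for b in data)


class PamMessage(Structure):          # struct pam_message
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):         # struct pam_response
    _fields_ = [("resp", c_char_p), ("resp_retcode", c_int)]

CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):             # struct pam_conv
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def run_pam_stack(service, user, password):
    """Run pam_authenticate then pam_acct_mgmt; return ({step: (rc, name, text)},
    [(style, text) messages the modules sent]).  Stops at the first failure."""
    pam_path = ctypes.util.find_library("pam")
    if pam_path is None:
        raise OSError("libpam not found on this host")
    libc, libpam = ctypes.CDLL(ctypes.util.find_library("c")), ctypes.CDLL(pam_path)
    # libpam frees the response array and each resp string with free(3), so
    # both must come from the C allocator, never from Python-owned memory.
    libc.calloc.restype, libc.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = c_void_p, [c_char_p]
    libpam.pam_strerror.restype, libpam.pam_strerror.argtypes = c_char_p, [c_void_p, c_int]
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [c_void_p, c_int]
    pw_bytes, messages = password.encode("utf-8"), []

    @CONV_FUNC
    def conv(n_msg, msgs, p_resp, _appdata):
        resp_array = libc.calloc(n_msg, ctypes.sizeof(PamResponse))
        if not resp_array:
            return PAM_CONV_ERR
        p_resp[0] = cast(resp_array, POINTER(PamResponse))
        for i in range(n_msg):
            m = msgs[i].contents
            messages.append((m.msg_style, (m.msg or b"").decode("utf-8", "replace")))
            if m.msg_style == PAM_PROMPT_ECHO_OFF:  # answer only password prompts
                p_resp[0][i].resp = cast(libc.strdup(pw_bytes), c_char_p)
        return PAM_SUCCESS

    pamh, pconv, results = c_void_p(), PamConv(conv, None), {}
    rc = libpam.pam_start(service.encode(), user.encode(), byref(pconv), byref(pamh))
    if rc != PAM_SUCCESS:
        return {"pam_start": (rc, pam_code_name(rc), "")}, messages
    for step, fn in (("pam_authenticate", libpam.pam_authenticate),
                     ("pam_acct_mgmt", libpam.pam_acct_mgmt)):
        rc = fn(pamh, 0)
        text = (libpam.pam_strerror(pamh, rc) or b"").decode("utf-8", "replace")
        results[step] = (rc, pam_code_name(rc), text)
        if rc != PAM_SUCCESS:
            break
    libpam.pam_end(pamh, rc)
    return results, messages


if __name__ == "__main__":  # usage: pamstep.py [service] [user]
    svc = sys.argv[1] if len(sys.argv) > 1 else "ldapserver"
    usr = sys.argv[2] if len(sys.argv) > 2 else getpass.getuser()
    pw = getpass.getpass("Password for %s via PAM service %s: " % (usr, svc))
    if has_8bit_chars(pw):
        print("note: password contains non-ASCII bytes")
    res, msgs = run_pam_stack(svc, usr, pw)
    for style, text in msgs:
        print("module message (style %d): %s" % (style, text))
    for step, (rc, name, text) in res.items():
        print("%-16s rc=%-2d %-22s %s" % (step, rc, name, text))
```

Run it on ldap1 as `python3 pamstep.py ldapserver pengle` and compare the two lines it prints: if pam_authenticate returns PAM_SUCCESS and pam_acct_mgmt does not, the problem is in the account stage of the stack rather than in the Kerberos password check, which is the distinction the two log files in the thread cannot make on their own. The conversation function answers only PAM_PROMPT_ECHO_OFF prompts, so a module that asks for anything else (a new password, for instance) shows up in the "module message" lines instead of being silently answered.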
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users