[plug] KRB5/LDAP Authentication

Brenno J.S.A.A.F. de Winter brenno at dewinter.com
Mon Apr 14 00:00:40 WST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

I have the funniest thing with LDAP that I could use some help with. On
a RedHat machine I'm trying to authenticate against Active Directory.
What works is a user in /etc/passwd without a valid password in
/etc/shadow, but with a valid password in AD: logon succeeds.

But having the stuff configured for LDAP is more complicated. When I do
a manual lookup ldapsearch -x "sAMAccount=klaas" succeeds, but on login
I get in /var/log/secure "failed login for illegal user klaas". When I'm
logged in to the machine su - klaas gives me 'cannot find user klaas'.
This leads me to believe that there is no ldap_search being performed.

Please find below my system-auth (that is the most likely place to have
a mistake). I feel that I'm nearly done and this is the last problem to
overcome, but as usual the last 20% cost 80% of your time :-( (and
believe me I have spent 5 days getting everything aligned and reading
the good documentation and of course the shitty documentation).

Cheers,

Brenno.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so
session     optional      /lib/security/pam_ldap.so

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE+mYmo3GS+v2n8CeMRAq0mAJ4jh4w+Nisbm1h0S6WWkPkv8M1bRgCffCgw
hTdYKRVpXjozkOZiI47MwMk=
=HY3L
-----END PGP SIGNATURE-----
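The symptom described in the post ("cannot find user klaas" from su, "illegal user" in /var/log/secure, while ldapsearch succeeds) is what a login sees when the account cannot be resolved through NSS: pam_ldap only verifies the password, but login and su first look the user up with getpwnam(), and that lookup consults LDAP only if /etc/nsswitch.conf lists "ldap" as a source for the passwd, shadow and group maps. The script below is an added example, not part of the original post or the author's configuration: it parses an nsswitch.conf-style file and reports which of those maps lack "ldap", and offers a `user_resolves` helper that runs the same NSS lookup su relies on. The sample nsswitch.conf content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check whether NSS, not only PAM,
# is configured to resolve accounts from LDAP. pam_ldap handles the password
# check, but login and su first look the user up through NSS (getpwnam), which
# only consults LDAP if nsswitch.conf lists "ldap" for passwd/shadow/group.

# nss_sources MAP FILE: print the source list for MAP (e.g. "passwd") from an
# nsswitch.conf-style file, with comments stripped. Prints nothing if absent.
nss_sources() {
    map=$1; file=$2
    sed -e 's/#.*//' "$file" |
        awk -v m="$map" '$1 == m":" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_has_ldap MAP FILE: exit 0 if "ldap" is among MAP's sources, 1 otherwise.
nss_has_ldap() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# check_nsswitch FILE: for each map an LDAP login needs, report whether ldap is
# listed. Prints one line per map; returns the number of maps missing ldap
# (0 means the NSS side is complete).
check_nsswitch() {
    missing=0
    for m in passwd shadow group; do
        if nss_has_ldap "$m" "$1"; then
            echo "$m: ok ($(nss_sources "$m" "$1"))"
        else
            echo "$m: ldap not listed ($(nss_sources "$m" "$1"))"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# user_resolves USER: exit 0 if NSS can resolve USER, i.e. the lookup that
# su and login perform before PAM is ever consulted. Run on the real host.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Constructed sample: a "files only" passwd/shadow configuration, which yields
# "cannot find user" from su even though a manual ldapsearch succeeds.
SAMPLE=${TMPDIR:-/tmp}/nsswitch.sample.$$
cat > "$SAMPLE" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files
shadow:     files
group:      files ldap
hosts:      files dns
EOF

check_nsswitch "$SAMPLE" || echo "$? map(s) still need ldap before LDAP users can log in"
rm -f "$SAMPLE"
```

On the affected host, run `check_nsswitch /etc/nsswitch.conf` and `user_resolves klaas`; if the first reports maps without ldap or the second fails while `ldapsearch` works, the problem is in NSS (nsswitch.conf and nss_ldap), not in the PAM stack shown above.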
