SUMMARY: LDAP authentication problem

From: Will Dowling <william.m.dowling_at_nuim.ie>
Date: Thu Mar 03 2005 - 04:53:43 EST
Thanks to the many who replied and helped. I finally managed
to narrow down the problem and got a solution from the Sun
Support forum. Turns out that I hadn't got proxyagent set up
properly so the client was not binding to the server
properly.
I just ran idsconfig again and reconfigured the values for
the proxy agent. Also my pam.conf was wrong. Here is the
hacked version that worked.

#
# Authentication
#
login auth optional pam_authtok_get.so.1
login auth optional pam_dhkeys.so.1
login auth optional pam_dial_auth.so.1
login auth sufficient pam_unix.so.1
login auth required pam_ldap.so.1 try_first_pass
sshd auth sufficient pam_unix.so.1
sshd auth required pam_ldap.so.1 try_first_pass
other auth optional pam_authtok_get.so.1
other auth optional pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 try_first_pass
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 try_first_pass
#
# Account
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1 try_first_pass

#
# Session
#
other session required pam_unix_session.so.1

#
# Passwd
#
other password required pam_dhkeys.so.1
other password required pam_authtok_get.so.1
other password required pam_authtok_check.so.1
other password sufficient pam_authtok_store.so.1
other password required pam_ldap.so.1

Again thanks to everyone that replied!


Original Question

> 
> Hey folks,
> Hope you guys can help me.
> I've got Sun One Directory Server 5.2 installed under
> Solaris 9.
> I have the server configured fine and all and clients are
> initialised.
> getent passwd user works fine,
> ldaplist -l passwd works fine,
> But when I try to su to the user it asks for a password
> and then an LDAP password. When I enter the password I set
> on the directory server startconsole, it says:
> 
>    bash-2.05$ su jdoe 
>    Password: 
>    LDAP Password: 
>    su: Unknown id: jdoe
>    bash-2.05$ 
> 
> Also, if I try to change the password it doesn't work:
> 
>   # passwd -r ldap jdoe
>   Enter jdoe's password: 
>   New Password: 
>   Re-enter new Password: 
>   passwd: System error: no ldap password for jdoe.
>   passwd(LDAP): jdoe does not exist
>   Permission denied
>   # 
> 
> Yet I can finger user and id user and it brings me back all
> the appropriate info. Is this a pam.conf problem or do I
> not have the password configured correctly? I see some
> examples with crypt{} in their output but I specified that
> the DS would use crypt. I presume it would store them in
> crypt automatically when I add a user via the
> startconsole. Here is the ldaplist -l passwd output:
> 
> dn: uid=jdoe,ou=People, dc=example,dc=com
> uid: jdoe
> givenName: john
> sn: doe
> cn: john doe
> uidNumber: 104
> gidNumber: 10
> homeDirectory: /export/home/jdoe
> loginShell: /bin/sh
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> 
> And here is my pam.conf:
> 
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_unix_auth.so.1
> #login auth required pam_dial_auth.so.1
> login auth required pam_ldap.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> #rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_auth.so.1
> #rlogin auth required pam_ldap.so.1 try_first_pass
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> #rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_auth.so.1
> #rsh auth required pam_ldap.so.1 try_first_pass
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_auth.so.1
> #ppp auth required pam_dial_auth.so.1
> #ppp auth required pam_ldap.so.1 try_first_pass
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth required pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth sufficient pam_unix_auth.so.1
> other auth required pam_ldap.so.1
> 
> passwd auth sufficient pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_projects.so.1
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_projects.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password sufficient pam_authtok_store.so.1
> other password required pam_ldap.so.1
> 
> any help would be appreciated!
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Mar 3 04:54:10 2005
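The two pam.conf versions in this thread differ mainly in their control flags and in whether pam_ldap.so.1 gets try_first_pass. The following is an added example, not code from the original post or from Sun: a small Python simulator of Solaris pam.conf stacking that parses the auth and account entries of both versions (trimmed to the login/other lines, embedded as constructed text) and evaluates them for a few scenarios. The control-flag semantics (required, requisite, sufficient, optional) and the fall-back to the "other" service are the documented ones; the per-module outcomes, that pam_unix*.so.1 fails for a user with no local shadow entry, that pam_unix_account.so.1 passes whenever the user resolves through nsswitch, and that pam_ldap.so.1 fails while the proxyagent bind is broken, are assumptions chosen to mirror the symptoms described, not measurements from the poster's system.

```python
"""Simulate how Solaris 9 pam.conf stacks resolve for the two configurations
in this thread.  Added example, not code from the original post.  Control flag
semantics are the documented ones; each module's pass/fail outcome per
scenario is an assumption made here to mirror the reported symptoms.
"""
from collections import defaultdict

# Constructed: auth/account entries of the original pam.conf that apply to su
# (su has no entry of its own, so the "other" lines are used).
ORIGINAL_PAM_CONF = """\
other auth required pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
"""

# Constructed: login/other auth and account entries of the version that worked.
FIXED_PAM_CONF = """\
login auth optional pam_authtok_get.so.1
login auth optional pam_dhkeys.so.1
login auth optional pam_dial_auth.so.1
login auth sufficient pam_unix.so.1
login auth required pam_ldap.so.1 try_first_pass
other auth optional pam_authtok_get.so.1
other auth optional pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 try_first_pass
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1 try_first_pass
"""

# Assumed module outcomes per scenario: an LDAP-only user has no /etc/shadow
# entry (pam_unix* auth fails); pam_unix_account only needs the user to resolve
# via nsswitch (getent worked in the thread); pam_ldap fails while the
# proxyagent bind is misconfigured.
LDAP_USER_BIND_BROKEN = {"local_password_ok": False, "user_resolvable": True, "ldap_ok": False}
LDAP_USER_BIND_OK = {"local_password_ok": False, "user_resolvable": True, "ldap_ok": True}
LOCAL_USER = {"local_password_ok": True, "user_resolvable": True, "ldap_ok": False}


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, options)]}."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks


def lookup_stack(stacks, service, mtype):
    """pam.conf(4): 'other' is used only when the service has no entry of this type."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def module_result(module, scenario):
    if module in ("pam_unix.so.1", "pam_unix_auth.so.1"):
        return scenario["local_password_ok"]
    if module == "pam_unix_account.so.1":
        return scenario["user_resolvable"]
    if module == "pam_ldap.so.1":
        return scenario["ldap_ok"]
    return True  # pam_authtok_get, pam_dhkeys, pam_dial_auth, pam_roles, pam_projects


def module_prompts(module, options):
    """pam_authtok_get asks once; pam_ldap asks again unless told to reuse that token."""
    if module == "pam_authtok_get.so.1":
        return 1
    if module == "pam_ldap.so.1" and not ({"try_first_pass", "use_first_pass"} & set(options)):
        return 1
    return 0


def run_stack(stack, mtype, scenario):
    """Evaluate one stack.  Returns (success, number_of_password_prompts)."""
    if not stack:
        return False, 0  # no entries of this type: the stack cannot succeed
    required_failed = False
    prompts = 0
    for control, module, options in stack:
        if mtype == "auth":
            prompts += module_prompts(module, options)
        ok = module_result(module, scenario)
        if control == "requisite" and not ok:
            return False, prompts  # stop immediately
        if control == "required" and not ok:
            required_failed = True  # keep going, but the stack will fail
        elif control == "sufficient" and ok and not required_failed:
            return True, prompts  # short-circuit: later modules never run
        # 'optional' results are ignored
    return not required_failed, prompts


def authenticate(conf_text, service, scenario):
    """Run the auth stack, then the account stack, as su/login would."""
    stacks = parse_pam_conf(conf_text)
    auth_ok, prompts = run_stack(lookup_stack(stacks, service, "auth"), "auth", scenario)
    if not auth_ok:
        return {"auth": False, "account": None, "prompts": prompts}
    acct_ok, _ = run_stack(lookup_stack(stacks, service, "account"), "account", scenario)
    return {"auth": True, "account": acct_ok, "prompts": prompts}


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_PAM_CONF), ("fixed", FIXED_PAM_CONF)):
        for name, scen in (("ldap user, bind broken", LDAP_USER_BIND_BROKEN),
                           ("ldap user, bind ok", LDAP_USER_BIND_OK),
                           ("local user", LOCAL_USER)):
            print("%-8s su    %-22s -> %s" % (label, name, authenticate(conf, "su", scen)))
    print("fixed    login local user             -> %s" % authenticate(FIXED_PAM_CONF, "login", LOCAL_USER))
```

Under these assumptions the original stack prompts twice for an LDAP user (pam_authtok_get.so.1 and then pam_ldap.so.1 again, which is the "Password:" / "LDAP Password:" pair in the question) and fails closed while the proxy bind is broken; the working stack prompts once because try_first_pass lets pam_ldap reuse the token, and a local account authenticates through sufficient pam_unix*.so.1 without the directory ever being consulted, so a local /etc/shadow entry with the same name as a directory user wins. The model says nothing about the `su: Unknown id` message, which is su's own doing. On the real system the thing to verify is the bind itself: `ldapclient list` shows the proxy DN the client is using, and an ldapsearch bound with `-D` as that DN and its password should return the user's entry.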

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:43 EST