
Re: Password problem



On 25/10/2013 17:23, Arthur de Jong wrote:
> One thing that could be different with the other machines is that they
> return password hashes via the shadow map. By default nslcd will not
> expose password hashes through NSS.
>
> Do both systems produce the same output for
>    getent shadow lena

On my Mageia 3 PC, I get

getent shadow lena
lena:*:14855::99999::::0

on the other PCs:

lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0

> If you want to expose password hashes via NSS, pam_unix (in your case
> probably pam_tcb) usually does the authentication and you don't need
> pam_ldap. It is slightly more secure to delegate authentication to your
> LDAP server via pam_ldap.

> Exposing password hashes via nslcd can be done with:
>
>    map shadow userPassword userPassword


With this modification in nslcd.conf, I also get

getent shadow lena
lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0

but the same error with su:

nslcd: [b71efb] <authc="lena"> DEBUG: nslcd_pam_authc("lena","su","***")
nslcd: [b71efb] <authc="lena"> DEBUG: myldap_search(base="ou=People,dc=kervao,dc=fr", filter="(&(objectClass=posixAccount)(uid=lena))")
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_result(): uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [b71efb] <authc="lena"> DEBUG: myldap_search(base="uid=lena,ou=People,dc=kervao,dc=fr", filter="(objectClass=*)")
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_initialize(ldap://192.168.0.9/)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_rebind_proc()
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_simple_bind_s("uid=lena,ou=People,dc=kervao,dc=fr","***") (uri="ldap://192.168.0.9/")
nslcd: [b71efb] <authc="lena"> DEBUG: failed to bind to LDAP server ldap://192.168.0.9/: Invalid credentials
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_unbind()
nslcd: [b71efb] <authc="lena"> uid=lena,ou=People,dc=kervao,dc=fr: lookup failed: Invalid credentials

You can find the log file of the slapd server here: http://www.funix.org/fr/linux/fichiers/log-slapd


> If you want to get pam_ldap working, more information on your LDAP
> server could be useful. Also, the LDAP server logs may provide more
> information on why the authentication failed.

My slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile         /usr/local/var/run/slapd.pid

argsfile        /usr/local/var/run/slapd.args

database        bdb
suffix          "dc=kervao,dc=fr"
rootdn          "cn=Manager,dc=kervao,dc=fr"
rootpw          mot-de-passe
directory       /usr/local/var/openldap-data

index   objectClass     eq


# Basic ACL
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=kervao,dc=fr" write
        by * none
#
access to *
       by dn="cn=Manager,dc=kervao,dc=fr" write
       by * read


On this page http://www.funix.org/fr/linux/index.php?ref=ldap2
I describe the method I used to populate the server.

Thank you for your answer.

Olivier
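The two `getent shadow lena` outputs in this thread differ only in the second field: `*` on the host where nslcd hides hashes, a bcrypt string once `map shadow userPassword userPassword` is set. The script below is an added example (not part of nss-pam-ldapd or of this post) that audits such lines and flags which entries expose hash material through NSS, so a host can be checked before choosing between the shadow-map route and pam_ldap; the sample input is the two lines quoted above.

```python
#!/usr/bin/env python3
"""Audit `getent shadow` output for password hashes exposed via NSS.

Constructed example for the nss-pam-ldapd thread; not project code.
"""
import re
from dataclasses import dataclass

# crypt(3)-style prefixes; labels are for reporting only.
CRYPT_SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
                 "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


@dataclass
class ShadowCheck:
    user: str
    exposed: bool   # True when the field carries recoverable hash material
    scheme: str


def classify_hash(field: str) -> tuple:
    """Return (exposed, scheme) for the second field of a shadow entry."""
    core = field.lstrip("!")            # "!hash" is locked but still leaks the hash
    if core in ("", "*", "x"):          # placeholders: nothing to crack
        return False, "none"
    m = re.match(r"\$[^$]+\$", core)    # modular crypt format, e.g. $2a$ or $6$
    if m:
        return True, CRYPT_SCHEMES.get(m.group(0), "crypt:" + m.group(0))
    m = re.match(r"\{([A-Za-z0-9-]+)\}", core)   # LDAP userPassword style, e.g. {SSHA}
    if m:
        return True, "ldap:" + m.group(1).upper()
    return True, "legacy-des" if len(core) == 13 else "unknown"


def audit_shadow(text: str) -> list:
    """Parse shadow-format lines and classify each entry's hash field."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        exposed, scheme = classify_hash(fields[1])
        results.append(ShadowCheck(fields[0], exposed, scheme))
    return results


# Constructed input: the two outputs quoted in the thread.
SAMPLE = """\
lena:*:14855::99999::::0
lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0
"""

if __name__ == "__main__":
    for r in audit_shadow(SAMPLE):
        state = f"EXPOSES {r.scheme} hash" if r.exposed else "no hash exposed"
        print(f"{r.user}: {state}")
```

Run it against `getent shadow` piped from a host to see whether the NSS shadow map is handing out hashes to every local process that can read it.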