RE: Cant authenticate to LDAP domain with Redhat9

From: Rigler, Steve (SRigler_at_MarathonOil.com)
Date: 07/02/04

  • Next message: Jason Staudenmayer: "RE: iptables question.."
    Date: Fri, 2 Jul 2004 08:01:54 -0500
    To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
    
    

    To clarify the purposes of some of the files:

    /etc/ldap.conf is used by pam_nss so that pam/nss knows where to
    go to authenticate and/or look up/map user/group information.
    It should be a long, heavily commented file.

    /etc/openldap/ldap.conf is used by the openldap client utilities
    and probably anything linked against the openldap libraries
    (e.g. the autofs lookup_ldap.so library). It will probably only
    have a few lines (HOST, BASE, TLS_CACERT, etc).

    Those two files are *not* interchangeable. Due to confusion between
    the two, some distributions have resorted to renaming the file
    used by pam (e.g. pam_ldap.conf).

    I wouldn't be as concerned about the information in your
    /etc/sysconfig/authconfig. AFAIK, it is more used by the authconfig
    utility to populate itself than for any authentication purposes.

    You can edit /etc/pam.d/system-auth manually, but be aware that it
    will get overwritten by authconfig should you decide to run it and
    change something that way.

    Also, there was a brief thread on the openldap-software list about
    login with local accounts not working when the ldap server is
    unavailable.
    Check here for the fix (I don't remember in which version of RedHat this
    was fixed):
    http://www.netsys.com/openldap-software/2003/02/msg00202.html
    (I wouldn't post any questions to the openldap-software list that
    aren't specific to openldap...that means no pam, autofs, etc).

    I'd check the low-level things on your problem machine first. Make
    sure you can reach your ldap server with ldapsearch, make sure getent
    works and then start hitting the pam stuff. Check via other login
    means besides ssh also (try from a virtual console).

    -Steve
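    The checks Steve describes, written out as an added example (this script is
    not part of the thread and is not Red Hat's authconfig): it walks the same
    order, directory reachable, NSS resolving the user, then the PAM stacks,
    and also catches the two things a practitioner wants to see on the way
    through. First, a working ldapsearch reads /etc/openldap/ldap.conf while
    getent and pam_ldap read /etc/ldap.conf, so the script checks both files
    rather than inferring one from the other. Second, the "account required
    pam_ldap.so" line is the shape behind the local-login-fails-when-LDAP-is-down
    problem Steve links; the bracketed control string used in later Red Hat
    system-auth files is shown as the fix. The sample nsswitch.conf, ldap.conf
    and system-auth files are constructed for the example; the hostname
    ldap.example.edu, the base DN and the function names are assumptions, and
    the CA path is the eeca.pem one from the thread.

```shell
#!/bin/sh
# Added example: offline checks for the client pieces in Steve's order
# (directory reachable -> NSS resolves the user -> PAM stacks). Sample files
# are constructed here; on a real host point the functions at
# /etc/nsswitch.conf, /etc/ldap.conf and /etc/pam.d/system-auth.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed nsswitch.conf: passwd/shadow/group fall through to ldap.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

# Constructed /etc/ldap.conf (the pam_ldap/nss_ldap file, not the OpenLDAP
# client one). Hostname and base are assumptions for the example.
cat > "$WORK/ldap.conf" <<'EOF'
host ldap.example.edu
base dc=example,dc=edu
ssl start_tls
tls_cacertfile /etc/ssl/certs/eeca.pem
tls_checkpeer yes
pam_password md5
EOF

# Constructed system-auth in the Red Hat 9 layout. "account required
# pam_ldap.so" is the shape that fails local logins when LDAP is unreachable.
cat > "$WORK/system-auth.bad" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
EOF

# Same file with the account stack fixed: a user pam_ldap does not know
# (a local account such as root) is ignored instead of rejected.
sed 's|^account[[:space:]]*required\([[:space:]]*/lib/security/pam_ldap\.so\)|account [default=bad success=ok user_unknown=ignore]\1|' \
    "$WORK/system-auth.bad" > "$WORK/system-auth.good"

# nss_uses_ldap FILE: succeed only if passwd, shadow and group all list ldap.
# If this fails, getent will never see directory users.
nss_uses_ldap() {
    for db in passwd shadow group; do
        grep -E '^'"$db"':.*[[:space:]]ldap([[:space:]]|$)' "$1" >/dev/null || return 1
    done
    return 0
}

# pam_ldap_tls_ok FILE: /etc/ldap.conf must turn on TLS and verify the server
# certificate, otherwise the client hands the user's password to whatever
# answers on that address.
pam_ldap_tls_ok() {
    grep -Eiq '^ssl[[:space:]]+(start_tls|on)' "$1" &&
    grep -Eiq '^tls_checkpeer[[:space:]]+yes' "$1"
}

# pam_ldap_stacks FILE: print the PAM stacks that reference pam_ldap, sorted.
# The sshd log in the thread shows only pam_unix lines; this shows whether
# pam_ldap is in the stacks at all.
pam_ldap_stacks() {
    awk '!/^#/ && /pam_ldap\.so/ { print $1 }' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# account_safe_when_ldap_down FILE: fail on "account required pam_ldap.so".
account_safe_when_ldap_down() {
    ! grep -E '^account[[:space:]]+required[[:space:]]+[^[:space:]]*pam_ldap\.so' "$1" >/dev/null
}

# diagnose USER: live checks in Steve's order, each skipped if the tool is
# absent. ldapsearch reads /etc/openldap/ldap.conf; getent and PAM read
# /etc/ldap.conf, so a working ldapsearch proves nothing about the other two.
diagnose() {
    if command -v ldapsearch >/dev/null 2>&1; then
        ldapsearch -x -LLL "(uid=$1)" dn >/dev/null 2>&1 ||
            { echo "ldapsearch failed: check /etc/openldap/ldap.conf"; return 1; }
    fi
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null ||
            { echo "getent failed: check /etc/nsswitch.conf and /etc/ldap.conf"; return 1; }
    fi
    nss_uses_ldap /etc/nsswitch.conf || { echo "nsswitch.conf: ldap missing"; return 1; }
    pam_ldap_tls_ok /etc/ldap.conf || { echo "ldap.conf: TLS off or peer not verified"; return 1; }
    echo "pam_ldap in stacks: $(pam_ldap_stacks /etc/pam.d/system-auth)"
    account_safe_when_ldap_down /etc/pam.d/system-auth ||
        { echo "system-auth: account pam_ldap is 'required'; local login breaks when LDAP is down"; return 1; }
}

if [ $# -gt 0 ]; then diagnose "$1"; fi
```

    Run it as `sh check-ldap-client.sh testuser` on the problem host; the
    first failing step names the file to look at. The sample checks reflect
    the thread's observation that ssh is not the only login path worth trying:
    a virtual-console login exercises the same system-auth stacks without
    sshd's own PAM wrapping.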

    -----Original Message-----
    From: redhat-list-bounces@redhat.com
    [mailto:redhat-list-bounces@redhat.com] On Behalf Of shaughto
    Sent: Thursday, July 01, 2004 11:07 PM
    To: General Red Hat Linux discussion list
    Subject: Re: Cant authenticate to LDAP domain with Redhat9

    Ok, here is some more info, but some background first.

    A few weeks ago some researchers in my department took it upon themselves
    to install Redhat 9 over Gentoo. Well then they asked me to set it up onto
    the domain. Needless to say my boss was a bit upset that they did this, but
    on with the story. Well I managed to get one server to authenticate fairly
    easily. I copied the /etc/ldap.conf, /etc/nsswitch, /etc/pam.d/system-auth,
    /etc/ssl/certs/eeca.pem, and /etc/autofs/auto.master. However it did not
    work, but once I copied /etc/ldap.conf to /etc/openldap/ldap.conf it
    worked!!!!!
    The second computer was not so easy; no matter what I did it would not
    authenticate to the ldap domain. Well I worked on it for two days with no
    success, and then the next morning it was working. WTF is all I could think,
    but at least it worked (wish I knew what happened though). I really didn't
    modify any extra files on that machine except that I modified the slapd.conf
    and got openldap running, which should have nothing to do with the client
    authentication (please correct me if I am wrong). Well I was poking in all
    of the system files so maybe I did modify one... if only I could remember.

    So now to my point about /etc/sysconfig/authconfig. On these two computers
    with redhat9, the authconfig is different on both and they both
    authenticate!!! BTW I never ran authconfig or authconfig-gtk on these
    machines.

    Computer 1 authconfig:
    USEHESIOD=no
    USELDAP=yes
    USENIS=no
    USEKERBEROS=no
    USELDAPAUTH=yes
    USEMD5=yes
    USESHADOW=yes
    USESMBAUTH=no

    Computer 2 authconfig:
    USEDB=no
    USEHESIOD=no
    USELDAP=no
    USENIS=no
    USEKERBEROS=no
    USELDAPAUTH=no
    USEMD5=yes
    USESHADOW=yes
    USESMBAUTH=no

    As you can see the authconfig differs between the computers in the ldap
    sections. I have tried both variations on my problematic computer (I'll
    call it Computer 3) with no luck. This confuses me and I'm not sure what
    is going on with redhat and openldap.

    Can someone please shed some light onto this and rid me of my ignorance
    on the subject.
    Thanks for your time, and sorry for the long email.

    --
    Steven
    ----- Original Message -----
    From: "shaughto" <shaughto@ee.ucr.edu>
    To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
    Sent: Thursday, July 01, 2004 6:23 PM
    Subject: Re: Cant authenticate to LDAP domain with Redhat9
    > Thanks for the response...
    >
    > I have tried authconfig and authconfig-gtk, however they did not work. In
    > fact when I tried to log on after using those programs I could not log in
    > as root, nor any users.  I noticed that authconfig modified some of the
    > LDAP config files, I believe it was /etc/pam.d/system-auth.  I simply
    > copied back my original config files, which are /etc/ldap.conf,
    > /etc/nsswitch.conf, /etc/autofs/auto.master, /etc/ssl/certs/eeca.pem, and
    > /etc/pam.d/system-auth.
    > With those files back to my settings I can once again log on as root.
    >
    > Hmm, what files does authconfig modify?  Maybe I can modify them by hand
    > (through vi).
    >
    > Thanks again for the response.
    >
    > ----- Original Message ----- 
    > From: "Rigler, Steve" <SRigler@MarathonOil.com>
    > To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
    > Sent: Thursday, July 01, 2004 5:36 PM
    > Subject: RE: Cant authenticate to LDAP domain with Redhat9
    >
    >
    > Try running "authconfig" and set up your LDAP configuration
    > that way.
    >
    > -Steve
    >
    >
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com on behalf of Steven D. Haughton
    > Sent: Thu 7/1/2004 5:56 PM
    > To: redhat-list@redhat.com
    > Subject: Cant authenticate to LDAP domain with Redhat9
    >
    > Hi,
    >
    >
    > I'm new to ldap and fairly new to linux as well so bear with me.....
    >
    >
    > I've recently installed Red Hat 9 over Gentoo due to some commercial
    > software support. My problem is that I can not get Red Hat to
    > authenticate to the ldap domain.
    > Here is the current ldap software I have installed:
    >
    > [root@hostname root]# rpm -qa | grep ldap
    > openldap-2.0.27-8
    > openldap-clients-2.0.27-8
    > nss_ldap-202-5
    > openldap-devel-2.0.27-8
    > openldap-servers-2.0.27-8
    > php-ldap-4.2.2-17.2
    >
    > Here is current openssl:
    > [root@hostname root]# rpm -qa | grep openssl
    > openssl-0.9.7a-20.2
    > openssl-perl-0.9.7a-20.2
    > openssl096b-0.9.6b-15
    > openssl-devel-0.9.7a-20.2
    > openssl096-0.9.6-25.9
    >
    > I also have autofs installed and running.
    > I have copied the exact files for /etc/ldap.conf, /etc/nsswitch.conf,
    > /etc/pam.d/system_auth, and /etc/ssl/certs/eeca.pem, and
    > /etc/autofs/auto.master
    > which work on other linux computers (Mainly Gentoo.... and 2 redhat9
    > computers).
    > I also copied ldap.conf into /etc/openldap/ldap.conf and copied
    > /etc/autofs/auto.master to /etc/auto.master.
    >
    > So my config files must be correct if they work on other computers...
    > Leaving me to believe that there must be extra config files on Redhat
    > that I must setup.
    > I took out the hostname and domain names in the following test.
    >
    > Test:
    > [root@"hostname" root]# ssh -ltestuser "hostname"
    > testuser@"hostname's" password:
    > Permission denied, please try again.
    >
    > Log file:
    > sshd(pam_unix)[14275]: check pass; user unknown
    > sshd(pam_unix)[14275]: authentication failure; logname= uid=0 euid=0
    > tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
    > sshd(pam_unix)[14275]: check pass; user unknown
    > sshd(pam_unix)[14275]: 1 more authentication failure; logname= uid=0
    > euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
    >
    > Any Ideas on how to resolve this issue? Thanks.
    >
    > Also here is some more info on the problem.
    > When I run ldapsearch i get this...
    >
    > [root@blochEE root]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
    > version: 2
    >
    > #
    > # filter: uid=grad-adm
    > # requesting: ALL
    > #
    >
    > # grad-adm, People, ee, ucr, edu
    > dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
    > uid: grad-adm
    > cn: Graduate Affairs
    > sn: Affairs
    > mail: grad-adm@ee.ucr.edu <mailto:grad-adm@ee.ucr.edu>
    > labeledURI: http://www.ee.ucr.edu/~grad-adm
    > <http://www.ee.ucr.edu/%7Egrad-adm>
    > objectClass: inetOrgPerson
    > objectClass: posixAccount
    > objectClass: top
    > objectClass: shadowAccount
    > loginShell: /bin/bash
    > uidNumber: 30501
    > gidNumber: 402
    > homeDirectory: /home/eemisc/grad-adm
    > gecos: Graduate Affairs
    >
    > # search result
    > search: 2
    > result: 0 Success
    >
    > # numResponses: 2
    > # numEntries: 1
    > [root@blochEE root]#
    >
    >
    > And when I run getent I get this:
    > [root@blochEE root]# getent passwd grad-adm
    > grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
    > [root@blochEE root]#
    >
    > From my understanding it looks like the client can communicate ok with
    > the server, so I am at a loss as to why I can not login using users on
    > the ldap server?
    >
    >
    > If you need any more info. please let me know and I'll be happy to
    > provide it.
    > Any responses will be most appreciated.
    > Thank you.
    >
    >
    > -- 
    > redhat-list mailing list
    > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > https://www.redhat.com/mailman/listinfo/redhat-list
    
