Hi,
I am trying to set up a Fedora Directory server for centralised authentication.
I configure the directory server, add a user called (via the Java GUI) test and then, using system-config-authentication, enable LDAP on both tabs. I then try to log in using the test account I set up on the directory, but I get an error message in /var/log/messages:
May 30 16:28:27 ds1 sshd(pam_unix)[4445]: check pass; user unknown
May 30 16:28:27 ds1 sshd(pam_unix)[4445]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain
which seems to indicate that it cannot find the user in the directory. The server is accepting connections on the standard LDAP port.
Am I missing anything?
Thanks
Gabriel
On Thu, May 31, 2007 at 12:38:55PM +0100, first last wrote:
> Hi,
> I am trying to set up a Fedora Directory server for centralised authentication.
I'm using that setup.
> I configure the directory server, add a user called (via the Java GUI) test
Could you do an ldap search for that user and show the output, please? Like so:
# ldapsearch -LLL -x 'uid=lmf'
The output should be something like:
dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
uid: lmf
cn: Luciano Rocha
cn: luciano
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12715
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/lmf
gecos: Luciano Rocha
the ou=Users can be ou=People or something else. But uid must be present for the user you added and also objectClass: posixAccount.
Then check if you can bind to ldap using the dn of the user:
# ldapsearch -LLL -x 'uid=lmf' -D uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com -W uid
Enter LDAP Password:
dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
uid: lmf
> and then, using system-config-authentication, enable LDAP on both tabs.
/etc/nsswitch.conf should have:
passwd: files ldap
And /etc/openldap/ldap.conf should have a valid URI, pointing to the server, and a valid BASE.
If that file has all those values commented out, then they should be in /etc/ldap.conf.
In any case, also check /etc/ldap.conf. If /etc/openldap/ldap.conf has a valid URI, then comment out any host definition. Check that base is the correct one, and also check that any nss_base, if defined, has the same basedn as the one you found in the search.
Then test the user identification by running id <user>:
# id lmf
uid=501(lmf) gid=501(lmf) groups=501(lmf),...
If this works, then the next step is checking the pam configuration. But I'll end the email now because it's lunch time here. :)
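The first half of Luciano's checklist (does the entry ldapsearch returns carry what nss_ldap needs?) can be scripted. The script below is an added example, not code from this thread or from Fedora Directory Server: it unfolds an LDIF dump of one entry, the way `ldapsearch -LLL -x 'uid=<name>'` prints it, and reports whether the posixAccount object class and its mandatory attributes (uid, cn, uidNumber, gidNumber, homeDirectory) are present; loginShell is optional in the schema, so its absence is only noted. Both LDIF samples are constructed, and the DN uid=ttest,ou=People,dc=internal,dc=domain,dc=com is a placeholder modelled on the names in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Given an LDIF dump of one user
# entry (what "ldapsearch -LLL -x 'uid=<name>'" prints), report whether
# nss_ldap can resolve it as a POSIX account. Sample entries are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TAB=$(printf '\t')

# A complete entry, shaped like the one quoted in the thread. The DN is a
# placeholder; the folded second line exercises LDIF line continuation.
cat > "$WORK/good.ldif" <<'EOF'
dn: uid=ttest,ou=People,
 dc=internal,dc=domain,dc=com
uid: ttest
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ttest
gecos: Test User
EOF

# The same user created as a plain inetOrgPerson: ldapsearch finds it, but
# nss_ldap will not, because the POSIX object class and attributes are absent.
cat > "$WORK/bad.ldif" <<'EOF'
dn: uid=ttest,ou=People,dc=internal,dc=domain,dc=com
uid: ttest
cn: Test User
sn: User
objectClass: top
objectClass: person
objectClass: inetOrgPerson
EOF

# ldif_pairs FILE: unfold continuation lines (a leading space joins the line
# to the previous one), drop comments, and print "attr<TAB>value" per line.
# Attribute names are lower-cased because LDAP treats them case-insensitively.
ldif_pairs() {
    awk '
        function emit(line,   i, name, val) {
            i = index(line, ":")
            if (i == 0) return
            name = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            sub(/^:? */, "", val)     # "attr:: v" is base64; the value is left encoded
            printf "%s\t%s\n", tolower(name), val
        }
        /^#/ { next }
        /^ /  { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
    ' "$1"
}

# get_attr FILE ATTR: print every value of ATTR, one per line.
get_attr() {
    ldif_pairs "$1" | awk -F "$TAB" -v a="$2" '$1 == tolower(a) { print $2 }'
}

# has_attr FILE ATTR [VALUE]: succeed if ATTR is present (with VALUE, if given).
has_attr() {
    vals=$(get_attr "$1" "$2")
    [ -n "$vals" ] || return 1
    [ -z "$3" ] && return 0
    printf '%s\n' "$vals" | grep -qixF -- "$3"
}

# check_posix_ldif FILE: fail (return 1) if the posixAccount object class or
# any of its mandatory attributes is missing; a missing loginShell is only reported.
check_posix_ldif() {
    missing=""
    has_attr "$1" objectClass posixAccount || missing="$missing objectClass=posixAccount"
    for a in uid cn uidNumber gidNumber homeDirectory; do
        has_attr "$1" "$a" || missing="$missing $a"
    done
    has_attr "$1" loginShell || echo "note: no loginShell, nss_ldap will return an empty shell"
    if [ -n "$missing" ]; then
        echo "$(basename "$1"): not a usable posixAccount, missing:$missing"
        return 1
    fi
    echo "$(basename "$1"): resolvable as uid $(get_attr "$1" uidNumber), home $(get_attr "$1" homeDirectory)"
}

check_posix_ldif "$WORK/good.ldif"
check_posix_ldif "$WORK/bad.ldif" || :
```

To use it against a real server, redirect the ldapsearch output to a file and pass that file to check_posix_ldif; an entry that ldapsearch returns but that fails this check is exactly the case where `id <user>` says "no such user" while the directory log shows the search succeeding.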
> Could you do an ldap search for that user and show the output, please? Like so:
> # ldapsearch -LLL -x 'uid=lmf'
I do ldapsearch -LLL -x 'uid=ttest' and I get nothing.
If I do ldapsearch -LLL -x I get a list of things like:
dn: cn=Accounting Managers,ou=groups,dc=internal,dc=domain,dc=com
objectClass: top
objectClass: groupOfUniqueNames
ou: groups
description: blah, blah
But I cannot see the group I added (developers) or the user (ttest).
The user has all the POSIX details filled in.
> Then check if you can bind to ldap using the dn of the user:
> # ldapsearch -LLL -x 'uid=lmf' -D uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com -W uid
> Enter LDAP Password:
> dn: uid=lmf,ou=Users,dc=udp,dc=eurotux,dc=com
> uid: lmf
this doesn't work (as expected).
> and then, using system-config-authentication, enable LDAP on both tabs.
> /etc/nsswitch.conf should have:
> passwd: files ldap
This is correct. Also group and shadow have "files ldap".
> And /etc/openldap/ldap.conf should have a valid URI, pointing to the server, and a valid BASE.
> If that file has all those values commented out, then they should be in /etc/ldap.conf.
Same content on both files.
> In any case, also check /etc/ldap.conf. If /etc/openldap/ldap.conf has a valid URI, then comment out any host definition. Check that base is the correct one, and also check that any nss_base, if defined, has the same basedn as the one you found in the search.
These are correct: BASE is set to internal.domain.com and URI to the server I am running it on.
Any help would be appreciated :)
Gabriel
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Just on a lark, check the contents of /etc/ldap.conf, the file the nss_ldap/pam_ldap stuff uses to identify the server. I ran the system-config-authentication GUI on some CentOS 4.5 systems and they failed to change the contents of that file as appropriate.
All I had to do was change the "host" and "base" entries to point to my server and it worked just fine. I'm not sure if this is an isolated problem or a real, live bug; I'm going to test it further to see if I can tell.
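The failure mode described above (system-config-authentication leaving /etc/ldap.conf with its placeholder host and base) and Luciano's earlier point that /etc/ldap.conf has to agree with /etc/openldap/ldap.conf can both be checked mechanically. The script below is an added example, not code from this thread or from nss_ldap: it reads the URI and BASE that a working ldapsearch used from an OpenLDAP-style client file and compares them with host, uri, base and every nss_base_* line in an nss_ldap-style file. All three sample files are constructed; the hostname ds1.internal.domain.com is a placeholder modelled on the thread, and the values 127.0.0.1 and dc=example,dc=com are assumed here to be the defaults a stock /etc/ldap.conf ships with.

```shell
#!/bin/sh
# Added example, not code from the thread or from nss_ldap. Compare the file the
# OpenLDAP tools read (/etc/openldap/ldap.conf: URI, BASE) with the one
# nss_ldap/pam_ldap read (/etc/ldap.conf: host|uri, base, nss_base_*) and
# report the inconsistencies the thread discusses. All sample files are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The client file that made ldapsearch work (hostname and suffix are placeholders).
cat > "$WORK/openldap.conf" <<'EOF'
# OpenLDAP client settings
URI  ldap://ds1.internal.domain.com
BASE dc=internal,dc=domain,dc=com
EOF

# An /etc/ldap.conf that the GUI never rewrote: still the placeholder host and
# suffix, assumed here to be the shipped defaults.
cat > "$WORK/ldap.conf.stale" <<'EOF'
host 127.0.0.1
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
EOF

# The same file after the fix: host commented out, uri and base aligned with
# the OpenLDAP file, nss_base_* scoped under the real suffix.
cat > "$WORK/ldap.conf.fixed" <<'EOF'
#host 127.0.0.1
uri ldap://ds1.internal.domain.com
base dc=internal,dc=domain,dc=com
nss_base_passwd ou=People,dc=internal,dc=domain,dc=com?one
nss_base_group  ou=Groups,dc=internal,dc=domain,dc=com?one
EOF

# conf_get FILE KEY: value of the first uncommented KEY line. The key match is
# case-insensitive, so it serves both the upper-case OpenLDAP and the
# lower-case nss_ldap spelling. Prints nothing if the key is absent.
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# uri_host URI: hostname part of ldap://host[:port][/...]
uri_host() {
    h=${1#*://}; h=${h%%/*}; printf '%s\n' "${h%%:*}"
}

# check_ldap_conf NSS_CONF OPENLDAP_CONF: print each problem found and return
# their count (0 means the two files agree).
check_ldap_conf() {
    nss=$1; ol=$2; problems=0
    want_base=$(conf_get "$ol" BASE)
    want_uri=$(conf_get "$ol" URI)
    base=$(conf_get "$nss" base)
    host=$(conf_get "$nss" host)
    uri=$(conf_get "$nss" uri)

    if [ "$base" != "$want_base" ]; then
        echo "base: $nss says '$base' but $ol says '$want_base'"
        problems=$((problems + 1))
    fi
    case "$base" in
        *dc=example,dc=com*)
            echo "base: still the placeholder suffix, the GUI did not rewrite this file"
            problems=$((problems + 1)) ;;
    esac
    if [ -n "$host" ] && [ -n "$uri" ]; then
        echo "server: both 'host' and 'uri' are set; comment out 'host'"
        problems=$((problems + 1))
    elif [ -z "$host" ] && [ -z "$uri" ]; then
        echo "server: neither 'host' nor 'uri' is set"
        problems=$((problems + 1))
    fi
    if [ -n "$host" ] && [ "$host" != "$(uri_host "$want_uri")" ]; then
        echo "server: host '$host' is not the server ldapsearch used ($(uri_host "$want_uri"))"
        problems=$((problems + 1))
    fi
    if [ -n "$uri" ] && [ "$uri" != "$want_uri" ]; then
        echo "server: uri '$uri' differs from $ol ('$want_uri')"
        problems=$((problems + 1))
    fi
    # every nss_base_* search base must lie under the suffix
    for key in $(awk 'tolower($1) ~ /^nss_base_/ { print $1 }' "$nss"); do
        sb=$(conf_get "$nss" "$key" | sed 's/?.*//')
        case "$sb" in
            *"$base") ;;
            *) echo "$key: '$sb' is not under base '$base'"
               problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

echo "== stale /etc/ldap.conf"
check_ldap_conf "$WORK/ldap.conf.stale" "$WORK/openldap.conf" || echo "$? problem(s)"
echo "== fixed /etc/ldap.conf"
check_ldap_conf "$WORK/ldap.conf.fixed" "$WORK/openldap.conf" && echo "consistent"
```

On a real client, call check_ldap_conf /etc/ldap.conf /etc/openldap/ldap.conf; the stale sample reports three problems (wrong base, placeholder suffix, host not matching the URI), and the fixed one reports none.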
I have checked the configuration and it is correct. The directory log reports that the search does not find the uid for the user, which seems to indicate that the error is not within CentOS, as it is passing the right data via the ldap module.
I guess it is time to hit the Fedora lists.
Thanks
Gabriel