
Re: [LUG] Authenticating user logons with LDAP on Ubuntu 8.04

 

On Saturday 18 Oct 2008, Rob Beard wrote:
> Hi folks,
>
> I'm wondering if someone could advise me on this.  I'm trying to
> authenticate users on an Ubuntu 8.04.1 desktop using LDAP.
>
> I've tried following a couple of guides including these two:
>
> http://linuxadministration.us/2008/05/17/ubuntu-804-hardy-ldap-client/
> http://boilinglinux.blogspot.com/2008/10/howto-configure-ubuntu-804-hardy-ldap.html
>
> Using the second guide I got as far as running 'getent passwd' from a
> terminal when logged on as a local user and it does list the passwd file
> (or at least something that looks like the passwd file) on the server.
> I can also get information about the users with ldapsearch.
>
> The problem is, when I try and login at the Ubuntu login screen (or at
> the login prompt on the text console) it doesn't recognise the user, or
> at least it comes up with an incorrect password.
>
> I just wondered if anyone had any details of how to set this up.  I'm
> not sure if it helps but the userPassword is set to crypt (with a load
> of extra characters next to it, which I presume is the password encrypted).
>
> Below are details of the /etc/ldap.conf and /etc/ldap/ldap.conf:
>
> # /etc/ldap.conf
>
> host officeserver.somedomain.homelinux.org
> base dc=somedomain,dc=homelinux,dc=org
> uri ldap://officeserver.somedomain.homelinux.org/
> ldap_version 3
> bindpw secret
> rootbinddn cn=root,dc=somedomain,dc=homelinux,dc=org
> bind_policy soft
> pam_filter objectclass=Users
> pam_login_attribute uid
> pam_password crypt # I was using pam_password md5
> nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,sync,sys,syslog,uucp,www-data
> # ---- end of /etc/ldap.conf
>
> # /etc/ldap/ldap.conf
> BASE    dc=somedomain,dc=homelinux,dc=org
> URI     ldap://officeserver.somedomain.homelinux.org
> # ---- end of /etc/ldap/ldap.conf
>
>
> Both /etc/hosts on the client machine and the DNS on my DNS server point
> officeserver.somedomain.homelinux.org to the internal IP address
> (192.168.0.180) and it can ping fine.
>
> I did also try authenticating against a Samba 3 domain (both manually
> configuring PAM and with Likewise-Open) but that doesn't seem to work
> either.
>
> I'm really stumped on this, it's the only thing that's holding back on a
> rollout of a Linux server and some Ubuntu desktop machines to replace a
> load of XP machines and a Windows 2003 Server.
>
> If anyone could advise on how to resolve this I would be really grateful
> as I've spent the past 3 days trying to resolve this.
>
> Ta,
>
> Rob

Rob, I've had this very scenario working fine, so don't despair!

Those instructions look sane to me. I've never messed with 'bind_policy' 
before.

Make sure you shut down nscd when fiddling with this stuff. It's a sod for 
tricking you into false assumptions. Keep it shut down until everything is 
stable.

I recommend a simpler ldap.conf. You can make do with only three lines:-

base dc=somedomain,dc=homelinux,dc=org
uri ldap://officeserver.somedomain.homelinux.org/
ldap_version 3

I note that you have both 'host' and 'uri' fields set. Don't do that!

I wouldn't bind as 'root'. Use a dedicated LDAP admin account, say 'admin', 
with a unique password. Beware that any client workstation administrator can 
see this password.

Unless you require a user to be able to make a change to her password from the 
client workstation, I wouldn't bind with admin privileges at all. You can 
then dispense with /etc/ldap.secret and you can be sure that the LDAP 
database can only be modified centrally. I let users change password using 
Usermin running on the LDAP server (or it could be on a separate, privileged 
machine).

If getent(1) returns a valid entry, then your libnss has bound to LDAP OK. You 
should also find that file ownerships (ls -l) are correctly reported. But if 
you can't login, PAM isn't binding. What's in /var/log/auth.log?

You can serve {crypt} or {md5} (and others) from your LDAP database and of 
course PAM must correspond. I recommend the phpldapadmin package for 
adjusting the database via a web page. It also has a password verifier 
feature where you can check if the password hash in the database matches a 
password you enter.

I have the working configuration files in a backup. I can root them out if 
you're still stuck.

Good luck,
Steve.

-- 
blog: http://ste.mooco.ws  PGP:ED407E68
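The checks Steve lists above (keep only one of 'host' and 'uri', avoid a privileged bind from the workstation, look for pam_ldap bind errors in /var/log/auth.log, and keep the stored hash scheme and pam_password in step) written out as a small POSIX sh script. This is an added example, not Steve's backed-up configuration or anything posted in the thread: the sample ldap.conf is Rob's with the nss_initgroups line left out, the auth.log lines and the {crypt} value are constructed, and the exact wording of the pam_ldap log message is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks that follow Steve's
# advice for a libnss-ldap / pam_ldap client. File names, the auth.log
# lines and the placeholder hash are constructed; the config keys are the
# ones in Rob's /etc/ldap.conf.

# conf_has FILE KEY: true if KEY appears uncommented in FILE.
conf_has() {
    awk -v k="$2" 'tolower($1) == k { found = 1 } END { exit !found }' "$1"
}

# conf_get FILE KEY: print the first value of KEY, lower-cased (a trailing
# "# comment" is dropped because only the second field is printed).
conf_get() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# lint_ldap_conf FILE: one finding per line; exits 0 only when there are none.
lint_ldap_conf() {
    f="$1"; rc=0
    if conf_has "$f" host && conf_has "$f" uri; then
        echo "WARN: both 'host' and 'uri' are set; keep only 'uri'"; rc=1
    fi
    if ! conf_has "$f" uri && ! conf_has "$f" host; then
        echo "ERROR: neither 'uri' nor 'host' is set"; rc=1
    fi
    conf_has "$f" base || { echo "ERROR: no 'base' set"; rc=1; }
    if conf_has "$f" rootbinddn; then
        echo "WARN: rootbinddn set: every client binds with admin rights and" \
             "any workstation admin can read /etc/ldap.secret; drop it unless" \
             "users must change passwords from the workstation"; rc=1
        case "$(conf_get "$f" rootbinddn)" in
            cn=root,*) echo "WARN: rootbinddn is the directory root; use a" \
                            "dedicated admin account with its own password"; rc=1 ;;
        esac
    fi
    if conf_has "$f" bindpw; then
        echo "WARN: bindpw stored in world-readable ldap.conf"; rc=1
    fi
    return $rc
}

# hash_matches_pam PAM_PASSWORD USERPASSWORD: true if the {scheme} prefix on
# the stored hash corresponds to pam_password (crypt <-> {crypt},
# md5 <-> {md5}); 'exop' hands hashing to the server, so any scheme passes.
hash_matches_pam() {
    pam=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    scheme=$(printf '%s' "$2" | sed -n 's/^{\([A-Za-z0-9]*\)}.*/\1/p' | tr 'A-Z' 'a-z')
    case "$pam" in
        exop)      return 0 ;;
        crypt|md5) [ "$scheme" = "$pam" ] ;;
        *)         return 1 ;;
    esac
}

# count_pam_ldap_bind_failures FILE: number of pam_ldap bind failures in the
# log; this is the line to look for first in /var/log/auth.log.
count_pam_ldap_bind_failures() {
    grep -c 'pam_ldap: error trying to bind' "$1" || true
}

# --- constructed sample inputs (removed again on exit) -----------------------
tmp=$(mktemp -d); trap 'rm -r "$tmp"' EXIT
ROB_CONF="$tmp/rob-ldap.conf"      # Rob's file, minus the nss_initgroups line
CLEAN_CONF="$tmp/clean-ldap.conf"  # Steve's three-line version
AUTH_LOG="$tmp/auth.log"           # constructed log lines, not a real capture

cat > "$ROB_CONF" <<'EOF'
host officeserver.somedomain.homelinux.org
base dc=somedomain,dc=homelinux,dc=org
uri ldap://officeserver.somedomain.homelinux.org/
ldap_version 3
bindpw secret
rootbinddn cn=root,dc=somedomain,dc=homelinux,dc=org
bind_policy soft
pam_filter objectclass=Users
pam_login_attribute uid
pam_password crypt # I was using pam_password md5
EOF
cat > "$CLEAN_CONF" <<'EOF'
base dc=somedomain,dc=homelinux,dc=org
uri ldap://officeserver.somedomain.homelinux.org/
ldap_version 3
EOF
cat > "$AUTH_LOG" <<'EOF'
Oct 18 10:02:11 desktop gdm[2345]: pam_ldap: error trying to bind as user "uid=rob,ou=People,dc=somedomain,dc=homelinux,dc=org" (Invalid credentials)
Oct 18 10:02:11 desktop gdm[2345]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=rob
Oct 18 10:05:40 desktop login[2401]: pam_ldap: error trying to bind as user "uid=rob,ou=People,dc=somedomain,dc=homelinux,dc=org" (Invalid credentials)
EOF

# --- run the checks ----------------------------------------------------------
echo "== Rob's ldap.conf:";      lint_ldap_conf "$ROB_CONF" || true
echo "== three-line ldap.conf:"; lint_ldap_conf "$CLEAN_CONF" && echo "no findings"
echo "== pam_ldap bind failures in sample auth.log: $(count_pam_ldap_bind_failures "$AUTH_LOG")"
if hash_matches_pam "$(conf_get "$ROB_CONF" pam_password)" '{crypt}$1$constructed$placeholder'; then
    echo "== userPassword scheme matches pam_password"
fi
```

To use it on a real workstation, point lint_ldap_conf at /etc/ldap.conf and count_pam_ldap_bind_failures at /var/log/auth.log; the hash check takes the pam_password value and a userPassword attribute as returned by ldapsearch. As Steve says, stop nscd before trusting what getent or the log tells you.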


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html