03-18-2010, 10:44 PM
Techie

Documentation for pam pass

Hello,

Does anyone know if there is more PAM pass-through documentation out
there? I see the FDS how-to, but it does not explain how to connect to
the other server.
I am trying to use my 389 server for authorization but OpenLDAP for
authentication.

Thank you
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
03-19-2010, 02:30 PM
Prashanth Sundaram

Documentation for pam pass

Hi,

I think you might just need the PTA plugin, unless you want to use a different PAM stack for the authentication. Here's some documentation for PTA:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Using_the_Pass_through_Authentication_Plug_in.html

Sun's documentation gives good detail:

http://docs.sun.com/source/817-7613/passthru.html

PAM-PTA:

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

I have implemented PAM PTA for authentication against Windows AD using the Kerberos stack.

-Prashanth
 
03-26-2010, 07:14 AM
Techie

Documentation for pam pass

2010/3/19 Prashanth Sundaram <psundaram@wgen.net>:
> HI,
>
> I think you might just need PTA plugin, unless you want to use a different
> PAM stack for the authentication. Here’s some documentation for PTA.
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Using_the_Pass_through_Authentication_Plug_in.html
>
> Sun’s documentation gives a good detail.
> http://docs.sun.com/source/817-7613/passthru.html
>
> PAM-PTA:
> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>
> I have implemented PAM PTA for authentication against Windows AD using
> kerberos stack.
Hey, thanks man.

I have PAM PTA with krb working fine as well.
However, I am trying to pass through to another LDAP server; how can I
go about doing that? The base of the tree on the other LDAP server is
different. I want to use it to authenticate the accounts. The other
tree has the equivalent of the uid attribute in a different attribute.
I think my service file (ldapserver) is off. Anyone have PAM PTA to
another LDAP server working? An example perhaps?
I am getting operations errors trying to use PAM PTA. I know the
passwords are correct, so I am doing something incorrectly.

pam_passthru-plugin - => pam_passthru_bindpreop
pam_passthru-plugin - pam msg [0] = 1 Password:
pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
pam_passthru-plugin - <= handled (error 1 - Operations error)

Thanks again
 
03-26-2010, 01:24 PM
Prashanth Sundaram

Documentation for pam pass

Hi,

Here's what my PAM PTA looks like, but I don't think it is of much use.

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
nsslapd-pluginEnabled: on
pamSecure: FALSE
pamExcludeSuffix: o=NetscapeRoot
pamExcludeSuffix: cn=config

I don't think the PTA will work against some other attribute which has the same value as 'uid'. You may have to hack the filters under the hood to be able to achieve that.

My first guess:

If you use PAM-PTA, you still need some PAM module to specify the stack to be used for PTA. So you need the 'ldapserver01' file enabled, and there you define the translation of the uid attribute to the new attribute. I don't know if this is do-able.

Can you post some logs, which will tell where the block is? How are you specifying the master LDAP server (the server to authenticate against)?

-Prashanth
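Prashanth's entry above has pamSecure off. As an added example (mine, not code from either poster or from the 389 project), here is the same plugin entry with the settings a practitioner would want, the PAM service file it names, and an audit that flags the two settings that weaken it; run over the entry posted above, the audit warns on pamSecure: FALSE, because with pamSecure off the directory accepts the user's real password in a simple bind over cleartext LDAP. The DN and the three attributes shown above are taken from the post; pamFallback, pamMissingSuffix, pamIDMapMethod, pamIDAttr and pamService are the plugin's other configuration attributes (pamIDMapMethod ENTRY with pamIDAttr is what hands PAM a local attribute other than the RDN as the login name, which is the attribute question raised in the thread). The DS_HOST variable, the use of pam_krb5, the uid placeholder for pamIDAttr and the script's apply/audit arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the 389 project: a hardened
# PAM pass-through plugin entry, the PAM service it names, and an audit of the
# two settings that weaken it.  DS_HOST, pam_krb5 and pamIDAttr are assumptions.
set -eu

# Modify-LDIF for the plugin entry.  The DN plus nsslapd-pluginEnabled,
# pamSecure and pamExcludeSuffix are the attributes posted in the thread; the
# others are the plugin's remaining settings.
pam_pta_ldif() {
    cat <<'EOF'
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# TRUE: refuse the pass-through bind unless the connection is TLS, so the
# user's real password is never accepted over cleartext LDAP.
replace: pamSecure
pamSecure: TRUE
-
# FALSE: when PAM rejects the user, do not fall back to the local userPassword
# (a stale local password would otherwise remain a valid credential).
replace: pamFallback
pamFallback: FALSE
-
# ERROR: refuse to start the plugin if a listed include/exclude suffix does
# not exist, instead of silently ignoring a typo in the suffix list.
replace: pamMissingSuffix
pamMissingSuffix: ERROR
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
-
# ENTRY: hand PAM the value of pamIDAttr from the local entry as the login
# name; set pamIDAttr to whichever local attribute carries the remote login
# name (uid is a placeholder here).
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
# Name of the PAM service file under /etc/pam.d that the plugin uses.
replace: pamService
pamService: ldapserver
EOF
}

# The PAM stack.  ns-slapd runs unprivileged and cannot read /etc/shadow, so
# pam_unix is not an option; pam_krb5 (assumed) verifies the password against
# the KDC.  Authorization stays in the local directory entries, so the account
# phase only needs to succeed.
pam_service_file() {
    cat <<'EOF'
# /etc/pam.d/ldapserver - stack named by pamService in 389 DS
auth     required   pam_krb5.so no_ccache
account  required   pam_permit.so
EOF
}

# Audit: feed the live entry (ldapsearch output) or any LDIF on stdin;
# prints a warning per weakening setting and exits 1 if any was found.
audit_pam_pta() {
    awk '
        BEGIN { bad = 0 }
        /^pamSecure: *FALSE/  { print "WARN pamSecure FALSE: real password accepted in a simple bind over cleartext LDAP"; bad = 1 }
        /^pamFallback: *TRUE/ { print "WARN pamFallback TRUE: local userPassword still accepted when PAM rejects the user"; bad = 1 }
        END { exit bad }
    '
}

# Push the entry over LDAPS and install the service file; the plugin only
# re-reads its entry when the instance is restarted.
apply_pam_pta() {
    pam_pta_ldif | ldapmodify -x -H "ldaps://${DS_HOST:-localhost}" \
        -D "cn=Directory Manager" -W
    pam_service_file > /etc/pam.d/ldapserver
    echo "restart the directory instance to load the plugin settings"
}

case "${1:-}" in
    apply) apply_pam_pta ;;
    audit) audit_pam_pta ;;
    *)     : ;;
esac
```

To audit a running instance, pipe the plugin entry into the script: `ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=PAM Pass Through Auth,cn=plugins,cn=config' | sh pam_pta.sh audit`. A non-zero exit means at least one of the two weakening settings is live.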
 
03-26-2010, 08:55 PM
Techie

Documentation for pam pass

2010/3/26 Prashanth Sundaram <psundaram@wgen.net>:
>
> Hi,
>
> Here's what my PAM PTA looks like, but I don't think it is of much use.
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
> pamSecure: FALSE
> pamExcludeSuffix: o=NetscapeRoot
> pamExcludeSuffix: cn=config
Thanks again.
My file looks like yours except I have pamSecure, because I need that
layer of security. It works with the krb pass-through. I have disabled
it (secure, that is) for testing, to try passing through to LDAP.
>
> I don't think the PTA will work against some other attribute which has the same
> value as 'uid'. You may have to hack the filters under the hood to be able
> to achieve that.
Well, supposedly the pam_login_attribute can be passed through the
config files to the correct attribute. This is according to the PAM
PTA docs, unless I have misunderstood.
>
> My first guess:
> If you use PAM-PTA, you still need some PAM module to specify the stack to
> be used for PTA. So you need the 'ldapserver01' file enabled, and there you
> define the translation of the uid attribute to the new attribute. I don't know if
> this is do-able.
I am using ldapserver as the service file; in this I have pam_ldap as
the auth module pointing to a config file that specifies the attribute
map. (See below.)
>
> Can you post some logs, which will tell where the block is? How are you
> specifying the master LDAP server (the server to authenticate against)?
Here is the failing block for PAM PTA. Looks like PAM is misconfigured,
but it looks right.
pam_passthru-plugin - => pam_passthru_bindpreop
pam_passthru-plugin - pam msg [0] = 1 Password:
pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
pam_passthru-plugin - <= handled (error 1 - Operations error)

In the ldapserver service file, I use the config=/pathtofile arg to
pam_ldap.so that points to a specific ldap.conf config file for this
action. In that I put the hostname, the port, the pam_login_attribute
etc. I have also tried putting the master server params in
/etc/ldap.conf instead of a config file.

Looks like this:
auth     sufficient   /lib/security/pam_ldap.so config=/pathtoldap.conf
account  optional     /lib/security/pam_ldap.so

(error 1 - operations error) is vague. I need it more verbose than this;
I will have to try logging more.

There does not appear to be a pluginarg attribute like with the PTA
plugin that allows you to specify the LDAP URL, so I am not sure how to
specify the destination server using PAM PTA. The doc says to use the
PAM service file, which is why I tried what I did above.

I would like to know if anyone is familiar with the code and can tell
me if the service file (ldapserver) can hold ldap.conf-like params or
if it is merely for specifying auth, account, session, and password
parameters?

Thanks again

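Techie's complaint above that "(error 1 - operations error) is vague" points at a real triage problem: the LDAP client only ever sees the operationsError result, while the PAM return code that explains it (here 6, PAM_PERM_DENIED "Permission denied", returned by pam_authenticate) appears only in the ns-slapd errors log. The following is an added example, not from the thread or the 389 project: an awk-based summarizer that correlates the lines of each pass-through bind attempt, keyed on the three message shapes posted above, and counts attempts per user, bind DN, PAM code and LDAP result. The sample log is constructed from those line shapes; its timestamps, the user "alice" and the script's demo argument are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: pull the PAM reason behind each
# "Operations error" bind out of a 389 DS errors log.  The log sample is
# constructed from the line shapes posted in the thread (timestamps and the
# user "alice" are made up).
set -eu

sample_errors_log() {
    cat <<'EOF'
[26/Mar/2010:14:10:02 -0700] pam_passthru-plugin - => pam_passthru_bindpreop
[26/Mar/2010:14:10:02 -0700] pam_passthru-plugin - pam msg [0] = 1 Password:
[26/Mar/2010:14:10:02 -0700] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[26/Mar/2010:14:10:02 -0700] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
[26/Mar/2010:14:10:02 -0700] pam_passthru-plugin - <= handled (error 1 - Operations error)
[26/Mar/2010:14:10:09 -0700] pam_passthru-plugin - => pam_passthru_bindpreop
[26/Mar/2010:14:10:09 -0700] pam_passthru-plugin - pam msg [0] = 1 Password:
[26/Mar/2010:14:10:09 -0700] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[26/Mar/2010:14:10:09 -0700] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [alice], bind DN [uid=alice,dc=example,dc=com]
[26/Mar/2010:14:10:09 -0700] pam_passthru-plugin - <= handled (error 1 - Operations error)
[26/Mar/2010:14:10:31 -0700] pam_passthru-plugin - => pam_passthru_bindpreop
[26/Mar/2010:14:10:31 -0700] pam_passthru-plugin - pam msg [0] = 1 Password:
[26/Mar/2010:14:10:31 -0700] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[26/Mar/2010:14:10:31 -0700] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [test_user], bind DN [uid=test_user,dc=example,dc=com]
[26/Mar/2010:14:10:31 -0700] pam_passthru-plugin - <= handled (error 1 - Operations error)
EOF
}

# Correlate the lines of one bind attempt (from "=> pam_passthru_bindpreop" to
# "<= handled") and count attempts per user, bind DN, PAM code and LDAP result.
# The client only ever sees the LDAP result; the PAM code lives only here.
summarize_pam_passthru() {
    awk '
        /pam_passthru_bindpreop/ { rc = ""; msg = ""; user = ""; dn = ""; next }
        match($0, /pam_authenticate \([0-9]+: [^)]*\)/) {
            s = substr($0, RSTART + 18, RLENGTH - 19)      # e.g. "6: Permission denied"
            rc = s;  sub(/:.*/, "", rc)
            msg = s; sub(/^[0-9]+: /, "", msg)
            next
        }
        match($0, /user id \[[^]]*], bind DN \[[^]]*]/) {
            s = substr($0, RSTART, RLENGTH)
            user = s; sub(/^user id \[/, "", user); sub(/].*/, "", user)
            dn = s;   sub(/.*bind DN \[/, "", dn);  sub(/]$/, "", dn)
            next
        }
        match($0, /<= handled \(error [0-9]+/) {
            ldap = substr($0, RSTART + 18, RLENGTH - 18)    # LDAP result code
            count[user "|" dn "|pam=" rc " (" msg ")|ldap=" ldap]++
        }
        END { for (k in count) print count[k] "|" k }
    ' | sort -t '|' -k1,1nr
}

# Usage: sh pam_passthru_log.sh /var/log/dirsrv/slapd-INSTANCE/errors
#        sh pam_passthru_log.sh demo      (runs on the constructed sample)
case "${1:-}" in
    demo) sample_errors_log | summarize_pam_passthru ;;
    "")   : ;;
    *)    summarize_pam_passthru < "$1" ;;
esac
```

Each output line is `count|user|bind DN|pam=code (text)|ldap=result`, most frequent first, so a burst of failures against one account stands out and a PAM code other than an authentication failure (such as the 6 here) can be told apart from a wrong password without guessing from the client's operationsError.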
 
03-30-2010, 05:41 PM
Techie

Documentation for pam pass

Let me try one last time here.
I am trying to PAM pass-through auth from one FDS server to
another. So basically use a remote server for only auth info, similar
to a Kerberos pass-through, but use the account info from the local
LDAP server. This is what PAM PTA does with Kerberos; I just want to
use another LDAP server as the authentication source instead of
Kerberos. This has proven difficult to do.
I have read the documentation on PTA and PAM PTA. I have tried various
things to get this going. It does not seem to want to cooperate.

Firstly, I have two FDS servers: one that has my account info or
authorization info for the users. And then I have an existing LDAP
server with the password information that I want to use for
authenticating. The RDN is the same, so I just want to pass through the
password similar to PAM PTA with Kerberos. I cannot get this to work.

My question: is it possible to pass through authentication to LDAP
instead of Kerberos with 389?

Secondly, I have tried using the PTA plugin (not PAM PTA) by setting
the LDAP URL and suffix in the pluginarg attribute of the local server
with the LDAP accounts. The pluginarg URL contains the URL of the LDAP
server with the authentication info I need. (The RDNs are the same on
each server.) This works to a point. I can bind to the local LDAP
server with the credentials belonging to the suffix I specify in the
pluginarg attribute of the PTA plugin. I can search the directory with
this method. However, I cannot use this method in an ssh session or
desktop session to log in to a client workstation.

My question: Is it possible to strictly use the PTA plugin to grab
authentication credentials from the remote LDAP server specified in
pluginarg and use the account/authorization of the local LDAP server
to facilitate login sessions?
 
03-30-2010, 05:52 PM
Rich Megginson

Documentation for pam pass

Techie wrote:
> My question: is it possible to pass through authentication to LDAP
> instead of Kerberos with 389?
>
> Secondly, I have tried using the PTA plugin (not PAM PTA) by setting
> the LDAP URL and suffix in the pluginarg attribute of the local server
> with the LDAP accounts. [...] I can bind to the local LDAP
> server with the credentials belonging to the suffix I specify in the
> pluginarg attribute of the PTA plugin. I can search the directory with
> this method. However, I cannot use this method in an ssh session or
> desktop session to log in to a client workstation.
>
> My question: Is it possible to strictly use the PTA plugin to grab
> authentication credentials from the remote LDAP server specified in
> pluginarg and use the account/authorization of the local LDAP server
> to facilitate login sessions?
>
No. With regular pta (that is, not pam pta) none of the data can exist
on the local machine. pta was not designed for the purpose you describe.

pam pta going through pam ldap probably won't work either, because 389
uses mozldap and pam_ldap uses openldap, and the two APIs cannot exist
in the same process space.

If you're feeling adventurous, you could attempt to build 389-ds-base
with openldap, but some of the SSL stuff won't work, neither will some
of the LDIF processing (which might be a non-starter for you).
 
03-30-2010, 06:54 PM
Techie

Documentation for pam pass

On Tue, Mar 30, 2010 at 10:52 AM, Rich Megginson <rmeggins@redhat.com> wrote:
> No. With regular pta (that is, not pam pta) none of the data can exist
> on the local machine. pta was not designed for the purpose you describe.
Thanks, I figured as much, but PTA (not PAM PTA) gave me some hope as it
let me bind and search, but ultimately threw operations errors when
trying to log on. This is the answer I needed; I can move on.
>
> pam pta going through pam ldap probably won't work either, because 389
> uses mozldap and pam_ldap uses openldap, and the two APIs cannot exist
> in the same process space.
Ok, that makes some sense. I can stop chasing my tail now. I have a
solution in mind using Kerberos with 389, and this will solidify that
direction.
>
> If you're feeling adventurous, you could attempt to build 389-ds-base
> with openldap, but some of the SSL stuff won't work, neither will some
> of the LDIF processing (which might be a non-starter for you).
Me adventurous, nah, I have enough trouble building Samba.

Thanks again for these answers.