
Can't get linux client to authenticate


Jeff Mundine
Jun 29, 2006, 3:18:14 AM
I am having a massive problem here--
V6.0
I think the IBM Tivoli Directory server is config'd right.
It's just set up for basic linux client authentication. User template
has posixAccount, SimpleAuthObject, and shadowAccount.

However, I never can get authenticated on the server via the client. I
just get invalid credentials, which is complaining about the password.

IBM won't help with the client config, took a few days to get them to
tell me I had to install the ibm client for it to work.. Only client
I could find was the sdk, but it seems to put 2 of the 3 rpms listed.
IBM said that was okay-
Needed
* Base client: idsldap-cltbase60-6.0.0-2.i386.rpm
* 32-bit client: idsldap-clt32bit60-6.0.0-2.i386.rpm
* Java client: idsldap-cltjava60-6.0.0-2.i386.rpm
Have:
idsldap-cltbase60-6.0.0-0
idsldap-clt32bit60-6.0.0-0

It may be a problem with the config, we are using pam for authentication--
(edited out commented files for space)

host pacs2
ldap_version 3
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_sasl_mech DIGEST-MD5
ssl no
base cn=users,ou=visn20,o=vha


The system-auth file from /etc/pam.d

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so


the nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files


the /etc/openldap/ldap.conf

HOST pacs2
BASE cn=users,ou=vhapug,o=vha

the /opt/ibm/ldap/V6.0/etc/ibmldap.conf


plugin sasl CRAM-MD5 idsldap_plugin_sasl_cram-md5 ldap_plugin_init
plugin sasl GSSAPI idsldap_plugin_ibm_gsskrb ldap_plugin_init
plugin sasl DIGEST-MD5 idsldap_plugin_sasl_digest-md5 ldap_plugin_init

the idsmlink has been run with -i 32
so all the links are there.

I also posted the ibmslapd.conf at:

http://www.mundine.net/ibmslapd.conf

There is also an output from the openldap ldapsearch command to view
the directory tree a little easier....

http://www.mundine.net/ldapsearch.out

I haven't enabled the password policy yet, but will do so. There is an
entry for encryption, aes256, aes128, etc... Is this only if I enable
SSL or TLS? Neither will be enabled at the beginning, of course this
could be the problem. So I'm not sure if it's the client, server or both??

Any help in understanding why I can get authentication to work would
be *GREATLY* appreciated.
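
To see how the system-auth stack posted above actually decides for a user who exists only in LDAP, here is an added example (not from this thread, nor from IBM or PADL) that evaluates the auth and account phases under the control-flag semantics of pam.conf(5). The wrapped lines are joined, the module return codes are constructed assumptions, and the result names (success, auth_err, acct_expired, user_unknown, perm_denied) are lowercase forms of the PAM return codes.

```python
import re

# Shorthand controls written as the [value=action] maps pam.conf(5) defines for them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# The auth and account stacks from the system-auth posted above, wrapped lines joined.
SYSTEM_AUTH = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""
def parse_stack(text, phase):
    """Return [(action_map, module_name)] for the lines of one phase (auth, account, ...)."""
    stack = []
    for m in re.finditer(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)", text, re.M):
        if m.group(1) == phase:
            ctl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
            amap = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else SHORTHAND[ctl]
            stack.append((amap, module))
    return stack

def run_stack(stack, results):
    """Run a stack; `results` maps module name -> its return code (default: success)."""
    state = None                                   # nothing has contributed yet
    for amap, module in stack:
        ret = results.get(module, "success")
        action = amap.get(ret, amap.get("default", "bad"))
        if action in ("ok", "done") and state in (None, "success"):
            state = ret                            # success can be overridden, a failure cannot
        elif action in ("bad", "die") and state in (None, "success", "new_authtok_reqd"):
            state = ret                            # the first failure decides the stack
        if action in ("done", "die"):
            return state
    return "perm_denied" if state is None else state

def ldap_user_decisions():
    # Constructed scenario: the user exists only in LDAP, so local pam_unix cannot verify it.
    auth, acct = parse_stack(SYSTEM_AUTH, "auth"), parse_stack(SYSTEM_AUTH, "account")
    base = {"pam_succeed_if.so": "auth_err"}       # uid >= 100, so the local shortcut does not fire
    return {"auth": run_stack(auth, {"pam_unix.so": "auth_err", "pam_deny.so": "perm_denied"}),
            "policy_expired": run_stack(acct, {**base, "pam_ldap.so": "acct_expired"}),
            "unknown_to_ldap": run_stack(acct, {**base, "pam_ldap.so": "user_unknown"})}
```

Note what the account line for pam_ldap implies: anything it reports other than success or user_unknown is mapped to bad and denies the login, while user_unknown is ignored and pam_permit then lets the account phase pass, so a policy the server never reports to pam_ldap is simply invisible to this stack.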

Christian Chateauvieux
Jun 29, 2006, 4:46:21 AM
Jeff,

have you tried looking at
http://www-128.ibm.com/developerworks/eserver/articles/LinuxIBMDirectory.html ?
Though it is meant for v5.1, I suppose it can be adapted to v6...

HTH,

Christian

us...@domain.invalid
Jul 4, 2006, 12:39:14 AM
Thx Christian this helped me with a few clues, but most ended up being
with pam setup. Of course I've now landed with another issue.

I can get the authentication to work, but enabling the password policy,
it does nothing. I'm wondering if there is something else I need to
enable on the client side to make this work right.

Christian Chateauvieux
Jul 4, 2006, 4:29:13 AM
Though I haven't tested this, you might give a try to uncommenting the

#pam_lookup_policy yes

stanza from the ldap.conf file. Perhaps this will help; but I am afraid
PADL has designed their PAM-LDAP module against Netscape's specs...

HTH,

Christian

Jeff Mundine
Jul 5, 2006, 12:40:10 AM
Well... I would, but that line isn't in my ldap.conf file at all.

host pacs2
ldap_version 3
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_sasl_mech DIGEST-MD5
ssl no
base cn=users,ou=visn20,o=vha

This is all I have in the ldap.conf

Nothing here would cause it not to respond to password policy.. Possibly
something is missing?
I'll try putting pam_lookup_policy yes just for the heck of it....

Jeff Mundine
Jul 5, 2006, 6:29:28 PM
Nothing changes.. The password policy doesn't even take effect. It's
really strange. I have it set to require a password change on first
login or password reset, but I can log in over and over again without
it ever doing anything...

We also just found that redhat workstation V4 keeps telling us it could
not assign the group to the user... Now that's strange..

Christian Chateauvieux
Jul 11, 2006, 1:31:50 PM
Very strange indeed.

What version of TDS are you running? You may want to ensure you're
running the latest versions and fixpack levels of the product. Some
issues related to password policy have been corrected in past fixpacks,
although I am not certain they are relevant to your case.

When you use an LDAP client, can you authenticate successfully to the
directory?

Christian

us...@domain.invalid
Dec 14, 2006, 6:52:01 PM
I know it's a little late, but this could help someone else out there....
Our problem was not with simple authentication, that will work, it was
with implementation of the password policy.
Apparently, IBM never wrote the necessary PAM modules for it to use
the password policies.
IBM would have to come up with these, since they replace all of the ldap
libraries, and the normal pam ldap modules won't work.

Was told that they had no intention on creating pam modules. I find this
odd, as it is a requirement for it to work right, on any linux platform,
not to mention that AIX will and can use them as well...

Christian Chateauvieux
Dec 19, 2006, 3:08:51 PM
Hello,

can you please open a ticket with AIX or TDS support on that matter?
This looks strange to me - I never heard of problems related to password
policies and PAM.

Thanks,

Christian

us...@domain.invalid
Dec 28, 2006, 5:32:44 PM
Yeah, when we started this several months ago, we went all the way to
the developers on the issue, not to mention several duty managers and
product engineers.
We found that the AIX team had written proper PAM modules for TDS, but
none made for linux. Most had never even heard of PAM. No idea how much
further that progressed. We proffered the log failures indicating a
problem, not to mention anything else they required. Of course, the
end response was they did not support linux.... Go figure

jmc...@us.ibm.com
Dec 31, 2006, 3:19:52 PM
I have found reference to a pam_lookup_policy setting in the PAM ldap.conf
file. When set to yes, PAM_LDAP is supposed to use the password policy
control, which enables it to be informed of password expiration and other
password policy information.

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes

Here's the most helpful link I have found so far:

http://directory.fedora.redhat.com/wiki/Howto:PAM#Enforcing_password_policy
Searching for pam_lookup_policy, ppolicy (the OpenLDAP password policy
overlay), or something along those lines might find more info.

Let me know if that works. I'll see if someone around here knows where to
stash such tidbits, or already knew that.

John McMeeking
