However, I never can get authenticated on the server via the client. I
just get invalid credentials, which is complaining about the password.
IBM won't help with the client config; it took a few days to get them to
tell me I had to install the IBM client for it to work. The only client
I could find was the SDK, but it seems to install only 2 of the 3 RPMs listed.
IBM said that was okay.
Needed:
* Base client: idsldap-cltbase60-6.0.0-2.i386.rpm
* 32-bit client: idsldap-clt32bit60-6.0.0-2.i386.rpm
* Java client: idsldap-cltjava60-6.0.0-2.i386.rpm
Have:
idsldap-cltbase60-6.0.0-0
idsldap-clt32bit60-6.0.0-0
It may be a problem with the config; we are using PAM for authentication.
(Commented-out lines edited out for space.)
host pacs2
ldap_version 3
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_sasl_mech DIGEST-MD5
ssl no
base cn=users,ou=visn20,o=vha
The system-auth file from /etc/pam.d:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
The nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files
The /etc/openldap/ldap.conf:
HOST pacs2
BASE cn=users,ou=vhapug,o=vha
The /opt/ibm/ldap/V6.0/etc/ibmldap.conf:
plugin sasl CRAM-MD5 idsldap_plugin_sasl_cram-md5 ldap_plugin_init
plugin sasl GSSAPI idsldap_plugin_ibm_gsskrb ldap_plugin_init
plugin sasl DIGEST-MD5 idsldap_plugin_sasl_digest-md5 ldap_plugin_init
idsmlink has been run with -i 32, so all the links are there.
I also posted the ibmslapd.conf at:
http://www.mundine.net/ibmslapd.conf
There is also an output from the OpenLDAP ldapsearch command to view
the directory tree a little easier:
http://www.mundine.net/ldapsearch.out
I haven't enabled the password policy yet, but will do so. There is an
entry for encryption (aes256, aes128, etc.). Is this only if I enable
SSL or TLS? Neither will be enabled at the beginning; of course this
could be the problem. So I'm not sure if it's the client, server or both.
Any help in understanding why I can't get authentication to work would
be *GREATLY* appreciated.
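To see which line of the system-auth stack posted above actually produces the verdict a login gets, here is an added example (not code from the post or from Linux-PAM itself): a small model of Linux-PAM's control-flag handling (required/requisite/sufficient/optional and the bracketed [success=... default=...] form) that parses the posted auth and account lines and walks them with constructed module return codes. The module results fed in (pam_ldap returning success, auth_err or acct_expired, pam_unix returning user_unknown for an LDAP-only user) are assumptions chosen to illustrate the stack, not observations from the poster's system.

```python
"""Walk the posted /etc/pam.d/system-auth stack with constructed module results.

Added example, not code from the thread: a small model of Linux-PAM's
control-flag handling, close enough to show which line produces the verdict
a login sees.
"""
import re

# The auth and account sections of the posted system-auth, copied verbatim.
SYSTEM_AUTH = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""

# Linux-PAM defines the keyword controls as shorthands for bracketed actions.
SHORTHAND = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, group):
    """Return [(module file name, action table)] for one management group."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse pam line: %r" % line)
        mgmt, control, module, _args = m.groups()
        if mgmt != group:
            continue
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = SHORTHAND[control]
        stack.append((module.rsplit("/", 1)[-1], actions))
    return stack


def run_stack(stack, results, trace=None):
    """Return the code the application sees; `results` maps module -> return code.

    Modules missing from `results` are treated as returning 'ignore'. If `trace`
    is a list, the modules actually consulted are appended to it.
    """
    impression, status = None, None          # None, '+' or '-'; the code that wins so far
    for module, actions in stack:
        if trace is not None:
            trace.append(module)
        rc = results.get(module, "ignore")
        action = actions.get(rc, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "ok":                    # first success sets the verdict
            if impression is None:
                impression, status = "+", rc
        elif action == "done":                # sufficient: return now if nothing failed yet
            if impression is None or (impression == "+" and status == "success"):
                return rc
        elif action in ("bad", "die"):        # a failure overrides earlier successes
            if impression != "-":
                impression, status = "-", rc
            if action == "die":
                return status
    return status if status is not None else "perm_denied"


def ldap_user_login(pam_ldap_rc):
    """Auth stack for a user who exists only in LDAP: pam_unix has no shadow entry."""
    return run_stack(parse_stack(SYSTEM_AUTH, "auth"), {
        "pam_env.so":  "success",
        "pam_unix.so": "user_unknown",   # not in /etc/shadow, so this sufficient line is skipped
        "pam_ldap.so": pam_ldap_rc,      # verdict of the LDAP bind (constructed)
        "pam_deny.so": "auth_err",       # always fails; only matters if nothing above succeeded
    })


def local_user_login():
    """Auth stack for a user in /etc/shadow: pam_unix decides and pam_ldap never runs."""
    trace = []
    status = run_stack(parse_stack(SYSTEM_AUTH, "auth"), {
        "pam_env.so": "success", "pam_unix.so": "success",
        "pam_ldap.so": "success", "pam_deny.so": "auth_err",
    }, trace)
    return status, trace


def ldap_user_account(pam_ldap_rc):
    """Account stack for an LDAP user with uid >= 100; pam_ldap's verdict is decisive."""
    return run_stack(parse_stack(SYSTEM_AUTH, "account"), {
        "pam_unix.so":       "success",
        "pam_succeed_if.so": "auth_err",   # uid < 100 is false, so the sufficient line is ignored
        "pam_ldap.so":       pam_ldap_rc,  # e.g. 'acct_expired' from a server-side password policy
        "pam_permit.so":     "success",
    })


if __name__ == "__main__":
    print("LDAP bind ok       ->", ldap_user_login("success"))
    print("LDAP bind rejected ->", ldap_user_login("auth_err"))
    print("local user         ->", local_user_login())
    print("account, policy    ->", ldap_user_account("acct_expired"))
```

Two things the walk makes visible: with pam_unix listed as sufficient ahead of pam_ldap, any user present in /etc/shadow is authenticated locally and the directory is never asked, so the LDAP server only sees users that are not local; and when pam_ldap's bind fails, the "invalid credentials" the poster sees is pam_ldap's own bind result, with the final denial then coming from the required pam_deny line, so the stack itself is not what is rejecting the login.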
Have you tried looking at
http://www-128.ibm.com/developerworks/eserver/articles/LinuxIBMDirectory.html
? Though it is meant for v5.1, I suppose it can be adapted to v6...
HTH,
Christian
I can get the authentication to work, but enabling the password policy,
it does nothing. I'm wondering if there is something else I need to
enable on the client side to make this work right.
#pam_lookup_policy yes
stanza from the ldap.conf file. Perhaps this will help; but I am afraid
PADL has designed their PAM-LDAP module against Netscape's specs...
HTH,
Christian
host pacs2
ldap_version 3
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_sasl_mech DIGEST-MD5
ssl no
base cn=users,ou=visn20,o=vha
This is all I have in the ldap.conf
Nothing here would cause it not to respond to the password policy. Possibly
something is missing?
I'll try putting pam_lookup_policy yes in just for the heck of it...
We also just found that Red Hat Workstation V4 keeps telling us it could
not assign the group to the user... Now that's strange.
What version of TDS are you running? You may want to ensure you're
running the latest versions and fixpack levels of the product. Some
issues related to password policy have been corrected in past fixpacks,
although I am not certain they are relevant to your case.
When you use an LDAP client, can you authenticate successfully to the
directory?
Christian
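Christian's question above (bind to the directory directly with an LDAP client, outside PAM) is the right way to isolate the failure, and the ldap.conf in the original post selects pam_sasl_mech DIGEST-MD5, which brings a server-side requirement worth knowing about. In DIGEST-MD5 (RFC 2831) the server has to compute H(username:realm:password) itself, so it needs the password stored in clear or in reversible encryption, which is what the aes128/aes256 options in the password-encryption setting mentioned in the first post are for; a one-way hash such as crypt or SHA leaves the server with nothing to compare against and the bind fails with invalid credentials even when the password typed is right. The following is an added example, not code from the thread or from IBM: it implements the RFC 2831 response arithmetic, checks it against the RFC's own worked example (section 4), and contrasts a simple bind with a DIGEST-MD5 bind against two constructed user records. The user jdoe, the realm pacs2, the digest-uri ldap/pacs2 and the password are invented; on a real server the realm and nonce come from the server's challenge.

```python
"""DIGEST-MD5 (RFC 2831) bind arithmetic, added to show why the mechanism
needs a recoverable password on the server. Not code from the thread."""
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def user_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the per-user value the server must be able to produce."""
    return hashlib.md5("{}:{}:{}".format(username, realm, password).encode("utf-8")).digest()


def _digest(secret, nonce, cnonce, nc, qop, a2):
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with A1 = secret:nonce:cnonce."""
    a1 = secret + ":{}:{}".format(nonce, cnonce).encode("utf-8")
    ha1 = md5_hex(a1)
    ha2 = md5_hex(a2.encode("utf-8"))
    return md5_hex("{}:{}:{}:{}:{}:{}".format(ha1, nonce, nc, cnonce, qop, ha2).encode("utf-8"))


def client_response(secret, nonce, cnonce, nc, qop, digest_uri):
    """The response= value the client sends; A2 = "AUTHENTICATE:" digest-uri."""
    a2 = "AUTHENTICATE:" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _digest(secret, nonce, cnonce, nc, qop, a2)


def server_rspauth(secret, nonce, cnonce, nc, qop, digest_uri):
    """The rspauth= value the server returns so the client can verify the server too."""
    a2 = ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _digest(secret, nonce, cnonce, nc, qop, a2)


def rfc2831_example():
    """Known-answer check: the worked exchange in RFC 2831 section 4 (user chris, password secret)."""
    secret = user_secret("chris", "elwood.innosoft.com", "secret")
    args = (secret, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth",
            "imap/elwood.innosoft.com")
    return client_response(*args), server_rspauth(*args)


# Two constructed server-side records for the same (invented) password: the first
# is what a reversible password-encryption setting (aes128, aes256 ...) gives you,
# the second is a one-way {SHA} hash.
PASSWORD = "s3cret"
REVERSIBLE_STORE = {"clear": PASSWORD}
ONE_WAY_STORE = {"sha1": hashlib.sha1(PASSWORD.encode("utf-8")).hexdigest()}


def simple_bind(stored, typed):
    """Simple bind: the password itself arrives, so any stored form can be checked."""
    if "sha1" in stored:
        return hmac.compare_digest(stored["sha1"], hashlib.sha1(typed.encode("utf-8")).hexdigest())
    return hmac.compare_digest(stored["clear"], typed)


def digest_md5_bind(stored, username, realm, typed, digest_uri="ldap/pacs2"):
    """One SASL DIGEST-MD5 exchange; True on success, False for 'invalid credentials'."""
    nonce, cnonce, nc = os.urandom(16).hex(), os.urandom(16).hex(), "00000001"
    # Client side: it knows the password, so it can derive the secret and answer.
    response = client_response(user_secret(username, realm, typed), nonce, cnonce, nc, "auth", digest_uri)
    # Server side: it must recompute the same value from what it has stored.
    if "clear" not in stored:
        # H(user:realm:password) cannot be derived from a one-way hash, so the
        # server has nothing to compare against and has to reject the bind.
        return False
    expected = client_response(user_secret(username, realm, stored["clear"]), nonce, cnonce, nc, "auth", digest_uri)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    print("RFC 2831 example     ->", rfc2831_example())
    print("simple bind, {SHA}   ->", simple_bind(ONE_WAY_STORE, PASSWORD))
    print("DIGEST-MD5, reversible ->", digest_md5_bind(REVERSIBLE_STORE, "jdoe", "pacs2", PASSWORD))
    print("DIGEST-MD5, {SHA}      ->", digest_md5_bind(ONE_WAY_STORE, "jdoe", "pacs2", PASSWORD))
```

The practical check this implies, using OpenLDAP's own client: if a simple bind (ldapsearch -x -D <user dn> -W) succeeds against the server but the SASL bind (ldapsearch -Y DIGEST-MD5 -U <uid>) fails with invalid credentials for the same user, the problem is how the password is stored on the server, not the PAM stack. Two caveats: with ssl no, a simple bind puts the password on the wire in clear on port 389, so dropping pam_sasl_mech in favour of a simple bind should go together with enabling TLS; and entries whose password was set before a reversible encryption option was configured keep their old one-way form until the password is changed again.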
I was told that they had no intention of creating PAM modules. I find this
odd, as it is a requirement for it to work right on any Linux platform,
not to mention that AIX will and can use them as well...
Can you please open a ticket with AIX or TDS support on that matter?
This looks strange to me; I never heard of problems related to password
policies and PAM.
Thanks,
Christian
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes
Here's the most helpful link I have found so far:
http://directory.fedora.redhat.com/wiki/Howto:PAM#Enforcing_password_policy
Searching for pam_lookup_policy, ppolicy (the OpenLDAP password policy
overlay), or something along those lines might find more info.
Let me know if that works. I'll see if someone around here knows where to
stash such tidbits, or already knew that.
John McMeeking