# LAM & LDAP user login

## ScOut3R

Hey There!

I saw that LAM isn't in portage, but it looks really great. Do you know any admin package which is in portage and similar to LAM? I know phpldapadmin, but I'd like to use a different one.

[LAM problem solved, now it is an LDAP auth topic]

Last edited by ScOut3R on Wed Dec 19, 2007 11:48 am; edited 1 time in total

----------

## tarpman

ldapadd(1)

ldapmodify(1)

np.

----------

## ScOut3R

By "similar to LAM" I meant a web interface, because the users won't be managed by the system administrator.

----------

## tekknokrat

I recently tried LAM from the Ubuntu package and it always throws me out with "search results exceeded", although slapd was configured to 10000.

Sounds like something weird in the config.

Did you try "luma"? It looks promising, only some updating issues.

If you know the structure of your organisation, it is best to get used to ldapadd, ldapdelete and ldapsearch.

----------

## ScOut3R

Finally I've set up LAM and it works; at least I can manage users. Now I have some problems with client authentication through LDAP.

----------

## tekknokrat

OK, my issue with LAM is solved: I accidentally uncommented SIZELIMIT 12 in /etc/ldap/ldap.conf, and LAM is the only one reading this setting :Rolling Eyes:

But otherwise it does too much magic for me.

----------

## ScOut3R

I've set up an LDAP server so other Linux workstations can authenticate users against it, but I have a little problem. Somehow I can't get the password out of LDAP. If I try to switch user from root (su - user) it works, and I can change permissions to LDAP users and groups, but I can't log in with an LDAP user.

The error says:

```
Dec 19 12:41:23 fileserver login[32581]: pam_ldap: error trying to bind as user "uid=probauser,ou=People,dc=[xxx],dc=[xxx]" (Invalid credentials)
```

Here's my slapd.conf:

```
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap/openldap
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
# moduleload    back_hdb.so
# moduleload    back_dnssrv.so

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=[xxx],dc=[xxx]"
checkpoint      32      30 # <kbyte> <min>
rootdn          "cn=Manager,dc=hotelmediterran,dc=hu"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq

rootpw {SSHA}lDJetIpzsKbEO1Aw6z/AjYvycNVJzesH

# Note: 'by' clauses are tried in order and the first match wins. 'read'
# already implies 'auth' (slapd.access(5)), so the 'by * auth' line below
# is never reached, and anonymous clients can read every attribute of
# every entry, userPassword hashes included.
access to *
        by * read
        by * auth
```

My /etc/ldap.conf:

```
host localhost
base dc=[xxx],dc=[xxx]
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=[xxx],dc=[xxx]?one
nss_base_shadow ou=People,dc=[xxx],dc=[xxx]?one
nss_base_group  ou=Group,dc=[xxx],dc=[xxx]?one
```
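
The posted ACL is not what produces the "Invalid credentials" bind error (in slapd.access(5) the `read` level already includes `auth`, so the bind is permitted), but it does leave every userPassword hash readable by anonymous clients, which is exactly what an attacker wants for offline cracking. The block below is an added example, not code from the thread: it models slapd's first-match ACL evaluation for the subjects `*`, `anonymous`, `users` and `self` and the targets `*` and `attrs=...`, parses the posted ACL, and compares it with a tighter ordering of my own. The DN `uid=probauser,ou=People,dc=example,dc=org` is a constructed stand-in for the redacted one; the tighter ACL keeps `by * read` for non-password attributes because the posted /etc/ldap.conf has no binddn, so nss_ldap looks accounts up anonymously.

```python
"""Added example (not from the thread): a small model of how slapd evaluates
slapd.conf 'access to' directives, following slapd.access(5).

The first 'access to' directive whose target matches the requested attribute
is selected; inside it, the first 'by' clause whose subject matches the
requester decides the outcome. An implicit 'by * none' ends every directive
and an implicit 'access to * by * none' ends the list. Access levels form a
ladder, so a granted level also grants every lower one.
"""

# Access levels, lowest to highest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def subject_matches(who, requester, entry_dn):
    """Subjects handled by this model: '*', 'anonymous', 'users', 'self'."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    raise ValueError("unsupported 'by' subject in this model: %s" % who)


def target_matches(what, attr):
    """Targets handled by this model: '*' or 'attrs=a,b,...'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[len("attrs="):].split(",")]
    raise ValueError("unsupported 'access to' target in this model: %s" % what)


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into
    [(what, [(who, level), ...]), ...], ignoring comments and blank lines."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[:2] == ["access", "to"]:
            acl.append((parts[2], []))
        elif parts[0] == "by" and acl:
            acl[-1][1].append((parts[1], parts[2]))
    return acl


def evaluate(acl, requester, entry_dn, attr, needed):
    """Return (allowed, deciding_clause) for `requester` (None = anonymous)
    asking for level `needed` on attribute `attr` of entry `entry_dn`."""
    for what, clauses in acl:
        if not target_matches(what, attr):
            continue
        for who, level in clauses:
            if subject_matches(who, requester, entry_dn):
                allowed = LEVELS.index(level) >= LEVELS.index(needed)
                return allowed, "access to %s by %s %s" % (what, who, level)
        return False, "access to %s (implicit by * none)" % what
    return False, "implicit access to * by * none"


def unreachable_clauses(acl):
    """'by' clauses that follow a 'by *' clause in the same directive never fire."""
    found = []
    for what, clauses in acl:
        seen_catch_all = False
        for who, level in clauses:
            if seen_catch_all:
                found.append("access to %s by %s %s" % (what, who, level))
            if who == "*":
                seen_catch_all = True
    return found


# The ACL exactly as it appears in the posted slapd.conf.
POSTED = parse_acl("""
access to *
        by * read
        by * auth
""")

# A tighter ordering (my suggestion, not from the thread): the hash is usable
# only for bind and for self password change; everything else stays readable
# because the posted /etc/ldap.conf has no binddn for nss_ldap.
TIGHTER = parse_acl("""
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
""")

USER = "uid=probauser,ou=People,dc=example,dc=org"  # constructed stand-in DN

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("tighter", TIGHTER)):
        print(name, "anonymous reads hash:", evaluate(acl, None, USER, "userPassword", "read"))
        print(name, "anonymous may bind:  ", evaluate(acl, None, USER, "userPassword", "auth"))
    print("unreachable in posted:", unreachable_clauses(POSTED))
```

The order of the two `access to` directives in the tighter variant matters as much as the `by` order: if `access to *` came first it would swallow the userPassword request and the `attrs=userPassword` directive would never be consulted.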

----------

## tekknokrat

*Quote:*

> uid=probauser,ou=People,dc=[xxx],dc=[xxx]

Is that the bind to LDAP for the user you want to log in with?

I would first try to set the bind credentials in /etc/ldap.conf to

```
rootbinddn "cn=Manager,dc=hotelmediterran,dc=hu"
```

with the correct password in /etc/ldap.secret. Then try again and post your results.

If that doesn't work, what does

```
getent passwd
```

show?

How do you have pam_ldap, nss_ldap and nsswitch.conf configured?

My /etc/ldap.conf looks like this:

```
ssl off
suffix dc=th-domain,dc=lan
uri ldap://localhost
pam_password exop
nss_initgroups_ignoreusers root,openldap
bind_policy soft
bind_timelimit 15
rootbinddn cn=admin,dc=th-domain,dc=lan
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=peoples,dc=th-domain,dc=lan
nss_base_shadow ou=peoples,dc=th-domain,dc=lan
nss_base_group  ou=groups,dc=th-domain,dc=lan
nss_base_hosts  ou=hosts,dc=th-domain,dc=lan
scope one
```

It's Ubuntu, but this file is IMO identical.
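
A caveat on the rootbinddn suggestion: the password in /etc/ldap.secret is the directory Manager's, so every client that holds that file can rewrite the whole directory, and nss_ldap/pam_ldap read it only if it is root-owned and not readable by anyone else. The block below is an added example, not code from the thread: a small checker for that file's ownership, mode and contents, run against temporary files it constructs itself. The `expect_uid` parameter exists only so the demo can run as a non-root user; on a real client it must be 0.

```python
"""Added example (not from the thread): sanity checks for /etc/ldap.secret,
the file nss_ldap and pam_ldap read the rootbinddn password from.

Checks: owned by the expected uid, no group/other permission bits, exactly
one non-empty line (the first line is the password), and no leading or
trailing whitespace on that line, which would otherwise be sent as part of
the password.
"""
import os
import stat
import tempfile


def current_uid():
    """Helper so the demo and its checks can run as an unprivileged user."""
    return os.getuid()


def check_ldap_secret(path, expect_uid=0):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expect_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expect_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access, expected 0600"
                        % (st.st_mode & 0o7777))
    with open(path, "rb") as f:
        data = f.read()
    lines = data.split(b"\n")
    if not data.strip():
        findings.append("file is empty")
    elif len([l for l in lines if l.strip()]) > 1:
        findings.append("more than one non-empty line; only the first is the password")
    if lines[0] != lines[0].strip():
        findings.append("leading/trailing whitespace on the password line")
    return findings


def write_demo_secret(mode, content):
    """Create a constructed temp file (demo helper) and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    me = current_uid()
    for mode, content in ((0o644, b"secret\n"), (0o600, b"secret\n"), (0o600, b"secret \nmore\n")):
        p = write_demo_secret(mode, content)
        print("%04o %r -> %s" % (mode, content, check_ldap_secret(p, expect_uid=me) or "ok"))
        os.unlink(p)
```

Running it as root against the real file (`check_ldap_secret("/etc/ldap.secret")`) is the intended use; anything other than an empty list means nss_ldap will either refuse the file or bind with the wrong password.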

----------

## ScOut3R

I've solved the above-mentioned problem. getent passwd/group, id [user], chown and chmod work. So the system sees the LDAP-stored users, but I still have some problems with their passwords, because I can't do a normal login.

----------

## tekknokrat

Can you change the password with passwd?

I also had problems with passwords but solved them via the configuration of the password section in the pam.d conf.

----------

## ScOut3R

*tekknokrat wrote:*

> Can you change the password with passwd?
> 
> I also had problems with passwords but solved them via the configuration of the password section in the pam.d conf.

 

Nope, it says

```
authentication token manipulation error
```

system-auth password section under pam.d:

```
password   sufficient   pam_ldap.so use_authtok use_first_pass
```

----------

## ScOut3R

Okay, the auth problem is solved. Now I have some performance and practical issues.

I use Ubuntu clients and they're really slow to respond on authentication. I see nothing in particular in the logs.

The other issue is the /home directory. It is on the LDAP server and exported rw,sync to the clients. When I try to log in with a new user, the home directory can't be created because of the permissions. Do you have any tricks to solve this?

----------

## ScOut3R

Performance problems resolved.  :Smile: 

Hopefully my last question is the following! I use an NFS-mounted /home on the clients with pam_mkhomedir. The directory is created, but with the wrong ownership. The group is correct, but the user is nobody, and I can set the correct group only from the server. Is there a workaround? This way pam_mkhomedir is totally useless.
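
The "owner is nobody" symptom is what NFS's default root_squash produces: pam_mkhomedir runs as root on the client, the server maps that root to the anonymous uid (65534 by default), so the directory is created as nobody and the follow-up chown to the real user is refused because only unsquashed root may give a file away. The block below is an added example, not code from the thread: it parses an /etc/exports file with exports(5) semantics, matches a client against the export, and models what pam_mkhomedir ends up with. The exports content, addresses and uids are constructed for the demo. Note that the usual "fix", no_root_squash, makes every client's root a full root on the server's /home, which is a trade many sites refuse; creating home directories on the server side avoids it.

```python
"""Added example (not from the thread): parse /etc/exports and work out what a
client's root becomes on each export, then model pam_mkhomedir over NFS.

Option semantics follow exports(5): root_squash is the default and maps uid 0
to anonuid (65534 unless overridden), all_squash maps every uid there, and
no_root_squash leaves uid 0 alone. The modelling is mine.
"""
import fnmatch
import ipaddress
import re

ANON_UID = 65534  # 'nobody' on the distributions of the period


def parse_exports(text):
    """Return one dict per (path, client) pair with the derived squash settings."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = re.fullmatch(r"([^(\s]*)(?:\((.*)\))?", token)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entry = {"path": path, "client": m.group(1) or "*", "options": opts,
                     "root_squash": True, "all_squash": False, "anonuid": ANON_UID,
                     # exports(5) warns about a space before '(': the options then
                     # apply to the whole world, not to the host on their left.
                     "world_by_accident": m.group(1) == ""}
            for o in opts:
                if o == "no_root_squash":
                    entry["root_squash"] = False
                elif o == "root_squash":
                    entry["root_squash"] = True
                elif o == "all_squash":
                    entry["all_squash"] = True
                elif o.startswith("anonuid="):
                    entry["anonuid"] = int(o.split("=", 1)[1])
            exports.append(entry)
    return exports


def client_matches(spec, client):
    """Match an IP or hostname against an exports client spec (*, IP, CIDR, glob)."""
    if spec == "*":
        return True
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        ip = None
    if ip is not None:
        try:
            return ip in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            pass
    return fnmatch.fnmatchcase(client, spec)


def find_export(exports, path, client):
    """First export entry that serves `path` to `client`, or None."""
    for e in exports:
        if e["path"] == path and client_matches(e["client"], client):
            return e
    return None


def effective_uid(export, uid):
    """The uid the server attributes a request from `uid` on the client to."""
    if export["all_squash"] or (uid == 0 and export["root_squash"]):
        return export["anonuid"]
    return uid


def simulate_mkhomedir(export, user_uid):
    """pam_mkhomedir runs as root on the client: mkdir, then chown to the user.
    Over NFS the server sees both calls under the squashed identity, and only
    unsquashed root may chown a file to someone else."""
    creator = effective_uid(export, 0)
    chown_ok = creator == 0
    return {"created_as": creator, "final_owner": user_uid if chown_ok else creator}


# Constructed sample, not the poster's file.
EXPORTS = """\
/home       192.168.1.0/24(rw,sync)
/pub        *(ro,all_squash)
/srv/build  10.0.0.5(rw,sync,no_root_squash)
"""

if __name__ == "__main__":
    ex = parse_exports(EXPORTS)
    for path, client in (("/home", "192.168.1.20"), ("/srv/build", "10.0.0.5")):
        e = find_export(ex, path, client)
        print(path, "from", client, "->", simulate_mkhomedir(e, user_uid=1001))
```

The `world_by_accident` flag catches the classic `/home 10.0.0.5 (rw)` typo, which exports read-write to everyone; it is unrelated to the ownership problem but is the first thing to check whenever an exports file is edited under pressure.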

----------

## ScOut3R

UP!

----------

