This is a discussion on slackware 9.1 + pam within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Hi!

I'm trying to configure Slackware 9.1 to use PAM modules for user authentication against an LDAP directory service. Until now I've installed OpenLDAP 2.2.??, Linux-PAM 0.77, pam_ldap and nss_ldap. I've recompiled shadow (utils like passwd, login, useradd, ...) with PAM support.

Right now I'm able to log in as a user whose account information is stored in LDAP. This works well. But I can't add, remove or modify user accounts with useradd, userdel etc. I've tried several configurations in my /etc/pam.d/ files, but it just doesn't work. 'useradd test', for example, gives an error like 'chauthtok failed' or something like this. Anyway, the user is added to /etc/passwd - but NOT in LDAP. Why???? What did I do wrong? Or can't I use the normal "useradd" distributed with shadow to manage users in LDAP? Maybe there's also a misconfiguration in my slapd.conf's 'access' section.

Can anyone post his/her configuration of the following files?
/etc/ldap.conf
/etc/openldap/slapd.conf
/etc/pam.d/* (shadow, useradd, other, ...)

Greets, Marco.

P.S.: Excuse my English, it's not my native language. I try to do my best.
Marco Genise <marco.genise@fernuni-hagen.de> wrote:
> "useradd" distributed with shadow to manage users in LDAP?

ANY program that uses (or changes) /etc/passwd, /etc/shadow etc. will have to be recompiled for PAM support. This includes not only useradd/del but e.g. also the graphical login managers (xdm/kdm/gdm), and probably quite a few of the internet daemons (sshd, logind, etc.).

And see the remarks Pat made about PAM (aka SCAM) in the openssh 3.7.1 upgrade, there is a reason it isn't there in standard Slackware......

--
Eef Hartman, Delft University of Technology, dept. EWI/TWA
e-mail: E.J.M.Hartman@math.tudelft.nl, fax: +31-15-278 7295
snail-mail: P.O. Box 5031, 2600 GA Delft, The Netherlands
Eef Hartman <E.J.M.Hartman@math.tudelft.nl> wrote in news:bnljcc$ln3$1@news.tudelft.nl:
> ANY program that uses (or changes) /etc/passwd, /etc/shadow etc will
> have to be recompiled for PAM support.

Yes, I know - I wrote that I recompiled shadow with PAM support. useradd is part of shadow.

> And see the remarks Pat made about PAM (aka SCAM) in the openssh 3.7.1
> upgrade, there is a reason it isn't there in standard Slackware......

I already read the remarks. The reason I want to install / configure / use PAM is just for testing purposes. I won't use it in any production environment.

So back to my problem. As I recompiled shadow (including useradd etc.) with PAM support, I just don't know how to solve my problem. There seems to be an error in my configuration files in /etc/pam.d/. Perhaps someone has already included PAM in Slackware and can tell me of his / her experiences.

thx
Marco.
On 2003-10-28, Marco Genise <marco.genise@fernuni-hagen.de> wrote:
>
> I try to configure Slackware 9.1 to use PAM-Modules for user
> authentication against a LDAP directory service.

It's not required to use PAM to authenticate against an LDAP server. Search the $AOLSFAQ (in my .sig) for LDAP.

> Until now I've installed OpenLDAP 2.2.??, Linux-PAM 0.77, pam_ldap and
> nss_ldap. I've recompiled shadow (utils like passwd, login, useradd, ...)
> with pam support.
>
> Right now i'm able to login as a user whose account-information is stored
> in LDAP. This works well.
>
> But I can't add, remove or modify user account with useradd, userdel etc.

It's doubtful anyone in the newsgroup has dealt with PAM, but instead why not just use the LDAP tools to modify account information? Is there a compelling reason to continue to use useradd and friends?

> P.S: Excuse my english, it's not my native language. I try to do my best.

You did better than many native English speakers.

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote in news:gn5mnb.uug.ln@goaway.wombat.san-francisco.ca.us:
> It's not required to use PAM to authenticate against an LDAP server.
> Search the $AOLSFAQ (in my .sig). for LDAP.

Thanks, I've already read this. I already managed to authenticate against an LDAP server using nss_ldap.

> It's doubtful anyone in the newsgroup has dealt with PAM, but instead
> why not just use the LDAP tools to modify account information? Is
> there a compelling reason to continue to use useradd and friends?

No, there's no reason to continue using useradd etc. But as I installed PAM for testing purposes and I just want to learn how it's working, it would be nice to know how I can configure useradd to work with PAM.

> You did better than many native English speakers.

Thanks ...
Marco Genise <marco.genise@fernuni-hagen.de> wrote in news:bnlg8p$12gh49$1@ID-212368.news.uni-berlin.de:

OK guys, here's my actual status:

I can authenticate against LDAP. That's OK.
I can change a user's password with 'passwd' even if this account is stored in LDAP.
I can NOT add a user with 'useradd'. Here's the output:

    # useradd test
    useradd: PAM chauthtok failed

Anyone got a hint?

Greetings, Marco.
On 28 Oct 2003 18:04:41 GMT, Marco Genise <marco.genise@fernuni-hagen.de> wrote:
> #useradd test
> useradd: PAM chauthtok failed
>
> Anyone got a hint?

Here is a hint:

"One final note: The shadow file (and useradd, for that matter) require a password field, or else they will return a 'PAM chauthtok failed' error. Also, the shadow file affects many of the other programs in the shadow suite (chfn, chage, groupdel, userdel, etc.). These programs interface with PAM as 'shadow' instead of their own program name."

from: http://linuxfromscratch.org/pipermai...ay/000785.html

Looks like you need to pass the -p password parameter to useradd.

Good luck,
Bryan

--
Give a man a fish, he owes you one fish. Teach a man to fish, and you give up your monopoly on fisheries.
- Proprietary Software 101
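The two facts in Bryan's hint (the PAM-built shadow suite looks up the service name "shadow", and useradd's chauthtok step fails when it has no password to set) can be put together in one script. This is an added example, not code from anyone in the thread: it writes a single /etc/pam.d/shadow that tries pam_ldap before pam_unix, and it calls useradd with a crypt(3) hash in -p so the chauthtok step has something to store. The module options, the openssl invocation and the service-file path are assumptions from how pam_ldap, pam_unix and shadow are normally set up; it also assumes /etc/ldap.conf already has a rootbinddn and /etc/ldap.secret so that root can change other users' passwords through pam_ldap. Note what it does not do: useradd still writes the account record only to /etc/passwd (as Marco observed), so creating the LDAP entry itself remains a job for the LDAP tools Keith suggested.

```shell
#!/bin/sh
# Added example (not from the thread): PAM stack for the shadow suite and a
# useradd call that satisfies the chauthtok step. Module options and paths
# are assumptions about a standard pam_ldap/pam_unix setup.
set -eu

# Emit a /etc/pam.d/shadow that tries LDAP first and falls back to local files.
# Every program in the shadow suite built with PAM (useradd, userdel, chfn,
# chage, ...) looks up the service name "shadow", so one file covers all of them.
pam_shadow_stack() {
    cat <<'EOF'
#%PAM-1.0
# auth/account: accept an LDAP user, otherwise fall back to /etc/shadow
auth      sufficient  pam_ldap.so
auth      required    pam_unix.so try_first_pass
account   sufficient  pam_ldap.so
account   required    pam_unix.so
# password (chauthtok): pam_ldap first; pam_unix reuses the token already
# collected (use_authtok) instead of prompting a second time
password  sufficient  pam_ldap.so
password  required    pam_unix.so use_authtok
session   required    pam_unix.so
EOF
}

# Write the stack to the given file (default /etc/pam.d/shadow), mode 0644.
write_pam_shadow() {
    dest=${1:-/etc/pam.d/shadow}
    pam_shadow_stack > "$dest"
    chmod 0644 "$dest"
}

# Build the useradd command line. Per the LFS hint quoted above, useradd's
# PAM chauthtok step needs a password field, so pass one with -p as a
# crypt(3) hash rather than leaving it empty.
useradd_cmd() {
    user=$1
    hash=$2
    printf "useradd -m -p '%s' %s\n" "$hash" "$user"
}

# Salted MD5 crypt hash for -p, generated with openssl (assumed present).
# The hash ends up on useradd's command line and therefore in `ps`; fine on
# a test box, not something to do on a production host.
make_hash() {
    openssl passwd -1 "$1"
}

# Only touch the system when explicitly asked to and running as root;
# otherwise just show the stack and the command that would be run.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    write_pam_shadow
    h=$(make_hash 'changeme')
    useradd -m -p "$h" test
else
    pam_shadow_stack
    useradd_cmd test '$1$salt$hashedpassword'
fi
```

Run it as plain `sh script.sh` to preview the stack and the useradd line; `APPLY=1 sh script.sh` as root writes /etc/pam.d/shadow and creates the user. With pam_ldap marked `sufficient` in the password stack, a user that does not exist in LDAP (which is exactly the case right after useradd) falls through to pam_unix, so the hash lands in /etc/shadow and the chauthtok error goes away; the LDAP entry still has to be added with ldapadd.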
On 2003-10-28, Marco Genise <marco.genise@fernuni-hagen.de> wrote:
>
> No, there's no reason to continue using useradd etc. But as I installed PAM
> for testing purposes and I just want to learn how it's working, it would be
> nice to know how i can configure useradd to work with pam.

Okey-day. Best of luck to you!

helpful. I would certainly suggest a linux-pam forum, as well, since perhaps they know more about how useradd is supposed to work with PAM.

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
On Tue, 28 Oct 2003 12:00:48 +0000, Marco Genise wrote:
> Eef Hartman <E.J.M.Hartman@math.tudelft.nl> wrote in news:bnljcc$ln3$1
> @news.tudelft.nl:
>
>> ANY program that uses (or changes) /etc/passwd, /etc/shadow etc will
>> have to be recompiled for PAM support.
>
> Yes, I know - I wrote I recompiled shadow with pam support. useradd is part
> of shadow.

You might have to edit `/etc/nscd.conf'.

man nscd.conf

>> And see the remarks Pat made about PAM (aka SCAM) in the openssh 3.7.1
>> upgrade, there is a reason it isn't there in standard Slackware......
>
> I already read the remarks. The reason I want to install / configure / use
> pam is just for testing purposes.

If you're testing - and (re)compiling - stuff anyway, have a look at KerberosV for authentication as well. I posted a SlackBuild script for Heimdal in another NG (a while ago) which might help with setting that up:
<http://google.nl/groups?selm=pan.2003.09.15.10.31.12.174696%40desktop.local&rnum=3>

Also, the following links are good (IMO):
<http://www.ofb.net/~jheiss/krbldap/>
<http://www.hut.fi/cc/docs/kerberos/>

> I won't use it in any production environement.

Hey, it still beats the crap out of some other often used systems (i.e. SAM).

[snip]

> Perhaps someone already did include pam into slackware and can tell me of
> his / her experiences.

I only used PAM on RH and such (bloatware), have a look here though:
<http://www.imaginator.com/~simon/ldap/>

> thx

HTH.

--
-Menno.
Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote in
> Okey-day. Best of luck to you!
> helpful. I would certainly suggest a linux-pam forum, as well, since
> perhaps they know more about how useradd is supposed to work with PAM.

Doesn't matter, nobody is perfect ...

I found a linux-pam forum yesterday, but I still ran out of time to post there. But as I just like this forum here, I think I'll stay and participate.

Marco.