Fedora Linux Support Community & Resources Center

#1
14th November 2011, 12:55 PM
chrismcdonald
Registered User
Join Date: Jun 2007
Posts: 5
F16 ldap client cannot login

Hi,

If I do a simple F16 install, and then use the config wizard to talk to my ldap server (on a separate host), I don't seem to be able to login using an LDAP account. I can login as root and su to an ldap account successfully however.

To be sure that I wasn't doing something stupid and to ensure that LDAP is working ok, I created another F15 install in the same way, configured it up to use the same ldap server as the F16 client before, and my client can login using the same LDAP account just fine. So nothing wrong with my ldap server.

Is there something new for LDAP in F16 I am missing or is this a defect perhaps?

(My ldap client configuration uses a TLS certificate which I download each install. I connect using ldap rather than ldaps.)

All suggestions welcome.

thanks

chris
#2
28th November 2011, 04:50 PM
bueas
Registered User
Join Date: Nov 2011
Posts: 1
Re: F16 ldap client cannot login

I have a similar problem with F16 and LDAP authentication as well, even though I found a workaround.

I strictly use ldaps with a proxy account via binddn and bindpw directives in the /etc/pam_ldap.conf file. My LDAP server is on a separate machine and runs openldap.

The LDAP proxy account (in F15 where the same settings worked) had read access to all posix related attributes EXCEPT userPassword. Only the owner of the ldap account has access to their userPassword attribute. This worked fine in F15, however in F16 the same settings failed. I was able to get around it after lots of troubleshooting by giving the LDAP proxy account read access to the userPassword attribute, and authentication started working.

So it appears something changed in pam_ldap between F15 and F16 that now requires the ldap proxy account to have read access to all userPassword attributes.
#3
21st January 2012, 05:29 PM
BeetIeguese
Registered User
Join Date: Jan 2012
Location: Sweden
Age: 32
Posts: 2
Re: F16 ldap client cannot login

Hi Chris,

Firstly, I'm aware that this thread is getting a bit outdated, but perhaps someone else might find this useful?

I ran into a similar problem just now, and tracked it down to the fact that in Fedora 16 they've increased the min-UID check in /etc/pam.d/password-auth and /etc/pam.d/system-auth to 1000 (instead of 500). This caused all my ldap users, which have UIDs starting from 500, to be unable to authenticate.

Either you have to increase all UIDs in your LDAP to >1000, or lower the uid check in /etc/pam.d/password-auth and /etc/pam.d/system-auth to 500, i.e.
FROM: auth requisite pam_succeed_if.so uid >= 1000 quiet
TO: auth requisite pam_succeed_if.so uid >= 500 quiet

/ P
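A quick way to see which accounts the UID floor described in post #3 locks out, as an added example that is not part of the original thread: it reads the `pam_succeed_if.so uid >= N` threshold from a PAM stack file and lists passwd entries between 500 and that threshold. The function names, the sample stack and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list accounts that a pam_succeed_if "uid >= N" rule rejects.

# Print N from the first active "auth ... pam_succeed_if.so uid >= N" line of
# a PAM stack file. Commented-out lines are skipped because $1 is not "auth".
pam_min_uid() {
    awk '$1 == "auth" && /pam_succeed_if\.so/ {
             for (i = 1; i < NF; i++)
                 if ($i == "uid" && $(i+1) == ">=") { print $(i+2); exit }
         }' "$1"
}

# Read passwd-format lines on stdin and print "name:uid" for every account
# with low <= uid < floor (low defaults to 500, the pre-F16 convention).
blocked_users() {
    awk -F: -v floor="$1" -v low="${2:-500}" \
        '$3 >= low && $3 < floor { print $1 ":" $3 }'
}

# Demo on constructed input; runs in a subshell so its variables stay local.
demo() (
    stack=$(mktemp)
    cat > "$stack" <<'EOF'
#%PAM-1.0 (constructed sample; the requisite line is the one from the post)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF
    floor=$(pam_min_uid "$stack")
    rm -f "$stack"
    # Constructed accounts; alice and bob stand in for LDAP users.
    printf '%s\n' \
        'root:x:0:0::/root:/bin/bash' \
        'alice:x:500:500::/home/alice:/bin/bash' \
        'bob:x:999:999::/home/bob:/bin/bash' \
        'carol:x:1000:1000::/home/carol:/bin/bash' |
        blocked_users "$floor"
)

demo
```

On a client, feed it real data with `getent passwd | blocked_users "$(pam_min_uid /etc/pam.d/system-auth)"` and repeat for /etc/pam.d/password-auth.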
#4
1st February 2012, 04:15 PM
chrismcdonald
Registered User
Join Date: Jun 2007
Posts: 5
Re: F16 ldap client cannot login

Thanks betelgeuse for the reply. Sorry for my delay only I have been on holiday.

I had not yet worked out what the problem was, and to be honest, rather than trying to fix it, I'd just continued using older versions of Fedora for now.

I have tried out changing the 2 files and reducing the min uid to 500 as you suggest and now authentication is working fine.

So thanks very much for finding this and responding to my question - I really appreciate this.


c