From: Fuat Altun (faltun@iso.org.tr)
Date: Mon 22 Dec 2003 - 07:17:18 EST
Merhabalar,
Mandrake 9.2 uzerinde openldap ile ugrasiyorum.
Amacim ldap kullanarak kullanici auth. yapmak.
Bu konuda bir kac sorum olacak.
1- passwd komutu ile password degistirince sadece ldap server uzerindeki
password degisiyor. Ancak ldap serveri stop edip shadow dosyasindaki
passwordu passwd komutu ile degistirebiliyorum. Ne yapabilirim?
2- ldap serveri stop ettigimde shadow fileindaki degere hic bakmadan sisteme
login olmami engelliyor. Oysa passwd ve shadow dosyalarinda girmek istedigim
account mevcut. Yani ldap server stop olunca hic bir sekilde login
olamiyorum.
3- Kullandigim dagitimin kullandigi, passwordu encrypt veya hash etme
yapisini (md5 des ....) nereden gorebilirim. Mandrake muhtemelen md5
kullaniyor.
Oysa openldap icin referans olarak kullandigim dokumanda hash icin asagidaki
gibi yapi onerilmisti.
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
Bu dogru yapimi?
4- x kullanicisinin passwordu shadow dosyasinda
($1$jyQZDCCe$TeMv081EkIZbcrgEoBKxM.) olarak gozukuyor. Plain text hali
"fuat"
Fakat bu passwordu tekrardan degitirip yine "fuat" yaptigim zaman bu hash
kodu degisiyor. Bu nasil oluyor? İkiside plain text olarak "fuat" ama hasah
kodlari farkli?
Şimdiden tesekkurler.
Conf. Dosyalarimi asagidaki gibi.
--------------------------------/etc/openldap/slapd.conf--------------------
----------
................
................
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_passwd.la
#moduleload back_sql.la
# SASL config
#sasl-host ldap.example.com
# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
#TLSRandFile /dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0
database ldbm
suffix "dc=mylan,dc=net"
rootdn "cn=root,dc=mylan,dc=net"
rootpw {MD5}a2LsnCOtDE3guPdGjj/FFw==
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
# logging
loglevel 256
# Basic ACL
access to attr=userPassword
by self write
by anonymous auth
by dn="uid=root,ou=People,dc=example,dc=com" write
by * none
access to *
by dn="uid=root,ou=People,dc=example,dc=com" write
by * read
password-hash {crypt}
password-crypt-salt-format "$1$%.8s"
--------------------------------/etc/openldap/slapd.conf--------------------
----------
--------------------------------/etc/pam.d/passwd.conf----------------------
--------
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3 minlen=4
dcredit=0 ucredit=0
password required /lib/security/pam_pwdb.so use_authtok nullok md5
shadow
password sufficient /lib/security/pam_ldap.so use_authtok
--------------------------------/etc/pam.d/passwd.conf----------------------
--------
--------------------------------/etc/pam.d/sys-auth.conf--------------------
----------
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_pwdb.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 minlen=2
dcredit=0 ucredit=0
password sufficient /lib/security/pam_unix.so nullok use_authtok md5
shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
--------------------------------/etc/pam.d/sys-auth.conf--------------------
----------
--------------------------------/etc/ldap.conf------------------------------
host 127.0.0.1
base dc=mylan,dc=net
ldap_version 3
scope one
Filter to AND with uid=%s
pam_filter objectclass=posixaccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
pam_member_attribute gid
pam_password md5
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=mylan,dc=net?one
nss_base_shadow ou=People,dc=mylan,dc=net?one
nss_base_group ou=Group,dc=mylan,dc=net?one
nss_base_hosts ou=Hosts,dc=mylan,dc=net?one
ssl off
--------------------------------/etc/ldap.conf------------------------------
-------------------------------------------nsswitch.conf--------------------
--------------------------------------
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files ldap dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
-------------------------------------------nsswitch.conf--------------------
--------------------------------------