[linux-network] openldap

---------

From: Fuat Altun (faltun@iso.org.tr)
Date: Mon 22 Dec 2003 - 07:17:18 EST

  • Next message: Zafer BAHADIR: "[linux-network] Re: [freebsd] ipfilter + transparent proxy sorunu"

    Hello,
    I am working with OpenLDAP on Mandrake 9.2.

    My goal is to do user authentication using LDAP.

    I have a few questions on this subject.

    1- When I change a password with the passwd command, only the password on the
    LDAP server changes. But if I stop the LDAP server, I can change the password
    in the shadow file with the passwd command. What can I do?

    2- When I stop the LDAP server, it blocks my login to the system without ever
    looking at the value in the shadow file. Yet the account I want to log in with
    exists in the passwd and shadow files. In other words, once the LDAP server is
    stopped, I cannot log in at all.

    3- Where can I see the password encryption or hashing scheme (md5, des, ...)
    used by my distribution? Mandrake probably uses md5.

    However, the document I used as a reference for openldap recommended the
    following structure for the hash:

    password-hash {crypt}

    password-crypt-salt-format "$1$%.8s"

    Is this correct?

    4- User x's password appears in the shadow file as
    ($1$jyQZDCCe$TeMv081EkIZbcrgEoBKxM.). Its plain-text form is "fuat".

    But when I change this password again and set it to "fuat" once more, this hash
    changes. How does this happen? Both are "fuat" in plain text, but the hashes
    are different?

    Thanks in advance.

    My config files are as follows.

    --------------------------------/etc/openldap/slapd.conf------------------------------
    ................
    ................
    pidfile /var/run/ldap/slapd.pid
    argsfile /var/run/ldap/slapd.args

    modulepath /usr/lib/openldap
    #moduleload back_dnssrv.la
    #moduleload back_ldap.la
    #moduleload back_passwd.la
    #moduleload back_sql.la

    # SASL config
    #sasl-host ldap.example.com

    # To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
    # and uncomment the following lines.
    #TLSRandFile /dev/random
    #TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /etc/ssl/openldap/ldap.pem
    TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
    #TLSCACertificatePath /etc/ssl/openldap/
    TLSCACertificateFile /etc/ssl/openldap/ldap.pem
    #TLSVerifyClient 0

    database ldbm
    suffix "dc=mylan,dc=net"
    rootdn "cn=root,dc=mylan,dc=net"
    rootpw {MD5}a2LsnCOtDE3guPdGjj/FFw==
    directory /var/lib/ldap

    index objectClass,uid,uidNumber,gidNumber eq
    index cn,mail,surname,givenname eq,subinitial

    # logging
    loglevel 256

    # Basic ACL
    access to attr=userPassword
            by self write
            by anonymous auth
            by dn="uid=root,ou=People,dc=example,dc=com" write
            by * none

    access to *
            by dn="uid=root,ou=People,dc=example,dc=com" write
            by * read

    password-hash {crypt}
    password-crypt-salt-format "$1$%.8s"
    --------------------------------/etc/openldap/slapd.conf------------------------------

    --------------------------------/etc/pam.d/passwd.conf------------------------------
    #%PAM-1.0
    auth sufficient /lib/security/pam_ldap.so
    auth required /lib/security/pam_pwdb.so shadow nullok

    account sufficient /lib/security/pam_ldap.so
    account required /lib/security/pam_pwdb.so

    password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
    password required /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
    password sufficient /lib/security/pam_ldap.so use_authtok
    --------------------------------/etc/pam.d/passwd.conf------------------------------

    --------------------------------/etc/pam.d/sys-auth.conf------------------------------
    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_pwdb.so likeauth nullok
    auth sufficient /lib/security/pam_ldap.so use_first_pass
    auth required /lib/security/pam_deny.so

    account required /lib/security/pam_unix.so
    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

    password required /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/pam_ldap.so use_authtok
    password required /lib/security/pam_deny.so

    session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so
    session optional /lib/security/pam_ldap.so
    --------------------------------/etc/pam.d/sys-auth.conf------------------------------

    --------------------------------/etc/ldap.conf------------------------------
    host 127.0.0.1

    base dc=mylan,dc=net
    ldap_version 3
    scope one
    # Filter to AND with uid=%s
    pam_filter objectclass=posixaccount

    # The user ID attribute (defaults to uid)
    pam_login_attribute uid

    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes

    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

    # Group member attribute
    pam_member_attribute gid

    pam_password md5

    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    nss_base_passwd ou=People,dc=mylan,dc=net?one
    nss_base_shadow ou=People,dc=mylan,dc=net?one
    nss_base_group ou=Group,dc=mylan,dc=net?one
    nss_base_hosts ou=Hosts,dc=mylan,dc=net?one
    ssl off
    --------------------------------/etc/ldap.conf------------------------------

    -------------------------------------------nsswitch.conf------------------------------
    passwd: files ldap
    shadow: files ldap
    group: files ldap

    #hosts: db files nisplus nis dns
    hosts: files ldap dns

    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files

    netgroup: nisplus

    publickey: nisplus

    automount: files nisplus
    aliases: files nisplus
    -------------------------------------------nsswitch.conf------------------------------

     



    ---------

    This archive was generated by hypermail 2.1.6.