Password Problems on a Linux LDAP client bound to Mac OS X LDAP server
Michael Peek
peek at tiem.utk.edu
Wed Jan 7 11:06:38 UTC 2009
Michael Peek wrote:
> Hi gurus,
>
> I have a problem where I need to bind an Ubuntu client to an existing
> Mac OS X LDAP server. I have the Ubuntu box binding but I've got a
> problem with passwords. If I use crypt passwords on the server then
> the user can log in to the Linux box just fine. But this causes
> problems for the Mac user, so what I want to do is use the default
> Open Directory type of password. But if I use OD passwords then the
> users can no longer log in to the Linux boxes: "Permission denied".
>
> I know of others who have managed to get this to work, but I haven't
> figured it out yet. I figure it's a setting somewhere in either the
> LDAP client configuration or in ubuntu's PAM configuration.
>
> Anyone have a clue they could lend me?
>
> Thanks for your help,
>
> Michael
>
Problem solved. It's a PAM thing. The solution is to edit
/etc/pam.d/common-* and make the following changes:
diff -u -r save/etc/pam.d/common-account src/etc/pam.d/common-account
--- save/etc/pam.d/common-account 2009-01-06 16:12:10.000000000 -0500
+++ src/etc/pam.d/common-account 2009-01-06 16:10:46.000000000 -0500
@@ -7,3 +7,4 @@
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
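Review bot: the `[default=bad success=ok user_unknown=ignore]` control on the new pam_ldap line maps every return value other than success and user_unknown to a failure, including whatever error pam_ldap returns when it cannot reach the directory, so a directory outage also fails the account stage for purely local accounts such as root, which the preceding `account required pam_unix.so` has just accepted. Check that root can still log in on the console with the LDAP server stopped; if that matters, add `authinfo_unavail=ignore` inside the brackets so that only a definite answer from the directory can deny a local user.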
diff -u -r save/etc/pam.d/common-auth src/etc/pam.d/common-auth
--- save/etc/pam.d/common-auth 2009-01-06 16:12:15.000000000 -0500
+++ src/etc/pam.d/common-auth 2009-01-06 16:10:46.000000000 -0500
@@ -7,5 +7,6 @@
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
-auth requisite pam_unix.so nullok_secure
+auth sufficient pam_unix.so nullok_secure
+auth sufficient pam_ldap.so use_first_pass
auth optional pam_smbpass.so migrate missingok
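Review bot: changing pam_unix from `requisite` to `sufficient` removes the only required/requisite module from common-auth, so the stack no longer contains an explicit deny: once both `sufficient` lines have failed, control falls through to the `optional` pam_smbpass line and the final verdict rests on whatever that module returns (libpam denies a stack in which every module was ignored, but an optional module that returns success would grant the login by itself). Terminate the chain with `auth required pam_deny.so` after the pam_ldap line. Note also that with pam_unix first, a local entry in /etc/shadow always wins over a directory account of the same name; that is what you want for root, but it is worth knowing when a username exists in both places.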
diff -u -r save/etc/pam.d/common-password src/etc/pam.d/common-password
--- save/etc/pam.d/common-password 2009-01-06 16:12:18.000000000 -0500
+++ src/etc/pam.d/common-password 2009-01-06 16:10:46.000000000 -0500
@@ -21,7 +21,8 @@
#
# See the pam_unix manpage for other options.
-password requisite pam_unix.so nullok obscure md5
+password sufficient pam_unix.so nullok obscure md5
+password sufficient pam_ldap.so use_authtok
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
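Review bot: `use_authtok` on the new pam_ldap line tells it not to prompt and to reuse the new password collected by an earlier module, but the only earlier module is pam_unix, which cannot change a password it does not hold and will fail for a directory-only user (no entry in /etc/shadow) before any new password is collected; pam_ldap then has no token to use, so `passwd` for an LDAP user can fail even though login works. Either put the pam_ldap line first and move `use_authtok` to pam_unix, or drop `use_authtok` here, and verify by running `passwd` as a directory user. The same missing `password required pam_deny.so` terminator applies as in common-auth, and `md5` on the pam_unix line is superseded by `sha512` in newer libpam versions; switch where the installed version supports it.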
diff -u -r save/etc/pam.d/common-session src/etc/pam.d/common-session
--- save/etc/pam.d/common-session 2009-01-06 16:12:07.000000000 -0500
+++ src/etc/pam.d/common-session 2009-01-06 16:10:46.000000000 -0500
@@ -6,4 +6,5 @@
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
+session optional pam_ldap.so
session required pam_unix.so
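Review bot: `optional` is the right control for pam_ldap in the session stage, since a session-time error from the directory should not block a login that auth and account have already approved. What the stack still lacks is home-directory creation: a directory user who has never logged in to this box has no home directory, and pam_unix does not create one. If that is the case here, add `session required pam_mkhomedir.so skel=/etc/skel umask=0077` before the pam_unix line.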
Michael
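The following script is an added example, not code from the original post, from Ubuntu, or from libpam. It models the control-flag dispatch documented in pam.conf(5) (the `required`/`requisite`/`sufficient`/`optional` expansions and libpam's "impression" bookkeeping) and runs the patched common-auth and common-account stacks from the thread through constructed scenarios, so you can see how each stack behaves when a password is wrong, when an optional module returns success, or when the directory is unreachable, before testing on a real login. The module return values per scenario and the `pam_deny.so` terminator in `COMMON_AUTH_FAIL_CLOSED` are assumptions for the demonstration; no PAM module is loaded.

```python
"""Simulate Linux-PAM control-flag dispatch for the common-auth and
common-account stacks from the thread.

Added example, not part of the original post or of libpam: it implements the
control-keyword expansions given in pam.conf(5) and the 'impression'
bookkeeping of libpam's dispatcher. Module return values are supplied by
hand per scenario (constructed); no module is actually loaded.
"""

SUCCESS = "PAM_SUCCESS"
PERM_DENIED = "PAM_PERM_DENIED"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
IGNORE = "PAM_IGNORE"

# Expansion of the simple control keywords, as given in pam.conf(5).
CONTROLS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# Modules whose return value does not depend on the scenario (pam_deny always fails).
FIXED_RETURNS = {"pam_deny.so": AUTH_ERR}


def parse_stack(text):
    """Parse 'type control module [args...]' lines into (action_table, module) pairs."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rest = fields[1:]
        if rest[0].startswith("["):
            # explicit [value=action ...] control, which split() spreads over several fields
            end = next(i for i, f in enumerate(rest) if f.endswith("]"))
            spec = " ".join(rest[:end + 1]).strip("[]")
            rest = rest[end + 1:]
        else:
            spec = CONTROLS[rest[0]]
            rest = rest[1:]
        table = dict(kv.split("=", 1) for kv in spec.split())
        stack.append((table, rest[0]))
    return stack


def dispatch(stack, returns):
    """Return the stack's overall status for the given per-module return values.

    Mirrors libpam's dispatcher: 'impression' is None (undecided), 'positive'
    or 'negative'; 'status' is what pam_authenticate()/pam_acct_mgmt() return.
    """
    returns = {**returns, **FIXED_RETURNS}
    impression, status = None, PERM_DENIED
    for table, module in stack:
        retval = returns.get(module, IGNORE)  # a module absent from the scenario returns PAM_IGNORE
        key = retval[len("PAM_"):].lower()    # PAM_USER_UNKNOWN -> user_unknown
        action = table.get(key, table["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                if retval != IGNORE:
                    if impression is None and retval == SUCCESS:
                        impression = "positive"
                    status = retval
            if impression == "positive" and action == "done":
                break                         # 'sufficient' short-circuits only on a grant
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # the first failure wins
            if action == "die":
                break
        else:
            raise ValueError(f"jump action {action!r} is not modelled")
    if status == SUCCESS and impression != "positive":
        status = PERM_DENIED                  # libpam's sanity check: nobody actually granted
    return status


def evaluate(stack_text, returns):
    return dispatch(parse_stack(stack_text), returns)


# The common-auth stack as patched in the thread.
COMMON_AUTH = """
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth optional pam_smbpass.so migrate missingok
"""

# The same stack with an explicit deny terminator (assumed hardening, not in the thread).
COMMON_AUTH_FAIL_CLOSED = COMMON_AUTH + "auth required pam_deny.so\n"

# The common-account stack as patched in the thread.
COMMON_ACCOUNT = """
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""

if __name__ == "__main__":
    local_ok = {"pam_unix.so": SUCCESS}
    ldap_ok = {"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": SUCCESS}
    bad_pw = {"pam_unix.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR}
    stray = {**bad_pw, "pam_smbpass.so": SUCCESS}   # optional module grants after both checks failed
    for name, stack in (("as patched", COMMON_AUTH), ("with pam_deny", COMMON_AUTH_FAIL_CLOSED)):
        for label, scenario in (("local", local_ok), ("ldap", ldap_ok), ("bad pw", bad_pw), ("stray", stray)):
            print(f"common-auth {name:14} {label:7} -> {evaluate(stack, scenario)}")
    # Local root with the directory unreachable: default=bad turns the outage into a denial.
    print("common-account root, LDAP down ->",
          evaluate(COMMON_ACCOUNT, {"pam_unix.so": SUCCESS, "pam_ldap.so": AUTHINFO_UNAVAIL}))
```

Run it as-is to see the two common-auth variants side by side: the patched stack accepts the "stray" scenario, where both password checks failed but the optional pam_smbpass line returned success, while the variant ending in pam_deny.so rejects it. The last line shows the account stage denying a local root login purely because pam_ldap could not reach the directory.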