I'm trying to authenticate users against an Apple Open Directory server.
My client init command (works successfully):
ldapclient manual -a domainName=what.loc -a authenticationMethod=simple -a defaultSearchBase=dc=what,dc=loc \
-a serviceSearchDescriptor=passwd:cn=users,dc=what,dc=loc -a serviceSearchDescriptor=group:cn=groups,dc=what,dc=loc \
-a defaultServerList=ldap.what.loc -a serviceSearchDescriptor=shadow:cn=users,dc=what,dc=loc \
-a proxyDN=cn=diradmin,cn=users,dc=what,dc=loc -a proxyPassword=secret
My pam.conf:
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ldaplist can find the stuff...
box-r> ldaplist -l passwd cable
dn: uid=cable,cn=users,dc=what,dc=loc
uid: cable
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
givenName: Pat
uidNumber: 500
homeDirectory: /home/cable
sn: Cable
gidNumber: 10
loginShell: /bin/bash
userPassword: {crypt}cryptedpw
cn: Pat Cable
apple-generateduid: stuff
mail: cable@what.loc
What am I doing wrong? rhosts auth works, su to the user works, automount works fine, but when I try logging in directly I get this message:
Sep 23 12:13:11 box login: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Edited by: pcable on Sep 23, 2008 9:25 AM (added full error message)
Edited by: pcable on Sep 23, 2008 9:27 AM
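Added example, not from the post above or from Solaris itself: a small Python script that parses a pam.conf auth stack of the kind posted and walks it with the pam.conf(4) control-flag rules (requisite, required, binding, sufficient, optional), so you can see which modules are actually consulted for a given service, and then reads the ldapclient attributes to work out which authentication method pam_ldap will end up using. The pam.conf sample is the login and other auth stacks from the post; the ldapclient argument list is the posted command with the proxy password replaced by a placeholder. One assumption is marked in the code: that Solaris pam_ldap refuses the methods that would send the password in clear text (none and plain simple) and accepts tls:simple and the SASL methods; that rule is stated here from memory of pam_ldap(5), not from the post.

```python
import shlex

# Constructed sample: the "login" and "other" auth stacks as posted (comments dropped).
SAMPLE_PAM_CONF = """
login auth requisite pam_authtok_get.so.1
login auth required  pam_dhkeys.so.1
login auth required  pam_unix_cred.so.1
login auth binding   pam_unix_auth.so.1 server_policy
login auth required  pam_ldap.so.1
login auth required  pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required  pam_dhkeys.so.1
other auth required  pam_unix_cred.so.1
other auth binding   pam_unix_auth.so.1 server_policy
other auth required  pam_ldap.so.1
"""


def parse_pam_conf(text):
    """One dict per non-comment line: service, type, control, module, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append(dict(service=fields[0], type=fields[1], control=fields[2],
                            module=fields[3], options=fields[4:]))
    return entries


def stack_for(entries, service, mtype):
    """The stack PAM uses: the service's own lines if any, else the 'other' defaults."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    return own or [e for e in entries if e["service"] == "other" and e["type"] == mtype]


def evaluate(stack, results):
    """Walk a stack with the pam.conf(4) control-flag rules.

    results maps module name -> True (PAM_SUCCESS) or False (any failure);
    modules absent from results are assumed to succeed.
    Returns (authenticated, modules_consulted_in_order).
    """
    consulted, required_failed = [], False
    for e in stack:
        consulted.append(e["module"])
        ok = results.get(e["module"], True)
        ctl = e["control"]
        if ctl == "requisite" and not ok:
            return False, consulted          # fail at once, rest of stack skipped
        if ctl == "required" and not ok:
            required_failed = True           # remembered, but the stack continues
        elif ctl == "binding":
            if ok and not required_failed:
                return True, consulted       # success ends the stack right here
            if not ok:
                required_failed = True       # a binding failure counts as a required one
        elif ctl == "sufficient" and ok and not required_failed:
            return True, consulted
        elif ctl not in ("requisite", "required", "sufficient", "optional"):
            raise ValueError("unknown control flag %r" % ctl)
    return not required_failed, consulted


# Constructed: the posted ldapclient command, proxyPassword replaced by a placeholder.
SAMPLE_LDAPCLIENT_ARGV = shlex.split(
    "ldapclient manual -a domainName=what.loc -a authenticationMethod=simple "
    "-a defaultSearchBase=dc=what,dc=loc "
    "-a serviceSearchDescriptor=passwd:cn=users,dc=what,dc=loc "
    "-a serviceSearchDescriptor=shadow:cn=users,dc=what,dc=loc "
    "-a defaultServerList=ldap.what.loc "
    "-a proxyDN=cn=diradmin,cn=users,dc=what,dc=loc -a proxyPassword=PLACEHOLDER")


def parse_ldapclient_args(argv):
    """Collect every '-a attr=value' pair; repeated attributes accumulate in a list."""
    attrs = {}
    for i, tok in enumerate(argv):
        if tok == "-a" and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition("=")
            attrs.setdefault(name, []).append(value)
    return attrs


def pam_ldap_methods(attrs):
    """Methods pam_ldap will try: its own serviceAuthenticationMethod entry if one
    is set, otherwise the profile-wide authenticationMethod (';' separates methods)."""
    for sam in attrs.get("serviceAuthenticationMethod", []):
        service, _, methods = sam.partition(":")
        if service == "pam_ldap":
            return methods.split(";")
    return attrs.get("authenticationMethod", ["none"])[0].split(";")


# Assumption (from memory of pam_ldap(5), not from the post): pam_ldap refuses the
# methods that would send the password in clear text; tls:simple and SASL are accepted.
CLEARTEXT = {"none", "simple"}


def cleartext_methods(methods):
    """The subset of methods pam_ldap would reject under the assumption above."""
    return [m for m in methods if m in CLEARTEXT]


if __name__ == "__main__":
    login = stack_for(parse_pam_conf(SAMPLE_PAM_CONF), "login", "auth")
    print(evaluate(login, {"pam_unix_auth.so.1": True}))
    print(evaluate(login, {"pam_unix_auth.so.1": False, "pam_ldap.so.1": False}))
    methods = pam_ldap_methods(parse_ldapclient_args(SAMPLE_LDAPCLIENT_ARGV))
    print("pam_ldap methods:", methods, "cleartext:", cleartext_methods(methods))
```

Two things the walk makes visible: with pam_unix_auth stacked as binding ahead of pam_ldap, a user whose password pam_unix_auth can verify never reaches pam_ldap at all, so pam_ldap is only ever consulted (and only ever logs) after pam_unix_auth has already failed; and with nothing but authenticationMethod=simple in the profile, the method pam_ldap inherits is the cleartext one, which is the case the lint flags. To test a different stack, paste the service's lines into SAMPLE_PAM_CONF, or read /etc/pam.conf on the box and call parse_pam_conf on its contents.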