[tac_plus] Tac_plus integration with LDAP (Suse issues)
Antonio Ojea Garcia
antonio.ojea.garcia at gmail.com
Mon Oct 1 19:04:07 UTC 2012
Have you compiled it with PAM support?
Do the /lib64/security/pam_ldap.so and /lib64/security/pam_unix2.so files
exist?
Thanks
2012/9/14 Javier Sánchez Romero <javier.sanchezr at satec.es>
> Hi there!
>
> I'm a newbie with PAM and I'm trying to integrate TACACS+ with an LDAP
> server. I've followed the great shrubbery tutorials for a Red Hat
> installation but I need this integration in a Suse environment.
>
> When I check /var/log/messages I can see several issues about PAM, but
> these issues are related to libraries installed in the system. I don't
> know why the libraries are not found.
>
> /var/log/messages
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
> Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_unix2.so
> Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown
>
>
> This is my scenario:
>
> Suse 11 64 bits
> Modules installed: pam modules (devel, local, ldap, krb5 and 32 bits),
> nss_ldap, openldap, glibc and sasl. And the rest of the system packages
>
> /etc/pam.d/tac_plus
> ----------------------------
> auth required pam_env.so debug
> auth sufficient pam_unix.so nullok try_first_pass debug
> auth requisite pam_succeed_if.so uid >= 500 quiet debug
> auth sufficient pam_ldap.so use_first_pass debug
> auth required pam_deny.so debug
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
>
> /etc/nsswitch.conf
> --------------------------
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> hosts: files dns
> networks: files
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: nis
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
>
> /etc/ldap.conf
> --------------------
> host x.x.x.x
> base dc=x,dc=x,dc=x
> ldap_version 3
> binddn xxxx at x.x
> bindpw xxx
> port 389
>
> nss_base_passwd OU=xx,?sub
> nss_base_shadow OU=xx,?sub
>
> nss_map_objectclass posixAccount User
> nss_map_objectclass shadowAccount User
>
> nss_map_attribute uid sAMAccountName
> nss_map_attribute userPassword msSFUPassword
>
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_objectclass posixGroup Group
> nss_map_attribute uniqueMember member
> nss_map_attribute cn sAMAccountName
> pam_login_attribute sAMAccountName
>
> pam_filter objectclass=user
> pam_password ad
>
>
> /lib/security
> -----------------
> pam_access.so pam_exec.so pam_krb5 pam_mail.so
> pam_permit.so pam_shells.so pam_tty_audit.so pam_userdb.so
> pam_ck_connector.so pam_faildelay.so pam_krb5.so pam_make.so
> pam_pwcheck.so pam_smbpass.so pam_umask.so pam_warn.so
> pam_cracklib.so pam_filter.so pam_krb5afs.so pam_mkhomedir.so
> pam_pwhistory.so pam_stress.so pam_unix.so pam_wheel.so
> pam_cryptpass.so pam_ftp.so pam_lastlog.so pam_motd.so
> pam_rhosts.so pam_succeed_if.so pam_unix2.so pam_xauth.so
> pam_debug.so pam_group.so pam_limits.so pam_mount.so
> pam_rootok.so pam_tally.so pam_unix_acct.so
> pam_deny.so pam_homecheck.so pam_listfile.so pam_namespace.so
> pam_securetty.so pam_tally2.so pam_unix_auth.so
> pam_echo.so pam_issue.so pam_localuser.so pam_nologin.so
> pam_selinux.so pam_time.so pam_unix_passwd.so
> pam_env.so pam_keyinit.so pam_loginuid.so pam_opie.so
> pam_sepermit.so pam_timestamp.so pam_unix_session.so
>
> /lib64/security
> --------------------
> pam_access.so pam_exec.so pam_keyinit.so pam_localuser.so
> pam_nologin.so pam_securetty.so pam_tally2.so pam_unix_auth.so
> pam_ck_connector.so pam_faildelay.so pam_krb5 pam_loginuid.so
> pam_opie.so pam_selinux.so pam_time.so pam_unix_passwd.so
> pam_cracklib.so pam_filter pam_krb5.so pam_mail.so
> pam_permit.so pam_sepermit.so pam_timestamp.so pam_unix_session.so
> pam_cryptpass.so pam_filter.so pam_krb5afs.so pam_make.so
> pam_pwcheck.so pam_shells.so pam_tty_audit.so pam_userdb.so
> pam_debug.so pam_ftp.so pam_lastlog.so pam_mkhomedir.so
> pam_pwhistory.so pam_smbpass.so pam_umask.so pam_warn.so
> pam_deny.so pam_group.so pam_ldap.so pam_motd.so
> pam_rhosts.so pam_stress.so pam_unix.so pam_wheel.so
> pam_echo.so pam_homecheck.so pam_limits.so pam_mount.so
> pam_rootok.so pam_succeed_if.so pam_unix2.so pam_xauth.so
> pam_env.so pam_issue.so pam_listfile.so pam_namespace.so
> pam_rpasswd.so pam_tally.so pam_unix_acct.so
>
> Does anybody have a solution for this?
> Thanks a lot in advance
>
> Kind regards
> Javi
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
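Added example (editor's code, not part of either message): in the quoted log, dlopen() of pam_ldap.so and pam_unix2.so fails because /lib64/libnsl.so.1 requires a `GLIBC_2.14` symbol version that /lib64/libc.so.6 does not provide. This sh script extracts such failures from syslog text and reports which modules referenced by a PAM service file are affected. The function names and the abridged sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed from
# the quoted log and /etc/pam.d/tac_plus lines (abridged, log entries unwrapped).
sample_log() {
cat <<'EOF'
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown
EOF
}
sample_stack() {
cat <<'EOF'
auth sufficient pam_unix.so nullok try_first_pass debug
auth sufficient pam_ldap.so use_first_pass debug
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
EOF
}

# stdin: syslog text. stdout: "module|missing version|required by", deduplicated.
pam_dlopen_failures() {
    sed -n -E "s/.*PAM unable to dlopen\(([^)]+)\): .*version \`([^']+)' not found \(required by ([^)]+)\).*/\1|\2|\3/p" | sort -u
}

# stdin: PAM service file. stdout: distinct module names. A bracketed control
# field can contain spaces, so collapse it before splitting into fields;
# wrapped option lines (fewer than three fields) are skipped.
pam_modules_in_stack() {
    sed -E -e 's/#.*//' -e 's/\[[^]]*\]/ctl/' |
        awk 'NF >= 3 { n = split($3, p, "/"); print p[n] }' | sort -u
}

# $1: service file, $2: log file. Reports stack modules that failed to load.
faulty_in_stack() {
    pam_dlopen_failures < "$2" | while IFS='|' read -r mod ver lib; do
        if pam_modules_in_stack < "$1" | grep -qxF "${mod##*/}"; then
            echo "${mod##*/}: $lib requires $ver"
        fi
    done
}

# With two arguments, check real files; otherwise summarise the sample log.
if [ "$#" -eq 2 ]; then faulty_in_stack "$1" "$2"; else sample_log | pam_dlopen_failures; fi
```

Run as `sh script.sh /etc/pam.d/tac_plus /var/log/messages` to check a real stack. The module match is exact, so a failure of pam_unix2.so is not attributed to a stack that only references pam_unix.so.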