[tac_plus] Tac_plus integration with LDAP (Suse issues)

Javier Sánchez Romero javier.sanchezr at satec.es
Fri Sep 14 15:23:02 UTC 2012


Hi there!

I'm a newbie with PAM and I'm trying to integrate TACACS+ with an LDAP server. I've followed the great shrubbery tutorials for a Red Hat installation, but I need this integration in a Suse environment.

When I check /var/log/messages I can see several issues about PAM, but these issues are related to libraries installed in the system. I don't know why the libraries are not found.

/var/log/messages
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_unix2.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown


This is my scenario:

Suse 11 64 bits
Modules installed: pam modules (devel, local, ldap, krb5 and 32 bits), nss_ldap, openldap, glibc and sasl. And the rest of the system packages

/etc/pam.d/tac_plus
----------------------------
auth        required      pam_env.so debug
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet debug
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so debug

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


/etc/nsswitch.conf
--------------------------
passwd: files ldap
group:  files ldap
shadow: files ldap

hosts:          files dns
networks:       files

services:       db files
protocols:      db files
rpc:            db files
ethers:         db files
netmasks:       files
netgroup:       nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files


/etc/ldap.conf
--------------------
host x.x.x.x
base dc=x,dc=x,dc=x
ldap_version 3
binddn xxxx@x.x
bindpw xxx
port 389

nss_base_passwd OU=xx,?sub
nss_base_shadow OU=xx,?sub

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User

nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword

nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName

pam_filter objectclass=user
pam_password ad


/lib/security
-----------------
pam_access.so        pam_exec.so       pam_krb5          pam_mail.so       pam_permit.so     pam_shells.so      pam_tty_audit.so     pam_userdb.so
pam_ck_connector.so  pam_faildelay.so  pam_krb5.so       pam_make.so       pam_pwcheck.so    pam_smbpass.so     pam_umask.so         pam_warn.so
pam_cracklib.so      pam_filter.so     pam_krb5afs.so    pam_mkhomedir.so  pam_pwhistory.so  pam_stress.so      pam_unix.so          pam_wheel.so
pam_cryptpass.so     pam_ftp.so        pam_lastlog.so    pam_motd.so       pam_rhosts.so     pam_succeed_if.so  pam_unix2.so         pam_xauth.so
pam_debug.so         pam_group.so      pam_limits.so     pam_mount.so      pam_rootok.so     pam_tally.so       pam_unix_acct.so
pam_deny.so          pam_homecheck.so  pam_listfile.so   pam_namespace.so  pam_securetty.so  pam_tally2.so      pam_unix_auth.so
pam_echo.so          pam_issue.so      pam_localuser.so  pam_nologin.so    pam_selinux.so    pam_time.so        pam_unix_passwd.so
pam_env.so           pam_keyinit.so    pam_loginuid.so   pam_opie.so       pam_sepermit.so   pam_timestamp.so   pam_unix_session.so

/lib64/security
--------------------
pam_access.so        pam_exec.so       pam_keyinit.so   pam_localuser.so  pam_nologin.so    pam_securetty.so   pam_tally2.so     pam_unix_auth.so
pam_ck_connector.so  pam_faildelay.so  pam_krb5         pam_loginuid.so   pam_opie.so       pam_selinux.so     pam_time.so       pam_unix_passwd.so
pam_cracklib.so      pam_filter        pam_krb5.so      pam_mail.so       pam_permit.so     pam_sepermit.so    pam_timestamp.so  pam_unix_session.so
pam_cryptpass.so     pam_filter.so     pam_krb5afs.so   pam_make.so       pam_pwcheck.so    pam_shells.so      pam_tty_audit.so  pam_userdb.so
pam_debug.so         pam_ftp.so        pam_lastlog.so   pam_mkhomedir.so  pam_pwhistory.so  pam_smbpass.so     pam_umask.so      pam_warn.so
pam_deny.so          pam_group.so      pam_ldap.so      pam_motd.so       pam_rhosts.so     pam_stress.so      pam_unix.so       pam_wheel.so
pam_echo.so          pam_homecheck.so  pam_limits.so    pam_mount.so      pam_rootok.so     pam_succeed_if.so  pam_unix2.so      pam_xauth.so
pam_env.so           pam_issue.so      pam_listfile.so  pam_namespace.so  pam_rpasswd.so    pam_tally.so       pam_unix_acct.so

Does anybody have a solution for this?
Thanks a lot in advance.

Kind regards
Javi
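The log lines above say that dlopen of pam_ldap.so and pam_unix2.so failed because /lib64/libnsl.so.1 asks libc for symbol version GLIBC_2.14, which the installed /lib64/libc.so.6 does not define. The following script is an added example, not code from the post or from the tac_plus project: it pulls those facts out of syslog-style lines, lists which PAM modules the stack could not load, and (as a heuristic, equivalent to `strings lib | grep GLIBC_`) scans an ELF file for the GLIBC_x.y version strings it carries, so you can compare what libnsl.so.1 needs against what libc.so.6 provides. The SAMPLE_LOG is constructed to mirror the messages quoted in the post; the library paths only matter if they exist on the host where you run it.

```python
"""Diagnose 'PAM adding faulty module' / dlopen symbol-version errors from syslog."""
import re
from pathlib import Path

# Constructed sample, modelled on the lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_unix2.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown
Sep 14 17:05:00 sshd[30700]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# glibc's message: "<provider>: version `<version>' not found (required by <dependency>)"
DLOPEN_RE = re.compile(
    r"PAM unable to dlopen\((?P<module>[^)]+)\): (?P<provider>\S+): "
    r"version `(?P<version>[^']+)' not found \(required by (?P<dependency>[^)]+)\)"
)
FAULTY_RE = re.compile(r"PAM adding faulty module: (?P<module>\S+)")
GLIBC_VER_RE = re.compile(rb"GLIBC_\d+(?:\.\d+)+")


def parse_dlopen_failures(log_text):
    """One dict per failed dlopen: PAM module, missing symbol version,
    the library that demanded it (dependency) and the one expected to provide it."""
    failures = []
    for line in log_text.splitlines():
        m = DLOPEN_RE.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


def faulty_modules(log_text):
    """Sorted, de-duplicated PAM modules the stack gave up on (these lines are
    worth alerting on: an unloadable auth module changes how the stack behaves)."""
    return sorted({m.group("module") for m in FAULTY_RE.finditer(log_text)})


def version_tuple(name):
    """'GLIBC_2.14' -> (2, 14), so 2.14 sorts after 2.4 instead of lexically before it."""
    return tuple(int(p) for p in name.split("_", 1)[1].split("."))


def highest_required(failures):
    """Highest symbol version demanded from each providing library across all failures."""
    best = {}
    for f in failures:
        current = best.get(f["provider"])
        if current is None or version_tuple(f["version"]) > version_tuple(current):
            best[f["provider"]] = f["version"]
    return best


def glibc_versions_in(path):
    """Heuristic scan of an ELF file's string tables for GLIBC_x.y names.
    For libc.so.6 these are the versions it defines; for a dependent library
    (e.g. libnsl.so.1) they are the versions it requires."""
    data = Path(path).read_bytes()
    return sorted({m.group(0).decode() for m in GLIBC_VER_RE.finditer(data)},
                  key=version_tuple)


def missing_versions(required, provided):
    """Symbol versions are matched by exact name, so membership is the right test."""
    return [v for v in required if v not in set(provided)]


if __name__ == "__main__":
    failures = parse_dlopen_failures(SAMPLE_LOG)
    for f in failures:
        print(f"{f['module']}: {f['dependency']} needs {f['version']} from {f['provider']}")
    print("faulty PAM modules:", faulty_modules(SAMPLE_LOG))
    # Live check on this host, if the libraries named in the log exist here.
    for provider, version in highest_required(failures).items():
        if Path(provider).exists():
            provided = glibc_versions_in(provider)
            print(provider, "defines up to", provided[-1] if provided else "nothing",
                  "- missing:", missing_versions([version], provided))
```

The two modules that fail are the ones listed as `sufficient` in the `auth` stack, so with them unloadable the LDAP path never runs and local pam_unix is the only thing left; the script's `faulty_modules` output is the line to watch for in syslog. The root-cause check is the last loop: if /lib64/libnsl.so.1 lists GLIBC_2.14 but /lib64/libc.so.6 stops at an earlier version, libnsl (or whatever pulled it in) was built for a newer glibc than the one installed, which points at a package from a different release rather than at the PAM configuration.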

