Maarten Buiter | 1 Apr 2003 16:03

pam_ldap timeout problem

Hi All!

Last weekend the computer on which my LDAP server runs
crashed, and it became impossible to login on any other Linux
system in the network, even with a local (root) account.

My network contains two physically different LDAP servers,
and when I bring down the ldap-software on one server, the rest
of the computers in the network immediately start using the other
ldap-server, because TCP/IP (on the first server) denies the connection
made to the LDAP-port.

However, when I turn off the first LDAP server's computer, TCP/IP
is no longer able to deny an attempt to make a connection to the LDAP port,
and I suspect the pam_ldap module (on a random client PC) to start waiting
for ages before it eventually moves to the second server (it does move,
but really, it takes very long, and I suspect these delays to accumulate).

Does anybody know if what I suspect is right: does the pam_ldap module
wait very long when a connection attempt is not immediately denied?
And, if so, does anybody know a remedy?

Many thanks in advance!

Maarten Buiter

PS: this is my /etc/pam.d/system-auth, my pam.conf follows:

#%PAM-1.0
# This file is auto-generated.

Les Mikesell | 1 Apr 2003 16:29

Re: pam_ldap timeout problem

On Tue, 2003-04-01 at 08:03, Maarten Buiter wrote:

> However, when I turn off the first LDAP server's computer, TCP/IP
> is no longer able to deny an attempt to make a connection to the LDAP port,
> and I suspect the pam_ldap module (on a random client PC) to start waiting
> for ages before it eventually moves to the second server (it does move,
> but really, it takes very long, and I suspect these delays to accumulate).

Is the first ldap server on the other side of a router from the
clients?  As soon as your arp cache for the IP address times out you
should get a quick failure when you attempt to contact a host that is
down. Individual hosts typically have fast timeout on their arp cache
but routers might keep a dead entry for 20 minutes.  If it is a Cisco
you can use the command 'clear arp' to make it realize the address
is unreachable.

---
  Les Mikesell
    les <at> futuresource.com
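An added example (not code from the thread or from pam_ldap) of the situation Maarten describes and Les's distinction between a host that answers and one that does not: a client tries the configured servers in order with a hard connect timeout, so a host that never answers costs a bounded amount of time; the servers are constructed loopback sockets.

```python
import socket
import time

def first_reachable(servers, timeout):
    """Try each (host, port) in order and return (host, port, seconds_spent)
    for the first one that completes a TCP connection, or None if all fail.
    With an explicit timeout a silent host costs at most `timeout` seconds
    per attempt; with no timeout the OS connect timeout applies, which is
    the long wait described in the thread."""
    started = time.monotonic()
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return host, port, time.monotonic() - started
        except OSError:
            continue  # refused (RST) or timed out: move on to the next server
    return None

def demo():
    """Constructed setup: a 'dead' LDAP server that is a bound but not
    listening loopback port (the kernel answers with RST, like a server
    whose ldap software is stopped) and a live one that accepts. A host
    that is powered off sends nothing at all and would cost the full
    timeout instead. Returns (result, dead_port)."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(5)
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    try:
        dead_port = dead.getsockname()[1]
        servers = [("127.0.0.1", dead_port),
                   ("127.0.0.1", live.getsockname()[1])]
        return first_reachable(servers, timeout=2.0), dead_port
    finally:
        live.close()
        dead.close()

if __name__ == "__main__":
    print(demo())
```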
Maarten Buiter | 1 Apr 2003 16:47

Re: pam_ldap timeout problem

Hi Les,

Thanks for your suggestion, but I'm afraid this doesn't apply
to my network situation. All Linux computers are on the same
switch, which is an HP J4093A ProCurve Switch 2424M.

Stefan Voelkel | 1 Apr 2003 17:41

pam_ldap/eDirectory password change fails.

Hello,

I am using eDirectory 8.7 and pam_ldap successfully to authenticate
users.

But as root I can not change user passwords (whereas as a user I can change
my own password):

root@dhcp233~# passwd foo
Changing password for user foo.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
LDAP password information update failed: Unknown error

passwd: Permission denied

Syslog tells me:

Jun 16 07:50:12 dhcp233 passwd(pam_unix)[969]: user "foo" does not exist in /etc/passwd or NIS
Jun 16 07:50:22 dhcp233 passwd[969]: pam_ldap: ldap_modify_s DSA is unwilling to perform

ldap.conf:

host 127.0.0.1

# The distinguished name of the search base.
base ou=stuttgart,o=acme

binddn cn=root,ou=stuttgart,o=acme
bindpw *****
rootbinddn cn=admin,o=acme

scope sub

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

pam_password nds

ssl no

system-auth:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

If I create an ldif file:

dn: cn=foo,ou=stuttgart,o=acme
changetype: modify
userPassword: foobar

and use ldapmodify:

ldapmodify -x -D cn=root,ou=stuttgart,o=acme -w ****** -v < /tmp/foo

it works. 

Any ideas?

regards
	Stefan
-- 
--------------------------------------------------------------------
Stefan Völkel                            stefan.voelkel <at> millenux.com
Millenux GmbH                              mobile: +49.170.79177.17
Lilienthalstraße 2                          phone: +49.711.88770.300
70825 Stuttgart-Korntal                       fax: +49.711.88770.349
     -= linux without limits -=- http://linux.zSeries.org/ =-
Stefan Voelkel | 1 Apr 2003 17:43

Re: IP address of remote host

On Tue, 2003-01-14 at 16:42, Jim Potter wrote:
> Hi All, 
Hi,

>    I've been trying to write a PAM module that checks users against
> the list of users currently logged on to Samba, and I can't find any
> good way of getting the IP address of the host they are logging in from
> - PAM_RHOST returns the hostname rather than an IP address. 
>    Is there a PAM_ITEM or anything with the IP address in?

I am interested in this too, since I want to write a one time password
pam module, that will only work from some ip addresses.

The idea is to allow users logging in from the lan to use their standard
password and force those coming from the wan to use otp's

regards
	Stefan

-- 
--------------------------------------------------------------------
Stefan Völkel                            stefan.voelkel <at> millenux.com
Millenux GmbH                              mobile: +49.170.79177.17
Lilienthalstraße 2                          phone: +49.711.88770.300
70825 Stuttgart-Korntal                       fax: +49.711.88770.349
     -= linux without limits -=- http://linux.zSeries.org/ =-
Jason Clifford | 1 Apr 2003 21:07

Re: IP address of remote host

On 1 Apr 2003, Stefan Voelkel wrote:

> >    I've been trying to write a PAM module that checks users against
> > the list of users currently logged on to Samba, and I can't find any
> > good way of getting the IP address of the host they are logging in from
> > - PAM_RHOST returns the hostname rather than an IP address. 
> >    Is there a PAM_ITEM or anything with the IP address in?
> 
> I am interested in this too, since I want to write a one time password
> pam module, that will only work from some ip addresses.
> 
> The idea is to allow users logging in from the lan to use their standard
> password and force those coming from the wan to use otp's

PAM_RHOST is the correct item; however, the data it contains is subject to
the application rather than PAM.

When dealing with this here (with Apache and mod_auth_pam) I simply
patched mod_auth_pam to supply the IP address rather than the host name.

The problem stems from the fact that both are valid data for PAM_RHOST.

I think you could use the pam_rhosts_auth.so module for this with the 
/etc/hosts.equiv file however that feels really kludgy to me and would 
probably lead to confusion.

Jason Clifford
-- 
UKFSN.ORG		Finance Free Software while you surf the 'net
http://www.ukfsn.org/			Sign up now
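Stefan's LAN/WAN policy with Jason's caveat applied, as an added example (not code from the thread or from any PAM module): only an address literal in PAM_RHOST is evaluated, and a host name supplied by the application is treated as unclassifiable so the stricter OTP policy applies; the LAN ranges are constructed.

```python
import ipaddress

# Constructed LAN ranges for the example; a real module would read these
# from its own configuration.
LAN_NETS = [ipaddress.ip_network("192.168.10.0/24"),
            ipaddress.ip_network("10.0.0.0/8")]

def classify_rhost(rhost, lan_nets=LAN_NETS):
    """Classify a PAM_RHOST value as 'lan', 'wan' or 'unknown'.
    PAM_RHOST may hold either a host name or an address, depending on
    the application; only an address literal is evaluated here, so a host
    name (or an empty value) yields 'unknown' rather than a guess."""
    if not rhost:
        return "unknown"
    try:
        addr = ipaddress.ip_address(rhost.strip())
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "lan"
    return "lan" if any(addr in net for net in lan_nets) else "wan"

def requires_otp(rhost):
    """Policy from the thread: LAN clients may use their standard
    password; everything else, including an unclassifiable PAM_RHOST,
    must present a one-time password (fail closed)."""
    return classify_rhost(rhost) != "lan"
```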
tforeman | 2 Apr 2003 18:12

mod_auth_pam problems

I am trying to get mod_auth_pam v1.1.1 to run on Apache 1.3.27 and
RedHat 8.0 and having a few problems.

I got the module to compile and finally got it so it works, sort of.

The first problem is that I am trying to grant and deny access to 
directories using system groups and it doesn't seem to work. It is
allowing _any_ authenticated user in.

The second problem is that I want to have it use the Apache passwd
and group files if the user is not in the system files. This doesn't
seem to work at all.

The relevant section of my httpd.conf file looks like this:

<Directory /home/public/col>
   Options Indexes FollowSymLinks MultiViews
   ## turn on auth_pam
   AuthPAM_Enabled on
   ## turn on fall through
   AuthPAM_FallThrough on
   AuthType Basic
   AuthName "elmo.ibsys.com"
   AuthUserFile /usr/local/apache/User_File
   AuthGroupFile /usr/local/apache/Group_File
   require group col
</Directory>

My /etc/pam.d/httpd file looks like this:
#%PAM-1.0
auth       required      /lib/security/pam_stack.so service=system-auth
account    required      /lib/security/pam_stack.so service=system-auth 

There is a 'col' group in the /etc/group file with one user in it.
However I can authenticate and get into the directory as any user in
the /etc/passwd file.

I also have a user in the Apache user and group files that does not exist
as a system user and they can not authenticate at all.

Suggestions?
--
Timothy W. Foreman   ~   System Administrator   ~   tforeman <at> ibsys.com
Internet Broadcasting Systems ~ (651) 365-4181 ~ http://www.ibsys.com/
--
"I swear to god, if people treated their cars they way they treat their 
 computers, half the cars on the road would be covered in bumper stickers 
 advertising porno, and their trunks would be filled with rotting garbage."
 --Christian Wagner in the Scary Devil Monastery
John Stucki | 3 Apr 2003 19:09

Re: pam_ldap/eDirectory password change fails.

I've been trying to get eDirectory 8.7 & pam_ldap to work for a while.
I am able to authenticate, but I still have to have entries in the
/etc/passwd file for my users. Did you get it to work without having to
put user entries in the /etc/passwd file?

Stefan Voelkel wrote:
> Hello,
> 
> I am using eDirectory 8.7 and pam_ldap successfully to authenticate
> users.
> 
> But as root I can not change user passwords (whereas user I can change
> my own password):

-- 
John T. Stucki                                          Work Address:
Network Administrator, IT Department                    40 West 4th Street - Room 515
Stern School of Business, New York University           New York, NY  10012
E-mail: jstucki <at> stern.nyu.edu                           Phone: 212.998.0160
Web: http://www.stern.nyu.edu/~jstucki                  Fax: 212.995.4236
Stefan Voelkel | 3 Apr 2003 19:20

Re: pam_ldap/eDirectory password change fails.

On Thu, 2003-04-03 at 19:09, John Stucki wrote:
> I've been trying to get eDirectory 8.7 & pam_ldap to work for a while. 
> I am able to authenticate, but I still have to have entries in 
> /etc/passwd file for my users, did you get it to work without having to 
> put user entries in the /etc/passwd file?

Yes. Check your nsswitch.conf, ldap.conf, and pam.d/whatever. There are
LDAP HOWTOs on the net that explain all those things.

> Stefan Voelkel wrote:
> > Hello,
> > 
> > I am using eDirectory 8.7 and pam_ldap successfully to authenticate
> > users.
> > 
> > But as root I can not change user passwords (whereas user I can change
> > my own password):

It seems that pam_password nds in ldap.conf causes the trouble, at least
with the pam version Red Hat 7.3 ships.

eDirectory does have a userPassword attribute, but does not export it.
In pam_ldap.c, around line 2377, it tries to delete the attribute and
then reset it. The deletion fails. We are looking into a pam_password
edir patch and checking if pam_password clear works.

regards
	Stefan
-- 
--------------------------------------------------------------------
Stefan Völkel                            stefan.voelkel <at> millenux.com
Millenux GmbH                              mobile: +49.170.79177.17
Lilienthalstraße 2                          phone: +49.711.88770.300
70825 Stuttgart-Korntal                       fax: +49.711.88770.349
     -= linux without limits -=- http://linux.zSeries.org/ =-
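An added example (not code from the thread, pam_ldap or Linux-PAM) that walks the password stack from Stefan's system-auth with the module outcomes this thread reports, to show how a failed LDAP modify ends in "passwd: Permission denied"; the module outcomes are assumptions stated in the code, and the control-flag logic is a simplification of Linux-PAM's.

```python
# Password stack from the system-auth in the thread, with the wrapped
# lines rejoined and the /lib/security/ paths shortened.
SYSTEM_AUTH = """\
password    required      pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
"""

def parse_stack(text, stack_type):
    """Return [(control, module)] for one management group, in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == stack_type:
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries

def run_stack(entries, results):
    """Simplified Linux-PAM control-flag evaluation. `results` maps a
    module file name to True (success) or False (failure); modules not
    listed are treated as failing."""
    failed = False
    for control, module in entries:
        ok = results.get(module, False)
        if control == "required" and not ok:
            failed = True            # keep running, but the stack fails
        elif control == "requisite" and not ok:
            return False             # stop immediately
        elif control == "sufficient" and ok and not failed:
            return True              # short-circuit: later modules never run
        # a failing 'sufficient' and any 'optional' result are ignored here
    return not failed

def password_change_outcome(ldap_modify_ok):
    """Outcome of 'passwd foo' run by root for an LDAP-only user.
    Assumed results: pam_cracklib accepts the retyped password; pam_unix
    fails because foo is not in /etc/passwd (the syslog line in the
    thread); pam_ldap's result depends on whether its modify succeeded;
    pam_deny always fails."""
    results = {"pam_cracklib.so": True, "pam_unix.so": False,
               "pam_ldap.so": ldap_modify_ok, "pam_deny.so": False}
    return run_stack(parse_stack(SYSTEM_AUTH, "password"), results)
```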

PAM module with C++

Hi,

Is it possible to make a PAM module using C++? If yes, what do I need to do?

Thanks,

Wanner.
-- 
|--------------------------------|
| Wanner  Vinicius Fagundes Lima |
|  Ciencia da Computacao - UFLA  |
|      Linux User # 227651       |
|        ICQ # 14495104          |
|   www.comp.ufla.br/~wanner     |
|--------------------------------|