[colug-432] chkpam
Travis Sidelinger
travissidelinger at gmail.com
Sun Sep 11 15:10:05 EDT 2011
No problem.
On Sun, Sep 11, 2011 at 2:46 PM, Matthew Gardlik, Ph.D. <matt at mattgardlik.com> wrote:
> Hi Travis,
>
> With a little more tinkering, I was able to get groups to work. I modified
> my group entry to:
>
>
> dn: cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root
> objectclass: posixGroup
> gidnumber: 2000
>
> cn: admins
> description: Administrators for mattgardlik.com.com.
> memberuid: mattgardlik
>
> and was able to "getent group" to see the group:
>
> [root at MMG_GUEST_001 mattlinux]# getent group | grep mattgardlik
> admins:*:2000:mattgardlik
>
> Thank you again for all your help. I have appreciated it greatly. If I
> can ever be of help to you in the future, please do not hesitate to shoot me
> an email.
>
> Matt
>
> --
> Matthew M. Gardlik, Ph.D.
> Registered Patent Agent, Reg. No. 67,089
> 614-607-0710
> matt at mattgardlik.com
> http://www.mattgardlik.com/
>
> -------- Original Message --------
> Subject: Re: chkpam
> Date: Sun, 11 Sep 2011 12:53:16 -0400
> From: Matthew Gardlik, Ph.D. <matt at mattgardlik.com>
> To: Travis <travissidelinger at gmail.com>
>
> Travis,
>
> I was working on getting groups up and running this morning.
>
> I added the following lines to /etc/ldap.conf:
>
> # Group to enforce membership of
> pam_groupdn cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root
> # Group member attribute
> pam_member_attribute member
>
> and added the following nodes to my LDAP directory:
>
> #groups entry
> dn: ou=groups,dc=mattgardlik,dc=com,dc=root
> objectclass: organizationalunit
> ou: groups
> description: Groups for mattgardlik.com.
>
> #admins group
> dn: cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root
> objectclass: groupofnames
> cn: admins
> description: Administrators for mattgardlik.com.com.
> member: uid=mattgardlik,ou=people,dc=mattgardlik,dc=com,dc=root
>
> Unfortunately, when I run "getent group", I don't see this new group:
>
> [root at MMG_GUEST_001 mattlinux]# getent group | grep admins
> [root at MMG_GUEST_001 mattlinux]#
>
> Any ideas about what I may have missed here?
>
> Matt
>
> On 9/9/11 11:24 PM, Travis wrote:
>
>> Yes, you need to create separate objects for groups in LDAP. Groups have a
>> different objectclass.
>>
>> No, a user can only have one primary gid.
>>
>> Sent from my Samsung Intercept™
>>
>> "Matthew Gardlik, Ph.D."<matt at mattgardlik.com> wrote:
>>
>>> I hadn't, but "getent passwd" looks good; however, there is no entry
>>> when I run "getent group":
>>>
>>> [mattlinux at MMG_GUEST_001 ~]$ getent passwd | grep mattgardlik
>>> mattgardlik:*:2000:2000:Matthew Gardlik, Ph.D.:/home/mattgardlik:/bin/bash
>>>
>>> [mattlinux at MMG_GUEST_001 ~]$ getent group | grep mattgardlik
>>> [mattlinux at MMG_GUEST_001 ~]$
>>>
>>> I hadn't thought too much about groups just yet. I simply set both uid
>>> and gid to 2000. How do you handle groups in LDAP? Do you need to
>>> create a separate node for the group? Can a user have more than one gid
>>> in their entry to belong to more than one group?
>>>
>>>
>>>
>>> On 9/9/11 6:49 AM, Travis Sidelinger wrote:
>>>
>>>> Have you checked name services with the "getent passwd" and "getent group"
>>>> commands?
>>>>
>>>> On Thu, Sep 8, 2011 at 8:13 PM, Matthew Gardlik, Ph.D. <matt at mattgardlik.com> wrote:
>>>>
>>>> It looks like I did install pam_ldap when I was setting things up.
>>>>
>>>> I was just able to authenticate against the LDAP database:
>>>>
>>>> [root at MMG_GUEST_001 pam]# ./chkpam -u mattgardlik -s system-auth -v -a
>>>> Username: mattgardlik
>>>> Pam Service: system-auth
>>>> Authenicating the user:
>>>> Password:
>>>> Status: Success
>>>> The user is authenticated.
>>>> Authorizing the user:
>>>> Status: Success
>>>> The user account is active and permitted to access the system.
>>>> Closing PAM session:
>>>>
>>>> I was also able to log in via ssh using the LDAP credentials:
>>>>
>>>> [mattlinux at macbook ~]$ ssh mattgardlik at 192.168.1.12
>>>> mattgardlik at 192.168.1.12's password:
>>>> Last login: Thu Sep 8 19:48:24 2011 from 192.168.1.2
>>>> Could not chdir to home directory /home/mattgardlik: No such file or directory
>>>>
>>>>
>>>> I even was able to create my own "service" called check-user
>>>>
>>>> [root at MMG_GUEST_001 pam]# more /etc/pam.d/check-user
>>>> #added entries by me to attempt LDAP authentication
>>>> auth sufficient pam_ldap.so
>>>> account sufficient pam_ldap.so use_first_pass
>>>> password sufficient pam_ldap.so use_authtok
>>>>
>>>> and authenticate against this "service":
>>>>
>>>> [root at MMG_GUEST_001 pam]# ./chkpam -u mattgardlik -s check-user -v -a
>>>> Username: mattgardlik
>>>> Pam Service: check-user
>>>> Authenicating the user:
>>>> Password:
>>>> Status: Success
>>>> The user is authenticated.
>>>> Authorizing the user:
>>>> Status: Success
>>>> The user account is active and permitted to access the system.
>>>> Closing PAM session:
>>>>
>>>> Thank you again for all your help. I really do appreciate it. I
>>>> have been playing with OpenLDAP on and off for a while, and it feels
>>>> satisfying to finally get it to work.
>>>>
>>>> I think you were correct when you said there was no black magic
>>>> involved. It has, however, reaffirmed my observation that setting
>>>> up things like this is always the most difficult the first time you
>>>> do it. After learning by stumbling through it the first time, it
>>>> becomes easier the next time.
>>>>
>>>> Thank you!
>>>>
>>>> Matt
>>>>
>>>>
>>>>
>>>> On 9/8/11 2:59 PM, Travis Sidelinger wrote:
>>>>
>>>> Matthew,
>>>>
>>>> I'm actually setting up a RHEL5 host right now. Make sure you have
>>>> installed "yum install pam_ldap"
>>>>
>>>> On Thu, Sep 8, 2011 at 1:11 PM, Matthew Gardlik, Ph.D. <matt at mattgardlik.com> wrote:
>>>>
>>>> I must have missed the makefile when I looked at your webpage. It
>>>> compiles fine here using the makefile you provided. It looks like I
>>>> forgot to link to the pam_misc library.
>>>>
>>>> Thank you,
>>>>
>>>> Matt
>>>>
>>>>
>>>> On 9/8/11 1:00 PM, Travis Sidelinger wrote:
>>>>
>>>> Yes, I suggest using Redhat's authconfig to configure PAM+LDAP.
>>>>
>>>> It will update your /etc/ldap.conf, /etc/nsswitch.conf, and /etc/pam.d/*
>>>> files.
>>>>
>>>> The /etc/nsswitch.conf file is the "switch" you are looking for.
>>>>
>>>> Also, I see Brian posted to the Colug list a reply. Brian is a great
>>>> ldap resource too.
>>>>
>>>> pamchk?? Oh wow, that's old stuff. I'd have to take a look again. All
>>>> that stuff needs to be cleaned up.... I'll have to take a look. Hum...
>>>> pamchk seems fine here (Linux raistlin 2.6.40.3-0.fc15.x86_64 #1 SMP Tue
>>>> Aug 16 04:10:59 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux). Did you build
>>>> it with the Makefile? See Makefile here...
>>>>
>>>> ####################################################
>>>> # Makefile for: chkpam
>>>> # Programmer: Travis Sidelinger
>>>> # Date: 2005May14
>>>>
>>>> ## Variables ##
>>>> CC = gcc
>>>> CFLAGS = -DUSE_PAM -g -Wall
>>>> LDFLAGS = -ldl -lpam -lpam_misc
>>>>
>>>> ## Main ##
>>>>
>>>> all: chkpam
>>>>
>>>> chkpam: chkpam.o
>>>> 	$(CC) -o chkpam chkpam.o $(LDFLAGS)
>>>>
>>>> chkpam.o: chkpam.c
>>>> 	$(CC) -c chkpam.c $(CFLAGS)
>>>>
>>>> clean:
>>>> 	rm -f chkpam.o chkpam core.*
>>>> ####################################################
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Sep 7, 2011 at 8:07 PM, Matthew Gardlik, Ph.D. <matt at mattgardlik.com> wrote:
>>>>
>>>> Hi Travis,
>>>>
>>>> I had a few more questions for you if you don't mind. I ran across
>>>> a webpage that suggested running "authconfig --test" to see how PAM
>>>> is configured. The relevant portion of the output is shown below:
>>>>
>>>> [root at MMG_GUEST_001 pam]# authconfig --test
>>>> . . .
>>>> pam_ldap is disabled
>>>>
>>>> LDAP+TLS is disabled
>>>> LDAP server = "ldap://127.0.0.1/"
>>>>
>>>> LDAP base DN = "dc=root"
>>>> . . .
>>>>
>>>> I'm running a virtual instance of CentOS 5.6. Do I need to flip a
>>>> switch somewhere to enable ldap? Or, how does authconfig determine
>>>> which methods are enabled? I thought I had configured /etc/ldap.conf,
>>>> but maybe I need to enable ldap somewhere else before the config file
>>>> is looked at?
>>>>
>>>> I noticed a program you wrote called chkpam when looking at your
>>>> website. I thought it might be useful to me as I played with PAM and
>>>> LDAP. I ran into a few problems though.
>>>>
>>>> When compiling, I got the following errors:
>>>>
>>>> [root at MMG_GUEST_001 pam]# g++ -c main-old.cpp
>>>> main-old.cpp: In function ‘int main(int, char**)’:
>>>> main-old.cpp:68: error: invalid conversion from ‘void*’ to ‘char*’
>>>> main-old.cpp:74: error: invalid conversion from ‘void*’ to ‘char*’
>>>>
>>>> So, I cast the return values from malloc as char*:
>>>>
>>>> [root at MMG_GUEST_001 pam]# diff main-old.cpp
>>>> main.cpp
>>>> 68c68
>>>> < username = malloc(sizeof(optarg));
>>>> ---
>>>> > username = (char*) malloc(sizeof(optarg));
>>>> 74c74
>>>> < pam_service = malloc(sizeof(optarg));
>>>> ---
>>>> > pam_service = (char*)
>>>> malloc(sizeof(optarg));
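Review bot: the `(char*)` casts at 68c68 and 74c74 only silence the C++ conversion error; the size passed to malloc is still wrong on both lines. `optarg` is a `char *`, so `sizeof(optarg)` is the size of a pointer (4 or 8 bytes), not the length of the option text, and any username or service name longer than that will not fit in the buffer it allocates. Allocate `strlen(optarg) + 1` bytes, or simply use `username = strdup(optarg);` and `pam_service = strdup(optarg);` (and `free()` both before exit).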
>>>>
>>>>
>>>> It then compiled. However, when I tried to link to libpam, I get:
>>>>
>>>> [root at MMG_GUEST_001 pam]# g++ -o main main.o -lpam
>>>> main.o:(.data+0x0): undefined reference to `misc_conv'
>>>> collect2: ld returned 1 exit status
>>>>
>>>> Am I linking incorrectly? It looks like misc_conv is a structure
>>>> defined in the pam headers. I'm not quite sure what I'm doing wrong
>>>> here.
>>>>
>>>>
>>>> --
>>>> Matthew M. Gardlik, Ph.D.
>>>> Registered Patent Agent, Reg. No. 67,089
>>>> 614-607-0710
>>>> matt at mattgardlik.com
>>>> http://www.mattgardlik.com/
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> "A careful reading of history clearly demonstrates ...
>>>> that people don't read history carefully."
--
"A careful reading of history clearly demonstrates ...
that people don't read history carefully."
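A check for the group problem worked through in the thread above, added here as an example and not code from the thread or from chkpam: given the pam_ldap lines of /etc/ldap.conf and an LDIF dump of the group entries, it reports per group whether nss_ldap would list it in `getent group` (by default only posixGroup entries with cn and gidNumber) and whether pam_ldap's pam_groupdn check would admit the user (the entry named by pam_groupdn must carry the user under pam_member_attribute). The LDIF and ldap.conf text are constructed from Matt's entries; the function names are my own, and the uniqueMember fallback is the default shown in pam_ldap's sample ldap.conf.

```python
LDAP_CONF = """pam_groupdn cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root
pam_member_attribute member
"""  # constructed from the lines Matt added to /etc/ldap.conf
LDIF = """dn: cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root
objectclass: groupofnames
cn: admins
member: uid=mattgardlik,ou=people,dc=mattgardlik,dc=com,dc=root

dn: cn=wheel,ou=groups,dc=mattgardlik,dc=com,dc=root
objectclass: posixGroup
gidnumber: 2000
cn: wheel
memberuid: mattgardlik
"""  # constructed: Matt's groupOfNames entry plus a posixGroup one; not a live dump

def norm_dn(dn):  # DNs compare case-insensitively, ignoring space around commas
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldap_conf(text):  # 'key value' lines of /etc/ldap.conf; '#' lines are comments
    lines = [l.strip() for l in text.splitlines() if l.strip() and l[:1] != "#"]
    return {k.lower(): v.strip() for k, _, v in (l.partition(" ") for l in lines)}

def parse_ldif(text):
    """Blank-line separated LDIF -> list of {attr(lowercased): [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append({})
        for name, _, value in (l.partition(":") for l in block.splitlines() if l[:1] != "#"):
            entries[-1].setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def nss_visible(entry):
    """nss_ldap's default group map: only posixGroup entries with cn and gidNumber."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "posixgroup" in classes and "gidnumber" in entry and "cn" in entry

def pam_groupdn_allows(entry, conf, user_dn, uid):
    """pam_ldap: entry must be pam_groupdn itself and list the user in pam_member_attribute."""
    if norm_dn(entry["dn"][0]) != norm_dn(conf.get("pam_groupdn", "")):
        return False  # any other group is never consulted by pam_groupdn
    attr = conf.get("pam_member_attribute", "uniquemember").lower()  # pam_ldap sample default
    members = {norm_dn(v) for v in entry.get(attr, [])}  # a DN (member) or a login (memberUid)
    return norm_dn(user_dn) in members or uid.lower() in members

def check_groups(ldif=LDIF, conf_text=LDAP_CONF, uid="mattgardlik",
                 user_dn="uid=mattgardlik,ou=people,dc=mattgardlik,dc=com,dc=root"):
    """Per group: would getent list it, and would pam_groupdn admit this user?"""
    conf = parse_ldap_conf(conf_text)
    return {e.get("cn", e["dn"])[0]: {"getent": nss_visible(e),
                                      "pam_groupdn": pam_groupdn_allows(e, conf, user_dn, uid)}
            for e in parse_ldif(ldif) if "dn" in e}
```

With Matt's first configuration the admins group passes the pam_groupdn check but is invisible to getent, which is exactly the symptom he reported; a posixGroup entry shows the reverse unless pam_groupdn is pointed at it with pam_member_attribute memberUid.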