No problem.<br><br><div class="gmail_quote">On Sun, Sep 11, 2011 at 2:46 PM, Matthew Gardlik, Ph.D. <span dir="ltr"><<a href="mailto:matt@mattgardlik.com">matt@mattgardlik.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi Travis,<br>
<br>
With a little more tinkering, I was able to get groups to work. I modified my group entry to:<div class="im"><br>
<br>
dn: cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root<br></div>
objectclass: posixGroup<br>
gidnumber: 2000<div class="im"><br>
cn: admins<br>
description: Administrators for <a href="http://mattgardlik.com.com" target="_blank">mattgardlik.com.com</a>.<br></div>
memberuid: mattgardlik<br>
<br>
and was able to "getent group" to see the group:<br>
<br>
[root@MMG_GUEST_001 mattlinux]# getent group | grep mattgardlik<br>
admins:*:2000:mattgardlik<br>
<br>
Thank you again for all your help. I have appreciated it greatly. If I can ever be of help to you in the future, please do not hesitate to shoot me an email.<br>
<br>
Matt<br><font color="#888888">
<br>
-- <br></font><div class="im">
Matthew M. Gardlik, Ph.D.<br>
Registered Patent Agent, Reg. No. 67,089<br>
<a href="tel:614-607-0710" value="+16146070710" target="_blank">614-607-0710</a><br>
</div><div class="im"><a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a><br>
<a href="http://www.mattgardlik.com/" target="_blank">http://www.mattgardlik.com/</a><br>
<br></div><div><div></div><div class="h5">
-------- Original Message --------<br>
Subject: Re: chkpam<br>
Date: Sun, 11 Sep 2011 12:53:16 -0400<br>
From: Matthew Gardlik, Ph.D. <<a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a>><br>
To: Travis <<a href="mailto:travissidelinger@gmail.com" target="_blank">travissidelinger@gmail.com</a>><br>
<br>
Travis,<br>
<br>
I was working on getting groups up and running this morning,<br>
<br>
I added the following lines to /etc/ldap.conf:<br>
<br>
# Group to enforce membership of<br>
pam_groupdn cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root<br>
# Group member attribute<br>
pam_member_attribute member<br>
<br>
and added the following nodes to my LDAP directory:<br>
<br>
#groups entry<br>
dn: ou=groups,dc=mattgardlik,dc=com,dc=root<br>
objectclass: organizationalunit<br>
ou: groups<br>
description: Groups for <a href="http://mattgardlik.com" target="_blank">mattgardlik.com</a>.<br>
<br>
#admins group<br>
dn: cn=admins,ou=groups,dc=mattgardlik,dc=com,dc=root<br>
objectclass: groupofnames<br>
cn: admins<br>
description: Administrators for <a href="http://mattgardlik.com.com" target="_blank">mattgardlik.com.com</a>.<br>
member: uid=mattgardlik,ou=people,dc=mattgardlik,dc=com,dc=root<br>
<br>
Unfortunately, when I run "getent group", I don't see this new group:<br>
<br>
[root@MMG_GUEST_001 mattlinux]# getent group | grep admins<br>
[root@MMG_GUEST_001 mattlinux]#<br>
<br>
Any ideas about what I may have missed here?<br>
<br>
Matt<br>
<br>
On 9/9/11 11:24 PM, Travis wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yes, you need to create separate objects for groups in LDAP. Groups have a different objectclass.<br>
<br>
No, a user can only have one primary gid.<br>
<br>
Sent from my Samsung Intercept™<br>
<br>
"Matthew Gardlik, Ph.D."<<a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I hadn't, but "getent passwd" looks good; however, there is no entry when I run "getent group":<br>
<br>
[mattlinux@MMG_GUEST_001 ~]$ getent passwd | grep mattgardlik<br>
mattgardlik:*:2000:2000:Matthew Gardlik, Ph.D.:/home/mattgardlik:/bin/bash<br>
<br>
[mattlinux@MMG_GUEST_001 ~]$ getent group | grep mattgardlik<br>
[mattlinux@MMG_GUEST_001 ~]$<br>
<br>
I hadn't thought too much about groups just yet. I simply set both uid and gid to 2000. How do you handle groups in LDAP? Do you need to create a separate node for the group? Can a user have more than one gid in their entry to belong to more than one group?<br>
<br>
<br>
<br>
On 9/9/11 6:49 AM, Travis Sidelinger wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Have you checked name services with the "getent passwd" and "getent group" commands?<br>
<br>
On Thu, Sep 8, 2011 at 8:13 PM, Matthew Gardlik, Ph.D.<br>
<<a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a>> wrote:<br>
<br>
It looks like I did install pam_ldap when I was setting things up.<br>
<br>
I was just able to authenticate against the LDAP database:<br>
<br>
[root@MMG_GUEST_001 pam]# ./chkpam -u mattgardlik -s system-auth -v -a<br>
Username: mattgardlik<br>
Pam Service: system-auth<br>
Authenicating the user:<br>
Password:<br>
Status: Success<br>
The user is authenticated.<br>
Authorizing the user:<br>
Status: Success<br>
The user account is active and permitted to access the system.<br>
Closing PAM session:<br>
<br>
I was also able to login via ssh using the LDAP credentials via ssh:<br>
<br>
[mattlinux@macbook ~]$ ssh mattgardlik@192.168.1.12<br>
mattgardlik@192.168.1.12's password:<br>
Last login: Thu Sep 8 19:48:24 2011 from 192.168.1.2<br>
Could not chdir to home directory /home/mattgardlik: No such file or directory<br>
<br>
<br>
I even was able to create my own "service" called check-user<br>
<br>
[root@MMG_GUEST_001 pam]# more /etc/pam.d/check-user<br>
#added entries by me to attempt LDAP authentication<br>
auth sufficient pam_ldap.so<br>
account sufficient pam_ldap.so use_first_pass<br>
password sufficient pam_ldap.so use_authtok<br>
<br>
and authenticate against this "service":<br>
<br>
[root@MMG_GUEST_001 pam]# ./chkpam -u mattgardlik -s check-user -v -a<br>
Username: mattgardlik<br>
Pam Service: check-user<br>
Authenicating the user:<br>
Password:<br>
Status: Success<br>
The user is authenticated.<br>
Authorizing the user:<br>
Status: Success<br>
The user account is active and permitted to access the system.<br>
Closing PAM session:<br>
<br>
Thank you again for all your help. I really do appreciate it. I have been playing with OpenLDAP on and off for a while, and it feels satisfying to finally get it to work.<br>
<br>
I think you were correct when you said there was no black magic involved. It has, however, reaffirmed my observation that setting up things like this is always the most difficult the first time you do it. After learning by stumbling through it the first time, it becomes easier the next time.<br>
<br>
Thank you!<br>
<br>
Matt<br>
<br>
<br>
<br>
On 9/8/11 2:59 PM, Travis Sidelinger wrote:<br>
<br>
Matthew,<br>
<br>
I'm actually setting up a RHEL5 host right now. Make sure you have<br>
installed "yum install pam_ldap"<br>
<br>
On Thu, Sep 8, 2011 at 1:11 PM, Matthew Gardlik, Ph.D.<br>
<<a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a>> wrote:<br>
<br>
I must have missed the makefile when I looked at your webpage. It compiles fine here using the makefile you provided. It looks like I forgot to link to the pam_misc library.<br>
<br>
Thank you,<br>
<br>
Matt<br>
<br>
<br>
On 9/8/11 1:00 PM, Travis Sidelinger wrote:<br>
<br>
Yes, I suggest using Redhat's authconfig to configure PAM+LDAP.<br>
<br>
It will update your /etc/ldap.conf, /etc/nsswitch.conf, and /etc/pam.d/* files.<br>
<br>
The /etc/nsswitch.conf file is the "switch" you are looking for.<br>
<br>
Also, I see Brian posted to the Colug list a reply. Brian is a great ldap resource too.<br>
<br>
pamchk?? Oh wow, that's old stuff. I'd have to take a look again. All that stuff needs cleaned up.... I'll have to take a look. Hum... pamchk seems fine here (Linux raistlin 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug 16 04:10:59 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux). Did you build it with the Makefile? See Makefile here...<br>
<br>
##################################################<br>
# Makefile for: chkpam<br>
# Programmer: Travis Sidelinger<br>
# Date: 2005May14<br>
<br>
## Variables ##<br>
CC = gcc<br>
CFLAGS = -DUSE_PAM -g -Wall<br>
LDFLAGS = -ldl -lpam -lpam_misc<br>
<br>
## Main ##<br>
<br>
all: chkpam<br>
<br>
chkpam: chkpam.o<br>
	$(CC) -o chkpam chkpam.o $(LDFLAGS)<br>
<br>
chkpam.o: chkpam.c<br>
	$(CC) -c chkpam.c $(CFLAGS)<br>
<br>
clean:<br>
	rm -f chkpam.o chkpam core.*<br>
##################################################<br>
<br>
<br>
<br>
<br>
On Wed, Sep 7, 2011 at 8:07 PM, Matthew Gardlik, Ph.D.<br>
<<a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a>> wrote:<br>
<br>
Hi Travis,<br>
<br>
I had a few more questions for you if you don't mind. I ran across a webpage that suggested running "authconfig -test" to see how PAM is configured. The relevant portion of the output is shown below:<br>
<br>
[root@MMG_GUEST_001 pam]# authconfig --test<br>
. . .<br>
pam_ldap is disabled<br>
<br>
LDAP+TLS is disabled<br>
LDAP server = "ldap://127.0.0.1/"<br>
<br>
LDAP base DN = "dc=root"<br>
. . .<br>
<br>
I'm running a virtual instance of CentOS 5.6. Do I need to flip a switch somewhere to enable ldap? Or, how does authconfig determine which methods are enabled? I thought I had configured /etc/ldap.conf, but maybe I need to enable ldap somewhere else before the config file is looked at?<br>
<br>
I noticed a program you wrote called chkpam when looking at your website. I thought it might be useful to me as I played with PAM and LDAP. I ran into a few problems though.<br>
<br>
When compiling, I got the following errors:<br>
<br>
[root@MMG_GUEST_001 pam]# g++ -c main-old.cpp<br>
main-old.cpp: In function ‘int main(int, char**)’:<br>
main-old.cpp:68: error: invalid conversion from ‘void*’ to ‘char*’<br>
main-old.cpp:74: error: invalid conversion from ‘void*’ to ‘char*’<br>
<br>
So, I cast the return values from malloc as char*:<br>
<br>
[root@MMG_GUEST_001 pam]# diff main-old.cpp main.cpp<br>
68c68<br>
< username = malloc(sizeof(optarg));<br>
---<br>
> username = (char*) malloc(sizeof(optarg));<br>
74c74<br>
< pam_service = malloc(sizeof(optarg));<br>
---<br>
> pam_service = (char*) malloc(sizeof(optarg));<br>
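Review bot: both replaced lines keep malloc(sizeof(optarg)), and the (char*) cast only silences the C++ conversion error; sizeof(optarg) is the size of a char pointer (4 or 8 bytes), not the length of the argument, so any later copy of optarg into username or pam_service can write past the allocation. Use username = strdup(optarg); (or malloc(strlen(optarg) + 1) before copying) and check the result for NULL.<br>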
<br>
<br>
It then compiled. However, when I tried to link to libpam, I get:<br>
<br>
[root@MMG_GUEST_001 pam]# g++ -o main main.o -lpam<br>
main.o:(.data+0x0): undefined reference to `misc_conv'<br>
collect2: ld returned 1 exit status<br>
<br>
Am I linking incorrectly? It looks like misc_conv is a structure defined in the pam headers. I'm not quite sure what I'm doing wrong here.<br>
<br>
<br>
--<br>
Matthew M. Gardlik, Ph.D.<br>
Registered Patent Agent, Reg. No. 67,089<br>
<a href="tel:614-607-0710" value="+16146070710" target="_blank">614-607-0710</a><br>
<a href="mailto:matt@mattgardlik.com" target="_blank">matt@mattgardlik.com</a><br>
<br>
<br>
<a href="http://www.mattgardlik.com/" target="_blank">http://www.mattgardlik.com/</a><br>
<br>
<br>
<br>
<br>
--<br>
"A careful reading of history clearly demonstrates ...<br>
that people don't read history carefully."<br>
<br>
</blockquote></blockquote></blockquote>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>"A careful reading of history clearly demonstrates ...<br>that people don't read history carefully."<br><br>
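<br>Matt's fix in the thread (posixGroup with gidnumber/memberuid instead of groupofnames with member) is the difference between an entry pam_groupdn can authorize against and one nss_ldap will list in "getent group". The script below is an added example, not code from the thread or from chkpam: it parses two constructed LDIF entries (hypothetical dc=example,dc=com DNs and user names, not Matt's directory) and reports which one getent group could show.<br>

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an LDAP group entry is
# visible to "getent group" through nss_ldap. NSS expects the RFC 2307 shape
# (objectClass posixGroup, gidNumber, memberUid). A groupOfNames with "member"
# DNs works for pam_groupdn/pam_member_attribute authorization but is not a
# Unix group, so it never appears in getent output.

# Constructed sample: the groupOfNames shape from the first attempt (hypothetical DNs).
LDIF_GROUPOFNAMES='dn: cn=admins,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com'

# Constructed sample: the posixGroup shape that getent group resolves.
LDIF_POSIXGROUP='dn: cn=admins,ou=groups,dc=example,dc=com
objectclass: posixGroup
gidnumber: 2000
cn: admins
memberuid: alice
memberuid: bob'

# ldif_attr LDIF ATTR: print every value of ATTR (attribute names are case-insensitive)
ldif_attr() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v want="$want" '{
        i = index($0, ": ")
        if (i && tolower(substr($0, 1, i - 1)) == want) print substr($0, i + 2)
    }'
}

# nss_group_check LDIF: return 0 if nss_ldap can map the entry to a Unix group, else 1
nss_group_check() {
    case "$(ldif_attr "$1" objectClass | tr 'A-Z' 'a-z')" in
        *posixgroup*) ;;
        *) echo "not a posixGroup: pam_groupdn may use it, getent group will not"; return 1 ;;
    esac
    [ -n "$(ldif_attr "$1" gidNumber)" ] || { echo "posixGroup without gidNumber"; return 1; }
    return 0
}

# nss_group_line LDIF: print the line getent group would show (name:*:gid:uid,uid)
nss_group_line() {
    nss_group_check "$1" >/dev/null || return 1
    members=$(ldif_attr "$1" memberUid | paste -s -d, -)
    printf '%s:*:%s:%s\n' "$(ldif_attr "$1" cn)" "$(ldif_attr "$1" gidNumber)" "$members"
}

nss_group_check "$LDIF_GROUPOFNAMES" || :   # explains why the first entry stayed invisible
nss_group_line "$LDIF_POSIXGROUP"           # admins:*:2000:alice,bob
```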