On Thursday 29 July 2010 18:50:13, Giampiero Gabbiani wrote:

> Hi all,
> I configured nss & pam in order to make LDAP authentication. In order to
> have proper authentication and attribute retrieval I also added ccreds
> and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch.conf for both:
>
> /etc/pam.d/system-auth:
>
> auth     [success=done default=ignore]                  pam_unix.so nullok_secure try_first_pass debug
> auth     [authinfo_unavail=ignore success=1 default=2]  pam_ldap.so use_first_pass
> auth     [default=done]                                 pam_ccreds.so action=validate use_first_pass
> auth     [default=done]                                 pam_ccreds.so action=store
> auth     [default=bad]                                  pam_ccreds.so action=update
>
> account  [user_unknown=ignore authinfo_unavail=ignore default=done]  pam_unix.so debug
> account  [user_unknown=ignore authinfo_unavail=ignore default=done]  pam_ldap.so debug
> account  required                                                    pam_permit.so
>
> password required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient  pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient  pam_ldap.so use_authtok use_first_pass
> password required    pam_deny.so
>
> session  optional    pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session  required    pam_limits.so
> session  required    pam_env.so
> session  required    pam_unix.so
> session  optional    pam_permit.so
> session  optional    pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd:     files ldap [NOTFOUND=return] db
> shadow:     files ldap
> group:      files ldap [NOTFOUND=return] db
>
> #passwd:    files ldap
> #shadow:    files ldap
> #group:     files ldap
>
> # passwd:   db files nis
> # shadow:   db files nis
> # group:    db files nis
>
> hosts:      files dns
> networks:   files dns
>
> services:   db files
> protocols:  db files
> rpc:        db files
> ethers:     db files
> netmasks:   files
> netgroup:   files ldap
> bootparams: files
>
> automount:  files ldap
> aliases:    files
>
> sudoers:    ldap files
>
> The problem is that, when the connection to the LDAP server is down, I
> can't log in:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> From the last line above it seems like the credentials were not cached, or
> the NSS switch doesn't use the db service for the passwd and shadow
> databases.
>
> Is there someone who has a working configuration for getting the
> cached credentials system working properly?
>
> Regards
> Giampiero

The problem was due to a missing sys-libs/nss-db ebuild. This one provides the NSS module needed by glibc to use Berkeley Databases as a naming service (actually the same one used by nss-updatedb).

Now everything works well.

Bye all
Giampiero

P.S. - IMHO, this should be set as a dependency in the nss-updatedb ebuild...
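An added check for the failure mode found above (this script is not from the thread or from the nss-updatedb project): for each passwd/shadow/group line in an nsswitch.conf it reports whether the "db" fallback source is listed and whether every listed source has a libnss_<source>.so.2 module installed, which is how glibc names NSS modules. The file and library paths are assumptions, and a constructed fixture mirroring the thread's configuration stands in for the real host.

```shell
#!/bin/sh
# Added example, not part of the thread: check an nsswitch.conf the way the
# cached-credentials setup needs it. A source named in nsswitch.conf whose
# libnss_<source>.so.2 module is not installed (here, nss-db) turns
# "files ldap [NOTFOUND=return] db" into "user unknown" as soon as the LDAP
# server is unreachable. Paths are assumptions; make_fixture builds a sample.

# Print the sources configured for database $2 in nsswitch.conf $1, with
# action clauses such as [NOTFOUND=return] stripped.
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/\[[^]]*\]//g'
}

# Succeed when "db" is among the sources for database $2 in $1.
nss_has_db() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "db" ] && return 0
    done
    return 1
}

# Print the module files missing from lib dir $3 for the sources of database
# $2 in $1; empty output means every configured source can be loaded.
nss_missing_modules() {
    for src in $(nss_sources "$1" "$2"); do
        [ -e "$3/libnss_$src.so.2" ] || printf '%s\n' "libnss_$src.so.2"
    done
}

# Constructed fixture mirroring the thread: nsswitch.conf names files, ldap
# and db, but only the files and ldap modules are present in the lib dir.
make_fixture() {
    dir=$(mktemp -d)
    printf 'passwd: files ldap [NOTFOUND=return] db\nshadow: files ldap\n' > "$dir/nsswitch.conf"
    printf 'group:  files ldap [NOTFOUND=return] db\n' >> "$dir/nsswitch.conf"
    mkdir "$dir/lib"
    : > "$dir/lib/libnss_files.so.2"
    : > "$dir/lib/libnss_ldap.so.2"
    printf '%s\n' "$dir"
}

# Report on the fixture when run directly.
FIX=$(make_fixture)
for db in passwd shadow group; do
    nss_has_db "$FIX/nsswitch.conf" "$db" || echo "$db: no db fallback source"
    nss_missing_modules "$FIX/nsswitch.conf" "$db" "$FIX/lib" | sed "s/^/$db: missing /"
done
```

On a real host, point the functions at /etc/nsswitch.conf and the directory where glibc's libnss_*.so.2 files live; a reported missing libnss_db.so.2 is the condition the thread's fix (installing sys-libs/nss-db) resolves.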