LDAP-UX binding through libpam_ldap

Peter Kain
Advisor

LDAP-UX binding through libpam_ldap

When authenticating through libpam_ldap, it's a two-step process.

First an ldapsearch is performed using your uid from the login process which returns your DN.

Then you bind via that DN with the password you provide.

By using ldap search filters I should be able to login with any valid LDAP attribute.

For example I should be able to login both as
pete - uid attribute in ldap
pete@foo.com - mailLocalAddress attribute

Both will return the same DN when doing an ldap search.

Does anyone know if this can be configured with LDAP-UX? I'm working with the latest version, 3.02.00.

Thanks
\Pete

Nat Guyton
Advisor
Solution

Re: LDAP-UX binding through libpam_ldap

I can't guarantee anything, but I would experiment with /etc/opt/ldapux/default_profile_attr_rfc2307.ldif

and try changing:

attributemap: pam:uid=uid

to

attributemap: pam:uid=mail

and see if that works (you may need to re-run setup after doing this).

However, consider the fact that you can theoretically have two different DNs with the same email address - the uids (assuming you are using uid in the DN rather than cn) are guaranteed to be unique for a given base DN, while the email addresses are not.

Let me know if the above works out, though. Good luck!
Never underestimate the bandwidth of a station wagon filled with backup tapes
Nat Guyton
Advisor

Re: LDAP-UX binding through libpam_ldap

oops - use "uid=mailLocalAddress"
Never underestimate the bandwidth of a station wagon filled with backup tapes
Peter Kain
Advisor

Re: LDAP-UX binding through libpam_ldap

I tried this. I made my changes to
/etc/opt/ldapux/ldapux_client.ldif
attributeMap: pam:uid=mailLocalAddress

Ran create_profile_cache to update
/etc/opt/ldapux/ldapux_client.bin

display_profile_cache
...
Pluggable Authentication Module (PAM) service configuration
=============================================================
Attribute: is mapped to:
---------- -------------
name: mailLocalAddress
uid number: uidnumber
passwd: userpassword


But it doesn't work. I can bind but then it fails at the pam_acct_mgmt. Example with su.

$ su - 'pkain@csun.edu'
Password:
su: Unknown id: pkain@csun.edu

Apr 8 11:40:17 7E:rogue su: PAM_LDAP Entering pam_sm_authenticate ...
Apr 8 11:40:17 7E:rogue su: PAM_LDAP pam_sm_authenticate(su, pkain@csun.edu), flags = 0
Apr 8 11:40:20 7E:rogue su: PAM_LDAP auth-bind authenticate passed!
Apr 8 11:40:20 7E:rogue su: PAM_LDAP pam_sm_authenticate: set bind status (0)
Apr 8 11:40:20 7E:rogue su: PAM_LDAP 2nd auth_bind returns 0
Apr 8 11:40:20 7E:rogue su: PAM_LDAP pam_sm_authenticate: returning 0
Apr 8 11:40:20 7E:rogue su: pam_acct_mgmt: error No account present for user
Apr 8 11:40:20 7E:rogue su: pam_acct_mgmt: error No account present for user
Apr 8 11:40:20 7E:rogue su: pam_sm_setcred(): no module data
Apr 8 11:40:20 7E:rogue su: PAM_LDAP Entering pam_sm_setcred ...
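The trace above shows the two stages separately: the search-then-bind step succeeds, then pam_acct_mgmt cannot resolve the login name. The following is an added model of that sequence, written for this thread and not taken from LDAP-UX or from any post here. It assumes a small constructed directory, plain-text passwords for illustration only, and that the account stage is an NSS passwd lookup whose key attribute can differ from the one PAM searched on; treating "No account present" as that mismatch is an assumption, not something the trace proves. It also carries Nat's uniqueness caveat through: a search that returns more than one DN is refused rather than bound against the first hit.

```python
"""Model of the two-step libpam_ldap login discussed in this thread.

1. search the directory for the login name under a chosen attribute to get a DN,
2. simple-bind as that DN with the supplied password,
3. account stage: resolve the same login name to a passwd entry (getpwnam).

Added example, not LDAP-UX code. The directory, entries, passwords and the
NSS lookup model below are all constructed for illustration.
"""

from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values


# Constructed sample directory. Note that pete@foo.com appears on two entries,
# which is exactly the non-uniqueness Nat warns about for mail attributes.
DIRECTORY = [
    Entry("uid=pete,ou=people,dc=foo,dc=com",
          {"uid": ["pete"], "uidNumber": ["1001"],
           "mailLocalAddress": ["pete@foo.com"],
           "userPassword": ["s3cret"]}),
    Entry("uid=pkain,ou=people,dc=foo,dc=com",
          {"uid": ["pkain"], "uidNumber": ["1002"],
           "mailLocalAddress": ["pkain@foo.com", "pete@foo.com"],
           "userPassword": ["hunter2"]}),
]


class AuthError(Exception):
    pass


def ldap_search(attr, value):
    """Stand-in for ldapsearch '(attr=value)'; returns matching entries."""
    return [e for e in DIRECTORY
            if value.lower() in (v.lower() for v in e.attrs.get(attr, []))]


def ldap_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    for e in DIRECTORY:
        if e.dn == dn:
            return password in e.attrs["userPassword"]
    return False


def pam_authenticate(login, password, login_attr="uid"):
    """Steps 1 and 2: search, then bind. Ambiguous matches are refused."""
    matches = ldap_search(login_attr, login)
    if not matches:
        raise AuthError("no entry for %s" % login)
    if len(matches) > 1:
        raise AuthError("ambiguous: %d entries match %s=%s"
                        % (len(matches), login_attr, login))
    dn = matches[0].dn
    if not ldap_bind(dn, password):
        raise AuthError("bind as %s failed" % dn)
    return dn


def getpwnam(name, name_attr="uid"):
    """Step 3 (assumed model): NSS passwd lookup keyed by name_attr.

    Returns None when no single entry resolves, which is the condition
    that would surface as 'Unknown id' / 'No account present'."""
    matches = ldap_search(name_attr, name)
    if len(matches) != 1:
        return None
    e = matches[0]
    return {"name": e.attrs["uid"][0], "uid": int(e.attrs["uidNumber"][0])}


def login(name, password, pam_attr="uid", nss_attr="uid"):
    """Full sequence. Returns (bound_dn, passwd_entry); passwd_entry is None
    when authentication passed but the account stage could not resolve name."""
    dn = pam_authenticate(name, password, pam_attr)
    return dn, getpwnam(name, nss_attr)


def try_login(name, password, pam_attr="uid", nss_attr="uid"):
    """Same as login() but reports failure as a tuple instead of raising."""
    try:
        return login(name, password, pam_attr, nss_attr)
    except AuthError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # uid on both stages: works end to end
    print(try_login("pete", "s3cret"))
    # PAM on mailLocalAddress, NSS still on uid: binds, then no passwd entry
    print(try_login("pkain@foo.com", "hunter2", pam_attr="mailLocalAddress"))
    # both stages on mailLocalAddress: works for a unique address
    print(try_login("pkain@foo.com", "hunter2",
                    "mailLocalAddress", "mailLocalAddress"))
    # shared address: refused before any bind is attempted
    print(try_login("pete@foo.com", "s3cret", pam_attr="mailLocalAddress"))
```

The second case reproduces the shape of the su trace: the bind returns success and the failure only appears when the login name is resolved to an account. The last case is why a search on a non-unique attribute should never fall through to binding the first DN returned; with two entries sharing an address, whichever one the server lists first would be the one authenticated.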

Pam Tuvul
New Member

Re: LDAP-UX binding through libpam_ldap

Hi Pete

Which attribute information did you use to log in to the unit before issuing the "su" command?

pete (uid)

or

pete@csun.edu (mailLocal)

Thanks,

Pam