public inbox for gentoo-user@lists.gentoo.org
From: Marc Blumentritt <M.Blumentritt@tu-braunschweig.de>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] openldap: taking too much of time to authenticate
Date: Mon, 28 Aug 2006 09:50:52 +0200
Message-ID: <44F2A05C.8060202@tu-braunschweig.de>
In-Reply-To: <6O59c-3tf-19@gated-at.bofh.it>

bijayant kumar schrieb:
> Hi,
>        I have installed openldap on my gentoo-linux. My purpose is to use the LDAP server for login authentication using PAM. slapd is running fine. The ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is the server as well as the client. Please help me. I followed step by step
> http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2

[...]
> 
> access to *
> by dn="uid=root,ou=people,dc=kavach,dc=blr" write
> by users read
> by anonymous auth
> 
> access to attrs=userPassword,gecos,description,loginShell
> by self write

Your first access rule makes your second one obsolete, because * is for
everything. Therefore your second rule will never apply. Always make
the rule with * your last access rule.


> My  /etc/pam.d/system-auth  :--
> 
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
> 
> account     required      /lib/security/pam_unix.so
> account     sufficient    /lib/security/pam_ldap.so
> 
> password    required      /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
> 
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so

I'm no expert at all with pam rules, but your rules always have the unix
rule before the ldap rule. If you try to log in with a local account (not
in passwd), then perhaps you run into timeouts?

I have set up ldap on debian with the following pam rules:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
auth    required        pam_permit.so

account [success=1 default=ignore]      pam_unix.so
account required        pam_ldap.so
account required        pam_permit.so

password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_unix.so nullok obscure min=4 max=8 md5

session         optional        pam_ldap.so
session         required        pam_unix.so

The first rule of auth and account allows you to log in even if ldap is
down: the rules check whether a local account exists; if yes, jump to the
third rule; if no, go on to the second rule.

Perhaps this can help you.

> Since my local system is also acting as the LDAP server, that's why every user who is in the LDAP directory is in my system also.
Hm, this sounds a little bit wrong. Even if your LDAP server runs on
another system, the accounts stored in it are part of your system if you
configure it that way (which you did with /etc/nsswitch.conf and
/etc/ldap.conf). They are not automatically in it if you do not set up
these files properly (which I think you did), local ldap or not.

Regards,
Marc


-- 
gentoo-user@gentoo.org mailing list
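Marc's point about the `access to *` rule can be checked mechanically. The script below is an added example written for this thread; it is not code from the posts or from OpenLDAP. It models how slapd picks a rule: the first `access to <what>` clause whose `<what>` matches the target is used, the first matching `by <who>` inside it decides the level, a matched clause whose `by` list matches nobody denies, and later `access to` clauses are never consulted. The root DN is the one posted; the users alice and bob, the reordered variant and the corrected ACL are constructed for the example. Run against the ACL as posted it shows two things the thread only hints at: `by self write` never applies, and because `by users read` on `*` also covers userPassword, every authenticated user can read everyone else's password hash. It also shows that simply moving the attrs rule above `*` is not enough, since once that rule matches only its own `by` clauses count, so anonymous simple binds (which need `auth` on userPassword) and reads of loginShell by other users start failing; the fixed variant adds the missing `by` clauses and splits userPassword from the harmless attributes.

```python
"""Model of slapd access-rule selection; an added example for this thread, not
code from the posts or from OpenLDAP.  First matching <what> wins, first
matching <by> inside it decides, no matching <by> denies, later rules ignored."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each implies the lower ones

ALICE = "uid=alice,ou=people,dc=kavach,dc=blr"   # constructed test users under the
BOB = "uid=bob,ou=people,dc=kavach,dc=blr"       # base posted in the thread

POSTED_ACL = """
access to *
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by users read
  by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
  by self write
"""
REORDERED_ACL = """
access to attrs=userPassword,gecos,description,loginShell
  by self write
access to *
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by users read
  by anonymous auth
"""
FIXED_ACL = """
access to attrs=userPassword
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by self write
  by anonymous auth
  by * none
access to attrs=gecos,description,loginShell
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by self write
  by * read
access to *
  by dn="uid=root,ou=people,dc=kavach,dc=blr" write
  by users read
  by anonymous auth
"""

@dataclass
class Rule:
    attrs: Optional[frozenset]   # None models "access to *"
    by: list                     # [(who, level), ...] in file order

def parse_acl(text):
    """Handles only the syntax used above: "*", "attrs=a,b" and plain by-clauses."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            what = line[len("access to "):]
            rules.append(Rule(None if what == "*" else frozenset(what[6:].split(",")), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            rules[-1].by.append((who, level))
        elif line:
            raise ValueError(f"unsupported line: {line!r}")
    return rules

def who_matches(who, requester, target):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    if who.startswith('dn="') and who.endswith('"'):   # exact DN, case-folded only
        return requester is not None and requester.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who>: {who!r}")

def granted(rules, requester, target, attr):
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue                  # this <what> does not cover the attribute
        for who, level in rule.by:    # first matching <by> decides
            if who_matches(who, requester, target):
                return level
        return "none"                 # <what> matched, no <by> matched: deny
    return "none"                     # modelled as deny when no rule matches

def allows(rules, requester, target, attr, needed):
    return LEVELS.index(granted(rules, requester, target, attr)) >= LEVELS.index(needed)

def check(acl_text):
    """A simple bind needs `auth` on the target's userPassword; changing it needs `write`."""
    r = parse_acl(acl_text)
    return {
        "anonymous can bind as alice": allows(r, None, ALICE, "userPassword", "auth"),
        "alice can change her password": allows(r, ALICE, ALICE, "userPassword", "write"),
        "bob can read alice's hash": allows(r, BOB, ALICE, "userPassword", "read"),
        "bob can read alice's loginShell": allows(r, BOB, ALICE, "loginShell", "read"),
    }

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("reordered", REORDERED_ACL), ("fixed", FIXED_ACL)):
        print(name, check(acl))
```

The model deliberately ignores slapd features the posted config does not use (regex and `dn.subtree` subjects, `dn.base` targets, `break`/`stop` control, the implicit rule added for the rootdn); it is a reading aid for rule order, not a replacement for testing the live server with `ldapwhoami`, an anonymous bind and a `ldappasswd` run as an ordinary user.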

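Marc's description of the `[success=1 default=ignore]` jump, and his guess that a local login may be spending time in pam_ldap, can both be traced with a small stack evaluator. The Python below is an added example written for this thread, not code from the posts or from Linux-PAM. It implements a simplified model of the Linux-PAM control values (`required`, `requisite`, `sufficient`, `optional`, and `[success=N default=ignore]`, with every module returning either success or failure and an all-ignored stack counting as failure), parses the two auth/account stacks quoted above verbatim, and records which modules actually get called. The per-scenario module results (local user, LDAP user with the server up, LDAP user with the server down) are constructed; the pam_unix entry describes its auth behaviour, and pam_ldap is modelled as failing for a local user, which in practice still means the server was contacted first. With the posted `account` stack pam_ldap is called for every user, local ones included; with the Debian stack pam_unix's success skips it.

```python
"""Simplified Linux-PAM stack evaluator; an added example for this thread, not
code from the posts or from Linux-PAM.  Modelled: required, requisite,
sufficient, optional and [success=N default=ignore]; each module returns
success or failure only; a stack in which nothing sets a result fails."""

# The two stacks quoted in the thread (auth and account types only).
POSTED_PAM = """
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so
"""
DEBIAN_PAM = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
auth    required        pam_permit.so
account [success=1 default=ignore]      pam_unix.so
account required        pam_ldap.so
account required        pam_permit.so
"""

# Constructed per-module results (True = PAM_SUCCESS).  pam_unix describes the
# auth module; pam_ldap fails for a local user (not in the directory) and for
# everyone when the server is unreachable, and in both cases the call happens.
LOCAL_USER     = {"pam_env": True, "pam_unix": True,  "pam_ldap": False, "pam_permit": True, "pam_deny": False}
LDAP_USER_UP   = {"pam_env": True, "pam_unix": False, "pam_ldap": True,  "pam_permit": True, "pam_deny": False}
LDAP_USER_DOWN = {"pam_env": True, "pam_unix": False, "pam_ldap": False, "pam_permit": True, "pam_deny": False}

def parse_pam(text):
    """Return {type: [(control, module), ...]} in stack order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ptype, rest = line.split(None, 1)
        if rest.startswith("["):                     # bracketed control contains spaces
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        module = rest.split()[0].rsplit("/", 1)[-1]  # drop path and module arguments
        if module.endswith(".so"):
            module = module[:-3]
        stacks.setdefault(ptype, []).append((control.strip(), module))
    return stacks

def run_stack(stack, results):
    """Evaluate one stack; return (final result, modules actually called)."""
    called, outcome, skip = [], None, 0        # outcome None = nothing decided yet
    for control, module in stack:
        if skip:                               # jumped over by a [success=N]
            skip -= 1
            continue
        ok = results[module]
        called.append(module)
        if control in ("required", "requisite"):
            if not ok:
                if control == "requisite":
                    return False, called       # requisite failure ends the stack
                outcome = False                # required failure is remembered
            elif outcome is None:
                outcome = True
        elif control == "sufficient":
            if ok and outcome is not False:    # success ends the stack unless a
                return True, called            # required module already failed
        elif control == "optional":
            if ok and outcome is None:         # success=ok, failure ignored
                outcome = True
        elif control.startswith("[success=") and control.endswith("default=ignore]"):
            if ok:                             # counts as ok, then jumps N modules
                skip = int(control[len("[success="):].split()[0])
                if outcome is None:
                    outcome = True
        else:
            raise ValueError(f"unsupported control: {control!r}")
    return bool(outcome), called

def trace(config, ptype, results):
    return run_stack(parse_pam(config)[ptype], results)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_PAM), ("debian", DEBIAN_PAM)):
        for ptype in ("auth", "account"):
            print(name, ptype, "local user:", trace(cfg, ptype, LOCAL_USER))
```

The evaluator only answers "which modules run, and in what order"; it says nothing about how long pam_ldap blocks when the server is slow, which is the number the original poster needs. To get that on the real system, watch the slapd log (or `strace -f -e trace=connect,poll,select` on the login process) while logging in as a purely local account, and check whether a connect to the LDAP port appears at all in the `account` phase.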