From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <44F2A05C.8060202@tu-braunschweig.de>
Date: Mon, 28 Aug 2006 09:50:52 +0200
From: Marc Blumentritt
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] openldap: taking too much of time to authenticate
List-Id: Gentoo Linux mail
References: <6O59c-3tf-19@gated-at.bofh.it>
In-Reply-To: <6O59c-3tf-19@gated-at.bofh.it>
bijayant kumar wrote:
> Hi,
> I have installed openldap on my gentoo-linux. My purpose is to use the LDAP server for login authentication using PAM. slapd is running fine. The ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is the server as well as the client. Please help me. I followed step by step
> http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2

[...]

> access to *
>         by dn="uid=root,ou=people,dc=kavach,dc=blr" write
>         by users read
>         by anonymous auth
>
> access to attrs=userPassword,gecos,description,loginShell
>         by self write

Your first access rule makes your second one obsolete, because * is for everything. Therefore your second rule will never come into play. Always put the rule with * as your last access rule.

> My /etc/pam.d/system-auth:
>
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account sufficient /lib/security/pam_ldap.so
>
> password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so

I'm no expert at all with pam rules, but your rules always have the unix rule before the ldap rule. If you try to log in with a local account (not in passwd), then perhaps you run into timeouts? I have set up ldap on debian with the following pam rules:

auth     [success=1 default=ignore] pam_unix.so nullok_secure
auth     required                   pam_ldap.so use_first_pass
auth     required                   pam_permit.so

account  [success=1 default=ignore] pam_unix.so
account  required                   pam_ldap.so
account  required                   pam_permit.so

password sufficient                 pam_ldap.so use_first_pass use_authtok
password required                   pam_unix.so nullok obscure min=4 max=8 md5

session  optional                   pam_ldap.so
session  required                   pam_unix.so

The first rule of auth and account allows you to log in even if ldap is down: the rules check if a local account exists; if yes, jump to the third rule; if no, jump to the second rule. Perhaps this can help you.

> Since my local system is also acting as an LDAP server, that's why every user who is in the LDAP directory is in my system also.

Hm, this sounds a little bit wrong. Even if your LDAP server runs on another system, the accounts saved in it are part of your system, if you configure it that way (which you did with /etc/nsswitch.conf and /etc/ldap.conf). They are not automatically in it if you do not set these files properly (which I think you did), local ldap or not.

Regards,
Marc
-- 
gentoo-user@gentoo.org mailing list
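The ACL ordering point in the reply above, worked through as an added example (this is editor-supplied code, not anything posted in the thread). slapd.access(5) evaluates "access to" directives in file order and stops at the first <what> that matches the entry or attribute; within that directive the first matching <who> decides. The simulator below parses the ACL exactly as the original poster wrote it and a reordered version, and evaluates a few requests under both. The reordered ACL is an assumption of this example: besides moving the attribute rules before "access to *", it adds "by anonymous auth" (a simple bind needs auth access to userPassword, so a rule that only names "by self" would break logins) and "by * none" (as posted, "by users read" on "*" lets every authenticated user read everyone's password hashes). The user DNs uid=alice and uid=bob are constructed test data; the rootdn bypass is not modelled.

```python
import re

# slapd's access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The ACL exactly as posted in the thread: the catch-all "access to *" comes first.
POSTED_ACL = """
access to *
        by dn="uid=root,ou=people,dc=kavach,dc=blr" write
        by users read
        by anonymous auth

access to attrs=userPassword,gecos,description,loginShell
        by self write
"""

# Reordered so the specific rules come first (the reply's point). The extra
# "by anonymous auth" / "by * none" lines are this example's hardening, not the thread's.
FIXED_ACL = """
access to attrs=userPassword
        by dn="uid=root,ou=people,dc=kavach,dc=blr" write
        by self write
        by anonymous auth
        by * none

access to attrs=gecos,description,loginShell
        by dn="uid=root,ou=people,dc=kavach,dc=blr" write
        by self write
        by * read

access to *
        by dn="uid=root,ou=people,dc=kavach,dc=blr" write
        by users read
        by anonymous auth
"""


def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives, keeping file order.
    Understands the <what> forms '*' and 'attrs=a,b' and the <who> forms
    '*', 'anonymous', 'users', 'self' and dn="..." (exact match)."""
    rules = []
    for stmt in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        parts = stmt.split(None, 1)
        what, body = parts[0], (parts[1] if len(parts) > 1 else "")
        bys = re.findall(r'by\s+(dn="[^"]*"|\*|anonymous|users|self)\s+(\w+)', body)
        rules.append((what, bys))
    return rules


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who>: " + who)


def granted(acl_text, bind_dn, target_dn, attr, wanted):
    """True if slapd would grant `wanted` access to `attr` of `target_dn` for a
    client bound as `bind_dn` (None = anonymous). First matching <what> wins;
    inside it the first matching <who> decides; no match at all means denied."""
    for what, bys in parse_acl(acl_text):
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False


ALICE = "uid=alice,ou=people,dc=kavach,dc=blr"   # constructed test users
BOB = "uid=bob,ou=people,dc=kavach,dc=blr"


def demo():
    """The same requests against the posted and the reordered ACL."""
    return {
        "posted: alice changes own password": granted(POSTED_ACL, ALICE, ALICE, "userPassword", "write"),
        "posted: bob reads alice's hash":     granted(POSTED_ACL, BOB, ALICE, "userPassword", "read"),
        "fixed: alice changes own password":  granted(FIXED_ACL, ALICE, ALICE, "userPassword", "write"),
        "fixed: bob reads alice's hash":      granted(FIXED_ACL, BOB, ALICE, "userPassword", "read"),
        "fixed: anonymous bind as alice":     granted(FIXED_ACL, None, ALICE, "userPassword", "auth"),
        "fixed: nss reads alice's shell":     granted(FIXED_ACL, None, ALICE, "loginShell", "read"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(("GRANTED " if ok else "denied  ") + case)
```

With the posted order, alice's own password change is evaluated under "access to *" and stops at "by users read", so it is denied, while bob can read her hash; with the attribute rules first, self-write works, other users get nothing, and anonymous binds still get the auth access they need.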
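The PAM control-flow difference between the posted system-auth and the Debian-style stack in the reply, as an added example (editor-supplied, not code from the thread). The simulator walks a stack the way Linux-PAM's dispatcher does, using the expansion of required/requisite/sufficient/optional documented in pam.conf(5) and the [success=N default=ignore] jump syntax, and records which modules actually get invoked. Only the auth and account phases are reproduced. The scenarios are constructed: the return codes assumed for pam_ldap when the server is unreachable (authinfo_unavail) and for pam_unix on a user it cannot verify (auth_err) are assumptions of this example, and which code a real pam_unix account check returns for a directory-only user is deliberately not asserted.

```python
import re

# Linux-PAM's own expansion of the simple control keywords (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# What a module returns when the scenario does not say otherwise.
MODULE_DEFAULTS = {"pam_deny.so": "perm_denied"}

# auth/account phases of the poster's /etc/pam.d/system-auth, as quoted in the thread.
POSTED = """
auth    required   /lib/security/pam_env.so
auth    sufficient /lib/security/pam_unix.so likeauth nullok
auth    sufficient /lib/security/pam_ldap.so use_first_pass
auth    required   /lib/security/pam_deny.so
account required   /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
"""

# The same phases of the Debian-style stack from the reply.
DEBIAN = """
auth    [success=1 default=ignore] pam_unix.so nullok_secure
auth    required                   pam_ldap.so use_first_pass
auth    required                   pam_permit.so
account [success=1 default=ignore] pam_unix.so
account required                   pam_ldap.so
account required                   pam_permit.so
"""


def parse_control(control):
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())


def parse_stack(text, phase):
    """Return [(actions, module), ...] for one phase of a pam.d-style file.
    Module arguments are dropped: they never affect the control flow."""
    stack = []
    for line in text.strip().splitlines():
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line.strip())
        if m and m.group(1) == phase:
            stack.append((parse_control(m.group(2)), m.group(3).rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, scenario):
    """Walk a stack like Linux-PAM's dispatcher (simplified: no chain caching,
    no 'reset'). `scenario` maps module -> return code. Returns
    (stack result, modules actually invoked)."""
    called, status, impression = [], None, None     # impression: None, "pos" or "neg"
    i = 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        called.append(module)
        ret = scenario.get(module, MODULE_DEFAULTS.get(module, "success"))
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue                                  # result does not count
        if action in ("ok", "done"):
            if impression != "neg":
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break                                 # sufficient: stop early
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret       # first failure is kept
            if action == "die":
                break                                 # requisite: stop at once
        elif action.isdigit():
            i += int(action)                          # [success=N]: skip N modules
        else:
            raise ValueError("unsupported action: " + action)
    # A stack in which no module contributed is a failure (PAM_PERM_DENIED).
    return (status if impression else "perm_denied"), called


# Constructed scenarios, not measurements from the poster's machine.
LOCAL_USER_LDAP_DOWN = {"pam_unix.so": "success", "pam_ldap.so": "authinfo_unavail"}
LDAP_ONLY_USER = {"pam_unix.so": "auth_err", "pam_ldap.so": "success"}


def compare(phase, scenario):
    """Result and invoked modules of the posted and the Debian-style stack."""
    return {name: run_stack(parse_stack(text, phase), scenario)
            for name, text in (("posted", POSTED), ("debian", DEBIAN))}


if __name__ == "__main__":
    for phase, scenario in (("auth", LOCAL_USER_LDAP_DOWN), ("account", LOCAL_USER_LDAP_DOWN),
                            ("auth", LDAP_ONLY_USER)):
        for name, (result, called) in compare(phase, scenario).items():
            print(f"{phase:8}{name:8}{result:18}{' -> '.join(called)}")
```

The account phase is where the two stacks differ for a local user: "account required pam_unix.so" never ends the stack, so the posted configuration invokes pam_ldap on every login and waits for it even when the directory is unreachable, whereas "[success=1 default=ignore]" skips pam_ldap entirely after a local hit. Dropping the trailing pam_permit.so line from the jump-style stack turns a local login into perm_denied, because a jump contributes no result of its own.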