* Re: [gentoo-user] openldap: taking too much of time to authenticate
@ 2006-08-28 8:39 99% ` bijayant kumar
0 siblings, 0 replies; 1+ results
From: bijayant kumar @ 2006-08-28 8:39 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 3760 bytes --]
Hi Marc,
First of all i want to thank you for your response. I tried everything which you have suggested to me, but unfortunately it didnot worked for me. It still taking 15 to 20 seconds to authenticate. Does it takes too much time or i am doing something wrong. Please help me. I am doing this from last 8 days. And one more thing i want to know, how would i know that user is authenticated via the ldap not the system.
Marc Blumentritt <M.Blumentritt@tu-braunschweig.de> wrote: bijayant kumar schrieb:
> Hi,
> I have installed openldap on my gentoo-linux . My purpose is to use LDAP server for login authentication using PAM. slapd is running fine. ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is server as well as the client. Please help me. I followed step by step
> http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2
[...]
>
> access to *
> by dn="uid=root,ou=people,dc=kavach,dc=blr" write
> by users read
> by anonymous auth
>
> access to attrs=userPassword,gecos,description,loginShell
> by self write
Your first access rule makes your second one obsolete, because * is for
everything. Therefore your second rule will never jump in. Take always
the rule with * as your last access rule.
> My /etc/pam.d/system-auth :--
>
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account sufficient /lib/security/pam_ldap.so
>
> password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so
I'm no expert at all with pam rules, but your rules always have the unix
rule before ldap rule. If you try login with a local account (not in
passwd), than perhaps you run in timeouts?
I have set up ldap on debian with the following pam rules:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
password sufficient pam_ldap.so use_first_pass use_authtok
password required pam_unix.so nullok obscure min=4 max=8 md5
session optional pam_ldap.so
session required pam_unix.so
The first rule of auth and account allows you to login even if ldap is
down: the rules check, if a local account exists; if yes jump to third
rule; if no jump to second rule.
Perhaps this can help you.
> Since my local system is also acting as a LDAP server, thats why every users who are in LDAP directory, they are in my system also.
Hm, this sounds a little bit wrong. Even if your LDAP server runs on
another system, the accounts saved in it are part of your system, if you
configure it that way (which you did with /etc/nsswitch.conf and
/etc/ldap.conf). They are not automatically in it, if you do not set
these files properly (which I think you did), local ldap or not.
Regards,
Marc
--
gentoo-user@gentoo.org mailing list
Send instant messages to your online friends http://uk.messenger.yahoo.com
[-- Attachment #2: Type: text/html, Size: 4325 bytes --]
^ permalink raw reply [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2006-08-28 7:50 [gentoo-user] openldap: taking too much of time to authenticate Marc Blumentritt
2006-08-28 8:39 99% ` bijayant kumar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox