public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* Re: [gentoo-user] openldap: taking too much of time to authenticate
  @ 2006-08-28  8:39 99% ` bijayant kumar
  0 siblings, 0 replies; 1+ results
From: bijayant kumar @ 2006-08-28  8:39 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 3760 bytes --]

Hi Marc,
                       First of all i want to thank you for your response. I tried everything which  you have suggested to me, but unfortunately it didnot worked for me. It still taking 15 to 20 seconds to authenticate. Does it takes too much time or i am doing something wrong. Please help me. I am doing this from last 8 days. And one more thing i want to know, how would i know that user is authenticated via the ldap not the system.

Marc Blumentritt <M.Blumentritt@tu-braunschweig.de> wrote: bijayant kumar schrieb:
> Hi,
>        I have installed openldap on my gentoo-linux . My purpose is to use LDAP server for login authentication using PAM. slapd  is running fine. ldapsearch command is also running fine. But the problem is, it takes too much time to authenticate the user. My local system is server as well as the client. Please help me.  I followed  step by step  
> http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap2

[...]
> 
> access to *
> by dn="uid=root,ou=people,dc=kavach,dc=blr" write
> by users read
> by anonymous auth
> 
> access to attrs=userPassword,gecos,description,loginShell
> by self write

Your first access rule makes your second one obsolete, because * is for
everything. Therefore your second rule will never jump in. Take always
the rule with * as your last access rule.


> My  /etc/pam.d/system-auth  :--
> 
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
> 
> account     required      /lib/security/pam_unix.so
> account     sufficient    /lib/security/pam_ldap.so
> 
> password    required      /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
> 
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so

I'm no expert at all with pam rules, but your rules always have the unix
 rule before ldap rule. If you try login with a local account (not in
passwd), than perhaps you run in timeouts?

I have set up ldap on debian with the following pam rules:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
auth    required        pam_permit.so

account [success=1 default=ignore]      pam_unix.so
account required        pam_ldap.so
account required        pam_permit.so

password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_unix.so nullok obscure min=4 max=8 md5

session         optional        pam_ldap.so
session         required        pam_unix.so

The first rule of auth and account allows you to login even if ldap is
down: the rules check, if a local account exists; if yes jump to third
rule; if no jump to second rule.

Perhaps this can help you.

> Since my local system is also acting as a LDAP server, thats why every users who are in LDAP directory, they are in my system also.
Hm, this sounds a little bit wrong. Even if your LDAP server runs on
another system, the accounts saved in it are part of your system, if you
configure it that way (which you did with /etc/nsswitch.conf and
/etc/ldap.conf). They are not automatically in it, if you do not set
these files properly (which I think you did), local ldap or not.

Regards,
Marc


-- 
gentoo-user@gentoo.org mailing list



 Send instant messages to your online friends http://uk.messenger.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 4325 bytes --]

^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2006-08-28  7:50     [gentoo-user] openldap: taking too much of time to authenticate Marc Blumentritt
2006-08-28  8:39 99% ` bijayant kumar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox