On 17.06.2011 14:29, Ralf Haferkamp wrote:
> On Friday, 17 June 2011, 12:50:10, Wolfgang Rosenauer wrote:
>> Hi,
>>
>> I used the following configuration in the past and am migrating an old system to 11.4. But there I just don't get it to work anymore.
>>
>> pure-ftpd is started through xinetd:
>> server_args = -E -A -l pam
>>
>> /etc/pam.d/pure-ftpd:
>> #%PAM-1.0
>> auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
>> auth sufficient pam_ldap.so
>> auth required pam_shells.so
>> #auth include common-auth
>> account include common-account
>> password include common-password
>> session required pam_loginuid.so
>> session include common-session
>
> Hm, why don't you set up pam_ldap in /etc/pam.d/common-auth? Do you just want to allow ftps logins via LDAP and nothing else? And wouldn't you need to add pam_ldap to the "account" section as well (this depends of course on the contents of "/etc/pam.d/common-account")?

The users in the LDAP database only use ftp and imap/pop3 and therefore I only change those. (The mailserver configuration is not yet ready so I cannot verify if it works for them). I don't need the features of the account section and haven't had it configured on the previous version. Still I tried to use pam_ldap for it but nothing changed.

>> nss_ldap and openldap apparently work correctly but when I try to log in over ftp it always fails. I can bind with the same user credentials to ldap (tested via ldapsearch).
>>
>> I get the following output in /var/log/messages:
>>
>> pure-ftpd: PAM audit_log_acct_message() failed: Operation not permitted
>> pure-ftpd: (?@localhost) [WARNING] Authentication failed for user [xxx]
>>
>> The same setup worked with an earlier version of openSUSE without any issues. What can I do to debug this further or are there any ideas what's going wrong already?
>
> Just a wild guess, but do you have apparmor running? Probably some apparmor profile is getting in your way. Check /var/log/audit/audit.log

audit.log is empty so it doesn't look like the issue. I have a "loglevel any" log of openldap (just not sending it to the whole list) if you think it could help but then again I think the ldap server is not the issue here (given I can authenticate against ldap using ldapsearch).

Thanks,
Wolfgang
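
Ralf's question about whether pam_ldap also runs in the "account" stack can be checked mechanically. The following is an added example, not code from the thread or from any project named in it: it parses the quoted /etc/pam.d/pure-ftpd, expands `include` lines, and lists auth modules marked `sufficient` that never appear in the account stack. The contents of common-account are an assumption (the thread does not show them), and the names `parse_stack` and `audit` are hypothetical.

```python
import re

# Constructed input: the service file quoted in the thread, plus an ASSUMED
# common-account (the thread never shows that file's real contents).
PURE_FTPD = """\
#%PAM-1.0
auth     required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     sufficient pam_ldap.so
auth     required   pam_shells.so
#auth    include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
"""
ASSUMED_FILES = {"common-account": "account required pam_unix2.so\n"}

# One rule: [-]type  control|[value=action ...]  module  [arguments]
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, files, seen=()):
    """Return [(type, control, module, args)] with include/substack expanded."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank line or comment
        mtype, control, module, args = m.groups()
        if control not in ("include", "substack"):
            entries.append((mtype, control, module, args))
        elif module in files and module not in seen:
            sub = parse_stack(files[module], files, seen + (module,))
            entries += [e for e in sub if e[0] == mtype]  # same type only
        else:
            entries.append((mtype, "unresolved-include", module, ""))
    return entries

def audit(text, files):
    """(auth 'sufficient' modules absent from account, unresolved includes)."""
    entries = parse_stack(text, files)
    account = {m for t, _, m, _ in entries if t == "account"}
    missing = [m for t, c, m, _ in entries
               if t == "auth" and c == "sufficient" and m not in account]
    unresolved = sorted({(t, m) for t, c, m, _ in entries
                         if c == "unresolved-include"})
    return missing, unresolved

if __name__ == "__main__":
    print(audit(PURE_FTPD, ASSUMED_FILES))
```

An `account` entry in the unresolved list means the included file was not supplied, so the first result cannot be trusted until that file's contents are passed in.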