Scalix 11 community - Password auth w/ pam_ldap OpenLDAP

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

fozzmoo

Scalix 11 community - Password auth w/ pam_ldap OpenLDAP

Post by fozzmoo » Wed Mar 07, 2007 3:28 pm

Good day. I have learned SO much about Scalix lately, it is crazy.

I'm setting Scalix up for a client. We have Scalix 11 community-edition set up on a server running 64-bit Fedora Core 6. This server is also a Samba server and the client wants single sign-on capability, so we set up OpenLDAP and omldapsync (agreement 13). With much hair-pulling, squinting, and turning our heads sideways, we figured out how to make that work and now have users exporting from OpenLDAP and showing up in the SAC as premium users. Yay!

Problem: Password authentication does not work.

I have followed the instructions in the "Using OpenLDAP for password management" wiki page pretty much to the letter. I had to replace /lib/security with /lib64/security for the pam_ldap.so lines, but otherwise, I'm using those instructions verbatim.

When I run sxpamauth to test authentication, I get a very discouraging message:

Code:

sxpamauth -vvv USERNAME
pam_start_om("pamcheck", "USERNAME")
pam_authenticate()
pam_authenticate: Module is unknown

Not authenticated: Module is unknown


Not a very nice message, I don't think.

Here are the contents of the /var/opt/ml/s/sys/pam.d/pamcheck:

Code:

auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth    required om_om2authid
auth    required /lib64/security/pam_ldap.so
account required /lib64/security/pam_ldap.so
password required om_om2authid
password required /lib64/security/pam_ldap.so
session required /lib64/security/pam_ldap.so


Could someone please offer some tidbits of information to guide me in the right direction here? I'm, frankly, beginning to get slightly weary of being constantly reacquainted with Brick Wall.

peerkesezuuker
Posts: 12
Joined: Sat Feb 24, 2007 2:12 am
Location: Netherlands

Post by peerkesezuuker » Thu Mar 08, 2007 2:53 am

Hi fozzmoo,

Does the required module exist in /lib64/security/ (try ls /lib64/security)? If not, try installing it. (http://rpm.pbone.net for searching RPMs)
I have been hassling with LDAP authentication for a while, and the solution for me was replacing the contents of pamcheck, omslapdeng, smtpd.auth and ual.remote (they all reside in the ~/sys/pam.d folder) with this:

Code:

auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password required om_auth
session required om_auth

I know this means LDAP authentication will use the Scalix modules instead of the system ones (it has some disadvantages, I have read somewhere, but I don't know what ...).

It works fine for me.

Gr. Peer
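
The check suggested in the reply above (is the module file named in the PAM config actually on disk?), as an added example that is not part of the original thread: a Python script that parses pam.d-style rules and lists the modules it cannot find. The function names and the search directory are assumptions; the thread does not say where Scalix keeps its om_* modules.

```python
import os
import re

# One pam.d rule: optional "-", type, control (keyword or "[...]"), module.
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# The auth lines of the first pamcheck posted in the thread.
PAMCHECK = """\
auth required om_debug
auth    required om_om2authid
auth    required /lib64/security/pam_ldap.so
"""

def pam_modules(text):
    """Return (type, control, module) for each module rule in pam.d-style text."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        match = RULE.match(line.split("#", 1)[0].strip())
        # "include"/"substack" name another config file, not a module
        if match and match.group(2) not in ("include", "substack"):
            rules.append(match.groups())
    return rules

def unresolved_modules(text, search_dirs):
    """Return (type, module) for rules whose module file is not on disk.

    Absolute paths are checked as written. Bare names are tried in each of
    search_dirs, with and without ".so" (assumption: the caller knows which
    directories the PAM library in use searches).
    """
    missing = []
    for mtype, _control, module in pam_modules(text):
        if os.path.isabs(module):
            candidates = [module]
        else:
            candidates = [os.path.join(d, module + ext)
                          for d in search_dirs for ext in ("", ".so")]
        if not any(os.path.isfile(c) for c in candidates):
            missing.append((mtype, module))
    return missing

if __name__ == "__main__":
    # Assumed search directory; add wherever your install keeps the om_* modules.
    for mtype, module in unresolved_modules(PAMCHECK, ["/lib64/security"]):
        print(f"{mtype}: cannot find {module}")
```

A file that exists can still fail to load (for example a 32-bit module on a 64-bit system), so a clean result only rules out the missing-file case.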

fozzmoo

SUCCESS!

Post by fozzmoo » Thu Mar 08, 2007 2:35 pm

peerkesezuuker,

It works! I understand what's going on here and I'm also curious about using om_ldap instead of pam_ldap. Hopefully some knowledgeable Scalix entity will come enlighten us (and others) about it.

peerkesezuuker

Post by peerkesezuuker » Thu Mar 08, 2007 4:51 pm

Glad to be of some help, fozzmoo.
I found the above solution somewhere on this forum, but I can't seem to find it any more.
Indeed, one of the Scalix pros can shine their light on this.

Gr. Peer

