
Re: [K12OSN] LDAP/PAM Authentication errors on K12LTSP.



On Thu, 2003-04-10 at 10:59, Quentin Hartman wrote:
> Martin-
>          I have been working on getting LDAP/Samba/PAM going in my district 
> as well. It can be a bear, no? I am hardly an expert, but a quick look at 
> your log file snippet and configs suggests a couple of ideas:
> 
> 1- First, it looks like you have the LDAP server running on the machine you 
> are trying to log onto. Correct? It looks like pam-ldap is failing to 
> connect. Is the ldap server started? Do you have firewall rules blocking 
> that port? Did you manually configure the PAM authentication stuff? If so, 
> try using the Red Hat utility "authconfig", that will make sure you make no 
> mistakes, but the config looks good to me.
> 
> 2- You seem to have been trying to authenticate as root to the ldap 
> directory. Are you sure you added the root user to the directory? As a side 
> note, it seems to be generally considered to be a bad idea to put root in 
> ldap. It adds an extra point of exposure for root credentials, and that's 
> bad security practice.


    Just a little hint here.   I've not managed to get LDAP working for
authentication...but some of my research has turned up some
interesting...well...facts?

    Instance one: a couple of days ago I read something by one of the
co-authors of LDAP.  He was quite stern in his warning that LDAP is just
a directory...not a fileserver, not a dns host, and not authentication
tools.  Had this been the only instance of this information, I probably
would have chalked it up to jealousy of the progress his project has
grown into....but he was very clear on this fact.  (Maybe I can find
that page again...)

    Instance two: I was looking for information on how to go about
setting up a 10,000-user email system.  I didn't want to have to evolve
something into the right tool for the job.  He, too, was quite certain
about not using LDAP to authenticate; that Kerberos was the proper way to
go.

    Maybe both of these people knew nothing...maybe it's something
else...but as for me, I'm looking for some Kerberos information now...

-- 
------------------------------------------------------------------------
Brian Fahrlander                             Linux Zealot, Conservative,
Evansville, IN                                             and Technomad
ICQ 5119262                       http://www.kamakiriad.com/aboutme.html
                                   LinPhone: brian aquila kamakiriad com
------------------------------------------------------------------------
Linux: it's all about choice and better software.      Live free or die.
------------------------------------------------------------------------





