[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Forced 'shadowaccount' objectclass?



Hi, I'm trying to get PAM and OpenLDAP to work. I have currently
some users on the LDAP directory and they can make login on
our hosts. However, attempting to solve the 'segmentation fault'
problem, I did an update to latest pam, nss_ldap and openldap
RPMs from RH, and the same users are now unable to login.

Going back to previous setup and looking at the ldap logs, I
see that clients are using the filter I put on the lapd.conf
file (objectclass=ACCOUNT)(host=PERSEUS):

SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))"
SRCH base="DC=SOME,DC=ORG"
filter="(&(&(objectclass=ACCOUNT)(host=PERSEUS))(uid=GROUCHO))"
BIND dn="UID=GROUCHO,OU=ACCOUNTS,DC=SOME,DC=ORG" method=128
SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))"
SRCH base="DC=SOME,DC=ORG"
filter="(&(objectclass=SHADOWACCOUNT)(uid=GROUCHO))"
SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))"
SRCH base="DC=SOME,DC=ORG"
filter="(&(objectclass=POSIXGROUP)(memberuid=GROUCHO))"
SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))"

AFAIK, it seems that the server is looking for some objectclasses
we don't have, but even although we don't have posixgroups or shadow
accounts, user Groucho can login.

However, with newer packages, our filter doesn't show on the logs.
Instead, after looking for the shadow account, the user is rejected.
Does it mean that we are now forced to use a shadowaccount objectclass
for all accounts? Is such a behaviour configurable somewhere? We have a
very simple schema for those accounts and I'd prefer keep it so. Any help
or pointers about it?

TIA,
José A.





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []