[Fedora-directory-users] Account Expiration Warning

Jamie McKnight warthog at warthogsolutions.com
Wed Dec 21 19:09:59 UTC 2005


> 
> > 
> > in /etc/ldap.conf, and that your pam stack is set up for pam_ldap
> > authentication.  Also, if you are using a proxy agent, the proxy agent
> > must not be able to see the userPassword attribute, or you will end up
> > authenticating via pam_unix, and not pam_ldap.  
> 
> This could be the problem.  I am using a proxy and not sure how to test 
> what you are saying.  If I do an ldapsearch such as:
> 
> ldapsearch -x -ZZ '(uid=tulsa)'
> 
> then that should bind via the entries in ldap.conf hence use the 
> config'd proxy, correct?  Then if that search shows a userPassword then 
> that would confirm pam_unix usage?  Not sure how to stop it if it is 
> using pam_unix?
> 

That's correct, if you can do a ldapsearch and bind as the proxyagent
and you see the userPassword attribute returned, then the directory
server has an ACI that allows read for your proxy agent of the
userPassword attribute.  You can just remove that ACI and it should at
that point not return the userPassword field, and pam_ldap
authentication would take place then.

For example:

ldapsearch -x -h ldapsrv -D "cn=proxyid,dc=blah" -W -b "ou=people,dc=blah" uid=tulsa

Where -D is the id listed as proxyagent in ldap.conf, and the password
supplied is for that id.  If userPassword is returned then you know what
is going on.

If this is not what is happening, check and make sure you don't have
rootbinddn and /etc/ldap.secret set up.  If it is actually binding as
your rootdn then that is what it could be as well.


Jamie
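A small helper for the check Jamie describes, added here as an example and not part of the original mail: it reads the LDIF that ldapsearch prints on stdout, unfolds LDIF continuation lines (a leading space joins the line to the previous one), and reports every entry for which a userPassword value came back, whether cleartext (`userPassword:`) or base64 (`userPassword::`). The sample LDIF, the DN and the base64 value embedded below are constructed for the demonstration; the function itself does not need a directory server.

```sh
#!/bin/sh
# check_userpassword_exposure: read ldapsearch LDIF output on stdin and
# print the DN of every entry whose userPassword attribute was returned.
# Exit status: 0 = no userPassword visible, 1 = at least one exposed.
# Typical use, bound as the proxy agent from ldap.conf (see Jamie's mail):
#   ldapsearch -x -h ldapsrv -D "cn=proxyid,dc=blah" -W -b "ou=people,dc=blah" uid=tulsa \
#     | check_userpassword_exposure
check_userpassword_exposure() {
    awk '
        # LDIF folds long values: a line starting with a space continues the previous one.
        /^ /  { buf = buf substr($0, 2); next }
              { handle(buf); buf = $0 }
        END   { handle(buf); exit (exposed ? 1 : 0) }

        function handle(line) {
            if (line ~ /^dn: /)
                dn = substr(line, 5)
            # Attribute names are case-insensitive in LDAP; "::" marks a base64 value.
            else if (tolower(line) ~ /^userpassword::? /) {
                exposed = 1
                print "userPassword visible for " dn
            }
        }
    '
}

# Constructed sample output, as if the proxy agent could read userPassword.
SAMPLE_EXPOSED='dn: uid=tulsa,ou=people,dc=example,dc=com
uid: tulsa
userPassword:: e1NTSEF9Y29u
 c3RydWN0ZWQ='

if printf '%s\n' "$SAMPLE_EXPOSED" | check_userpassword_exposure; then
    echo "OK: proxy agent cannot read userPassword, pam_ldap will authenticate"
else
    echo "PROBLEM: remove the ACI granting the proxy agent read on userPassword"
fi
```

Run the real ldapsearch with the proxy agent's `-D` and password and pipe it into the function; a non-zero exit means the ACI Jamie mentions is still in place.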



