[Fedora-directory-users] problems with pam ldap ?

Nalin Dahyabhai nalin at redhat.com
Thu May 29 16:16:05 UTC 2008


On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> I'm using the fedora directory server for centralized authentication,
> and I have made users with posix accounts and put them in ou=People
> like this:
[snip]
> # Server1, Groups, pol.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> description: group for users that have access on server 1
> objectClass: top
> objectClass: groupofuniquenames
> uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> cn: Server1
[snip]
> and my ldap.conf looks like this:
> 
> URI ldap://lacatzel.pol.ro
> port=389
> BASE dc=pol,dc=ro
> host lacatzel.pol.ro
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> scope sub
> bind_policy soft
> #pam_password exop
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro

[snip]

The combination of the pam_groupdn and pam_member_attribute settings you
have here instructs pam_ldap to check for the user's DN among the values
for the group object's "memberUid" attribute, but the user's DN is
stored in the "uniqueMember" attribute.  Try changing that (or
removing it, because "pam_member_attribute uniquemember" is the
default).

But if that were the only problem, I'd expect that none of your users
would be able to log in.  You should probably double-check that your PAM
configuration is able to deny users entry when pam_ldap's account
management function (which is the part that checks group membership)
returns a failure.

HTH,

Nalin
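The two checks described in the reply above, worked through as an added example for this thread (written here, not pam_ldap or Linux-PAM source): pam_ldap's pam_groupdn / pam_member_attribute membership test, run first with the posted "memberUid" and then with the default "uniqueMember", and a small evaluator for the PAM "account" stack showing that a "sufficient" line ahead of pam_ldap.so swallows its denial. The group entry is copied from the post; the user "mallory", the two PAM stacks and the assumption that pam_unix's account check succeeds for any user NSS can resolve are made up for illustration.

```python
"""Simulate the two things the reply describes: pam_ldap's group-membership
test (pam_groupdn + pam_member_attribute) and how the PAM 'account' stack
turns pam_ldap's verdict into an allow/deny.  Illustrative code written for
this thread, not pam_ldap or Linux-PAM source.  The group entry is copied
from the post; the user "mallory" and the PAM stacks are made up."""

# Group entry from the post, as pam_ldap would fetch it from pam_groupdn.
GROUP_LDIF = """\
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
description: group for users that have access on server 1
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
cn: Server1
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader: one entry, 'attr: value' lines, no base64/folding.
    LDAP attribute names are case-insensitive, so keys are lower-cased."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Crude DN comparison form: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def group_allows(group, member_attr, user_dn):
    """pam_ldap's check: is the user's DN one of the values of member_attr
    on the group entry?  With 'memberUid' this group holds no such attribute
    (and even if it did, it would hold uids, not DNs), so nobody matches."""
    values = group.get(member_attr.lower(), [])
    return normalize_dn(user_dn) in {normalize_dn(v) for v in values}


def run_account_stack(stack, results):
    """Evaluate a PAM 'account' stack with the classic control flags
    (required / requisite / sufficient / optional).
    stack:   list of (control, module) in file order
    results: module name -> True (PAM_SUCCESS) or False (failure)
    Returns True if the stack grants access."""
    required_failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            # failure is remembered but the stack keeps running
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False          # fail immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True           # short-circuits the rest of the stack
        elif control == "optional":
            pass                      # only counts when it is the sole module
        else:
            raise ValueError("unknown control flag %r" % control)
    return not required_failed


def demo():
    group = parse_ldif_entry(GROUP_LDIF)
    lauru = "uid=lauru,ou=People,dc=pol,dc=ro"
    mallory = "uid=mallory,ou=People,dc=pol,dc=ro"   # constructed, not in the group

    out = {
        # the posted ldap.conf: pam_member_attribute memberUid
        "lauru_via_memberUid": group_allows(group, "memberUid", lauru),
        # the pam_ldap default: uniqueMember
        "lauru_via_uniqueMember": group_allows(group, "uniqueMember", lauru),
        "mallory_via_uniqueMember": group_allows(group, "uniqueMember", mallory),
    }

    # Assumption: pam_unix's account check succeeds for any user NSS can
    # resolve (LDAP users included).  Ordering then decides whether pam_ldap's
    # denial of mallory is honoured.
    verdicts = {"pam_unix.so": True, "pam_ldap.so": out["mallory_via_uniqueMember"]}
    loose = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
    strict = [("required", "pam_unix.so"), ("required", "pam_ldap.so")]
    out["mallory_loose_stack"] = run_account_stack(loose, verdicts)
    out["mallory_strict_stack"] = run_account_stack(strict, verdicts)
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-28s %s" % (name, "allow" if allowed else "deny"))
```

With the posted config lauru is denied even though he is in the group; with the default attribute he is allowed and mallory is denied, but the "loose" stack still lets mallory in because pam_unix.so succeeds first and is marked sufficient. That is the kind of PAM ordering to rule out before blaming the directory.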
