[FC3] LDAP Authentication

Chris Stark cstark at hawaii.edu
Sat Dec 11 06:54:00 UTC 2004


Hi everyone,

I've got an issue that I've been wrestling with for a couple of days, 
and I have still had no luck. I searched Google, the archives, and all 
of my books. Nothing. I suppose it could be a bug, but I'd like some 
feedback before I submit a report.

I have just installed FC3 on a machine that previously had FC1. I am 
trying to use OpenLDAP server to manage the user accounts, as I had done 
previously with FC1. It worked perfectly before the upgrade.

To make a long story a bit shorter, I transferred the LDAP directory's 
contents using an LDIF dump file, so as to avoid any database version issues.

This seems to have worked because one of my PHP web applications can 
authenticate against the server using TLS without a glitch. Also desktop 
apps like Thunderbird's address book return all of the entries using 
LDAPS. Both TLS and SSL work without issue, and I can even execute 
successful ldapsearch queries from the server's command line.

However, the server itself does not recognize the LDAP server as a 
source for accounts; getent passwd or group only returns /etc/passwd and 
/etc/group values. All of the previous home directories have numeric 
values for their user and group owner permissions.

Sorry if this is long. Here are the appropriate snippets from my config 
files. Please let me know if you see anything obviously wrong. Also, any 
troubleshooting tips would be much appreciated.

Aloha,
Chris Stark

(example.com is for illustrative purposes)

-----------------------
# /etc/openldap/ldap.conf

URI             ldap://example.com
BASE            dc=example,dc=com
TLS_CACERT      /etc/ssl/certs/cacert/cacert.pem
TLS_REQCERT     allow

------------------------
# /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

disallow bind_anon
security ssf=1 update_ssf=112 simple_bind=112

password-hash   {MD5}
pidfile /var/run/slapd.pid

TLSCACertificateFile    /etc/ssl/certs/cacert/cacert.pem
TLSCertificateFile      /etc/ssl/certs/ldap/ldap-cert.pem
TLSCertificateKeyFile   /etc/ssl/certs/ldap/ldap-key.pem

access to attr=userPassword
         by self write
         by anonymous auth
         by dn="cn=Manager,dc=example,dc=com" write
         by * none

access to attrs=sambaLmPassword,sambaNtPassword
         by dn="cn=Manager,dc=example,dc=com" write
         by * none

access to dn=cn=Manager,dc=example,dc=com attr=entry
         by self write
         by dn="cn=Manager,dc=example,dc=com" write
         by * none

access to *
         by users read
         by self write
         by dn="cn=Manager,dc=example,dc=com" write
         by * none

database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap
mode            0700
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

cachesize       2000
loglevel        296

------------------------
# /etc/ldap.conf

base dc=example,dc=com
uri ldap://example.com/
ldap_version 3

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5

nss_base_passwd         ou=users,dc=example,dc=com?one
nss_base_shadow         ou=users,dc=example,dc=com?one
nss_base_group          ou=groups,dc=example,dc=com?one

ssl start_tls
tls_checkpeer no
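Editor's added example, not part of Chris's post. The snippets above combine `disallow bind_anon` and a catch-all ACL ending in `by * none` on the server with a client `/etc/ldap.conf` that sets no `binddn`; nss_ldap binds anonymously when no `binddn` is configured, so that combination is one thing worth checking before filing a bug, along with whether `/etc/nsswitch.conf` lists `ldap` at all (the post does not show that file, so the copy below is an assumption). The script parses constructed copies of the three files as plain text and returns findings as `(code, message)` pairs; it also flags the settings a defender would tighten (`tls_checkpeer no`, `{MD5}` password hashing, a cleartext `rootpw`). All file contents are embedded so it runs offline.

```python
import re

# Constructed copies of the post's snippets, trimmed to the relevant directives.
SLAPD_CONF = """\
disallow bind_anon
security ssf=1 update_ssf=112 simple_bind=112
password-hash   {MD5}
rootpw          secret
access to attr=userPassword
         by self write
         by anonymous auth
         by dn="cn=Manager,dc=example,dc=com" write
         by * none
access to *
         by users read
         by self write
         by dn="cn=Manager,dc=example,dc=com" write
         by * none
"""

LDAP_CONF = """\
base dc=example,dc=com
uri ldap://example.com/
ldap_version 3
nss_base_passwd         ou=users,dc=example,dc=com?one
nss_base_group          ou=groups,dc=example,dc=com?one
ssl start_tls
tls_checkpeer no
"""

# Assumed content: the post does not show /etc/nsswitch.conf.
NSSWITCH_CONF = """\
passwd:     files
shadow:     files
group:      files ldap
"""


def parse_directives(text):
    """Return an ordered list of (key, value); indented lines continue the
    previous directive, which is how slapd.conf ACL 'by' clauses are written."""
    items = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and items:
            key, value = items[-1]
            items[-1] = (key, value + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        items.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return items


def values(items, key):
    return [v for k, v in items if k == key]


def check_nsswitch(text):
    """getent only consults the directory for databases that name 'ldap'."""
    findings = []
    for key, value in parse_directives(text):
        db = key.rstrip(":")
        if db in ("passwd", "group", "shadow") and "ldap" not in value.split():
            findings.append(("NSS_NO_LDAP",
                             f"nsswitch.conf: '{db}' does not list ldap; getent reads only /etc/{db}"))
    return findings


def check_ldap_access(slapd_text, client_text):
    """Can an nss_ldap client configured like client_text read entries from
    a slapd configured like slapd_text?"""
    server, client = parse_directives(slapd_text), parse_directives(client_text)
    findings = []
    has_binddn = bool(values(client, "binddn"))
    if not has_binddn:
        # Without binddn, nss_ldap lookups are anonymous binds.
        if any("bind_anon" in v for v in values(server, "disallow")):
            findings.append(("ANON_BIND_REJECTED",
                             "slapd has 'disallow bind_anon' but ldap.conf sets no binddn/bindpw"))
        for rule in values(server, "access"):
            if rule.startswith("to *") and "by users read" in rule and "by anonymous" not in rule:
                findings.append(("ACL_NO_ANON_READ",
                                 "catch-all ACL grants read to authenticated users only; anonymous lookups get nothing"))
    # simple_bind=N above 1 means a simple bind is refused unless the session has that SSF (TLS).
    for sec in values(server, "security"):
        m = re.search(r"simple_bind=(\d+)", sec)
        if m and int(m.group(1)) > 1 and not any(v in ("start_tls", "on") for v in values(client, "ssl")):
            findings.append(("SIMPLE_BIND_NEEDS_TLS",
                             "slapd requires an SSF for simple binds but the client does not use TLS"))
    return findings


def check_hardening(slapd_text, client_text):
    """Settings that work but weaken the deployment."""
    server, client = parse_directives(slapd_text), parse_directives(client_text)
    findings = []
    if values(client, "tls_checkpeer") == ["no"]:
        findings.append(("TLS_NO_PEER_CHECK", "client accepts any server certificate"))
    if any(h.upper().startswith("{MD5}") for h in values(server, "password-hash")):
        findings.append(("WEAK_HASH", "password-hash {MD5} is unsalted; prefer {SSHA}"))
    if any(not pw.startswith("{") for pw in values(server, "rootpw")):
        findings.append(("ROOTPW_CLEARTEXT", "rootpw is stored in cleartext; use a slappasswd hash"))
    return findings


if __name__ == "__main__":
    for code, msg in (check_nsswitch(NSSWITCH_CONF)
                      + check_ldap_access(SLAPD_CONF, LDAP_CONF)
                      + check_hardening(SLAPD_CONF, LDAP_CONF)):
        print(f"{code}: {msg}")
```

The checks are textual and deliberately conservative: they do not talk to a server, so a clean report only means these particular mismatches are absent. Confirming the anonymous-bind hypothesis on a live box is a matter of running `ldapsearch -x` with no credentials against the same base and comparing it with a bound search.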

More information about the fedora-list mailing list