[FC3] LDAP Authentication
Chris Stark
cstark at hawaii.edu
Sat Dec 11 06:54:00 UTC 2004
Hi everyone,
I've got an issue that I've been wrestling with for a couple of days,
and I have still had no luck. I searched google, the archives, and all
of my books. Nothing. I suppose it could be a bug, but I'd like some
feedback before I submit a report.
I have just installed FC3 on a machine that previously had FC1. I am
trying to use OpenLDAP server to manage the user accounts, as I had done
previously with FC1. It worked perfectly before the upgrade.
To make a long story a bit shorter, I transferred the LDAP directory's
contents using an LDIF dump file, so as to avoid any database version issues.
This seems to have worked because one of my PHP web applications can
authenticate against the server using TLS without a glitch. Also desktop
apps like Thunderbird's addressbook return all of the entries using
LDAPS. Both TLS and SSL work without issue, and I can even execute
successful ldapsearch queries from the server's command-line.
However, the server itself does not recognize the LDAP server as a
source for accounts; getent passwd or group only returns /etc/passwd and
/etc/group values. All of the previous home directories have numeric
values for their user and group owner permissions.
Sorry if this is long. Here are the appropriate snippets from my config
files. Please let me know if you see anything obviously wrong. Also, any
troubleshooting tips would be much appreciated.
Aloha,
Chris Stark
(example.com is for illustrative purposes)
-----------------------
# /etc/openldap/ldap.conf
URI ldap://example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ssl/certs/cacert/cacert.pem
TLS_REQCERT allow
------------------------
# /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
disallow bind_anon
security ssf=1 update_ssf=112 simple_bind=112
password-hash {MD5}
pidfile /var/run/slapd.pid
TLSCACertificateFile /etc/ssl/certs/cacert/cacert.pem
TLSCertificateFile /etc/ssl/certs/ldap/ldap-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/ldap/ldap-key.pem
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=Manager,dc=example,dc=com" write
by * none
access to attrs=sambaLmPassword,sambaNtPassword
by dn="cn=Manager,dc=example,dc=com" write
by * none
access to dn=cn=Manager,dc=example,dc=com attr=entry
by self write
by dn="cn=Manager,dc=example,dc=com" write
by * none
access to *
by users read
by self write
by dn="cn=Manager,dc=example,dc=com" write
by * none
database ldbm
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
mode 0700
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
cachesize 2000
loglevel 296
------------------------
# /etc/ldap.conf
base dc=example,dc=com
uri ldap://example.com/
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password md5
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one
ssl start_tls
tls_checkpeer no
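Added example (not part of the post): a static consistency check that reads a slapd.conf and the nss_ldap/pam_ldap /etc/ldap.conf it pairs with and flags settings that interact badly, such as a server that disallows anonymous binds while the client sets no binddn (nss_ldap binds anonymously unless told otherwise), or a simple_bind SSF requirement with no TLS on the client. The embedded configs are constructed copies of the snippets above with the hypothetical example.com values.

```python
"""Static checks for an nss_ldap client config against the slapd.conf it talks to."""

# Constructed from the post's snippets; only the lines the checks look at are kept.
SLAPD_CONF = """\
disallow bind_anon
security ssf=1 update_ssf=112 simple_bind=112
password-hash {MD5}
rootpw secret
"""

NSS_LDAP_CONF = """\
base dc=example,dc=com
uri ldap://example.com/
ldap_version 3
nss_base_passwd ou=users,dc=example,dc=com?one
ssl start_tls
tls_checkpeer no
"""


def parse(text):
    """Return {keyword.lower(): [value, ...]} for a 'keyword value' style config."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return out


def check(slapd_text, client_text):
    """Return a list of (severity, message) findings for the two configs."""
    s, c = parse(slapd_text), parse(client_text)
    findings = []
    # nss_ldap binds anonymously unless binddn/bindpw is set; with 'disallow bind_anon'
    # the server rejects that bind and getent simply sees no LDAP entries.
    if any("bind_anon" in v for v in s.get("disallow", [])) and "binddn" not in c:
        findings.append(("error", "server disallows anonymous bind but client sets no binddn"))
    # 'security simple_bind=N' demands an encrypted session for simple binds.
    if "simple_bind=" in " ".join(s.get("security", [])) and \
            c.get("ssl", [""])[0] not in ("start_tls", "on"):
        findings.append(("error", "server requires encrypted simple binds but client uses no TLS"))
    if c.get("tls_checkpeer", ["yes"])[0] == "no":
        findings.append(("warn", "client does not verify the server certificate"))
    if "{MD5}" in " ".join(s.get("password-hash", [])):
        findings.append(("warn", "unsalted {MD5} password hashing in use"))
    if "rootpw" in s and not s["rootpw"][0].startswith("{"):
        findings.append(("warn", "rootpw stored in cleartext"))
    return findings


if __name__ == "__main__":
    for sev, msg in check(SLAPD_CONF, NSS_LDAP_CONF):
        print(f"[{sev}] {msg}")
```

Run against the posted snippets it reports one error (anonymous bind disallowed, no binddn) and three warnings; it does not touch the server, so it says nothing about nsswitch.conf or the live directory.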