ldap auth with nss_ldap on FC4
Uno Engborg
uno at webworks.se
Sun Jun 26 19:19:53 UTC 2005
Daniel Chénard wrote:
>Hi everybody!
>
>I want to know if I'm alone in having detected a little problem with the LDAP
>auth?
>
>In /etc/ldap.conf, if I use rootbinddn for my proxy agent, that doesn't
>seem to work, but it works with binddn and bindpw. My
>/etc/ldap.secret file's mode is 0600 and its owner is root.root.
>
>Thanks for your answer
>
Yes, I have similar problems. I can use LDAP to authenticate users, but
they can't change their password.
My /etc/ldap.conf looks like this:
host 127.0.0.1
base dc=my-domain,dc=com
#rootbinddn cn=Manager,dc=my-domain,dc=com
pam_login_attribute uid
pam_member_attribute memberUid
pam_password md5
nss_base_passwd ou=People,dc=my-domain,dc=com?one
nss_base_shadow ou=People,dc=my-domain,dc=com?one
nss_base_group ou=Group,dc=my-domain,dc=com?one
ssl no
If I uncomment the rootbinddn line, authentication fails.
The problem seems to be on the PAM side. I have no problem using
the LDAP server running on FC4 to authenticate users on FC3
machines; apart from being authenticated, they can also change their
passwords, and root can change the password of any user.
The /etc/openldap/slapd.conf looks like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
database bdb
password-hash {MD5}
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
My /etc/ldap.secret is readable and writable by the user ldap, and only
by that user.
This worked perfectly with the same settings on FC3. Any idea what has
changed?
Regards
Uno Engborg
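The two configurations above differ in where the proxy credential lives: with rootbinddn it sits in /etc/ldap.secret, which the original poster keeps at mode 0600 owned by root and Uno keeps owned by the ldap user; with binddn/bindpw it sits in /etc/ldap.conf itself, which nss_ldap needs every process to be able to read. The following shell script is an added example, not part of this thread or of nss_ldap, that audits a copy of such a pair: it flags a rootbinddn whose secret file is missing, not root-owned, or not mode 0600, and warns when a bindpw is stored in the world-readable ldap.conf. It assumes GNU stat (the -c option); the sample files, the cn=proxyagent DN and the optional third argument (expected owner, used only so the check can be exercised on scratch copies by a non-root user) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nss_ldap/pam_ldap credential
# setup discussed above. Two checks:
#   1. If ldap.conf sets rootbinddn, the companion secret file must exist,
#      be owned by root and be mode 0600 (a file owned by "ldap", as in the
#      reply above, is reported).
#   2. If ldap.conf carries bindpw, warn: nss_ldap needs ldap.conf readable
#      by every process, so a bindpw there is visible to all local users.
# Assumes GNU stat (-c). Paths are parameters so it can be run on copies.
# Returns 0 when there is no finding, 1 otherwise.

audit_ldap_conf() {
    conf=$1
    secret=$2
    want_owner=${3:-root}   # override only when testing on a scratch copy
    rc=0

    # Only an uncommented rootbinddn line counts; "#rootbinddn" is ignored.
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        if [ ! -f "$secret" ]; then
            echo "FAIL: rootbinddn set in $conf but $secret is missing"
            rc=1
        else
            mode=$(stat -c '%a' "$secret")
            owner=$(stat -c '%U' "$secret")
            if [ "$owner" != "$want_owner" ]; then
                echo "FAIL: $secret owned by $owner, expected $want_owner"
                rc=1
            fi
            if [ "$mode" != 600 ]; then
                echo "FAIL: $secret is mode $mode, expected 600"
                rc=1
            fi
        fi
    fi

    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "WARN: bindpw stored in $conf, which must stay world-readable for nss_ldap"
        rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the two variants described in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' 'host 127.0.0.1' 'base dc=my-domain,dc=com' \
    'rootbinddn cn=Manager,dc=my-domain,dc=com' > "$demo_dir/ldap.conf"
printf '%s\n' 'secret' > "$demo_dir/ldap.secret"
chmod 600 "$demo_dir/ldap.secret"
printf '%s\n' 'host 127.0.0.1' 'binddn cn=proxyagent,dc=my-domain,dc=com' \
    'bindpw secret' > "$demo_dir/ldap.conf.bindpw"

echo "== rootbinddn variant (owner check relaxed to the current user) =="
audit_ldap_conf "$demo_dir/ldap.conf" "$demo_dir/ldap.secret" "$(id -un)" && echo "clean"
echo "== binddn/bindpw variant =="
audit_ldap_conf "$demo_dir/ldap.conf.bindpw" "$demo_dir/ldap.secret" || echo "see findings above"
rm -rf "$demo_dir"
```

Run it against copies of the real files with `audit_ldap_conf /etc/ldap.conf /etc/ldap.secret` (no third argument, so root ownership is required). The owner and mode checks are deliberately separate so that a file with the right mode but the wrong owner, the situation in Uno's reply, is still reported.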
More information about the fedora-list mailing list