ldap auth with nss_ldap on FC4

Uno Engborg uno at webworks.se
Sun Jun 26 19:19:53 UTC 2005


Daniel Chénard wrote:

>Hi everybody!
>
>I want to know if I'm the only one who has noticed a little problem with the LDAP
>auth?
>
>In /etc/ldap.conf, if I use rootbinddn for my proxy agent, that doesn't
>seem to work, but it works with binddn and bindpw. My
>file /etc/ldap.secret mode is 0600, owner is root.root
>
>Thanks for your answer
>
Yes, I have similar problems. I can use LDAP to authenticate users but
they can't change their password.

My /etc/ldap.conf looks like this:

host 127.0.0.1
base dc=my-domain,dc=com
#rootbinddn cn=Manager,dc=my-domain,dc=com
pam_login_attribute uid
pam_member_attribute memberUid
pam_password md5
nss_base_passwd ou=People,dc=my-domain,dc=com?one
nss_base_shadow ou=People,dc=my-domain,dc=com?one
nss_base_group          ou=Group,dc=my-domain,dc=com?one
ssl no


If I uncomment the rootbinddn line, authentication fails.
The problem seems to be on the PAM side. I have no problem using
the LDAP server running on FC4 to authenticate users on FC3
machines; besides being authenticated, they can also change their
passwords, and root can change the password of any user.


The /etc/openldap/slapd.conf looks like this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
        by self write
        by users read
        by anonymous auth
database        bdb
password-hash {MD5}
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
rootpw          secret
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub


My /etc/ldap.secret is readable and writable by the user ldap, and only 
by that user.


This worked perfectly with the same settings on FC3. Any idea what has
changed?


Regards
Uno Engborg
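The thread turns on two things: whether rootbinddn is actually in effect in /etc/ldap.conf, and whether /etc/ldap.secret is in the state nss_ldap/pam_ldap expect (the ldap.conf comments ask for mode 0600, owned by root; Daniel's file matches that, Uno's is owned by ldap). The script below is an added example written for this page, not code from the thread, from Fedora or from nss_ldap. It runs the same checks an admin would do by hand against constructed copies of the two files, so it can be tried as an unprivileged user; the file paths, the expected owner uid and the "demo" argument are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from the thread or from nss_ldap/pam_ldap.
# Checks the rootbinddn / ldap.secret setup discussed above. Paths and the
# expected owner uid are arguments so it can run on throw-away copies.

# Print the value of KEY from an ldap.conf-style file (first non-comment
# line whose first word is KEY). A commented-out "#rootbinddn" does not match.
ldapconf_get() {
    file=$1; key=$2
    awk -v key="$key" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$file"
}

# The secret file must be mode 0600 (or 0400) and owned by the uid that
# will read it, which on a real system is root (uid 0). Returns 0 when ok.
check_secret_file() {
    file=$1; want_uid=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c '%a' "$file")
    uid=$(stat -c '%u' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "bad mode $mode on $file (want 0600)"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "bad owner uid $uid on $file (want $want_uid)"; return 1; }
    return 0
}

# Verdict for the rootbinddn setup: 0 = usable, 1 = something is wrong.
check_rootbind() {
    conf=$1; secret=$2; want_uid=$3
    rootbinddn=$(ldapconf_get "$conf" rootbinddn)
    if [ -z "$rootbinddn" ]; then
        echo "rootbinddn not set in $conf (commented out?)"
        return 1
    fi
    check_secret_file "$secret" "$want_uid" || return 1
    # nss_ldap strips the trailing newline from ldap.secret itself, but
    # "ldapsearch -y" uses the file contents verbatim, so a trailing newline
    # makes a manual bind test fail even though the module binds fine.
    if [ "$(tail -c1 "$secret" | wc -l)" -eq 1 ]; then
        echo "note: $secret ends with a newline; ldapsearch -y will send it as part of the password"
    fi
    echo "rootbinddn $rootbinddn with $secret looks usable"
    return 0
}

# Demo on constructed files (not a real system): the commented-out
# rootbinddn from the post, then the same file with it enabled, then a
# world-readable secret.
demo() {
    tmp=$(mktemp -d)
    printf 'host 127.0.0.1\nbase dc=my-domain,dc=com\n#rootbinddn cn=Manager,dc=my-domain,dc=com\n' > "$tmp/ldap.conf"
    printf 'secret' > "$tmp/ldap.secret"
    chmod 600 "$tmp/ldap.secret"
    me=$(id -u)
    check_rootbind "$tmp/ldap.conf" "$tmp/ldap.secret" "$me"     # fails: rootbinddn commented out
    sed 's/^#rootbinddn/rootbinddn/' "$tmp/ldap.conf" > "$tmp/ldap.conf.new"
    mv "$tmp/ldap.conf.new" "$tmp/ldap.conf"
    check_rootbind "$tmp/ldap.conf" "$tmp/ldap.secret" "$me"     # ok
    chmod 644 "$tmp/ldap.secret"
    check_rootbind "$tmp/ldap.conf" "$tmp/ldap.secret" "$me"     # fails: group/other readable
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh check-ldap-secret.sh demo" (the filename is arbitrary) to see the three verdicts. On the real box, the next step after the checks pass is to bind manually with the same credentials the module will use, e.g. ldapsearch -x -D "cn=Manager,dc=my-domain,dc=com" -y /etc/ldap.secret -b "" -s base, remembering that -y sends the whole file, newline included. Two caveats from the pasted slapd.conf are worth checking too: slapd treats a line that starts with whitespace as a continuation of the previous line, so the two "access to dn.base" lines above would be glued onto the argsfile line if the leading spaces are really in the file rather than an artifact of the mail; and "rootpw secret" in clear text is readable by anyone who can read slapd.conf, so the file must be root/ldap-only and a hashed rootpw (slappasswd output) is preferable.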
More information about the fedora-list mailing list