LDAP authentication on FC3

Nigel Wade nmw at ion.le.ac.uk
Mon Jun 13 08:37:37 UTC 2005


Mark wrote:
> Hi,
> 
> I have a problem using LDAP on FC3 for authentication and login.
> 
> So far it worked on FC1 without problem, but the same ldap.conf, nsswitch.conf and system-auth won't work under FC3.
> 
> ldap.conf looks like this:
> 
> base dc=mydomain,dc=com
> host 192.168.1.20
> pam_password md5
> ssl yes
> 
> 
> This gives me the following messages in /var/log/message:
> Jun 12 23:48:27 infra1 sshd(pam_unix)[2716]: check pass; user unknown
> Jun 12 23:48:27 infra1 sshd[2716]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jun 12 23:48:27 infra1 sshd[2716]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> 
> 
> Changing the host parameter in ldap.conf to
> URI ldaps://192.168.1.20
> 
> then gives me a different error message:
> Jun 12 23:54:37 infra1 sshd(pam_unix)[2732]: check pass; user unknown
> Jun 12 23:54:37 infra1 sshd(pam_unix)[2732]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.29
> 
> nscd is NOT running
> Also, I disabled SELINUX
> 
> At the same time, finger and groups commands work, I can also pull up the record using ldapsearch...
> 
> Any ideas what could be the problem?
> 
> Thanks,
> 
> MARK
> 

Don't forget that ldapsearch and nss_ldap/pam_ldap use different copies of 
ldap.conf. One uses /etc/ldap.conf and the other uses 
/etc/openldap/ldap.conf (can't remember which offhand). Make sure both are 
updated correctly, or symlink them. Also, at some stage PAM attempts to bind 
as the rootbinddn using the password in /etc/ldap.secret. Is that set up?

I'd try getting the system working without SSL to begin with (if that's an 
option). At least then you can monitor the network traffic to see what's 
happening. Once LDAP works you can re-introduce the encryption.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
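
The following is an added example, not code from the thread or from nss_ldap/pam_ldap: a small POSIX shell check for the two failure modes the reply points at, the two copies of ldap.conf drifting apart and a rootbinddn configured without a usable secret file. The file paths are arguments (the typical locations, /etc/ldap.conf, /etc/openldap/ldap.conf and /etc/ldap.secret, are only an assumption in the comments), the directive names follow the ldap.conf style shown in the question, and the demo at the end uses constructed files rather than anything from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the two ldap.conf copies
# and the rootbinddn secret that pam_ldap uses. Paths are passed as arguments
# so the check can be run against real or constructed files.

# Print the value of directive $2 (matched case-insensitively) from the
# ldap.conf-style file $1. Prints nothing if the directive is absent.
ldap_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_ldap_conf PAM_CONF CLIENT_CONF SECRET_FILE
#   PAM_CONF    the copy read by nss_ldap/pam_ldap (assumed: /etc/ldap.conf)
#   CLIENT_CONF the copy read by ldapsearch        (assumed: /etc/openldap/ldap.conf)
#   SECRET_FILE the rootbinddn password file       (assumed: /etc/ldap.secret)
# Reports each problem on stdout; returns 0 if none were found, 1 otherwise.
check_ldap_conf() {
    pamconf=$1; cliconf=$2; secret=$3
    rc=0

    # The directives that decide which server is contacted must agree in both
    # copies, otherwise ldapsearch "works" while PAM talks to a different
    # server or port and reports "Can't contact LDAP server".
    for key in base host uri; do
        a=$(ldap_get "$pamconf" "$key")
        b=$(ldap_get "$cliconf" "$key")
        if [ "$a" != "$b" ]; then
            echo "MISMATCH $key: '$a' in $pamconf vs '$b' in $cliconf"
            rc=1
        fi
    done

    # pam_ldap binds as rootbinddn with the password from the secret file;
    # the file must exist, and because it holds a password it should be 0600.
    if [ -n "$(ldap_get "$pamconf" rootbinddn)" ]; then
        if [ ! -f "$secret" ]; then
            echo "MISSING $secret: rootbinddn is set but the secret file does not exist"
            rc=1
        elif [ -z "$(find "$secret" -perm 600)" ]; then
            echo "PERMS $secret: should be mode 600 (it holds the rootbinddn password)"
            rc=1
        fi
    fi
    return $rc
}

# Demo with constructed files: a PAM-side ldap.conf modelled on the one in the
# question (with a rootbinddn added), a stale second copy pointing at another
# server, and a secret file that is readable by everyone.
demo_ldap_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'base dc=mydomain,dc=com' 'host 192.168.1.20' \
        'rootbinddn cn=manager,dc=mydomain,dc=com' 'pam_password md5' 'ssl yes' \
        > "$d/ldap.conf"
    printf '%s\n' 'BASE dc=mydomain,dc=com' 'URI ldaps://192.168.1.21' \
        > "$d/openldap-ldap.conf"
    printf '%s\n' 'constructed-password' > "$d/ldap.secret"
    chmod 644 "$d/ldap.secret"   # deliberately too permissive for the demo
    check_ldap_conf "$d/ldap.conf" "$d/openldap-ldap.conf" "$d/ldap.secret"
    status=$?
    rm -rf "$d"
    return $status
}

if demo_ldap_check; then
    echo "demo: no problems found"
else
    echo "demo: problems found (exit status 1)"
fi
```

Run it as root against the real files (`check_ldap_conf /etc/ldap.conf /etc/openldap/ldap.conf /etc/ldap.secret`) before retrying the login; a clean result means the two copies name the same base and server and the bind password file is present and private, which removes the two configuration-side causes named in the reply before any network or TLS debugging starts.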



