ldap auth with nss_ldap on FC4

Gordon Messmer yinyang at eburg.com
Sun Jun 26 19:50:18 UTC 2005


Uno Engborg wrote:
> Yes, I have similar problems. I can use LDAP to authenticate users but 
> they can't change
> password.

I used the "system-config-authentication" tool (actually, its equivalent 
during the installation) to configure LDAP user info and authentication, 
which works as it should.

> If I uncomment the rootbinddn line, authentication fails.

You normally don't need it, so I'd suggest that you use the included 
config tools to set up a working client configuration, and then decide 
whether or not you have a need for that option.

> The /etc/openldap/slapd.conf looks like this:
> 
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> allow bind_v2
> pidfile         /var/run/slapd.pid
> argsfile        /var/run/slapd.args
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> access to *
>        by self write
>        by users read
>        by anonymous auth

Whoa... Hold up there.  If you let users write to their uid and gid 
attributes, "Bad Things(tm)" can happen.  Be specific about what you 
want users to be able to change, do not use wildcards for write access.

> My /etc/ldap.secret is readable and writable by the user ldap, and only 
> by that user.

If you want to pursue getting "rootbinddn" working after using the 
config tools, that file should be owned and readable only by root.

> This worked perfectly with the same settings on FC3. Any idea what has 
> changed?

I'm not sure, but selinux might be preventing root from reading files 
that it doesn't own.
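A worked example of the attribute-specific ACL the reply asks for, written as a replacement for the quoted "access to *" block. This is an added example and not text from the post or from the OpenLDAP project; the manager DN is a placeholder. In nis.schema the numeric identity attributes are uidNumber and gidNumber, and the point of the example is that "by self write" never reaches them. Remember that slapd evaluates access directives in order and stops at the first "access to" clause that matches the target, so the narrow rules must come before the catch-all.

```conf
# The two existing rules for the root DSE and the subschema stay as they are.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# Passwords: a user may change only their own, everyone else may only use it to bind.
# "self write" already implies auth, so the user can still log in after the change.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# A short, explicit list of self-service attributes that a user may edit on their own entry.
access to attrs=loginShell,mail,telephoneNumber
        by self write
        by users read

# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...) is read-only for
# authenticated users. Only an administrative DN (placeholder) may write; the rootdn
# configured in slapd.conf bypasses ACLs entirely and is not listed here.
access to *
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by users read
        by anonymous auth
```

After editing, run "slaptest" to check the file parses, and confirm the effect as an ordinary bound user: an ldapmodify of your own userPassword should succeed, while the same operation against your own uidNumber or gidNumber should be refused with "Insufficient access".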
