openldap trouble

Craig White craigwhite at azapple.com
Wed Oct 26 14:22:28 UTC 2005


On Wed, 2005-10-26 at 10:08 -0400, Yang Xiao wrote:
> Hi all,
> I'm running openldap-2.2.23-5 on FC4 with nss_ldap. I was able to start
> the server and populate the db using smbldap-tool; ldapsearch works,
> smbldap-useradd works, but I can't seem to make the name switch work. I
> tried both "files ldap" and "compat ldap" for passwd/shadow/group, PAM
> system-auth seems to be ok.
> I think I should be able to see the ldap users when I do "getent
> passwd", but this only shows the passwd file content.
> please help!
>  
> Many thanks!
>  
> - Yang
>  
> #system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> 
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account     required      /lib/security/$ISA/pam_permit.so
> 
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
> 
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> 
> #NSSWITCH
> 
> passwd:     compat ldap
> group:      compat ldap
> 
> hosts:      files dns
> networks:       files dns
> 
> services:   files ldap
> protocols:  files ldap
> rpc:            files
> ethers:         files
> netmasks:       files
> netgroup:   files ldap
> publickey:      files
> 
> bootparams:     files
> automount:  files ldap
> aliases:        files
> 
> shadow:     compat ldap
> 
> #/etc/ldap.conf
> 
> host: 127.0.0.1
> base dc=xxx,dc=com
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn cn=nssldap,ou=DSA,dc=xxx,dc=com
> 
> nss_base_passwd         ou=Users,dc=xxx,dc=com?one
> nss_base_passwd         ou=Computers,dc=xxx,dc=com?one
> nss_base_shadow         ou=Users,dc=xxx,dc=com?one
> nss_base_group          ou=Groups,dc=xxx,dc=com?one 
> 
> pam_password md5
> ssl no
----
it looks pretty good...

what happens when you try from command line?

ldapsearch -x -h 127.0.0.1 -D 'cn=nssldap,ou=DSA,dc=xxx,dc=com' \
-W '(objectclass=*)' |grep uid

does it list users? Obviously the password you use 'MUST' be the same
password you have in /etc/ldap.secret for this to simulate what you are
trying to do.

Craig
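An added diagnostic, not code from the thread or from either poster: it checks the three things the setup above depends on before "getent passwd" can show LDAP users (nsswitch.conf naming the ldap source for passwd/shadow/group, the rootbinddn secret file being readable by its owner only, and the name service returning accounts that /etc/passwd lacks). All paths are arguments, and the sample files it builds are constructed, so it runs offline.

```shell
#!/bin/sh
# Added helpers (not from the thread): check the pieces nss_ldap needs.
# Every path is an argument so the checks can run on copies of real files.

# Return 0 only if passwd, shadow and group all list the "ldap" source.
nsswitch_has_ldap() {
    for db in passwd shadow group; do
        grep -E "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            >/dev/null || return 1
    done
    return 0
}

# The rootbinddn password file must be readable by its owner only (mode 600).
secret_mode_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Print names present in saved "getent passwd" output ($1) but absent from
# the local passwd file ($2). With nss_ldap working these are the LDAP
# users; an empty result is exactly the symptom described in the thread.
ldap_only_users() {
    awk -F: 'NR == FNR { local[$1] = 1; next } !($1 in local) { print $1 }' "$2" "$1"
}

# Constructed sample files (not captured from any real host) for offline runs.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd:     compat ldap\ngroup:      compat ldap\nshadow:     compat ldap\n' \
        > "$d/nsswitch.good"
    printf 'passwd:     files\ngroup:      files\nshadow:     files\n' > "$d/nsswitch.bad"
    printf 'root:x:0:0:root:/root:/bin/bash\nyang:x:500:500::/home/yang:/bin/bash\n' \
        > "$d/passwd"
    cp "$d/passwd" "$d/getent.local"              # what a files-only NSS returns
    { cat "$d/passwd"; printf 'alice:x:1001:513::/home/alice:/bin/bash\n'; } \
        > "$d/getent.ldap"                         # same, plus one LDAP account
    : > "$d/secret";       chmod 600 "$d/secret"
    : > "$d/secret.loose"; chmod 644 "$d/secret.loose"
    echo "$d"
}

# Stand-alone run over the samples.
S=$(make_samples)
nsswitch_has_ldap "$S/nsswitch.good" && echo "nsswitch.conf: ldap enabled for passwd/shadow/group"
secret_mode_ok "$S/secret.loose" || echo "ldap.secret is readable by users other than its owner"
echo "accounts served only by LDAP:"; ldap_only_users "$S/getent.ldap" "$S/passwd"
rm -rf "$S"
```

Against a live host, save `getent passwd` to a file and pass it with /etc/passwd to ldap_only_users; no output while ldapsearch does list users points at nsswitch.conf or ldap.conf rather than at the directory.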

More information about the fedora-list mailing list