Model clarification - was: RE: Fedora LDAP authentication failure

Tay, Gary Gary_Tay at platts.com
Fri Nov 12 02:28:06 UTC 2004


>> /etc/openldap/ldap.conf  is the configuration for the openldap *server*
>> and
>> /etc/ldap.conf  is the configuration for ldap *client* access, including
>>                       PAM and the NSS libraries.

GT: Not true.

GT: $ETC_OPENLDAP/ldap.conf is the configuration file for ALL OpenLDAP
LDAP Clients including the "local" client at the OpenLDAP Server end.
The location of $ETC_OPENLDAP is configured by "./configure", default is
/usr/local/etc/openldap; some distros like RH set it to /etc/openldap.
See "man ldap.conf"

GT: /etc/ldap.conf is usually the configuration file for NSS_LDAP/PAM_LDAP,
again configurable by "./configure". Most distros do not have
"man" pages for NSS_LDAP/PAM_LDAP's ldap.conf, but there is a well
commented sample from PADL in the source tarball.

GT: NSS_LDAP provides nss_ldap.so and affects the /etc/nsswitch.conf
name service switch w.r.t. the LDAP service; PAM_LDAP provides pam_ldap.so,
the LDAP auth module for /etc/pam.conf and/or /etc/pam.d/*.

GT: Yes, /etc/ldap.secret is for "rootdn" binding and is RECOMMENDED NOT
to be needed at the LDAP Clients' end, for security reasons.

If I am incorrect please could someone correct me.

Gary
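As an added illustration of Gary's last point (example script, not part of the thread): a small audit that flags a pam_ldap/nss_ldap client which has been given the rootdn secret. It assumes the PADL-style "rootbinddn" directive in ldap.conf, which makes nss_ldap/pam_ldap read the rootdn password from /etc/ldap.secret, and the conventional root-only mode 0600 on that file; paths are parameters so it can be run against copied files.

```sh
#!/bin/sh
# Added audit example, not from the thread. Checks whether an LDAP *client*
# host carries the rootdn secret that belongs only on the server side.
# Assumption: PADL nss_ldap/pam_ldap semantics, i.e. "rootbinddn" in
# ldap.conf causes the rootdn password to be read from /etc/ldap.secret,
# which is expected to be root-owned and mode 0600.

# check_ldap_secret CONF SECRET
# Prints findings; returns 0 when nothing is found, 1 otherwise.
check_ldap_secret() {
    conf="$1"; secret="$2"; rc=0

    # A rootbinddn directive means lookups/auth bind as the directory rootdn.
    if grep -Eiq '^[[:space:]]*rootbinddn[[:space:]]' "$conf" 2>/dev/null; then
        echo "WARN: rootbinddn set in $conf: this host binds as the LDAP rootdn"
        rc=1
    fi

    if [ -e "$secret" ]; then
        echo "WARN: $secret present: a rootdn password is stored on this host"
        rc=1
        # A group- or world-readable copy exposes the rootdn password to
        # every local user; the file is meant to be mode 0600.
        if [ -n "$(find "$secret" \( -perm -004 -o -perm -040 \) -print)" ]; then
            echo "WARN: $secret is readable by group or others (should be 0600)"
        fi
        if [ ! -s "$secret" ]; then
            echo "NOTE: $secret is empty"
        fi
    fi
    return "$rc"
}

# Usage on a live client: sh thisscript.sh /etc/ldap.conf /etc/ldap.secret
[ $# -eq 2 ] && check_ldap_secret "$1" "$2"
```

A clean client (no rootbinddn, no secret file, binding anonymously or as a low-privilege proxy DN) returns 0; anything else prints the findings and returns 1.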

-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
On Behalf Of Jed Donnelley
Sent: Friday, November 12, 2004 4:11 AM
To: Pluggable Authentication Modules
Cc: Nick Balthaser
Subject: Model clarification - was: RE: Fedora LDAP authentication failure


At 05:08 PM 11/10/2004, Greg Dotts wrote:
>Problem solved!  Thanks to all for the advice, suggestions, and links.
>
>The solution, as usual, was very simple.  Although, I have to express 
>my disappointment that neither of the following points was ever stated 
>in the dozens of documents I've recently referenced in my search for a 
>solution.
>
>First -  There are two 'ldap.conf' files located on my server.  I don't
>know if this is true for all *nix servers.  The first of which is
>installed by OpenLDAP at '/etc/openldap/ldap.conf' and the other
>installed by PAM at '/etc/ldap.conf'.  I was unaware of the existence
>of the PAM '/etc/ldap.conf' file, which was part of the problem.  It is
>well documented and requires modification to work correctly.  I spent
>many hours messing around with '/etc/openldap/ldap.conf' which in the
>end was fine with the basic entries of HOST, BASE, and BINDDN.

I thought I'd take this opportunity to clarify my understanding of the
model used by some of this LDAP software.

My understanding is that the distinction between the above two mentioned
ldap.conf files is that:

/etc/openldap/ldap.conf  is the configuration for the openldap *server*

and

/etc/ldap.conf  is the configuration for ldap *client* access, including
                       PAM and the NSS libraries.

If you are only accessing an LDAP server remotely as a client (and not
setting up a local server for caching or whatever), then you don't need
the /etc/openldap/ldap.conf  file configured at all.  We have some
systems that have a local running openldap server and some without, so
I'm pretty confident both approaches work.  In general we've been using
a local server for caching only in instances where we have large numbers
of local accesses likely to the server.  Otherwise we've been accessing
a shared server instance that's local to a LAN segment.  I'd be
interested to hear what others are doing in this regard.  Of course I
realize this is more LDAP related than PAM related, but since it came up
on this list in the context of this thread I thought I'd mention it
here.

Also, with regard to:

>Second - There needs to exist '/etc/ldap.secret' containing the 
>password to bind with the LDAP server which is used by ldap clients.  
>This file did not exist on my server until a few minutes ago after I 
>created it.

I'm guessing you need this secret only because you're running a local
instance of openldap that needs to synchronize with a remote server. In
most of our client installations we don't need such a "secret" file,
which of course seems a bit of a worry from a security viewpoint.

--Jed http://www.nersc.gov/~jed/  

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com https://www.redhat.com/mailman/listinfo/pam-list