
Re: Fedora LDAP authentication failure



At 02:21 PM 11/10/2004, Greg Dotts wrote:
Greetings Gurus,

I'm at my wits end attempting to configure LDAP authentication on my Fedora
2 server.  I'm not new to Linux, but am new to directory management.
Running debugs on slapd returns positive information when GQ is used to
browse/change the directory, but when I attempt to login via console with
any user other than root results in no contact with the LDAP server.  Root
authenticates OK, but not via LDAP.

Synopsis:

OS=Fedora Core 2, fully updated via APT/Synaptic.
Running current updates of openldap et al, nss_ldap, pam, and openssl.

My LDAP server is working and searchable/writable locally using either GQ or
standard openldap tools.  I have used the tools 'authconfig' and
'system-config-authentication' to enable LDAP authentication and manually
modified 'nsswitch.conf', and '/etc/pam.d/login and /etc/pam.d/system-auth'.

It appears that PAM is not contacting the LDAP server for authentication.
Does anyone have a suggestion as to why this may be?  I know this is a very
open question, but I've struggled with this for about a week and spent
several days searching the internet for answers.  I have followed many
HOW-TO's and rebuilt my LDAP directory about a dozen times.  It appears the
LDAP server is working fine, but no requests are being made from login to
the LDAP server.

Best regards to all,
Greg

You should be able to verify whether or not your system is contacting the LDAP server by looking at the LDAP logs on the server. If there is no contact then my guess is something in /etc/ldap.conf. I don't know about the tools you mentioned above as my configurations have been manual.

Here are a few lines to look for in your ldap.conf:

host ldap128.nersc.gov ldap2.nersc.gov ldap.nersc.gov <your names here of course>
(if you have this and the ssl stuff working and you have
network connectivity - no firewall blockages - then you
should at least see stuff showing up in the LDAP logs)


base ou=people,o=ldapsvc,dc=nersc,dc=gov
(which of course depends on your schema, which could
be an issue if all your automated stuff isn't working for you)

scope sub

pam_groupdn ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
(ditto)

pam_member_attribute memberUid
(ditto)

pam_password md5
(for us - your mileage may vary)

nss_base_shadow         ou=People,o=ldapsvc,dc=nersc,dc=gov
nss_base_group          ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
(brings up the whole nsswitch business.  You should know that
nsswitch can essentially make the ldap content appear as if
it is in /etc/passwd /etc/group /etc/shadow - thereby working
very differently from PAM which authenticates - only, no
groups - separately through the various applications)

ssl start_tls
ssl on
(your mileage may vary)

Good luck!

--Jed http://www.nersc.gov/~jed/
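As an added illustration of the checks in the reply above (not code from either poster): a small lint for a pam_ldap/nss_ldap style ldap.conf and for nsswitch.conf. It parses the directives Jed lists, flags missing or misspelled ones, warns when more than one `ssl` directive is present, and reports which of passwd/shadow/group in nsswitch.conf are actually routed to ldap. The config text is a constructed sample with example.org names; the directive list is the one from the reply plus common nss_ldap keys.

```python
"""Lint a pam_ldap/nss_ldap ldap.conf and nsswitch.conf for the directives
discussed in the reply. Sample inputs below are constructed, not a real site."""
import difflib

REQUIRED = ("host", "base", "nss_base_passwd", "nss_base_shadow", "nss_base_group")
RECOMMENDED = ("scope", "pam_password", "pam_groupdn", "pam_member_attribute")
KNOWN = set(REQUIRED) | set(RECOMMENDED) | {
    "ssl", "uri", "port", "binddn", "bindpw", "rootbinddn", "ldap_version",
    "bind_policy", "pam_filter", "pam_login_attribute", "tls_checkpeer",
    "tls_cacertfile", "tls_cacertdir"}

def parse_ldap_conf(text):
    """ldap.conf is 'directive<ws>value' per line, '#' starts a comment.
    Returns {directive: [values]} so repeated directives are visible."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def lint_ldap_conf(conf):
    """Return a list of human-readable problems, in a stable order."""
    problems = [f"missing required directive: {k}" for k in REQUIRED if k not in conf]
    problems += [f"missing directive (PAM lookups may fail): {k}" for k in RECOMMENDED if k not in conf]
    if len(conf.get("ssl", [])) > 1:   # 'ssl' takes one of on/off/start_tls, not several lines
        problems.append("conflicting ssl directives: " + ", ".join(conf["ssl"]))
    for key in conf:                   # catch typos such as pam_member_attrubute
        if key not in KNOWN:
            hint = difflib.get_close_matches(key, sorted(KNOWN), n=1)
            problems.append(f"unknown directive {key!r}" + (f" (did you mean {hint[0]!r}?)" if hint else ""))
    return problems

def nsswitch_uses_ldap(text):
    """Return the subset of passwd/shadow/group whose nsswitch sources include ldap."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        db, sep, sources = line.partition(":")
        if sep and db.strip() in ("passwd", "shadow", "group") and "ldap" in sources.split():
            found.add(db.strip())
    return found

# Constructed sample modelled on the lines quoted in the reply, with two deliberate slips.
SAMPLE_LDAP_CONF = """host ldap.example.org
base ou=people,o=ldapsvc,dc=example,dc=org
scope sub
pam_groupdn ou=PosixGroup,o=ldapsvc,dc=example,dc=org
pam_member_attrubute memberUid
pam_password md5
nss_base_shadow  ou=People,o=ldapsvc,dc=example,dc=org
nss_base_group   ou=PosixGroup,o=ldapsvc,dc=example,dc=org
ssl start_tls
ssl on
"""
SAMPLE_NSSWITCH = "passwd:  files ldap\nshadow:  files\ngroup:   files ldap\n"

if __name__ == "__main__":
    for p in lint_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("ldap.conf:", p)
    print("nsswitch routes to ldap:", sorted(nsswitch_uses_ldap(SAMPLE_NSSWITCH)))
```

On the sample this reports the missing nss_base_passwd, the misspelled pam_member_attribute, the two ssl lines, and that shadow is not served from ldap even though passwd and group are.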

