Fedora LDAP authentication failure

Jed Donnelley jed at nersc.gov
Wed Nov 10 23:49:52 UTC 2004


At 02:21 PM 11/10/2004, Greg Dotts wrote:
>Greetings Gurus,
>
>I'm at my wit's end attempting to configure LDAP authentication on my Fedora
>2 server.  I'm not new to Linux, but am new to directory management.
>Running debugs on slapd returns positive information when GQ is used to
>browse/change the directory, but when I attempt to log in via console with
>any user other than root, the result is no contact with the LDAP server.  Root
>authenticates OK, but not via LDAP.
>
>Synopsis:
>
>OS=Fedora Core 2, fully updated via APT/Synaptic.
>Running current updates of openldap et al, nss_ldap, pam, and openssl.
>
>My LDAP server is working and searchable/writable locally using either GQ or
>standard openldap tools.  I have used the tools 'authconfig' and
>'system-config-authentication' to enable LDAP authentication and manually
>modified 'nsswitch.conf', and '/etc/pam.d/login and /etc/pam.d/system-auth'.
>
>It appears that PAM is not contacting the LDAP server for authentication.
>Does anyone have a suggestion as to why this may be?  I know this is a very
>open question, but I've struggled with this for about a week and spent
>several days searching the internet for answers.  I have followed many
>HOW-TOs and rebuilt my LDAP directory about a dozen times.  It appears the
>LDAP server is working fine, but no requests are being made from login to
>the LDAP server.
>
>Best regards to all,
>Greg

You should be able to verify whether or not your system is contacting the
LDAP server by looking at the LDAP logs on the server.  If there is no
contact then my guess is something in /etc/ldap.conf.  I don't know about
the tools you mentioned above as my configurations have been manual.

Here are a few lines to look for in your ldap.conf:

host ldap128.nersc.gov ldap2.nersc.gov ldap.nersc.gov <your names here of course>
(if you have this and the ssl stuff working and you have
network connectivity - no firewall blockages - then you
should at least see stuff showing up in the LDAP logs)

base ou=people,o=ldapsvc,dc=nersc,dc=gov
(which of course depends on your schema, which could
be an issue if all your automated stuff isn't working for you)

scope sub

pam_groupdn ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
(ditto)

pam_member_attribute memberUid
(ditto)

pam_password md5
(for us - your mileage may vary)

nss_base_shadow         ou=People,o=ldapsvc,dc=nersc,dc=gov
nss_base_group          ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
(brings up the whole nsswitch business.  You should know that
nsswitch can essentially make the ldap content appear as if
it is in /etc/passwd /etc/group /etc/shadow - thereby working
very differently from PAM which authenticates - only, no
groups - separately through the various applications)

ssl start_tls
ssl on
(your mileage may vary)

Good luck!

--Jed http://www.nersc.gov/~jed/ 
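As an added example, not part of Jed's reply or Greg's post: a small Python linter for the two files the thread turns on, /etc/ldap.conf (nss_ldap/pam_ldap directive format) and /etc/nsswitch.conf. It flags the quiet failures that leave PAM never contacting the server: a missing host/base, a misspelled directive (the library ignores unknown keys without complaint), a placeholder left in a value, duplicate ssl lines where only the last one counts, no TLS at all, and passwd/shadow/group lines in nsswitch.conf that do not list ldap. The sample file contents, host names and DNs are constructed for the example; the directive names are the ones nss_ldap/pam_ldap actually accept.

```python
"""Lint an nss_ldap/pam_ldap style /etc/ldap.conf and an /etc/nsswitch.conf
for the mistakes that leave PAM silently never contacting the LDAP server.
Added example; the sample file contents below are constructed, not a real site's."""

# Directives nss_ldap/pam_ldap understand (a subset sufficient for this check).
KNOWN_DIRECTIVES = {
    "host", "uri", "port", "base", "scope", "ldap_version", "binddn", "bindpw",
    "rootbinddn", "bind_policy", "timelimit", "bind_timelimit",
    "pam_groupdn", "pam_member_attribute", "pam_password", "pam_filter",
    "pam_login_attribute", "nss_base_passwd", "nss_base_shadow",
    "nss_base_group", "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
}

# Constructed sample: note the misspelled directive and the two ssl lines.
SAMPLE_LDAP_CONF = """\
# constructed sample ldap.conf
host ldap.example.com ldap2.example.com
base ou=People,dc=example,dc=com
scope sub
pam_groupdn ou=PosixGroup,dc=example,dc=com
pam_member_attrubute memberUid
pam_password md5
nss_base_shadow ou=People,dc=example,dc=com
nss_base_group  ou=PosixGroup,dc=example,dc=com
ssl start_tls
ssl on
"""

# Constructed sample: shadow lookups never reach LDAP here.
SAMPLE_NSSWITCH = """\
passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
"""


def parse_ldap_conf(text):
    """Return (key, value) pairs in file order; keys lower-cased, comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_ldap_conf(text):
    """Return a list of 'error: ...' / 'warning: ...' strings for an ldap.conf text."""
    entries = parse_ldap_conf(text)
    keys = [k for k, _ in entries]
    findings = []
    if "host" not in keys and "uri" not in keys:
        findings.append("error: no 'host' or 'uri' directive; the client has no server to contact")
    if "base" not in keys:
        findings.append("error: no 'base' directive; searches have no starting point")
    for key, value in entries:
        if key not in KNOWN_DIRECTIVES:
            findings.append(f"error: unknown directive '{key}' (typo?); it is ignored silently")
        elif "<" in value:
            findings.append(f"error: '{key}' still holds a placeholder value: {value}")
    # nss_ldap reads every 'ssl' line; the last one is the setting that takes effect.
    ssl_values = [v.lower() for k, v in entries if k == "ssl"]
    if len(ssl_values) > 1:
        findings.append(f"warning: {len(ssl_values)} 'ssl' directives ({', '.join(ssl_values)}); the last one wins")
    if not ssl_values or ssl_values[-1] not in ("on", "yes", "start_tls"):
        findings.append("warning: no 'ssl on' or 'ssl start_tls'; bind passwords would cross the network in clear text")
    return findings


def lint_nsswitch(text):
    """Check that passwd, shadow and group lookups include the ldap source."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, srcs = line.partition(":")
        sources[db.strip()] = srcs.split()
    findings = []
    for db in ("passwd", "shadow", "group"):
        listed = sources.get(db, [])
        if "ldap" not in listed:
            shown = " ".join(listed) or "absent"
            findings.append(f"warning: nsswitch '{db}' does not list ldap ({shown}); LDAP accounts will not resolve")
    return findings


if __name__ == "__main__":
    for name, findings in (("ldap.conf", lint_ldap_conf(SAMPLE_LDAP_CONF)),
                           ("nsswitch.conf", lint_nsswitch(SAMPLE_NSSWITCH))):
        print(f"== {name}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Run it against the real files with `lint_ldap_conf(open("/etc/ldap.conf").read())` and the nsswitch equivalent. The directive check is what catches the case in this thread: a mistyped key such as `pam_member_attrubute` produces no error from the library, it simply never applies, and the only visible symptom is that nothing ever reaches the server log Jed suggests watching.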