[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Model clarification - was: RE: Fedora LDAP authentication failure



At 05:08 PM 11/10/2004, Greg Dotts wrote:
Problem solved! Thanks to all for the advice, suggestions, and links.

The solution, as usual, was very simple.  Although, I have to express my
disappointment that neither of the following points was ever stated in the
dozens of documents I've recently referenced in my search for a solution.

First -  There are two 'ldap.conf' files located on my server.  I don't know
if this is true for all *nix servers.  The first of which is installed by
OpenLDAP at '/etc/openldap/ldap.conf' and the other installed by PAM at
'/etc/ldap.conf'.  I was unaware of the existence of the PAM
'/etc/ldap.conf' file, which was part of the problem.  It is well documented
and requires modification to work correctly.  I spend many hours messing
around with /etc/openldap/ldap.conf' which in the end was fine with the
basic entries of HOST, BASE, and BINDDN.

I thought I'd take this opportunity to clarify my understanding of the model used by some of this LDAP software.

My understanding is that the distinction between the above two mentioned
ldap.conf files is that:

/etc/openldap/ldap.conf is the configuration for the openldap *server*

and

/etc/ldap.conf  is the configuration for ldap *client* access, including
                      PAM and the NSS libraries.

If you are only accessing an LDAP server remotely as a client (and not
setting up a local server for caching or whatever), then you don't need
the /etc/openldap/ldap.conf  file configured at all.  We have some systems
that have a local running openldap server and some without, so I'm
pretty confident both approaches work.  In general we've been using
a local server for caching only in instances where we have large numbers
of local accesses likely to the server.  Otherwise we've been accessing
a shared server instance that's local to a LAN segment.  I'd be interested
to hear what others are doing in this regard.  Of course I realize this is
more LDAP related than PAM related, but since it came up on this list
in the context of this thread I thought I'd mention it here.

Also, with regard to:

Second - There needs to exist '/etc/ldap.secret' containing the password to
bind with the LDAP server which is used by ldap clients.  This file did not
exist on my server until a few minutes ago after I created it.

I'm guessing you need this secret only because you're running a local instance of openldap that needs to synchronize with a remote server. In most of our client installations we don't need such a "secret" file, which of course seems a bit of a worry from a security viewpoint.

--Jed http://www.nersc.gov/~jed/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]