Model clarification - was: RE: Fedora LDAP authentication failure

Jed Donnelley jed at nersc.gov
Thu Nov 11 20:11:22 UTC 2004


At 05:08 PM 11/10/2004, Greg Dotts wrote:
>Problem solved!  Thanks to all for the advice, suggestions, and links.
>
>The solution, as usual, was very simple.  Although, I have to express my
>disappointment that neither of the following points was ever stated in the
>dozens of documents I've recently referenced in my search for a solution.
>
>First -  There are two 'ldap.conf' files located on my server.  I don't know
>if this is true for all *nix servers.  The first of which is installed by
>OpenLDAP at '/etc/openldap/ldap.conf' and the other installed by PAM at
>'/etc/ldap.conf'.  I was unaware of the existence of the PAM
>'/etc/ldap.conf' file, which was part of the problem.  It is well documented
>and requires modification to work correctly.  I spent many hours messing
>around with '/etc/openldap/ldap.conf' which in the end was fine with the
>basic entries of HOST, BASE, and BINDDN.

I thought I'd take this opportunity to clarify my understanding of the model
used by some of this LDAP software.

My understanding is that the distinction between the above two mentioned
ldap.conf files is that:

/etc/openldap/ldap.conf  is the configuration for the openldap *server*

and

/etc/ldap.conf  is the configuration for ldap *client* access, including
PAM and the NSS libraries.

If you are only accessing an LDAP server remotely as a client (and not
setting up a local server for caching or whatever), then you don't need
the /etc/openldap/ldap.conf  file configured at all.  We have some systems
that have a local running openldap server and some without, so I'm
pretty confident both approaches work.  In general we've been using
a local server for caching only in instances where we have large numbers
of local accesses likely to the server.  Otherwise we've been accessing
a shared server instance that's local to a LAN segment.  I'd be interested
to hear what others are doing in this regard.  Of course I realize this is
more LDAP related than PAM related, but since it came up on this list
in the context of this thread I thought I'd mention it here.

Also, with regard to:

>Second - There needs to exist '/etc/ldap.secret' containing the password to
>bind with the LDAP server which is used by ldap clients.  This file did not
>exist on my server until a few minutes ago after I created it.

I'm guessing you need this secret only because you're running a local
instance of openldap that needs to synchronize with a remote server.
In most of our client installations we don't need such a "secret" file,
which of course seems a bit of a worry from a security viewpoint.

--Jed http://www.nersc.gov/~jed/  
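An added example, not part of the thread or of either poster's setup: a POSIX shell audit of the two client-side files discussed above. It assumes the pam_ldap/nss_ldap directives `rootbinddn` and `bindpw`, and takes the ldap.conf and ldap.secret paths as parameters so it can be run against constructed copies rather than the live /etc files.

```shell
#!/bin/sh
# Audit pam_ldap/nss_ldap client files (added example, not from the thread).
# The "secret" file the thread worries about only stays secret if nobody but
# root can read it, and a bind password belongs there, not in the
# world-readable /etc/ldap.conf.

# check_secret_file FILE
#   Returns 0 when FILE is a regular, non-empty file with no group/other
#   permission bits (0600, 0400, ...); prints the reason and returns 1 otherwise.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    [ -s "$f" ] || { echo "$f: empty"; return 1; }
    # GNU stat first, BSD stat as fallback; result is an octal string like 600.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    # Leading 0 makes the arithmetic treat the string as octal; 077 masks
    # the group and other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$f: mode $mode is readable by group or others"
        return 1
    fi
    return 0
}

# check_ldap_conf CONF SECRET
#   CONF is the pam_ldap/nss_ldap ldap.conf (normally /etc/ldap.conf), SECRET
#   the file named by the thread as /etc/ldap.secret. A "bindpw" line in CONF
#   fails the check because CONF is world-readable by design; when
#   "rootbinddn" is set, the password is read from SECRET, which is audited.
check_ldap_conf() {
    conf=$1; secret=$2
    [ -f "$conf" ] || { echo "$conf: missing"; return 1; }
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "$conf: bindpw in a world-readable file; use rootbinddn and $secret"
        return 1
    fi
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        check_secret_file "$secret" || return 1
    fi
    return 0
}
```

Run as `check_ldap_conf /etc/ldap.conf /etc/ldap.secret` on a client; a non-zero exit with a printed reason is the finding.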