nss/pam w/ openLDAP

Hi,

I am trying to get nss_ldap and pam_ldap to authenticate users and allow
them to change their passwords against an LDAP server. Both the server
and client machines are running RedHat 6.2/OpenLDAP 1.2.11. I have
compiled the latest pam_ldap on the client machine and copied the pam.d
files into /etc/pam.d. I did a 'make -f Makefile.linux' for nss_ldap and
copied the nsswitch.ldap and ldap.conf files from the source directory to
/etc. I modified the ldap.conf so it reads as below. The LDAP server has a
defaultaccess of write at the moment. Users that exist on the client
system seem to be authenticated against the LDAP server, as I don't get any
errors in /var/log/messages unless I type a wrong password, and then it
shows that the credentials failed for the LDAP server. If a user doesn't
exist on the client system but does in the LDAP server, it gives an error
that there is no such user! Any ideas what is wrong here??

Also, 'passwd' changing fails to update the LDAP server with the new
password!???

I noticed one of the files in the source said you should have a file
called libnss_ldap.so.1 in your /lib directory but I don't! What I do have
is a file called libnss_ldap-2.1.3.so in the source directory. Could this
be the same file?


What is the irs.conf file for? I haven't touched it. Do I need it for what
I want...all the HOWTOs/FAQs I've read don't mention it!??


I've been at this for ages so any help would be greatly appreciated.
Thanks,
Ross

##########/etc/ldap.conf###############

#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# To contact the developers, mail support@padl.com.
#

# If the host and base aren't here, then the DNS RR
# _ldap._tcp.<defaultdomain>. will be resolved. <defaultdomain>
# will be mapped to a distinguished name and the target host
# will be used as the server.

# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base o=UL,c=IE

# The LDAP version to use (defaults to 2)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=manager,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# The following options are specific to nss_ldap.

# The hashing algorithm your libc uses.
# Optional: default is des
#crypt md5
#crypt sha
#crypt des

# The following options are specific to pam_ldap.

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_crypt local
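A small diagnostic for the client-side steps described in the post, added here as an example and not part of the original message: it checks the things that most often explain the "no such user" symptom, namely that nsswitch.conf actually lists ldap for passwd/shadow/group, that ldap.conf has host and base uncommented, and that glibc can find the module under the libnss_ldap.so.N name it loads (N is 1 for glibc 2.0, 2 for glibc 2.1 and later; a libnss_ldap-<version>.so left in the build directory is not picked up). File paths are parameters (an assumption) so it can be run against copies of the files.

```sh
#!/bin/sh
# Diagnostic for an nss_ldap/pam_ldap client. Assumed layout: nss_ldap's
# nsswitch.ldap copied to /etc/nsswitch.conf and ldap.conf to /etc/ldap.conf.

# nss_has_ldap FILE DB: succeed if the DB line (passwd, shadow or group)
# lists the "ldap" source. Anything after '#' is ignored as a comment.
nss_has_ldap() {
    sed 's/#.*//' "$1" | awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# ldapconf_value FILE KEY: print the value of an uncommented KEY line
# (e.g. "base o=UL,c=IE" -> "o=UL,c=IE"); prints nothing if KEY is absent.
ldapconf_value() {
    sed 's/#.*//' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# nss_lib_present LIBDIR: glibc's NSS loader dlopen()s libnss_ldap.so.N,
# so the module must exist under that name (or be symlinked to it).
nss_lib_present() {
    [ -e "$1/libnss_ldap.so.1" ] || [ -e "$1/libnss_ldap.so.2" ]
}

# check_ldap_client NSSWITCH LDAPCONF LIBDIR: run all checks, print each
# failure, return 0 only if every check passed.
# Usage on a live host: check_ldap_client /etc/nsswitch.conf /etc/ldap.conf /lib
check_ldap_client() {
    nss="$1"; conf="$2"; libdir="$3"; rc=0
    for db in passwd shadow group; do
        nss_has_ldap "$nss" "$db" || { echo "nsswitch: '$db' line does not list ldap"; rc=1; }
    done
    for key in host base; do
        [ -n "$(ldapconf_value "$conf" "$key")" ] || { echo "ldap.conf: '$key' is not set"; rc=1; }
    done
    nss_lib_present "$libdir" || { echo "no libnss_ldap.so.1 or .so.2 in $libdir"; rc=1; }
    return $rc
}
```

The script says nothing about the server side; note that a slapd `defaultaccess write`, as in the post, lets any bind (anonymous included) modify entries, so it should be narrowed once testing is over.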