
PAM LDAP naming context question



Hi:

I'm a newbie to LDAP, but I have been charged with the task of setting up an 
LDAP server for user authentication purposes.  Further, management specifies 
use of Netscape Directory Server 4.13 under Solaris 8.  With some pain, I've 
gotten the server working and Solaris 8 clients are able to authenticate 
users with it.

However, we also have some Debian Linux boxes and I am having trouble getting 
those to authenticate with the Netscape Directory Server.  I don't know if 
this complicates things, but I am not using 'ldap' and not 'ldaps'.  After 
all, I'm mainly interested in proof of concept.

On the Debian (woody) system, I have the 'libnss-ldap' and 'libpam-ldap' 
packages installed and I have made appropriate customisations to 
/etc/pam.d/login and /etc/ldap/ldap.conf files. It seems the PAM part is 
working because I now get prompted for a password twice on a login attempt.  
If the user is in the local files, login works.  It seems the problem is with 
the LDAP communication end of things.

Specifically, it seems the naming context is problematic.  When I set up the 
Netscape Directory Server, I use 'o=press.uchicago.edu' as the naming 
context.  I put the following lines into the /etc/ldap/ldap.conf file:

BASE    o=press.uchicago.edu
BINDDN cn=proxyagent,ou=profile
bindpw passwordgoeshere
SASL_SECPROPS none

Yet, when I try to log in as 'jdoe' (creative name, I know, but it is able 
to log in with a Solaris client), here is what the Netscape Directory Server 
gets:

[05/Dec/2001:17:06:38 -0600] conn=12 op=0 BIND dn="" method=128 version=3
[05/Dec/2001:17:06:38 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Dec/2001:17:06:38 -0600] conn=12 op=1 SRCH base="dc=press,dc=uchicago,dc=edu" scope=2 filter="(uid=jdoe)"
[05/Dec/2001:17:06:38 -0600] conn=12 op=1 RESULT err=32 tag=101 nentries=0 etime=0

The search is failing because the naming context is wrong.  Am I missing 
something or does the PAM LDAP module require that the server be set up to 
use the 'dc=...' form of the naming context?

Thanks,

-- 
Roy Bixler <rcb@press.uchicago.edu>
The University of Chicago Press
http://www.press.uchicago.edu
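An added diagnostic for the situation described in this post (example code written here; it is not from the original thread nor from the pam_ldap or nss_ldap projects). It parses Netscape/iPlanet Directory Server access-log records of the form quoted above (the four lines are reconstructed here from the post, with the wrapped SRCH record split back out) together with the ldap.conf-style settings quoted above, and reports each place where what the server saw disagrees with what the client was configured to send. Two disagreements are visible in the post itself: the bind is anonymous (dn="") although a BINDDN is set, and the search base arrives in dc= form although BASE is the o= form; err=32 is LDAP noSuchObject, the result a server returns when the search base does not exist in any of its naming contexts. A divergence like this usually means the client library is not reading the file that was edited; on Debian, libpam-ldap and libnss-ldap read /etc/pam_ldap.conf and /etc/libnss-ldap.conf respectively, while /etc/ldap/ldap.conf configures the OpenLDAP client library. The bindpw value is parsed but never compared or printed, since a bind password in a client config file is a secret and should not appear in diagnostics.

```python
import re

# Constructed sample: the four access-log records quoted in the post.
SAMPLE_LOG = """\
[05/Dec/2001:17:06:38 -0600] conn=12 op=0 BIND dn="" method=128 version=3
[05/Dec/2001:17:06:38 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Dec/2001:17:06:38 -0600] conn=12 op=1 SRCH base="dc=press,dc=uchicago,dc=edu" scope=2 filter="(uid=jdoe)"
[05/Dec/2001:17:06:38 -0600] conn=12 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""

# Constructed sample: the client settings quoted in the post.
CLIENT_CONF = """\
BASE    o=press.uchicago.edu
BINDDN cn=proxyagent,ou=profile
bindpw passwordgoeshere
SASL_SECPROPS none
"""

LDAP_NO_SUCH_OBJECT = 32  # LDAP resultCode noSuchObject (RFC 4511)

# "[timestamp] conn=N op=N KIND rest..."
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+(?P<kind>[A-Z]+)(?P<rest>.*)$'
)
# key=value pairs; values are either a double-quoted string or a bare token
ATTR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn, base):
    """True if dn equals base or lies beneath it (e.g. uid=x,ou=people,<base>)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return bool(dn) and (dn == base or dn.endswith("," + base))


def parse_client_conf(text):
    """Parse 'KEY value' lines into a dict with lower-cased keys; '#' lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_access_log(text):
    """Return one dict per access-log record: ts, conn, op, kind, plus its key=value attributes."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an operation record (e.g. a blank or continuation line)
        rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
        for key, val in ATTR_RE.findall(m["rest"]):
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            rec[key] = val
        records.append(rec)
    return records


def check_client_against_log(conf_text, log_text):
    """Compare what the server logged with what the client config says it should send.

    Returns a list of (conn, op, code, detail) findings, in log order.
    """
    conf = parse_client_conf(conf_text)
    expected_base = conf.get("base", "")
    expected_binddn = conf.get("binddn", "")
    findings = []
    requests = {}  # (conn, op) -> request record, so RESULT lines can be matched to them
    for rec in parse_access_log(log_text):
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "BIND":
            requests[key] = rec
            seen = rec.get("dn", "")
            if normalize_dn(seen) != normalize_dn(expected_binddn):
                findings.append((rec["conn"], rec["op"], "bind-dn-mismatch",
                                 "server saw dn=%r, config BINDDN is %r" % (seen, expected_binddn)))
        elif rec["kind"] == "SRCH":
            requests[key] = rec
            seen = rec.get("base", "")
            if expected_base and not dn_under_base(seen, expected_base):
                findings.append((rec["conn"], rec["op"], "base-mismatch",
                                 "server saw base=%r, config BASE is %r" % (seen, expected_base)))
        elif rec["kind"] == "RESULT":
            req = requests.get(key)
            if req and req["kind"] == "SRCH" and int(rec.get("err", "0")) == LDAP_NO_SUCH_OBJECT:
                findings.append((rec["conn"], rec["op"], "no-such-object",
                                 "search base %r does not exist on the server" % req.get("base", "")))
    return findings


if __name__ == "__main__":
    for conn, op, code, detail in check_client_against_log(CLIENT_CONF, SAMPLE_LOG):
        print("conn=%d op=%d %s: %s" % (conn, op, code, detail))
```

Run against a real access log by feeding the file contents in place of the constructed sample; the findings list is empty when every bind used the configured BINDDN and every search base sat at or under the configured BASE.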