
Re: i have no name!



On Thu, 13 Feb 2003, John Dalbec wrote:

> Brian K. Jones wrote:
...
> > I did see one post which mentioned changing perms on a file called
> > libnss-ldap.conf, which I don't even have on any of my systems, and have
> > never seen documented.  The /etc/ldap.conf and /etc/openldap/ldap.conf
> > files were made world readable, but this didn't solve the problem.  

In /etc/ldap.conf (I'm assuming you are using nss_ldap from padl) add the
directives:

binddn (dn of a bind user)
bindpw (password of the user)

We have created a user who has read access to the required attributes to
do mapping.  That should make it so that the uids/gids get mapped.

To get SSL working, set the directives:
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1

If you do have the server key shared and everything there is
right, set tls_checkpeer to yes.  

> Actually ordinary users access the directory anonymously.  Otherwise the 
> system would have to repeatedly ask you to enter your password in order 
> to bind as you.  Root is an exception because there's only one password 
> that it has to use (in /etc/ldap.secret).  Try "by anonymous read" in 
> your ACL.  You might want to have a separate "access to 
> attr=userPassword" paragraph so your encrypted passwords are not exposed.
> John

The only time pam_ldap and nss_ldap are required to bind as the user is
when the user logs in, or when the user does a password change (or other
type of modification).

We have found that using the root user (admin or
whatever) and /etc/ldap.secret are not really required.

BTW, we are authenticating mostly Linux (about 20 or 30 servers, plus a 20
or so seat lab and a few other workstations, maybe 50-55 systems overall)
to LDAP.  We have just managed to get our Tru64 5.1b cluster
authenticating as well.

Hope that helps!

Regards
James Bourne

> > brian.

-- 
James Bourne, Supervisor Data Centre Operations
Mount Royal College, Calgary, AB, CA
www.mtroyal.ab.ca



"There are only 10 types of people in this world: those who
understand binary and those who don't."
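An added audit script (not from this thread or from nss_ldap itself) that parses the /etc/ldap.conf directives discussed above and reports the trade-offs they imply: tls_checkpeer not set to yes, a bindpw sent without TLS, and a bindpw in a world-readable file, which is exactly why the bind user should hold only the read rights needed for uid/gid mapping. The sample configuration, the host name and the bind DN are constructed placeholders.

```python
import stat

# Constructed sample of the /etc/ldap.conf settings recommended in the mail;
# host, base and bind DN are hypothetical.
SAMPLE_CONF = """\
# nss_ldap / pam_ldap client settings (constructed example)
host ldap.example.org
base dc=example,dc=org
binddn cn=nss-reader,dc=example,dc=org
bindpw placeholder-secret
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
"""

def parse_ldap_conf(text):
    """nss_ldap format: one 'keyword value' per line, keywords are
    case-insensitive, lines starting with '#' are comments, and a later
    line overrides an earlier one with the same keyword."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text, mode):
    """Return (severity, message) findings for an ldap.conf body and the
    file's permission bits (e.g. 0o644 for a world-readable file)."""
    conf = parse_ldap_conf(text)
    findings = []
    tls_on = conf.get("ssl", "off").lower() in ("on", "start_tls", "yes")
    checkpeer = conf.get("tls_checkpeer", "").lower()
    if tls_on and checkpeer != "yes":
        findings.append(("warn", "tls_checkpeer is not explicitly yes: the "
                         "server certificate is not verified, so TLS stops "
                         "sniffing but not server impersonation"))
    if tls_on and checkpeer == "yes" and not (
            conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("warn", "tls_checkpeer yes needs tls_cacertfile or "
                         "tls_cacertdir, otherwise there is no CA to verify "
                         "the server certificate against"))
    if "bindpw" in conf and not tls_on:
        findings.append(("warn", "bindpw is sent over the network in clear"))
    if "bindpw" in conf and mode & stat.S_IROTH:
        findings.append(("info", "bindpw is readable by every local user "
                         "(nss_ldap needs the file readable); give the bind "
                         "DN only the read access required for uid/gid mapping"))
    return findings
```

Running `audit_ldap_conf(SAMPLE_CONF, 0o644)` on the sample flags the unverified peer and the locally readable bindpw; switching tls_checkpeer to yes and adding a tls_cacertfile clears the first, and the second remains by design.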