
LDAP - Authentication and SAMBA

A couple of quick items - I am new to the list, and just started to set up an LDAP
system to work as an authentication machine for a SAMBA/WINDOZE system.

REDHAT 7.3
SAMBA 2.2.8
OPENLDAP openldap-2.0.27-2.7.3

I basically followed the tutorial:

http://www.mandrakesecure.net/en/docs/ldap-auth.php

and had some hand holding from someone that has also done the same.

First, in that howto, it said that PAM_LDAP was not needed to do basic Linux
authentication... well, I couldn't get anywhere until I added pam_ldap to the
/etc/pam.d/system-auth stack.  However, I got hosed and frozen out of the
system, and narrowed it down to the line:

account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/pam_ldap.so

Whenever I put that in, I was effectively locked out of the system if the
ldap service wasn't started, even though my /etc/nsswitch.conf read "files
ldap" for the search order.  If I changed it to:

account     sufficient /lib/security/pam_ldap.so

I was fine with or without ldap started, and when ldap was started I could
authenticate off LDAP.

Has anyone else experienced this, or can anyone explain it to me?  I left it as
sufficient, because after redoing a setup twice because of a lockout, I
didn't want the service to fail after a reboot and hold me dead.

Second... I am going to use this as a complete user authentication database
for our network.  However, I usually do not maintain the adding/deleting of
the user accounts; a non-IT person takes care of it.  So I am looking for a
very easy way to add/edit users.  I have heard conflicting stories about the
webmin LDAP module.  I have been looking at the sambaldaptools at:
http://samba.idealx.org/ (there is an English how-to PDF on the side) and
was thinking about calling those from a simple web script (my perl is far
from elegant)... lastly I also found these:

http://yolinux.com/TUTORIALS/LinuxTutorialaWebDap.html
http://yala.sourceforge.net/

It really doesn't need to be anything special; I will most likely make a call
from a different page where we enter the user data for our web system.  It is
the same information, so it would call this interface URL with arguments.

If anyone can give me some guidance for a good utility as well as answer
that strange PAM_LDAP question, please do.

In addition, if there is anyone trying this out and wants to bounce ideas
back and forth, this crap is always easier with multiple brains...

Thanks
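The PAM control-flag semantics behind the lockout described in the post, as an added example that is not part of the original message or of any project it names: a small Python model of how Linux-PAM walks an account stack per pam.conf(5). It assumes a Red Hat-style stack of pam_unix followed by pam_ldap, and assumes that pam_ldap reports an unreachable directory as authinfo_unavail, a return code the page's bracketed line does not list, so its default=bad applies; the pam_ldap return codes fed in are constructed for each scenario.

```python
# How Linux-PAM walks an 'account' stack, reduced to the pam.conf(5) actions
# the page's two control fields use: ignore, ok, done, bad, die.
SIMPLE = {  # keyword controls as their bracket equivalents (pam.conf(5))
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def parse_control(control):
    """'sufficient' or '[default=bad success=ok ...]' -> {retcode: action}."""
    if control in SIMPLE:
        return dict(SIMPLE[control])
    assert control.startswith("[") and control.endswith("]"), control
    return dict(item.split("=", 1) for item in control[1:-1].split())

def run_stack(stack, module_results):
    """stack: [(control, module)]; module_results: module -> return code."""
    failed, status = False, None     # None: no module has contributed yet
    for control, module in stack:
        code = module_results[module]
        table = parse_control(control)
        action = table.get(code, table["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:           # the first failure becomes the verdict
                failed, status = True, code
            if action == "die":
                break
        elif action in ("ok", "done"):
            if not failed and status in (None, "success"):
                status = code
            if not failed and action == "done":
                break                # 'done' only short-circuits a clean stack
    return "perm_denied" if status is None else status  # nothing contributed: deny

# The page's line, its 'sufficient' workaround, and a narrower fix that assumes
# pam_ldap reports an unreachable directory as authinfo_unavail.
PAGE_LINE = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"
WORKAROUND = "sufficient"
NARROW_FIX = PAGE_LINE[:-1] + " authinfo_unavail=ignore]"

def account_result(ldap_control, ldap_code, unix_code="success"):
    """Assumed Red Hat-style stack: pam_unix (required) then pam_ldap.
    ldap_code is a constructed pam_ldap return code for the scenario tested."""
    stack = [("required", "pam_unix.so"), (ldap_control, "pam_ldap.so")]
    return run_stack(stack, {"pam_unix.so": unix_code, "pam_ldap.so": ldap_code})

if __name__ == "__main__":   # LDAP server down: pam_ldap answers authinfo_unavail
    for name, ctl in (("page", PAGE_LINE), ("sufficient", WORKAROUND), ("fix", NARROW_FIX)):
        print(f"{name:10} -> {account_result(ctl, 'authinfo_unavail')}")
```

Feeding pam_ldap a denial such as perm_denied shows what `sufficient` gives up: the denial is ignored and pam_unix's success carries the stack, whereas the explicit `authinfo_unavail=ignore` entry removes the lockout while still honouring LDAP-side account restrictions.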