
Problem setting up OpenLDAP for user authentication



Hi all

I'm new to LDAP, and I must say it took me a LONG time to set it up under 
Debian etch on both server and client at all to do anything useful.

Now I can do "ldapsearch -x -v -L" type requests from a remote host and 
locally. I then tried switching the remote host to using LDAP for user 
authentication. I'd like users not registered locally to be able to log in 
using ldap, and for locally-known users nothing should change.

I did manage to get logins to use ldap by configuring all 
/etc/pam.d/common-* files to first try pam_unix and then, if that fails, to 
use ldap:

* sufficient pam_unix
* sufficient pam_ldap (should this be "required"?)

where * is "account", "auth", "password" and "session". In "auth" and 
"password" I also had to put 

* required pam_deny

after ldap, because otherwise wrong passwords were accepted. In 
nsswitch.conf I put

*: files ldap

for "passwd", "group", "shadow". Now I would expect that with these sequences 
("pam_unix" before "pam_ldap" and "files" before "ldap") locally known users 
would indeed not be authenticated using ldap. Unfortunately, this 
doesn't seem to be the case. Now _all_ nss / pam requests go to the LDAP 
server, including calls from udevd, avahi-daemon, and others, which causes 
them to fail in various ways.

What am I doing wrong?

I know SASL is not configured in my setup, but that shouldn't be a 
problem? At least not for the cases when LDAP shouldn't be attempted at 
all.

Thanks
Guennadi
---
Guennadi Liakhovetski
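The PAM stack and nsswitch order from the post above, modelled as an added illustration (not Linux-PAM's or glibc's code, and not part of the original message). Module outcomes and directory contents are constructed; the model shows which modules and sources a given lookup or login actually consults under the described configuration.

```python
# Added model of the PAM control flags and nsswitch source order described
# in the post. Illustration only, not Linux-PAM's or glibc's code; the module
# outcomes and directory contents below are constructed for the demo.

# Auth stack exactly as described in the post (module names abbreviated).
AUTH_STACK = [("sufficient", "pam_unix"),
              ("sufficient", "pam_ldap"),
              ("required", "pam_deny")]


def pam_auth(stack, outcomes):
    """Evaluate one auth attempt against a stack of (control, module) pairs.

    Semantics modelled: a successful 'sufficient' module ends the stack with
    success unless an earlier 'required' module failed; a failed 'sufficient'
    is ignored and the stack continues; a failed 'required' is remembered but
    later modules still run; 'requisite' fails at once. A stack in which no
    module produced a result is treated as denied. pam_deny never appears in
    `outcomes`, so it always fails. Returns (granted, modules_consulted).
    """
    consulted, required_failed, decided = [], False, False
    for control, module in stack:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted
        elif control == "required":
            decided = True
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, consulted
            decided = True
    return decided and not required_failed, consulted


# nsswitch.conf "passwd: files ldap": sources are tried in order, and the
# implicit action on NOTFOUND is to continue, so a name absent from
# /etc/passwd (e.g. one a daemon probes for) always reaches the LDAP server.
def nss_lookup(order, sources, name):
    """Model getpwnam(name); returns (entry or None, sources consulted)."""
    consulted = []
    for src in order:
        consulted.append(src)
        if name in sources[src]:
            return sources[src][name], consulted
    return None, consulted


# Constructed directory contents: one local account, one LDAP-only account.
SOURCES = {"files": {"root": "uid=0"}, "ldap": {"alice": "uid=10001"}}
NSS_ORDER = ["files", "ldap"]
```

Running `pam_auth(AUTH_STACK, {"pam_unix": True})` consults only pam_unix, while `nss_lookup(NSS_ORDER, SOURCES, "nosuchuser")` reaches ldap after the miss in files.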