Re: nss_ldap, pam_ldap woes
On Fri, 27 Aug 1999, Amy Tebbe wrote:
> Date: Fri, 27 Aug 1999 19:22:17 -0500
> From: Amy Tebbe <atebbe@real-time.com>
> Reply-To: amy@real-time.com
> To: openldap-general@OpenLDAP.org
> Subject: nss_ldap, pam_ldap woes
For discussion that is specific to PADL Software's nss_ldap/pam_ldap (as
opposed to having more of an OpenLDAP bias), it's best to join the ldap-nis
mailing list (see the ANNOUNCE file in the nss_ldap package - at least, the
source code includes it, I have no idea whether or not Red Hat's RPMs include
it).
> I'm running openldap 1.2.6-5 with nss_ldap-85-1 and pam_ldap-36-1
> on RedHat 6.0. I can connect to my ldap server fine and do a simple
> ldapsearch. I also installed the MigrationTools and ran the
> migrate_all_online.sh script.
It's not absolutely necessary to install/run the MigrationTools - they just
give you an idea of how to convert existing users from /etc/passwd to
LDAP-based RFC 2307 entries.
In doing the "simple ldapsearch", are you using the RFC 2307 suggested NSS
patterns/filters?
> 1. When I create a user with useradd, should the user be added to
> ldap automatically? Here's what I get:
Depends - if useradd is specific to /etc/passwd, then I would say "No".
> % useradd -m tester
> % passwd tester
> Changing password for user tester
> New UNIX password:
"UNIX" refers to users who have an entry in /etc/passwd - looks like useradd
created the user locally rather than remotely.
> Retype new UNIX password:
> Enter login(LDAP) password:
The extra "LDAP" prompt is an artifact of the PAM configuration - you can get
rid of this (or at least, make it replace the UNIX prompt) by changing your
PAM configuration accordingly.
> 2. What do I enter for the LDAP password? I tried the binddn password
The userPassword value stored for that user in the LDAP directory.
> (default of secret still) After 3 unsuccessful attempts for the LDAP
> password I get a segmentation fault.
Ouch.. something could be broken in Red Hat's RPMs.
> 3. What are the capabilities of nss_ldap and pam_ldap? What should
> I expect to be able to do with it?
As the pam_ldap README file says:
"Here are some possible deployment scenarios:
 o pam_ldap with account information in /etc flat files, kept manually in sync with LDAP
 o pam_ldap with account information in LDAP, using nss_ldap
 o pam_ldap with account information in NIS, using ypldapd"
I'm using the second option - this means user entries do not need to exist in
/etc/passwd+/etc/shadow, they exist in an LDAP directory instead. You then
need some way of telling all those UNIX applications to look in the LDAP
directory for their user data - this is where PAM and NSS (both by Sun) enter
the picture.
PAM = Pluggable Authentication Modules
NSS = Name Service Switch
Essentially, PAM allows applications to use different sources for
authentication information. NSS does something similar but is for simple
"lookups" (mapping login ID to UID and back again, for example) rather than
authentication. The reason the two exist is that they need not be talking to
the same source.
> I can't find much info on nss_ldap or pam_ldap anywhere. I've been
As above - join the ldap-nis mailing list (very low volume). If you need
specific Linux/PAM information, there's a separate list (hosted by Red Hat)
for that.
> to rage.net but it doesn't look like that site is being maintained.
> padl.com doesn't have much either. I checked the openldap-general
> archives too. Any help would be appreciated.
How about this (August 10, 1999):
http://www.openldap.org/lists/openldap-general/9908/msg00051.html
Cheers..
dave
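As an added illustration of the /etc/passwd to RFC 2307 conversion the MigrationTools perform (and of where the userPassword value pam_ldap checks comes from), here is a small Python script that is not part of this thread or of the PADL tools; the sample records and the base DN are constructed.

```python
# Added example (not from the thread): turn /etc/passwd + /etc/shadow lines
# into RFC 2307 LDIF entries (posixAccount/shadowAccount), the mapping the
# PADL MigrationTools perform. Sample records and the base DN are constructed.
from typing import Dict, List, Optional

BASE_DN = "ou=People,dc=example,dc=com"  # assumed directory suffix
# Constructed sample input; no real accounts or hashes.
PASSWD_LINES = [
    "tester:x:1001:1001:Test User:/home/tester:/bin/bash",
    "nobody:x:99:99:Nobody:/:/sbin/nologin",
]
SHADOW_LINES = ["tester:$1$constructedsalt$placeholderhash:10830:0:99999:7:::"]

def parse_shadow(lines: List[str]) -> Dict[str, List[str]]:
    """Map login name -> the remaining shadow fields (crypt hash is first)."""
    rows = (l.rstrip("\n").split(":") for l in lines)
    return {f[0]: f[1:] for f in rows if len(f) == 9}

def passwd_to_ldif(line: str, shadow: Dict[str, List[str]]) -> Optional[str]:
    """One /etc/passwd line -> one LDIF entry; None for a malformed line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    name, pw, uid, gid, gecos, home, shell = fields
    sh = shadow.get(name)
    if sh is not None:           # shadow-enabled system: real hash is here
        pw = sh[0]
    attrs = [
        ("dn", f"uid={name},{BASE_DN}"),
        ("uid", name),
        ("cn", gecos or name),
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("loginShell", shell),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
    ]
    # userPassword is what pam_ldap checks; {crypt} tells the server the hash
    # format. Locked or shadow-only markers ("x", "*", "!") carry no secret.
    if pw and pw not in ("x", "*", "!", "!!"):
        attrs.append(("userPassword", "{crypt}" + pw))
    if gecos:
        attrs.append(("gecos", gecos))
    if sh is not None and sh[1]:
        attrs.append(("shadowLastChange", sh[1]))
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"
```

The resulting entries can be loaded with ldapadd; the "LDAP password" prompt then accepts the cleartext whose crypt hash sits in userPassword.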