
Re: Problems...



>I seem to be having a bit of a problem with OpenLDAP ver 2.0.22-2 (RPM on RedHat 7.2)
>I have an email server with over 27K accounts, all in flat file format....  (i.e. /etc/passwd, /etc/groups, /etc/shadow, etc...)  I want to migrate over to a central LDAP authentication model for my Qpopper, Postfix, FTP, and Apache Home_Dir stuff....
>I downloaded the Migration Tools from podl.com and ran the pass2ldap to get an LDIF file.  I then transferred that file to my test LDAP box (that has no local users.)  After modifying the LDIF file for the home directories, I imported them using ldapadd.  I then tested pop3 auth against ldap and I always get a "Password supplied for "username" is incorrect."
>I can use plenty of LDAP administration programs to see everything in the dir, and everything looks fine....  color me a little lost (and an LDAP newbie)
>Here are my relevant configs (chopped for space...):

>/etc/ldap.conf  (I've tried different pam_password values to no avail)
>host 127.0.0.1
>base dc=suscom,dc=net
>uri ldap://127.0.0.1/

Why do you specify the uri when you specified the host and base?

>binddn cn=Manager,dc=suscom,dc=net
>bindpw ldap_test
>pam_password crypt

Below you say this is SSHA in the user object, here you say crypt.  
Password changing will be odd.

># pam_password exop
>#pam_password clear
>ssl no
>#pam_password md5
>
>/etc/openldap/slapd.conf (played around with suffix and defaultsearchbase to no avail)
>loglevel 4
>defaultsearchbase "ou=accounts,dc=suscom,dc=net"
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/nis.schema
>include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
>include         /etc/openldap/schema/redhat/autofs.schema
>include         /etc/openldap/schema/redhat/kerberosobject.schema
>database        ldbm
>suffix          "dc=suscom,dc=net"
>suffix          "ou=accounts,dc=suscom,dc=net"

This suffix is below the other suffix.  Why do you specify two suffixes?  
I don't think this will work.  Just "dc=suscom,dc=net" unless this is a 
partition.

>rootdn          "cn=Manager,dc=suscom,dc=net"
>rootpw          {SSHA}sTyh4meQBWdEfopKtyTf9drN2t+e7y9A
>directory       /var/lib/ldap
>index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
>index   cn,mail,surname,givenname                       eq,subinitial
>access to attr="userPassword"
> by self write
> by dn="cn=Manager,dc=suscom,dc=net" write
> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
> by anonymous auth
> by * none
>access to dn=".*,ou=accounts,dc=suscom,dc=net"
> by dn="cn=Manager,dc=suscom,dc=net" write
> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
> by * read
>access to *
> by dn="cn=Manager,dc=suscom,dc=net" write
> by * read
>
>
>/etc/openldap/ldap.conf
>HOST 127.0.0.1
>BASE dc=suscom,dc=net
>
>
>my initial LDAP import:
>dn: dc=suscom,dc=net
>objectclass: top
>objectclass: dcObject
>dc: suscom
>
>dn: ou=accounts,dc=suscom,dc=net
>objectclass: top
>objectclass: organizationalUnit
>ou: accounts
>
>dn: cn=lmcadmin,ou=accounts,dc=suscom,dc=net
>objectclass: top
>objectclass: person
>objectclass: inetOrgPerson
>cn: lmcadmin
>sn: lmcadmin
>uid: lmcadmin
>userPassword: {SSHA}npuxDYqHSDybRycKcNNOjM6ZP+GSfYHr


I think PAM wants an objectclass of posixAccount or account unless you 
specify otherwise.  The above is neither.

Does nss appear to work?

>/etc/pam.d/pop3
>#%PAM-1.0
>auth       sufficient   /lib/security/pam_ldap.so
>auth       required     /lib/security/pam_unix_auth.so try_first_pass
>account    sufficient   /lib/security/pam_ldap.so
>account    required     /lib/security/pam_unix_acct.so

-- 
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
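The two points raised in the reply (the account entry is not a posixAccount, and the stored {SSHA} hashes do not match pam_password crypt) can be checked against the LDIF before it is loaded. The script below is an added example, not code from this thread or from the OpenLDAP or PADL projects. It parses a minimal LDIF, flags entries that lack objectClass posixAccount or its mandatory attributes from nis.schema, warns when the userPassword scheme disagrees with the pam_password setting, and verifies {SSHA} values the way slapd stores them (base64 of SHA-1(password + salt) followed by the salt). The sample LDIF is constructed: it reuses the lmcadmin entry from the post unchanged and adds a hypothetical user "jdoe" with a password chosen here so the verification can be demonstrated.

```python
"""Pre-flight check for an LDIF that pam_ldap/nss_ldap will authenticate
against (added example; the sample data below is constructed)."""
import base64
import hashlib
import hmac
import os

# Mandatory attributes of posixAccount in nis.schema (RFC 2307).
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Hash prefix pam_ldap writes for each pam_password setting; "exop" lets the
# server choose, so any stored scheme is acceptable there.
PAM_PASSWORD_SCHEMES = {"crypt": "{CRYPT}", "md5": "{MD5}", "clear": "", "exop": None}


def parse_ldif(text):
    """Parse plain LDIF (no '::' base64 values, no changetype) into records of
    the form {"dn": str, "attrs": {lowercased_name: [values]}}."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last:  # folded line
            if last == "dn":
                current["dn"] += raw[1:]
            else:
                current["attrs"][last][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            if current:
                records.append(current)
            current, last = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
        last = name
    if current:
        records.append(current)
    return records


def _values(entry, attr):
    return entry["attrs"].get(attr.lower(), [])


def check_posix_account(entry):
    """Problems that stop pam_ldap/nss_ldap from treating the entry as a Unix account."""
    problems = []
    if "posixaccount" not in {c.lower() for c in _values(entry, "objectClass")}:
        problems.append("missing objectClass posixAccount")
    problems += ["missing " + a for a in POSIX_MUST if not _values(entry, a)]
    if not _values(entry, "userPassword"):
        problems.append("no userPassword (nothing to bind with)")
    return problems


def check_password_scheme(entry, pam_password):
    """Warn when the stored scheme and pam_password disagree (breaks password changes)."""
    want = PAM_PASSWORD_SCHEMES.get(pam_password)
    if want is None:
        return None
    for value in _values(entry, "userPassword"):
        scheme = value[: value.index("}") + 1] if value.startswith("{") else ""
        if scheme.upper() != want:
            return "userPassword uses %s but pam_password is %s" % (scheme or "cleartext", pam_password)
    return None


def make_ssha(password, salt=None):
    """Build an {SSHA} value as slappasswd -h {SSHA} does (4-byte random salt by default)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a cleartext password against an {SSHA} userPassword value."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[6:])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def audit(ldif_text, pam_password):
    """Run both checks over every entry; returns {dn: [problems]} ([] means clean)."""
    report = {}
    for entry in parse_ldif(ldif_text):
        problems = check_posix_account(entry)
        warning = check_password_scheme(entry, pam_password)
        report[entry["dn"]] = problems + ([warning] if warning else [])
    return report


# Constructed sample: lmcadmin as posted, plus a hypothetical posixAccount user.
SAMPLE_LDIF = """dn: cn=lmcadmin,ou=accounts,dc=suscom,dc=net
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: lmcadmin
sn: lmcadmin
uid: lmcadmin
userPassword: {SSHA}npuxDYqHSDybRycKcNNOjM6ZP+GSfYHr

dn: uid=jdoe,ou=accounts,dc=suscom,dc=net
objectClass: top
objectClass: posixAccount
cn: jdoe
uid: jdoe
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/jdoe
userPassword: %s
""" % make_ssha("correct horse", b"\x01\x02\x03\x04")

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF, "crypt").items():
        print(dn, "->", problems or "ok")
```

Run it against the real export from migrate_passwd.pl with the pam_password value from /etc/ldap.conf; an entry that comes back clean for "crypt" or "exop" but still fails to bind is then a password problem, which verify_ssha can confirm offline against the stored hash.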