
Re: tls, pam_ldap and /etc/passwd

I had the same problem and solved it on my own.
You have to compile slapd with the --with-tls support.
But my problem was that pam_ldap looked at the wrong config file.
That is, /etc/ldap.conf instead of /etc/pam_ldap.conf.
Use the URI and the port addressing to get SSL working.
URI: ldaps://server.domain.ext
Port: 636
Also libnss-ldap and pam_ldap have to be compiled with SSL.
Then all works perfectly.
This is my /etc/pam.d/passwd file which works for me.

auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so use_first_pass md5
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_cracklib.so retry=3


Franz Skale
mainwork information technology AG
Tech Gate Vienna
Donaucitystrasse 1
A-1220 Wien
Tel: +43 1 333 48 58-0
Fax: +43 1 333 48 58-24
e-mail: f.skale@mainwork.com
Internet: http://www.mainwork.com
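The reply above gives the URI and port but not the rest of the client configuration. The fragment below is an added example, not part of Franz's post: a pam_ldap.conf written the way a defender would want it, with the ldaps:// URI and port 636 from the reply plus certificate checking against a trusted CA. The base DN, the CA file path and the hostname are placeholders.

```conf
# /etc/pam_ldap.conf for the PADL pam_ldap module (Debian layout; on
# Red Hat-style systems pam_ldap and nss_ldap share /etc/ldap.conf).
# Hostname, base DN and CA path are placeholders for this example.

# Speak LDAPS from the first byte: ldaps:// scheme and port 636.
uri ldaps://server.domain.ext
port 636

# Search base for user and group entries (placeholder DN).
base dc=example,dc=com

# Whole-session SSL (ldaps), not StartTLS on the plain port 389.
ssl on

# Verify the server certificate against a CA we trust. Leaving this at
# "no" accepts any certificate and lets an impostor server harvest the
# credentials that pam_ldap binds with.
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.crt

# Let the directory change passwords through the password-modify
# extended operation, matching the "password sufficient pam_ldap.so" line.
pam_password exop
```

The same uri, port, ssl and tls_* lines belong in the file libnss-ldap reads (/etc/libnss-ldap.conf on Debian): PAM can only authenticate an account that NSS has already resolved, so an NSS side that cannot reach the directory over TLS is exactly what forces a matching entry into the local /etc/passwd.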

From: Christopher Walden <cmwalden@mythmade.com>
Sent by: owner-openldap-software@Op
To: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Cc:
Subject: tls, pam_ldap and /etc/passwd
Date: 25.04.2002 16:46


I have been banging my head against a problem for a while now, and I could
use a hand.  Maybe you could help, or point me to help.

We have set up an openldap server running on RedHat Linux 7.2.  I have
a database and have more than one system working fine using the pam_ldap
modules.  However, when I activate TLS, pam requires me to have a user to
match the ldap user in the system's local /etc/passwd file.  This rather
defeats my goals for using LDAP in the first place.

Basically if TLS is off, then everything works OK, pulling non-local users
from LDAP.  If I turn TLS on, then LDAP will not authenticate unless there
is a user in /etc/passwd.

It is entirely possible that this is performing as designed.  I have been
unable to find any definitive statements on this.

Anything you could point me to would be greatly appreciated.


Christopher Walden
Austin, TX