
Re: Perplexed



>Assertion: Openldap is still magic, but now it's black magic.
>Any comments?
>Red Hat 7.2, much modified, kernel.org 2.4.18 ACPI and iptables.
>I'm perfectly happy with 2.1.3 and Berkeley 4.0, openssl 0.9.6b, PADL's
>"do-it-yourself" pam-ldap/nss_ldap kit, Exim 4.10 smtp mail server, the
>pop3 and IMAP packets that I have (think they're the latest WU versions
>without SASL, but I haven't got any further than local SSL/TLS). No
>problems.
>However, having learned to use GQ, slapd debugging at 5 and 256 levels,
>ethereal and strace to resolve behavior, day after day, until I've
>become blue in the face, I'm perplexed.

Yikes!

>Apart from the Berkeley database, and after having worked hours on
>/etc/ldap.conf and the /etc/pam.d configs, *nothing* about PAM/NSS that
>people here find necessary seems to be necessary for or apply to my
>configuration(s). Much that I've read from the Admin guide, golden rules
>("*never, never, never*") just isn't true. That's why I'm asking for
>comments.

I don't follow as to what exactly your problems are.  Do PAM & NSS not work?

>Why should I find that things that others seem to accept as gospel,
>don't apply to my configurations?

Maybe it is the interpreter? :)  Or maybe people's instructions leave out minor
steps because they just take them for granted; I do it all the time.
 
>"Never use IP numbers for hostnames, always use FQDNs". Well, for me
>TLS/SSL only works with my IP number (127.0.0.1), not localhost or
>'uname -n' - the FQDN "billy.demon.nl".

Sorry, I'm not an SSL/TLS guru.  Most of that stuff still snows me; I've never
found a decent document that explains what it all means.

>"Use pam_ldap for /etc/pam.d
>configs, use this, use that", etc. Well, I'm using my old Red Hat
>standard configs, and everything works - login, gdm and su. Obviously I
>need libnss*. Exclusively for the 'passwd' config do I need pam_ldap. No
>trouble in distinguishing between /etc/passwd&shadow and ldap, password
>changing with just one "type=billy" password.

You lost me. "Exclusively for the 'passwd' config do I need pam_ldap"?  Are you
using the passwd back end?  Or trying to replace /etc/passwd with LDAP?  What
operation doesn't work?

>This is what I've done to date, since June:
>I only have my own test machine. However, if ldap breaks now I'm in deep
>trouble :-) I've had a couple of nasty examples that left me gasping.
>Like when I'd stopped slapd while Exim was receiving an Internet
>mailkick and wanted ldap for all user authentication. Ever seen a mail
>server wanting to send 80+ emails back (BSMTP), because it couldn't
>verify the recipients? Arrrrgh ...

Right.  Place a replicant on the mail server.  We have a replicant on our file
server, intranet server, and mail server.  Their ldap.conf files point them to
themselves.  So "master" can go away, and everything keeps cooking.  In NT you'd
have to create BDCs, in NIS you'd need slaves, etc....  This is a normal thing.

>I can do *so* much on a standard Linux machine that I'd never dreamed of
>being possible in May, that it still seems like magic. Reading, reading,
>more reading and practicing is why. But why should so much that others
>accept as gospel, be different for me?

What specifically have you found not to be true?
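As an added illustration of the "replica on the mail server" advice above (this is not part of the original reply, and not configuration taken from the OpenLDAP project's documentation), here is a minimal slurpd-style master/slave setup of the kind used with OpenLDAP 2.1, plus the client-side ldap.conf that points the mail server at its own slave. The hostnames, suffix, DNs and the replication password are constructed for the example.

```conf
# --- master: /etc/openldap/slapd.conf (constructed example) ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw: paste the output of slappasswd here, never a clear-text password
directory       /var/lib/ldap

# slurpd reads this change log and pushes each change to every replica below
replogfile      /var/lib/ldap/replog

# one "replica" stanza per slave; binddn/credentials are stored in clear
# text, so keep this file readable by the slapd user only (mode 0600)
replica         host=mail.example.com:389
                binddn="cn=replica,dc=example,dc=com"
                bindmethod=simple credentials=replica-secret

# --- slave on the mail server: /etc/openldap/slapd.conf ---
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# the only DN allowed to write to this slave; must equal the master's binddn
updatedn        "cn=replica,dc=example,dc=com"
# any other write attempt is answered with a referral to the master
updateref       ldap://ldap.example.com

# --- on the mail server: /etc/ldap.conf (PADL nss_ldap / pam_ldap) ---
# point the local clients (Exim recipient checks, nss_ldap, pam_ldap) at
# the local slave, so losing the master stops neither lookups nor logins
host    127.0.0.1
base    dc=example,dc=com
```

Before starting the slave, seed it with a copy of the master (slapcat on the master, slapadd on the slave), and create the cn=replica entry with a userPassword on the master so the bind in the replica stanza can succeed. Two caveats a practitioner should keep in mind: the replication bind is a simple bind, so the password crosses the wire in clear unless the link is protected (TLS or a trusted network), and the credentials line makes slapd.conf a secret, so its file permissions matter as much as rootpw's.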