
Re: test my LDAP server ONLY using ssh?



Thu, 2003-01-23 at 15:30, Brian K. Jones wrote:

Many <snip>s:

> I have OpenLDAP 2.1.12 built from source on a Redhat 7.3 box.  I also
> installed pam_ldap and nss_ldap from source.  

> What I'd like to do now is test by pointing ONLY ssh at the ldap server,
> so that if things don't work I can get in by some other means - and the
> console if necessary.

> I've edited my /etc/pam.d/sshd (it's gone through several iterations)
> file so it looks like this (right now):

Does it work?

> And my /etc/ldap.conf file just has the 'host' and 'base' designations
> in it.  Here's the log output from the last test I performed - I've put
> line breaks between the log entries for easier reading:

> Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128 

This is an anonymous bind. Is that what you want to find things with?
Difficult to know without knowing what your ACLs look like.

> Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SEARCH RESULT tag=101
> err=0 nentries=0 text= 

It hasn't found anything, but there's no error.

> Here's the entry for the user I'm trying to log in as.  Curiously,
> there's no 'shadowAccount' objectClass.  Is this necessary?  I also
> notice it's looking for 'posixAccount' first, which is here.

> dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
> uid: jonesy
> cn: Brian K. Jones
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 3025
> gidNumber: 22
> homeDirectory: /home/jonesy
> gecos: My gecos field
> userPassword:: e1NNRDV....

dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Jones
cn: Brian K. Jones
uid: jonesy
mail: jonesy@CS.Princeton.EDU
uidNumber: 508  <-- Up to your choice for your system
gidNumber: 1001 <-- Have to make a group, first, with you in it
userPassword:: e1NNRDV....
homeDirectory: /home/jonesy
loginShell: /bin/ksh
gecos: Brian K. Jones

You can have shadowAccount if you want, but that's mostly accounting to
do with the validity of the account - it's not necessary for the
password.

Get GQ, compile it for Red Hat - jump from www.biot.com :-)

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
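An added example, not part of the thread and not code from either poster: a small offline triage script for exactly the two things Tony points at above. It pairs each slapd connection's BIND with its SEARCH RESULT lines and flags the "anonymous bind, then err=0 nentries=0" pattern (the entry exists but the anonymous client cannot see it, or the base is wrong), and it checks an LDIF entry for the RFC 2307 posixAccount attributes nss_ldap needs, noting that shadowAccount is optional. The log lines and the LDIF entry embedded below are constructed to match the formats quoted in the thread; the host name, conn/op numbers and the second connection are illustrative, and the helper names are the example's own.

```python
"""Offline triage for a pam_ldap/nss_ldap test against OpenLDAP 2.1 (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines in the slapd 2.1 "conn=N op=M" format quoted in
# the thread.  conn=29 mirrors the anonymous lookup from the original mail;
# conn=30 is an invented comparison where a real DN binds and does see the entry.
SAMPLE_LOG = """\
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 RESULT tag=97 err=0 text=
Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 22 15:35:10 current slapd[4074]: conn=30 op=0 BIND dn="cn=proxy,dc=my,dc=domain,dc=com" method=128
Jan 22 15:35:10 current slapd[4074]: conn=30 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SEARCH_RE = re.compile(r'conn=(\d+) op=\d+ SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def triage_log(text):
    """Group log lines per connection: {conn: {"bind_dn": str|None, "searches": [(err, nentries)]}}."""
    conns = defaultdict(lambda: {"bind_dn": None, "searches": []})
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conns[int(m.group(1))]["bind_dn"] = m.group(2)
            continue
        m = SEARCH_RE.search(line)
        if m:
            conns[int(m.group(1))]["searches"].append((int(m.group(2)), int(m.group(3))))
    return dict(conns)


def suspicious_connections(conns):
    """Connections that bound anonymously (dn="") and then got a clean but empty search.

    err=0 with nentries=0 is not a server error: either the ACLs hide the entry from
    anonymous clients, or the search base/filter does not cover it.  Either way, nss_ldap
    will behave as if the user does not exist, so this is the first thing to look at.
    """
    return sorted(
        c for c, info in conns.items()
        if info["bind_dn"] == "" and any(err == 0 and n == 0 for err, n in info["searches"])
    )


# Constructed copy of the entry shape from the thread (password value truncated as posted).
SAMPLE_LDIF = """\
dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
uid: jonesy
cn: Brian K. Jones
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 3025
gidNumber: 22
homeDirectory: /home/jonesy
gecos: My gecos field
userPassword:: e1NNRDV
"""

# RFC 2307 posixAccount: MUST (cn uid uidNumber gidNumber homeDirectory),
# MAY (userPassword loginShell gecos description).  nss_ldap builds the
# passwd(5) line from these; shadowAccount only adds aging/expiry fields.
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
POSIX_USEFUL = ("loginShell", "gecos", "userPassword")


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: attribute name -> list of values.

    A '::' separator marks a base64 value; only its presence matters here, so the
    raw base64 text is kept as-is rather than decoded.
    """
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs[name.strip()].append(value.lstrip(":").strip())
    return dict(attrs)


def check_posix_account(attrs):
    """Return {"errors": [...], "notes": [...]} for an entry meant to back a Unix login."""
    errors, notes = [], []
    classes = attrs.get("objectClass", [])
    if "posixAccount" not in classes:
        errors.append("missing objectClass posixAccount")
    for a in POSIX_MUST:
        if a not in attrs:
            errors.append("missing required attribute " + a)
    for a in POSIX_USEFUL:
        if a not in attrs:
            notes.append("optional attribute " + a + " absent")
    if "shadowAccount" not in classes:
        notes.append("shadowAccount absent: optional, only needed for password aging/expiry")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    conns = triage_log(SAMPLE_LOG)
    print("anonymous-and-empty connections:", suspicious_connections(conns))
    print(check_posix_account(parse_ldif_entry(SAMPLE_LDIF)))
```

Run it against a real `slapd` log captured during one login attempt and against `ldapsearch -x -LLL uid=jonesy` output; if the entry passes the attribute check but the connection shows up in the anonymous-and-empty list, the fix is in the ACLs or in `/etc/ldap.conf` (base, or a `binddn` for the lookups), not in the entry.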