
RE: Afg! Client won't use LDAP

/etc/openldap/ldap.conf is the config file for OpenLDAP's libldap. It has
nothing to do with pam_ldap or nss_ldap. Any PAM or NSS-specific config
directives here will simply be ignored. pam_ldap and nss_ldap use their own
config file /etc/ldap.conf. It is unfortunate that they use such confusing
file naming conventions in default installations but such is life. At Symas
we configure pam_ldap and nss_ldap to use /opt/symas/etc/nsspam.conf instead,
to make it more clear that it is a separate, dedicated config file. Note that
this sort of problem is not an OpenLDAP issue; it is a pam_ldap and nss_ldap
issue, and really doesn't belong here. It may even be a Frequently Asked
Question, but it still doesn't belong here. Also note, if you were using
Symas binaries, you would never face this kind of ambiguity and you would
never have these problems.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Phil Dibowitz

> I've configured my test OpenLDAP server as a client unto itself so that
> I may test the setup. However, it isn't using any information from LDAP.
> - I have nss_ldap and pam_ldap installed
> - I have changed nsswitch.conf to say:
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> hosts:      files ldap dns
> - I have configured /etc/pam.d/system-auth to use LDAP the same way
> EVERY HowTo shows
> - I have set up a user called proxyuser in LDAP and tested that he has
> access to the correct info
> - I have configured /etc/openldap/ldap.conf like:
> BASE dc=stxe,dc=com,c=US
> binddn cn=proxyuser,dc=stxe,dc=com,c=US
> scope one
> pam_filter objectClass=posixAccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password md5
> nss_base_passwd         ou=People,dc=stxe,dc=com,c=US?one
> nss_base_shadow         ou=People,dc=stxe,dc=com,c=US?one
> nss_base_group          ou=Group,dc=stxe,dc=com,c=US?one
> nss_base_hosts          ou=Hosts,dc=stxe,dc=com,c=US?one
> Note that I also tried "rootbinddn" in there as some howtos show, but
> that didn't work and the man page said to use "binddn" so I did.
> - I have put proxyuser's password in a 600 mod'd file called ldap.secret
> owned by root:root in /etc/openldap (and /etc/).
> However, I removed the user 'phil' from /etc/passwd and
> /etc/shadow and now:
> # getent passwd phil
> #
> Same with hosts entries I have removed from /etc/hosts. Getent will
> return stuff from files but not from ldap.
> For the life of me I cannot figure out why. Any help would be much
> appreciated.
> I'm running OpenLDAP included in Redhat 7.3 (with recent updates).
> Thanks,
> --
> Phil Dibowitz                             phil@ipom.com
> Freeware and Technical Pages              Insanity Palace of Metallica
> http://home.earthlink.net/~jaymzh666/     http://www.ipom.com/
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>   - Benjamin Franklin, 1759
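An added check for the misconfiguration discussed in this thread (example script, not from either poster): it lists pam_ldap/nss_ldap-only directives that ended up in libldap's ldap.conf, where they are silently ignored, and verifies the bind-password file is not group/world readable. The file paths and sample contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a libldap ldap.conf (/etc/openldap/ldap.conf) for
# pam_ldap/nss_ldap directives, which belong in /etc/ldap.conf instead,
# and check the permissions of the ldap.secret bind-password file.

# Print each pam_*/nss_*/rootbinddn directive found in the file named by $1,
# one per line, lowercased. libldap's ldap.conf(5) knows none of these.
misplaced_directives() {
    grep -iE '^[[:space:]]*(pam_[a-z_]+|nss_[a-z_]+|rootbinddn)[[:space:]]' "$1" 2>/dev/null \
        | awk '{ print tolower($1) }'
}

# Return 0 if the file has no group/other permission bits (e.g. mode 0600), else 1.
secret_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks: $1 = libldap ldap.conf, $2 = ldap.secret. Return 1 on any finding.
audit_ldap_client() {
    rc=0
    for d in $(misplaced_directives "$1"); do
        echo "WARN: '$d' in $1 is a pam_ldap/nss_ldap directive; libldap ignores it (use /etc/ldap.conf)"
        rc=1
    done
    if [ -f "$2" ] && ! secret_mode_ok "$2"; then
        echo "WARN: $2 is readable by group/other; the bind password is exposed"
        rc=1
    fi
    return $rc
}

# Constructed sample mirroring the poster's mistake, written to a temp dir so this runs anywhere.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ldap.conf" <<'EOF'
BASE dc=example,dc=com
binddn cn=proxyuser,dc=example,dc=com
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=com?one
EOF
printf 'secret\n' > "$demo_dir/ldap.secret"
chmod 600 "$demo_dir/ldap.secret"

# Expected: three WARN lines (pam_filter, pam_login_attribute, nss_base_passwd).
audit_ldap_client "$demo_dir/ldap.conf" "$demo_dir/ldap.secret" || echo "move the flagged lines to /etc/ldap.conf"
rm -rf "$demo_dir"
```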