RE: pam services under LDAP

> I have created a symlink from /etc/openldap/ldap.conf to
> /etc/ldap.conf... that seems to have gotten the majority of the system
> communicating with PAM/LDAP. I guess that making a .ldaprc file in the
> users home directory and putting those directives in there would be
> about the equivalent.

Those two files do not serve the same purpose, nor use the same options.

/etc/openldap/ldap.conf is for ldap tools - i.e. ldapsearch, ldapmodify, etc.
Primarily only on openldap servers (and perhaps admin workstations).

/etc/ldap.conf is used by pam.

Symlinking one to the other won't help.

For reference, here are examples of my ldap.conf from a NON ldap server:

# /etc/ldap.conf
uri                     ldaps://ldap-vip.example.net
timelimit               30
bind_timelimit          30
bind_policy             hard_open
base                    dc=example,dc=net
scope                   sub
ssl                     on
tls_checkpeer           no
tls_cacertfile          /etc/openldap/cacert.pem
pam_login_attribute     uid
pam_lookup_policy       yes
pam_password            exop
nss_base_passwd         ou=people,dc=example,dc=net?one

# /etc/openldap/ldap.conf
URI ldap://ldapconsole.example.net/
BASE " dc=example,dc=net"
TLS_CACERTDIR /etc/openldap/cacerts

On the box I pulled these from, the latter file is never used - nor will it even work.

If that line is a pam config directive, it belongs in /etc/ldap.conf.

If you keep straight what you're working on, it will likely help.

- chris
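Added illustration, not part of chris's message: a small checker that takes the two files quoted above (embedded here as constructed sample input, copied from the post) and reports directives that the named consumer would simply ignore, plus the one setting in the pam_ldap sample a defender would want flagged: `tls_checkpeer no` turns off verification of the server certificate even though the URI is ldaps://. The directive tables are the standard pam_ldap/nss_ldap and OpenLDAP client keywords; the file role ("pam" or "openldap") is an argument the caller supplies, since the script cannot know which consumer will read a given path.

```python
"""Report LDAP client directives that land in the wrong file.

Added example; not code from the post. Two consumers read two different
files:
  - /etc/ldap.conf          -> pam_ldap / nss_ldap   (kind = "pam")
  - /etc/openldap/ldap.conf -> OpenLDAP tools         (kind = "openldap")
Directives understood by only one of them are flagged when they appear in
the other's file, and weak TLS verification settings are flagged as well.
"""

# Keywords only pam_ldap / nss_ldap understand (lower-case as used there).
PAM_ONLY = {
    "bind_policy", "bind_timelimit", "idle_timelimit", "scope", "ssl",
    "tls_checkpeer", "tls_cacertfile", "rootbinddn", "bindpw",
    "pam_login_attribute", "pam_lookup_policy", "pam_password",
    "pam_filter", "pam_groupdn", "pam_member_attribute",
    "nss_base_passwd", "nss_base_group", "nss_base_shadow",
}
# Keywords only the OpenLDAP client library understands (case-insensitive,
# conventionally written upper-case in /etc/openldap/ldap.conf).
OPENLDAP_ONLY = {
    "tls_cacert", "tls_reqcert", "sizelimit", "deref", "network_timeout",
    "sasl_mech", "sasl_realm", "sasl_authcid", "sasl_authzid",
}
# uri, base, host, port, binddn, timelimit, tls_cacertdir exist in both and
# are deliberately absent from both sets.

# Constructed sample input: the two files as quoted in the post.
PAM_SAMPLE = """\
# /etc/ldap.conf
uri                     ldaps://ldap-vip.example.net
timelimit               30
bind_timelimit          30
bind_policy             hard_open
base                    dc=example,dc=net
scope                   sub
ssl                     on
tls_checkpeer           no
tls_cacertfile          /etc/openldap/cacert.pem
pam_login_attribute     uid
pam_lookup_policy       yes
pam_password            exop
nss_base_passwd         ou=people,dc=example,dc=net?one
"""

OPENLDAP_SAMPLE = """\
# /etc/openldap/ldap.conf
URI ldap://ldapconsole.example.net/
BASE " dc=example,dc=net"
TLS_CACERTDIR /etc/openldap/cacerts
"""


def parse(text):
    """Yield (lineno, key, value) per directive; blanks and comments skipped.
    Keys are lower-cased so upper-case OpenLDAP keywords compare equal."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield n, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def check(text, kind):
    """Return a list of findings for `text` read as a `kind` config file."""
    if kind not in ("pam", "openldap"):
        raise ValueError("kind must be 'pam' or 'openldap'")
    findings = []
    for n, key, value in parse(text):
        if kind == "pam" and key in OPENLDAP_ONLY:
            findings.append(f"line {n}: '{key}' is an OpenLDAP client directive; pam_ldap/nss_ldap ignore it")
        if kind == "openldap" and key in PAM_ONLY:
            findings.append(f"line {n}: '{key}' is a pam_ldap/nss_ldap directive; the ldap tools ignore it")
        # Certificate verification switched off: the connection is encrypted
        # but the peer is not authenticated.
        if kind == "pam" and key == "tls_checkpeer" and value.lower() == "no":
            findings.append(f"line {n}: 'tls_checkpeer no' disables verification of the server certificate")
        if kind == "openldap" and key == "tls_reqcert" and value.lower() in ("never", "allow"):
            findings.append(f"line {n}: 'TLS_REQCERT {value}' disables verification of the server certificate")
        # A quoted value that starts with whitespace is almost always a typo.
        if len(value) > 1 and value[0] == '"' and value[1].isspace():
            findings.append(f"line {n}: quoted value for '{key}' begins with whitespace")
    return findings


if __name__ == "__main__":
    for label, text, kind in (("/etc/ldap.conf", PAM_SAMPLE, "pam"),
                              ("/etc/openldap/ldap.conf", OPENLDAP_SAMPLE, "openldap"),
                              ("/etc/ldap.conf read by ldap tools", PAM_SAMPLE, "openldap")):
        print(f"== {label} ==")
        for f in check(text, kind) or ["no findings"]:
            print("  " + f)
```

Running the pam_ldap sample through the checker as its intended consumer yields only the `tls_checkpeer no` finding; running the same text as if the ldap tools were reading it (which is what the symlink in the quoted question achieves) flags ten of its thirteen directives as meaningless to that consumer, which is the point of the reply in concrete terms.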

