Re: pam services under LDAP

bluethundr wrote:
> I have created a symlink from /etc/openldap/ldap.conf to
> /etc/ldap.conf... that seems to have gotten the majority of the system

This is a RHEL-based linux system, right? If so, you don't want to do
that. They serve two completely different services.

/etc/openldap/ldap.conf is used by the ldap client command-line tools
(ldapsearch, ldapadd, etc.). And I've confirmed that it's used by the
name service switch, too. I don't think that last part is documented.

/etc/ldap.conf is for the pam_ldap module.

If adding that symlink fixed your problem, I think there's something
else wrong with your system.

> communicating with PAM/LDAP. I guess that making a .ldaprc file in the
> users home directory and putting those directives in there would be
> about the equivalent.
> The only thing eluding me currently is getting the client to listen to
> sudoers which is currently working thru ldap on the ldap server
> itself.
>  [root@VIRCENT03:~]#cat /etc/pam.d/sudo
> #%PAM-1.0
> auth       include      system-auth
> auth       required     pam_ldap.so
> account    include      system-auth
> account    required     pam_ldap.so
> password   include      system-auth
> password   required     pam_ldap.so
> session    optional     pam_keyinit.so revoke
> session    required     pam_limits.so
> session    required     pam_ldap.so
> AFAIK the above should get pam_ldap communicating with the LDAP server
> on the behalf of sudoers. The other pam configs (such as sshd and su)
> appear to be getting their info from the system auth which is
> currently communicating with the LDAP server.
> Does anyone have any tips on how to get sudoers working through pam/ldap?
> thanks!!
> On Mon, Nov 8, 2010 at 4:29 PM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
>> On Mon, 8 Nov 2010, bluethundr wrote:
>>> [root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
>> [...]
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
>> I don't believe that "sudoers_base" is a recognized OpenLDAP configuration
>> directive. As such, this line may belong in a file other than
>> "/etc/openldap/ldap.conf" on your system.
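A small audit script for the mix-up discussed in this thread, added here as an example and not part of the thread or of any OpenLDAP/pam_ldap tooling: it reports when /etc/ldap.conf and /etc/openldap/ldap.conf resolve to the same file (the symlink case) and when pam_ldap/nss_ldap or sudo directives such as sudoers_base sit in the OpenLDAP client file. The directive list is assumed from the pam_ldap/nss_ldap and sudoers.ldap man pages, and both paths are parameters so the check can run against copies.

```shell
# Added example: audit an RHEL-style host for pam_ldap/nss_ldap directives
# landing in the OpenLDAP client config, or for the two files being merged
# by a symlink. Prints one FINDING per line; returns 1 if anything was found.
# Usage: ldap_conf_audit [OPENLDAP_CONF] [PAM_LDAP_CONF]

# Directives read by pam_ldap/nss_ldap and sudo's LDAP backend, not by
# libldap (assumed list, taken from those components' man pages).
PAM_ONLY_DIRECTIVES='sudoers_base sudoers_debug rootbinddn bind_policy pam_password nss_base_passwd nss_base_group'

ldap_conf_audit() {
    openldap_conf=${1:-/etc/openldap/ldap.conf}
    pam_conf=${2:-/etc/ldap.conf}
    findings=0

    # 1. The two files must stay distinct: if one is a symlink to the other,
    #    every pam_ldap/nss_ldap directive is also handed to libldap.
    if [ -e "$openldap_conf" ] && [ -e "$pam_conf" ] &&
       [ "$openldap_conf" -ef "$pam_conf" ]; then
        echo "FINDING: $openldap_conf and $pam_conf are the same file (symlink?)"
        return 1
    fi

    # 2. pam_ldap/nss_ldap/sudo directives in the OpenLDAP client config.
    #    Keyword must start the line (comments ignored); match is case-insensitive.
    if [ -f "$openldap_conf" ]; then
        for d in $PAM_ONLY_DIRECTIVES; do
            if grep -iqE "^[[:space:]]*$d([[:space:]]|$)" "$openldap_conf"; then
                echo "FINDING: '$d' in $openldap_conf belongs in $pam_conf"
                findings=$((findings + 1))
            fi
        done
    fi

    [ "$findings" -eq 0 ]
}

# On a live host, run with no arguments to check the default RHEL paths:
#   ldap_conf_audit
```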