Well, there are some other things you might try.  In ldap.conf:
do you have "pam_password clear"?
did you specify binddn?
did you specify bindpw? -> this can alternately be put in /etc/ldap.secret
with permissions of 600.


Mark Post

-----Original Message-----
From: Daniel Jarboe [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: pam_ldap to LDAP server on z/OS with RACF backend


> You're welcome, but did it help you to the point you're working now?

I thought it would be a piece of cake after reading that redpaper... but
after much trial and error, I'm still having problems.

Here's what I'm up to...

pam.d/httpd is a mere:
auth        required   pam_ldap.so
account     required   pam_ldap.so
password    required   pam_ldap.so

Which should be enough, really.

/etc/openldap/ldap.conf is:
host (host is fine)
base profiletype=user,sysplex=TIMEPLEX
binddn racfid=(racfid),profiletype=user,sysplex=TIMEPLEX
bindpw (password in plain text)
ldap_version 3
pam_login_attribute racfid
SASL_SECPROPS = none

That racfid is from somebody with AUDITOR

The messages I'm getting now are:
Jun  5 14:38:20 linmast httpd: nss_ldap: could not search LDAP server - Insufficient access
Jun  5 14:38:20 linmast last message repeated 15 times
Jun  5 14:38:23 linmast httpd: pam_ldap: ldap_search_s Insufficient access

Though in the past I also saw:
Jun  5 14:19:43 linmast httpd: nss_ldap: could not search LDAP server - DSA is unwilling to perform
but that was when I had ldap in nsswitch.conf.

With ldapsearch I have to use -x or the bind fails, so I've tried with
and without the SASL_SECPROPS none.  ldapsearch worked with -P 3 so
ldap_version 3 should not be breaking anything.

And ldapsearch -x -D "(racfid),profiletype=user,sysplex=TIMEPLEX" -W -b
"racfid=(someoneelse),profiletype=user,sysplex=TIMEPLEX" "objectclass=*"
works fine.  It fails if I don't specify the -D -W though... Perhaps
incorrectly I thought that ldapsearch would bind with the dn specified
in /etc/openldap/ldap.conf if none was provided on the command line, but
I get:

text: R000137 'CN=ANYBODY' is not a valid RACF DN for bind.  Check that
the syntax is correct and that it is a DN for a RACF user.

All in all it's a mess.

~ Daniel






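The two points Mark raises above (where the bind password lives, and whether that file is locked down to mode 600) are easy to get wrong and easy to check. The script below is an added example, not code from either message in the thread: it reads a pam_ldap/nss_ldap-style ldap.conf, reports whether the bindpw sits in a file readable by group or others, and prints the ldapsearch invocation that verifies the bind DN with the password read from the secret file (`-y`, assumed available in the installed OpenLDAP client) rather than typed on the command line. The host, bind DN and password in the demo are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the bind-password setup that
# pam_ldap/nss_ldap read from ldap.conf and /etc/ldap.secret.
# File paths are parameters so the checks can run against a scratch copy.

# group_other_readable FILE -> exit 0 if group or others can read FILE.
# Columns 5-10 of "ls -ld" are the group and other permission bits.
group_other_readable() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# conf_value FILE KEY -> value of the first "KEY value" line (keys are
# case-insensitive in pam_ldap's ldap.conf).
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_bindpw CONF SECRET -> prints one word:
#   insecure      bindpw is in CONF and CONF is readable by group/others
#   secret-perms  SECRET holds the password but is readable by group/others
#   ok            the password is only in a file with no group/other read bit
#   no-password   neither file supplies a bind password
check_bindpw() {
    conf=$1; secret=$2
    if [ -n "$(conf_value "$conf" bindpw)" ]; then
        if group_other_readable "$conf"; then echo insecure; else echo ok; fi
        return
    fi
    if [ -s "$secret" ]; then
        if group_other_readable "$secret"; then echo secret-perms; else echo ok; fi
        return
    fi
    echo no-password
}

# bind_test_cmd CONF SECRET -> the ldapsearch command that verifies the
# configured bind DN works. -y reads the password from SECRET so it never
# shows up in `ps` (assumes an OpenLDAP ldapsearch that supports -y).
bind_test_cmd() {
    conf=$1; secret=$2
    host=$(conf_value "$conf" host)
    base=$(conf_value "$conf" base)
    binddn=$(conf_value "$conf" binddn)
    printf 'ldapsearch -x -H ldap://%s -D "%s" -y %s -b "%s" -s base "(objectclass=*)"\n' \
        "$host" "$binddn" "$secret" "$base"
}

# --- demo on constructed files shaped like the ldap.conf in the thread ---
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ldap.conf" <<'EOF'
host ldap.example.invalid
base profiletype=user,sysplex=TIMEPLEX
binddn racfid=PAMBIND,profiletype=user,sysplex=TIMEPLEX
bindpw hunter2
ldap_version 3
pam_login_attribute racfid
pam_password clear
EOF
    chmod 644 "$tmp/ldap.conf"     # the usual mode: world-readable
    echo "bindpw inline, ldap.conf 644: $(check_bindpw "$tmp/ldap.conf" "$tmp/ldap.secret")"

    # Move the password out of ldap.conf into a separate secret file.
    grep -v '^bindpw' "$tmp/ldap.conf" > "$tmp/ldap.conf.new" \
        && mv "$tmp/ldap.conf.new" "$tmp/ldap.conf"
    printf 'hunter2' > "$tmp/ldap.secret"
    chmod 644 "$tmp/ldap.secret"
    echo "secret file 644:               $(check_bindpw "$tmp/ldap.conf" "$tmp/ldap.secret")"
    chmod 600 "$tmp/ldap.secret"
    echo "secret file 600:               $(check_bindpw "$tmp/ldap.conf" "$tmp/ldap.secret")"

    echo "bind test command:"
    bind_test_cmd "$tmp/ldap.conf" "$tmp/ldap.secret"
    rm -rf "$tmp"
}
demo
```

The check is purely about permission bits, so it works the same whether run as root or not; it does not contact a server. Running the printed ldapsearch line by hand is the step that separates a bad bind DN (the "not a valid RACF DN for bind" error in the thread) from a bind that succeeds but lacks search rights ("Insufficient access").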