[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
>
>On Sat Mar 16, 2002 at 10:16:38AM +0100, Antonio Galea wrote:
>[...]
>> > Not having done too much with pam before, I'm really not sure where to
>> > go with this.
>> >
>>
>> I've found this reference, which applies to your case:
>>
>> http://www.linuxdoc.org/HOWTO/Authentication-Gateway-HOWTO/setup.html
>>
>> At the bottom of the document, there's something about LDAP authentication;
>> the document gives a copy of RedHat's auto-generated /etc/pam.d/system-auth:
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      /lib/security/pam_env.so
>> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
>> auth        required      /lib/security/pam_deny.so
>[...]
>> Sorry, I had no time to set up an auth server to check if it works :-)
>>
>> Hope this helps,
>It *totally* helped.  Everything is working very nicely now... =)  I
>can login locally authenticating against the LDAP database, so that's
>very positive.  It's a bit of a PITA for account/password maintenance
>(I had to write a ldap-passwd script for LDAP-based users to change
>their passwords.. actually, speaking of which, does anyone know how to
>read input from stdin into a bash script but not print out the text to
>stdout?  Kinda like passwd when you enter in your new
>password... that's the only thing missing from the script right now).

If your pam setup is correct, your pam_ldap should allow for password changes also.
You should not need to write a script for this (AFAIK). Even if you do need a
script, I am sure you could find one on Freshmeat. I have seen a cgi-based one posted
to the samba list before ...

If that still doesn't work, expect is supposed to be ideal for this.

>I do have one other concern, and I hope someone with a little more
>LDAP experience than I has an idea (thus why I'm also cc'ing this to
>the expert list).
>When I do lookups against the LDAP database locally, it's very fast.
>But when I do them from the PPC machine, they're horrendously slow.  I
>have NSS configured to do passwd/shadow/group/hosts lookups from the
>LDAP server, and I'm pretty sure the LDAP client (via /etc/ldap.conf)
>is configured properly as it does eventually work, but it's very very
>slow.  For instance, using "getent hosts" on the PPC machine takes
>30s-1m before the hosts info from LDAP is returned, but when I do
>"getent hosts" on the LDAP server (likewise configured with regards to
>NSS), the information is returned immediately.
>I've looked at the slapd manpage and I've looked at the OpenLDAP guide,
>but I don't see anything in there as to why it's so slow when
>accessing it from remote.

Vince, I assume you either have hosts entries on your LDAP server for all your
clients, or working DNS, but I will still ask ..... A 30s pause always makes me
think name resolution.

Also, since you have got hosts in ldap, does your server have ldap in the hosts line
of nsswitch.conf? I normally try and keep files in sync with LDAP as much as
possible (specifically on the LDAP server) so that things work when your LDAP server
is down for some reason. I expect LDAP needs its own account available to start up
anyway ;-)

>Does anyone have any ideas about this?  I think LDAP-based
>authentication is very very slick, and works real nice (once you get
>past the PITA to set it up), but this slowdown is ridiculous...  doing
>a simple query like:
>ldapsearch -LL -H ldap://10.0.5.5 -b"dc=danen,dc=net" -x "(uid=adanen)"

It depends quite a bit on the hardware on your server, though you should at least
have your search query return. Our production LDAP box is a 500 Celeron, and it does
domain controlling (samba) and serves as our main file server (samba and NFS) for
about 60 desktops, and although an LDAP "getent passwd" does take a second or two,
it is nothing to complain about (sometimes cd ~ does take a bit longer than you 
expect).

On my home test box (a P120), anything LDAP was slow (haven't setup LDAP since I
upgraded the box to RC1 ;-), so I can't give you figures, but ldapsearch did return.
The KDM user listing did take a while though ... 

>takes forever... in fact, I haven't had it return any info once yet.
>But getent hosts returns info (slow) as does doing a ping to a host
>that's listed in ou=Hosts.  getent passwd works also... but still slow
>(30s-1m).  My ldapsearch just never returns anything, and the logs
>are, well, pretty cryptic.

We don't use ldap in hosts, we use DNS instead. 

>Any pointers, tips, etc. would be more than welcome...  If this thing
>can be sped up to be near-instant (ie. 1-3s delays), I would be
>extremely happy.

Just for reference, we actually use LDAP for accounts, and pam_smb for passwords.
You can find our Mandrake-8.0-ish system-auth-ldap here:

http://ranger.dnsalias.com/mandrake/configs/system-auth-ldap-smb

BTW, it's good that all the system accounts (things like xgrp, ctools, ntools etc come to
mind) don't get uids <500, but some critical uids changed between 8.0 and 8.1, which
caused my postfix running on an 8.1 box with LDAP auth off the 8.0 box some problems,
since I had:

passwd: ldap files

Btw, this setup for passwd makes rpm segfault while installing anything, so it is
not suggested (although nice when you have an LDAP server which points homes to a
nfs-mounted /home/users/$USERNAME, while the account in files points the home to a
local /home/$USERNAME, meaning you can still log in if you have stuffed ldap up).

So now are you ready to write page two of my LDAP docs at
http://ranger.dnsalias.com/mandrake/muo/connect/cldap.html


Hope this has helped.
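For the "read a password from stdin without echoing it" question in the quoted message, here is an added example that is not part of the original thread: a POSIX sh script that prompts the way passwd(1) does (echo turned off with stty while the line is read, and restored on Ctrl-C), asks for the new password twice, and then hands the result to ldappasswd(1) through a mode-0600 temporary file instead of on the command line, where it would be visible to every user in ps. The server address and base DN are the ones from the ldapsearch quoted above; the ou=People container, the minimum length and the ldappasswd invocation itself are assumptions, and ldappasswd is only run when a uid is given as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): passwd-style silent prompt plus a
# hypothetical ldappasswd wrapper. ou=People, MIN_PASSWORD_LEN and the
# ldappasswd flags are assumptions; 10.0.5.5 and dc=danen,dc=net come
# from the ldapsearch quoted in the thread.

MIN_PASSWORD_LEN=8
LDAP_URI=${LDAP_URI:-ldap://10.0.5.5}
LDAP_BASE=${LDAP_BASE:-dc=danen,dc=net}

# read_secret PROMPT
# Reads one line from stdin and prints it (no trailing newline) on stdout.
# When stdin is a terminal, echo is switched off for the duration of the
# read, which is what passwd does, and the old tty settings are restored
# afterwards and on Ctrl-C. When stdin is a pipe or file the line is read
# as-is, so the function can be scripted and tested.
read_secret() {
    _prompt=$1
    _secret=
    if [ -t 0 ]; then
        _saved=$(stty -g)
        trap 'stty "$_saved"; printf "\n" >&2; exit 130' INT TERM
        printf '%s' "$_prompt" >&2
        stty -echo
        IFS= read -r _secret || :
        stty "$_saved"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r _secret || :
    fi
    printf '%s' "$_secret"
}

# prompt_new_password
# Asks for the new password twice, refuses mismatched or too-short input
# (returns 1), otherwise prints the accepted password on stdout. Messages
# go to stderr so a caller can capture the password with $(...).
prompt_new_password() {
    _p1=$(read_secret 'New password: ')
    _p2=$(read_secret 'Retype new password: ')
    if [ "$_p1" != "$_p2" ]; then
        echo 'Sorry, passwords do not match.' >&2
        return 1
    fi
    if [ ${#_p1} -lt "$MIN_PASSWORD_LEN" ]; then
        echo "Password must be at least $MIN_PASSWORD_LEN characters." >&2
        return 1
    fi
    printf '%s' "$_p1"
}

# change_ldap_password UID
# Binds as the user (simple bind, -W prompts for the *current* password)
# and sets the new one with the password-modify operation. The new value
# is passed with -T from a 0600 file, never as an argument, so it does
# not appear in the process list. DN layout is an assumption.
change_ldap_password() {
    _uid=$1
    _dn="uid=$_uid,ou=People,$LDAP_BASE"
    _new=$(prompt_new_password) || return 1
    _tmp=$(mktemp "${TMPDIR:-/tmp}/ldappw.XXXXXX") || return 1
    chmod 600 "$_tmp"
    printf '%s' "$_new" > "$_tmp"
    ldappasswd -x -H "$LDAP_URI" -D "$_dn" -W -T "$_tmp" "$_dn"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Only talk to the LDAP server when a uid is supplied; running or
# sourcing the file without arguments just defines the functions.
if [ $# -ge 1 ]; then
    change_ldap_password "$1"
fi
```

Run it as ./ldap-passwd <uid>; after the two silent prompts, ldappasswd's -W prompt asks for the current password before the change is sent. If pam_ldap is set up for password changes, as the reply above notes, plain passwd(1) does the same job without any of this.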

