I ended up writing an ugly script that tests RACF authentication just using an LDAP bind, and gets called by Apache via mod_auth_any. BUT, after I got that done, I tried pam_password clear this morning, which didn't help, but shaking up the configuration files a little bit finally did work.
/etc/openldap/ldap.conf
    host (host)
    base profiletype=user,sysplex=TIMEPLEX
    ldap_version 3

/etc/ldap.conf
    host (host)
    base profiletype=user,sysplex=TIMEPLEX
    binddn racfid=(user),profiletype=user,sysplex=TIMEPLEX
    bindpw (pass)
    ldap_version 3
    pam_login_attribute racfid

(ldap.secret is not working for me yet)

Which looks an awful lot like what's in the redbook, except the configuration filenames. According to the redbook, for PAM you were supposed to edit /etc/openldap/ldap.conf for SuSE and pam_ldap.conf for Debian. For NSS you were supposed to edit nss_ldap for SuSE and libnss-ldap for Debian. I didn't need NSS, only PAM.

For Red Hat, however, rpm showed that /lib/security/pam_ldap.so was provided by nss_ldap, which also provided /etc/ldap.conf. So using OpenLDAP's /etc/openldap/ldap.conf for PAM was just plain wrong, unlike what the redbook described for SuSE. (I can't believe I made that mistake.)

So it's nice to know we have PAM authentication to RACF with LDAP if we need it, and an alternative at least for Apache authentication if security doesn't like the idea of having a dummy RACF account used for binding with more search authority than they are accustomed to granting.

Thanks for your help,
~ Daniel

> Well, there are some other things you might try. In ldap.conf:
> do you have "pam_password clear"
> did you specify binddn
> did you specify bindpw -> this can alternately be put in
> /etc/ldap.secret
> with permissions of 600

-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be legally privileged and/or confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.
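The two things the message above turns on are (a) a simple LDAP bind against the RACF DN form racfid=USER,profiletype=user,sysplex=SYSPLEX and (b) editing the ldap.conf that actually belongs to pam_ldap rather than the OpenLDAP client library. The script below is an added example and not Daniel's script or anything from the redbook; it uses OpenLDAP's ldapwhoami for the bind test, rpm to find which package owns pam_ldap.so and its config file, and a small check that a pam_ldap-style ldap.conf carries the keys the mail lists. The sysplex name TIMEPLEX is taken from the mail; the host, userid and password are placeholders you supply on the command line.

```sh
#!/bin/sh
# Added example (not from the original mail): RACF-over-LDAP bind test and
# pam_ldap config sanity checks. Assumes the z/OS LDAP server fronting RACF
# and DNs of the form racfid=<USER>,profiletype=user,sysplex=<SYSPLEX>.

# Build the RACF bind DN for a userid. RACF userids are uppercase, so fold
# whatever the caller typed; the sysplex defaults to the one in the mail.
racf_binddn() {
    user=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf 'racfid=%s,profiletype=user,sysplex=%s\n' "$user" "${2:-TIMEPLEX}"
}

# Authenticate a userid/password pair with a simple bind, exactly what
# pam_ldap does after it has looked the user up. Exit 0 = RACF accepted the
# password. Usage: racf_bind_test ldaphost userid password [sysplex]
racf_bind_test() {
    host=$1 user=$2 pass=$3 sysplex=${4:-TIMEPLEX}
    ldapwhoami -x -H "ldap://$host" \
        -D "$(racf_binddn "$user" "$sysplex")" -w "$pass" >/dev/null 2>&1
}

# Print the package that owns pam_ldap.so and the ldap.conf that package
# ships. On Red Hat both come from nss_ldap (/etc/ldap.conf), which is the
# file PAM reads; /etc/openldap/ldap.conf only configures the OpenLDAP
# client tools and library.
pam_ldap_config_owner() {
    pkg=$(rpm -qf /lib/security/pam_ldap.so 2>/dev/null) || return 1
    echo "$pkg"
    rpm -ql "$pkg" 2>/dev/null | grep -E '(^|/)ldap\.conf$'
}

# Verify a pam_ldap-style ldap.conf has every key the RACF setup needs.
# bindpw is accepted either in the file or via a mode-600 /etc/ldap.secret
# (second argument overrides that path for testing). Prints what is missing
# and returns 1 if anything is; also warns if the secret file is too open.
ldap_conf_check() {
    f=$1 secret=${2:-/etc/ldap.secret} rc=0
    for key in host base binddn pam_login_attribute; do
        grep -Eq "^[[:space:]]*$key[[:space:]]" "$f" \
            || { echo "missing: $key"; rc=1; }
    done
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        :
    elif [ -r "$secret" ]; then
        mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
        [ "$mode" = "600" ] || echo "warning: $secret mode is $mode, want 600"
    else
        echo "missing: bindpw (and no readable $secret)"; rc=1
    fi
    return $rc
}

# Stand-alone usage: ./racfcheck.sh ldaphost userid password
if [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ]; then
    pam_ldap_config_owner
    ldap_conf_check /etc/ldap.conf
    if racf_bind_test "$1" "$2" "$3"; then
        echo "bind OK for $(racf_binddn "$2")"
    else
        echo "bind FAILED for $(racf_binddn "$2")"; exit 1
    fi
fi
```

Run it on the box where pam_ldap is failing; if pam_ldap_config_owner names /etc/ldap.conf, that is the file to edit, regardless of what the distribution-specific chapter of the redbook says. A successful racf_bind_test with the same userid and password that PAM rejects means the problem is in ldap.conf, not in RACF.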
