hi cuneyt,

cuneytm wrote:
> Just wanted to update you on my attempts to authenticate against an openLDAP
> server as secondary directory server (but not an Active Directory Server)
> for users and groups;
>
> I managed to get it working, with compromising greatly on the security =)
>
> I was using wireshark to understand how openthinclient sends the LDAP bind
> request from the login screen to the openLDAP server (set up as secondary
> directory).
>
> It seems that the login screen sends only the "cn=Manager" part even though the Read
> only principal (under thinclient server) is complete with dn suffix (such as
> cn=Manager,dc=mydomain,dc=com).
> I have no idea why this is happening, perhaps you can shed some light on it.
>
> On the openthinclient server, i set up the Secondary Directory Server as
> follows;
> Secondary Directory
> LDAP URL: ldap://localhost:389/dc=mydomain,dc=com
> Read only principal: [empty]
> Password: [empty]

be careful using "localhost"! this LDAP URL is evaluated by the initscripts-tcos package (in detail: "/opt/initscripts-tcos/rc2345.d/pam_ldap"). this script builds the pam ldap config file "/etc/pam_ldap.conf" used for authentication. for further information see its manual page (man pam_ldap.conf).
you definitely have to use your openldap server name or IP instead of "localhost". otherwise the thin client tries to authenticate against itself.

my advice is to start the thin client, log in as root remotely using ssh and manually modify the file /etc/pam_ldap.conf with "vim" until your gdm login works (so you don't need to restart the thin client or gdm). if you have found a working config you can start modifying the initscripts-tcos package to support openLDAP authentication.

here are some basic configuration options for pam_ldap.conf with comments:

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host <your ldap server>

# The distinguished name of the search base.
base <dc=yourdomain,dc=com>

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=yourdomain,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

a minimal config file for an openLDAP server that permits anonymous binds just needs "host" and "base" configured.

cheers,
martin

p.s.
before you start editing files with vim/vi please have at least a look at some quick guides like http://www.arekdreyer.com/help/vi.html

_______________________________________________
The Open Source Thin Client Solution
http://openthinclient.org
[email protected]
https://lists.sourceforge.net/lists/listinfo/openthinclient-user
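As an added example (not part of the mailing-list post, and not code from openthinclient or the initscripts-tcos package), the following Python script reads a pam_ldap.conf in the "key value" format shown above and flags the two mistakes discussed in the thread before the file is copied onto a thin client: a "host" that still points at localhost (so the client would try to authenticate against itself), and a bind DN that lacks its suffix (e.g. "cn=Manager" instead of "cn=Manager,dc=mydomain,dc=com"). It also catches template placeholders such as "<your ldap server>" that were never filled in, and a "binddn" configured without a "bindpw". The sample configurations inside the script are constructed for the example; the check names and messages are the example's own, not anything from pam_ldap or openthinclient.

```python
"""Sanity-check a pam_ldap.conf before pointing a thin client at it.

Added example, not part of the mailing-list post or of the openthinclient /
initscripts-tcos code. Parses the "key value" lines used by pam_ldap.conf
(see man pam_ldap.conf) and reports problems a practitioner would want to
know about before the thin client's gdm login is tested against it.
"""
import sys

# Addresses that would make the thin client talk to itself rather than to
# the openLDAP server.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_pam_ldap_conf(text):
    """Return {key: value} from pam_ldap.conf-style text.

    Lines beginning with '#' are comments, so a commented-out option such as
    "#binddn ..." is NOT active. Blank lines are ignored. The first run of
    whitespace separates the key from the value; a later key overrides an
    earlier one, as the file is read top to bottom.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def is_full_dn(dn):
    """True if the DN carries a suffix: at least two 'attr=value' RDNs."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return len(rdns) >= 2 and all("=" in r for r in rdns)


def check_pam_ldap_conf(text):
    """Return a list of problem strings; an empty list means the config looks sane."""
    conf = parse_pam_ldap_conf(text)
    problems = []

    # "host" and "base" are the minimum for an anonymous-bind setup.
    for key in ("host", "base"):
        value = conf.get(key, "")
        if not value:
            problems.append(f"no '{key}' configured")
        elif value.startswith("<"):
            problems.append(f"'{key}' still holds the template placeholder {value!r}")

    # Multiple hosts may be listed separated by spaces; none may be loopback.
    host_value = conf.get("host", "")
    if host_value and not host_value.startswith("<"):
        for h in host_value.split():
            if h.lower() in LOOPBACK:
                problems.append(
                    f"host {h!r} is a loopback address: the thin client "
                    "would authenticate against itself"
                )

    # If a bind DN is active it must be complete and come with a password.
    binddn = conf.get("binddn")
    if binddn is not None:
        if not is_full_dn(binddn):
            problems.append(
                f"binddn {binddn!r} has no suffix "
                "(expected e.g. cn=Manager,dc=mydomain,dc=com)"
            )
        if not conf.get("bindpw"):
            problems.append(
                "binddn is set without 'bindpw': a DN with an empty password "
                "is an unauthenticated bind, not the identity you intended"
            )
    return problems


# Constructed sample configs for the example (not real deployments).
SAMPLE_BAD = """host localhost
base dc=mydomain,dc=com
binddn cn=Manager
"""

SAMPLE_GOOD = """# LDAP server reachable from the thin client
host ldap.mydomain.com
base dc=mydomain,dc=com
#binddn cn=proxyuser,dc=mydomain,dc=com
#bindpw secret
"""


if __name__ == "__main__":
    # Usage: python check_pam_ldap.py /etc/pam_ldap.conf
    # Without an argument the two constructed samples are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"SAMPLE_BAD": SAMPLE_BAD, "SAMPLE_GOOD": SAMPLE_GOOD}
    for name, text in samples.items():
        found = check_pam_ldap_conf(text)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print(f"  - {p}")
```

Run it against the thin client's /etc/pam_ldap.conf over the ssh session described above; the "binddn without bindpw" and "no suffix" checks correspond to the truncated "cn=Manager" bind seen in wireshark, and the loopback check to the "localhost" URL.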
