Re: pam_ldap not working right

2002-06-14 Thread Derrick 'dman' Hudson
On Thu, Jun 13, 2002 at 04:07:30PM -0700, David Wright wrote:
| 
| Looking over your files, I see quite a few problems:
| 
| 1) You need to configure nss_ldap.conf as well as pam_ldap.conf.

Umm, I don't have that ... I need to install libnss-ldap ... that
really helps :-).
 
| 2) The lines in nsswitch.conf should really be "files ldap", not "ldap
| files", i.e. local data takes precedence.

You're right.  I think the howtos I read had it reversed (and they
were meant for RH, of course).
 
| 3) You need to tell pam.d/login to use the same password for pam_unix that
| it tried to use for pam_ldap:
|   auth sufficient pam_ldap.so
|   auth required   pam_unix.so nullok try_first_pass

Hmm, ok.  The docs I read didn't mention that.
 
| 4) In pam_ldap.conf, it's best not to bind as anyone.

Right.  When all else fails, it doesn't hurt to try.

| pam_ldap will attempt to bind with the given password and that will
| be the test. You'll need to use
|   pam_password exop
| if you still want to change user passwords with this setup.

Ok, thanks.

After correcting #1, all is well.  Thanks for noticing that!

-D

-- 

Who can say, I have kept my heart pure;
I am clean and without sin?
Proverbs 20:9
 
http://dman.ddts.net/~dman/



pam_ldap not working right

2002-06-13 Thread Derrick 'dman' Hudson

I'm trying to set up a debian system that will
1)  pull all user info from LDAP (except root, of course)
2)  be a samba PDC, and pull all user info from LDAP

My first test was with a spare RH box.  I managed to make login, su,
and ssh on it authenticate against OpenLDAP on Debian.  It was quite
easy (following the HOWTOs I found), and works fine.  Now I'm trying
to get a debian box to do the same thing.  I'm at the point where
1)  login uses password from either LDAP or /etc/shadow,
and the login only succeeds if the user is in the passwd files
(test accounts that exist only in LDAP fail to log in)
2)  su says Unknown id for the LDAP-only accounts

I can't figure out where I've gone wrong.  The relevant config files
from the debian system are at http://dman.ddts.net/~dman/post/.

Thanks in advance for any suggestions or pointers you can give me!

(once I get the debian system to correctly auth against ldap I go back
and work on samba some more)

-D

-- 

The way of a fool seems right to him,
but a wise man listens to advice.
Proverbs 12:15
 
http://dman.ddts.net/~dman/



Re: pam_ldap not working right

2002-06-13 Thread David Wright

Looking over your files, I see quite a few problems:

1) You need to configure nss_ldap.conf as well as pam_ldap.conf.

2) The lines in nsswitch.conf should really be "files ldap", not "ldap
files", i.e. local data takes precedence.

3) You need to tell pam.d/login to use the same password for pam_unix that
it tried to use for pam_ldap:
  auth sufficient pam_ldap.so
  auth required   pam_unix.so nullok try_first_pass

4) In pam_ldap.conf, it's best not to bind as anyone. pam_ldap will
attempt to bind with the given password and that will be the test. You'll
need to use
  pam_password exop
if you still want to change user passwords with this setup.

If you are still having problems, watch what happens with a packet
sniffer.
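
A small audit script for the two misconfigurations David points at (the nsswitch.conf ordering and the pam_unix line missing try_first_pass), added here as an example and not taken from the thread; the nsswitch.conf and pam.d/login samples it checks are constructed inline to reproduce the "before" and "after" of the fixes.

```shell
#!/bin/sh
# Config audit for the two mistakes discussed in this thread (added example,
# not from the thread). The sample files below are constructed.

# Succeeds when every passwd/group/shadow line in an nsswitch.conf names
# "files" before "ldap", so local accounts take precedence over LDAP.
nss_local_first() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 !~ /^(passwd|group|shadow):$/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap")  { bad = 1; break }   # ldap before files
                if ($i == "files") { break }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Succeeds when no pam_unix.so auth line that follows "auth sufficient
# pam_ldap.so" lacks try_first_pass/use_first_pass; without it pam_unix
# prompts for the password a second time instead of reusing it.
pam_reuses_password() {
    awk '
        /^[[:space:]]*#/ || $1 != "auth" { next }
        $2 == "sufficient" && $3 ~ /pam_ldap\.so/ { ldap = 1; next }
        ldap && $3 ~ /pam_unix\.so/ && $0 !~ /(try|use)_first_pass/ { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed samples: the thread's broken settings and the corrected ones.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'passwd: ldap files\ngroup:  ldap files\nshadow: ldap files\n' > "$SAMPLES/nss_bad"
printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n' > "$SAMPLES/nss_good"
printf 'auth sufficient pam_ldap.so\nauth required   pam_unix.so nullok\n' > "$SAMPLES/pam_bad"
printf 'auth sufficient pam_ldap.so\nauth required   pam_unix.so nullok try_first_pass\n' > "$SAMPLES/pam_good"

for f in nss_bad nss_good; do
    if nss_local_first "$SAMPLES/$f"; then echo "$f: files before ldap (ok)"
    else echo "$f: ldap listed before files (fix ordering)"; fi
done
for f in pam_bad pam_good; do
    if pam_reuses_password "$SAMPLES/$f"; then echo "$f: pam_unix reuses password (ok)"
    else echo "$f: pam_unix lacks try_first_pass (double prompt)"; fi
done
```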

