ldap auth with nss_ldap on FC4

Gordon Messmer yinyang at eburg.com
Sun Jun 26 17:13:16 UTC 2005


Daniel Chénard wrote:
> 
> in /etc/ldap.conf, if I use rootbinddn for my proxy agent,

That probably doesn't do what you want it to.  That option only changes 
the way that root binds to the directory, and won't affect nscd.  It 
also won't allow normal users to use LDAP as an NSS source.

> that doesn't
> seem to work, but it works with binddn and bindpw. My
> file /etc/ldap.secret has mode 0600 and owner root.root

That won't work, either.  You can't hide the login credentials from your 
users.  In order for the system to use LDAP as an NSS source, users must 
be able to bind to the directory and search for the relevant 
information.  You can accomplish that in one of two ways:
1: Use ACIs in your directory that allow anonymous reads of 
non-sensitive fields like name, uid, gid, home directory, and allow 
anonymous authentication against the password attribute.
2: Create a user in the directory who can do all of the above, and put 
its credentials in ldap.conf with 0444 permissions.

Either way, users need to be able to make the queries, even if you're 
using nscd.
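An added check, not part of this thread, that audits an nss_ldap-style ldap.conf for the problems discussed above: rootbinddn used where binddn was meant, a privileged DN's password placed in the file every user can read, or the credentials kept in a file non-root users cannot read. It assumes the classic nss_ldap keyword syntax and a constructed list of patterns for privileged DNs.

```shell
#!/bin/sh
# audit_ldap_conf FILE: return 0 when FILE matches the advice above, 1 otherwise.
# Assumes nss_ldap keywords (binddn, bindpw, rootbinddn); the privileged-DN
# patterns in the case statement are a constructed, non-exhaustive list.
audit_ldap_conf() {
    conf=$1
    rc=0
    # Drop comments and blank lines; the keyword is the first field.
    entries=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    binddn=$(printf '%s\n' "$entries" | awk 'tolower($1)=="binddn" { $1=""; sub(/^ /,""); print; exit }')
    bindpw=$(printf '%s\n' "$entries" | awk 'tolower($1)=="bindpw" { print $2; exit }')
    rootbinddn=$(printf '%s\n' "$entries" | awk 'tolower($1)=="rootbinddn" { $1=""; sub(/^ /,""); print; exit }')

    # rootbinddn only changes how root binds; every other user's NSS lookup still binds anonymously.
    if [ -n "$rootbinddn" ] && [ -z "$binddn" ]; then
        echo "WARN: rootbinddn set without binddn: non-root NSS lookups will bind anonymously"
        rc=1
    fi

    if [ -n "$bindpw" ]; then
        # Users must be able to read the credentials, or their own lookups cannot bind.
        other_read=$(ls -ld "$conf" | cut -c8)
        if [ "$other_read" != "r" ]; then
            echo "WARN: $conf is not world-readable; non-root users cannot bind with it"
            rc=1
        fi
        # Since the file is world-readable by design, the DN in it must be a read-only proxy account.
        case "$binddn" in
            *"cn=Directory Manager"*|*"cn=Manager,"*|*"cn=admin,"*|*"cn=root,"*)
                echo "FAIL: privileged DN '$binddn' has its password in world-readable $conf"
                rc=1 ;;
            *)
                echo "OK: proxy DN '$binddn' carries the credentials; confirm its ACIs are read-only" ;;
        esac
    fi
    return $rc
}
```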




More information about the fedora-list mailing list