openldap trouble

Yang Xiao yxiao2004 at gmail.com
Wed Oct 26 14:42:10 UTC 2005


Hi,
I found that if I change /etc/ldap.conf to use binddn and bindpw it
works, but if I use rootbinddn and put the password in /etc/ldap.secret,
it doesn't. It's the same user account. Any ideas? And how would this affect
LDAP operations?
 - Yang

 On 10/26/05, Craig White <craigwhite at azapple.com> wrote:
>
> On Wed, 2005-10-26 at 10:08 -0400, Yang Xiao wrote:
> > Hi all,
> > I'm running openldap-2.2.23-5 on FC4 with nss_ldap, I'm was able start
> > the server and populate the db using smbldap-tool, ldapsearch works,
> > smbldap-useradd works, but I can't seem to make name switch to work, I
> > tried both "files ldap" and "compat ldap" for passwd/shadow/group, PAM
> > system-auth seems to be ok.
> > I think I should be able to see the ldap users when I do "getent
> > passwd", but this only shows the passwd file content.
> > please help!
> >
> > Many thanks!
> >
> > - Yang
> >
> > #system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required /lib/security/$ISA/pam_env.so
> > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> > auth required /lib/security/$ISA/pam_deny.so
> >
> > account required /lib/security/$ISA/pam_unix.so broken_shadow
> > account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> > account required /lib/security/$ISA/pam_permit.so
> >
> > password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> > password required /lib/security/$ISA/pam_deny.so
> >
> > session required /lib/security/$ISA/pam_limits.so
> > session required /lib/security/$ISA/pam_unix.so
> > session optional /lib/security/$ISA/pam_ldap.so
> >
> > #NSSWITCH
> >
> > passwd: compat ldap
> > group: compat ldap
> >
> > hosts: files dns
> > networks: files dns
> >
> > services: files ldap
> > protocols: files ldap
> > rpc: files
> > ethers: files
> > netmasks: files
> > netgroup: files ldap
> > publickey: files
> >
> > bootparams: files
> > automount: files ldap
> > aliases: files
> >
> > shadow: compat ldap
> >
> > #/etc/ldap.conf
> >
> > host: 127.0.0.1
> > base dc=xxx,dc=com
> > # stored in /etc/ldap.secret (mode 600)
> > rootbinddn cn=nssldap,ou=DSA,dc=xxx,dc=com
> >
> > nss_base_passwd ou=Users,dc=xxx,dc=com?one
> > nss_base_passwd ou=Computers,dc=xxx,dc=com?one
> > nss_base_shadow ou=Users,dc=xxx,dc=com?one
> > nss_base_group ou=Groups,dc=xxx,dc=com?one
> >
> > pam_password md5
> > ssl no
> ----
> it looks pretty good...
>
> what happens when you try from command line?
>
> ldapsearch -x -h 127.0.0.1 -D 'cn=nssldap,ou=DSA,dc=xxx,dc=com' \
>   -W '(objectclass=*)' | grep uid
>
> does it list users? Obviously the password you use 'MUST' be the same
> password you have in /etc/ldap.secret for this to simulate what you are
> trying to do.
>
> Craig
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
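The difference between the two bind styles in the thread is worth spelling out, because it is a security trade-off as much as a configuration one. With binddn/bindpw, the DSA password sits in /etc/ldap.conf, which has to be world-readable for nss_ldap to work in every process, so every local user can read it. With rootbinddn, the password lives in root-only /etc/ldap.secret, but nss_ldap only uses it when the process doing the lookup has uid 0; a normal user's getent or id binds anonymously, so if the directory's ACLs hide user entries from anonymous binds those lookups come back empty while the bindpw setup would have worked. Craig's hand-typed ldapsearch only exercises the root case. The script below is an added example, not code from the thread: it reproduces that check with the exact credentials nss_ldap would use and tests the preconditions that usually explain a "rootbinddn doesn't work" report. The DN, base and file names are taken from the quoted /etc/ldap.conf; the sample files in the test are constructed, the `host` line is written in the whitespace-separated form nss_ldap's ldap.conf(5) documents (no colon), and GNU stat plus a reachable ldapsearch(1) are assumed.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce Craig's ldapsearch check
# with exactly the credentials nss_ldap uses for "rootbinddn", and flag the
# usual reasons that setup fails while binddn/bindpw in /etc/ldap.conf works.
# The DN, base and file names come from the quoted /etc/ldap.conf; GNU stat
# and a reachable ldapsearch(1) are assumptions.

# Value of KEYWORD in an nss_ldap-style ldap.conf: the first whitespace-
# separated token is the keyword, the rest of the line is the value, and
# '#' lines are comments.  Prints nothing when the keyword is absent.
ldap_conf_get() {   # ldap_conf_get FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# First line of the secret file, which is what nss_ldap binds with.
# "ldapsearch -y FILE" sends the file verbatim, trailing newline included,
# so pointing -y straight at /etc/ldap.secret tests a different password.
ldap_secret_pw() {   # ldap_secret_pw FILE
    head -n 1 "$1"
}

# True when FILE has no group/other permission bits: the "mode 600" the
# quoted config asks for.  Anything looser hands the DSA password to every
# local user, which defeats the point of using rootbinddn instead of bindpw.
secret_mode_ok() {   # secret_mode_ok FILE
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Load host/base/rootbinddn into LDAP_HOST, LDAP_BASE, ROOTBINDDN.
# Returns 1 when CONF has no rootbinddn line.
load_conf() {   # load_conf CONF
    LDAP_HOST=$(ldap_conf_get "$1" host)
    LDAP_HOST=${LDAP_HOST:-127.0.0.1}; LDAP_HOST=${LDAP_HOST%% *}
    LDAP_BASE=$(ldap_conf_get "$1" base)
    ROOTBINDDN=$(ldap_conf_get "$1" rootbinddn)
    [ -n "$ROOTBINDDN" ]
}

# Bind as rootbinddn with the secret and count the uid attributes returned,
# which is what "getent passwd" run by root would see.  Returns 0 when at
# least one uid comes back, 1 otherwise, naming the failing precondition.
check_rootbind() {   # check_rootbind CONF SECRET
    load_conf "$1" || { echo "FAIL: no rootbinddn in $1" >&2; return 1; }
    secret_mode_ok "$2" || { echo "FAIL: $2 must be mode 0600, owned by root" >&2; return 1; }
    # nss_ldap uses rootbinddn only when the process doing the lookup has
    # uid 0; everyone else binds anonymously, and if the directory's ACLs
    # hide posixAccount entries from anonymous, those lookups return nothing.
    [ "$(id -u)" -eq 0 ] || echo "note: not uid 0, nss_ldap itself would bind anonymously here" >&2
    # mktemp creates the file 0600, so the password never shows up in ps(1).
    pwfile=$(mktemp) || return 1
    printf '%s' "$(ldap_secret_pw "$2")" > "$pwfile"
    out=$(ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -D "$ROOTBINDDN" -y "$pwfile" \
            -b "$LDAP_BASE" '(objectClass=posixAccount)' uid 2>&1)
    rm -f "$pwfile"
    n=$(printf '%s\n' "$out" | grep -c '^uid:')
    echo "bind as $ROOTBINDDN returned $n uid(s)"
    [ "$n" -gt 0 ] || { printf '%s\n' "$out" >&2; return 1; }
}

# Usage: sh check_rootbind.sh [/etc/ldap.conf [/etc/ldap.secret]]
if [ "$#" -gt 0 ]; then
    check_rootbind "$1" "${2:-/etc/ldap.secret}"
fi
```

Run it once as root and once as an unprivileged user: if the root run lists users and the non-root note appears, the remaining question is whether slapd's access directives let anonymous binds read the passwd and shadow attributes, which is where a rootbinddn-only setup usually breaks.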


More information about the fedora-list mailing list