Thomas Mathiesen wrote:
>WORKS!!! I am actually not using the libnssldap.conf file.. but the
>pam_ldap.conf file in /etc/ on ubuntu.
>

That's great! If it wouldn't be too much trouble, I would appreciate it if you would tell us the steps you took and any gotchas you ran into. Then I can update the HowTo:PAM on our wiki. Thanks!

>There are two "ldap" conf files, and it seems to use only one.
>
>Thanks a lot for guidance :)
>
>/T
>
>Nalin Dahyabhai (nalin at redhat.com) wrote:
>
>>On Tue, Jun 07, 2005 at 12:00:34PM +0000, Thomas Mathiesen wrote:
>>
>>>So, here's what I continued doing:
>>>Added a user (using the web interface).
>>>Added objectclass posixAccount to this user (using GQ)
>>>
>>>Turning to my desktop, running Ubuntu Hoary and Openldap, I set it up using
>>>this ldap config:
>>>host ldap.mydomain.com
>>>base dc=mydomain,dc=com
>>>ldap_version 3
>>>timelimit 30
>>>pam_filter objectclass=posixAccount
>>>pam_login_attribute uid
>>>ssl no
>>>#ssl start_tls
>>>#tls_checkpeer no
>>>pam_password ssha
>>>
>>>I've tried to use ssl (and tls_checkpeer no), and no ssl.... nothing works.
>>>
>>>In my log on the fedora directory server, I see the connection, and it first
>>>tries to find the posixAccount, and returns no error. Then it looks for
>>>shadowAccount, and returns no error (after I added that objectclass as well).
>>>
>>>The client worked fine, authenticating with my previous openldap server... and
>>>I can't see why it doesn't authenticate with my new fedora server.
>>>
>>Can you give us some more details to go on? Are you using pam_ldap to
>>check passwords, or are you just using nss_ldap in combination with
>>pam_unix? What do your system logs indicate when the user's attempt to
>>authenticate fails?
>>
>>If it's nss_ldap+pam_unix, can you read the userPassword attribute of
>>the user's posixAccount object when you bind to the directory
>>anonymously? For example, does this command give you any userPassword
>>values?
>>
>> ldapsearch -x -h ldap.mydomain.com -b dc=mydomain,dc=com uid=username userPassword
>>
>>My guess here is that you have an ACI on dc=mydomain,dc=com which allows
>>read access to any attribute except "userPassword" for anonymous users,
>>and because nss_ldap is binding to the directory anonymously on
>>pam_unix's behalf to read the attribute, pam_unix can't check passwords.
>>
>>HTH,
>>
>>Nalin
>>
>
>--
>LinProfs
>Phone: +31703521193 & +31652572454
>Web: www.linprofs.com & www.linprofs.nl
>Email: thomas at linprofs.com
>
>-
>"Microsoft is to operating systems & security ....
>.... what McDonalds is to gourmet cooking"
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
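As an added example (not part of the thread, and not code from 389/Fedora Directory Server or pam_ldap), two offline checks matching Nalin's diagnosis: parsing the LDIF that the anonymous ldapsearch above prints to see whether userPassword came back, and flagging the transport settings in the quoted pam_ldap.conf. The LDIF and config text are constructed samples, and treating a missing `ssl` line as `ssl no` is an assumption.

```python
# Added example; sample LDIF and config text below are constructed, not captured.
import base64

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts:
    unfold continuation lines, decode base64 ('::') values, skip '#' comments,
    lower-case attribute names (LDAP attribute names are case-insensitive)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def userpassword_readable(ldif_text):
    """True when the (anonymous) search result exposes a userPassword value,
    which is what nss_ldap needs for pam_unix to be able to check passwords."""
    return any("userpassword" in e for e in parse_ldif(ldif_text) if "dn" in e)

def pam_ldap_conf_warnings(conf_text):
    """Flag pam_ldap.conf settings that weaken transport security. '#' lines
    are ignored; a missing 'ssl' line is treated as 'ssl no' (assumption)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    warnings = []
    if settings.get("ssl", "no") == "no":
        warnings.append("ssl no: binds and password hashes cross the network in cleartext")
    if settings.get("tls_checkpeer") == "no":
        warnings.append("tls_checkpeer no: the server certificate is never verified")
    return warnings
# Constructed sample: an ACI hides userPassword from the anonymous reader.
HIDDEN = "dn: uid=tm,dc=mydomain,dc=com\nobjectClass: posixAccount\nuid: tm\n\n"
# Constructed sample: userPassword is returned, base64-encoded as ldapsearch prints it.
VISIBLE = HIDDEN.rstrip("\n") + "\nuserPassword:: e1NTSEF9YWJj\n\n"
```

If the hidden case is what the anonymous ldapsearch returns, the fix is in the directory's ACI (or in binding with a dedicated read account), not in the client's pam settings.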