> > in /etc/ldap.conf, and that your pam stack is set up for pam_ldap
> > authentication. Also, if you are using a proxy agent, the proxy agent
> > must not be able to see the userPassword attribute, or you will end up
> > authenticating via pam_unix, and not pam_ldap.
>
> This could be the problem. I am using a proxy and not sure how to test
> what you are saying. If I do an ldapsearch such as:
>
> ldapsearch -x -ZZ '(uid=tulsa)'
>
> then that should bind via the entries in ldap.conf hence use the
> config'd proxy, correct? Then if that search shows a userPassword then
> that would confirm pam_unix usage? Not sure how to stop it if it is
> using pam_unix?
>

That's correct, if you can do a ldapsearch and bind as the proxyagent and
you see the userPassword attribute returned, then the directory server has
an ACI that allows read for your proxy agent of the userPassword attribute.
You can just remove that ACI and it should at that point not return the
userPassword field, and pam_ldap authentication would take place then.

For example:

ldapsearch -x -h ldapsrv -D "cn=proxyid,dc=blah" -W -b "ou=people,dc=blah" uid=tulsa

Where -D is the id listed as proxyagent in ldap.conf, and the password
supplied is for that id. If userPassword is returned then you know what is
going on.

If this is not what is happening, check and make sure you don't have
rootbinddn and /etc/ldap.secret set up. If it is actually binding as your
rootdn then that is what it could be as well.

Jamie
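The check Jamie describes, turned into a small script (an added example, not part of this thread or of nss_ldap/pam_ldap): read the proxy-agent settings from an ldap.conf fragment, build the same ldapsearch call he shows, then parse the LDIF that ldapsearch prints and report any entry whose userPassword came back. It also flags a configured rootbinddn, his second thing to rule out. Everything here is constructed sample data: the hostnames, DNs, and the ldap.conf and LDIF text are placeholders, and the LDIF parser is a minimal one that handles folded lines, comments and base64 (`::`) values only.

```python
"""Detect whether the LDAP proxy agent can read userPassword.

Added example for the thread above (not the original poster's code).  The
ldap.conf fragment and the two ldapsearch outputs below are constructed
sample data with placeholder names.
"""
import base64
import shlex

# Constructed ldap.conf fragment: the binddn is the proxy agent.
SAMPLE_LDAP_CONF = """\
host ldapsrv.example.test
base ou=people,dc=example,dc=test
binddn cn=proxyid,dc=example,dc=test
bindpw placeholder-not-a-real-secret
pam_password md5
"""

# Constructed ldapsearch output from a directory whose ACI lets the proxy
# agent read userPassword.  ldapsearch base64-encodes the value because it
# starts with '{'.  The gecos line is folded over two lines (leading space).
SAMPLE_LDIF_LEAKING = """\
# extended LDIF
dn: uid=tulsa,ou=people,dc=example,dc=test
uid: tulsa
objectClass: posixAccount
userPassword:: e1NTSEF9c2FtcGxl
gecos: Tulsa
  User
"""

# Constructed output after the offending ACI has been removed.
SAMPLE_LDIF_FIXED = """\
dn: uid=tulsa,ou=people,dc=example,dc=test
uid: tulsa
objectClass: posixAccount
"""


def parse_ldap_conf(text):
    """Return ldap.conf keyword/value pairs as a dict with lower-cased keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def build_ldapsearch_argv(conf, uid):
    """Mirror Jamie's command: simple bind as the proxy agent (-D), prompt for
    its password (-W), and search the configured base for one uid."""
    binddn = conf.get("binddn")
    if not binddn:
        raise ValueError("no binddn (proxy agent) configured in ldap.conf")
    return ["ldapsearch", "-x", "-h", conf.get("host", "localhost"),
            "-D", binddn, "-W", "-b", conf["base"], "uid=%s" % uid]


def parse_ldif(text):
    """Minimal LDIF reader returning one {attr: [values]} dict per entry.
    Attribute names are lower-cased; folded lines, comments and '::' base64
    values are handled, which is all ldapsearch output needs here."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def exposed_password_entries(ldif_text):
    """DNs for which the binding identity was allowed to read userPassword."""
    return [e["dn"][0] for e in parse_ldif(ldif_text) if "userpassword" in e]


def uses_root_bind(conf):
    """Jamie's other suspect: a rootbinddn (with /etc/ldap.secret) makes the
    client bind as the directory manager, which can read every attribute."""
    return "rootbinddn" in conf


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("run:", shlex.join(build_ldapsearch_argv(conf, "tulsa")))
    print("rootbinddn configured:", uses_root_bind(conf))
    for label, out in (("leaking", SAMPLE_LDIF_LEAKING), ("fixed", SAMPLE_LDIF_FIXED)):
        print(label, "->", exposed_password_entries(out) or "userPassword not visible")
```

Against a live directory you would feed the real output of the printed ldapsearch command into `exposed_password_entries`; any DN it returns is an entry whose ACI grants the proxy agent read on userPassword, which is what makes pam_unix win over pam_ldap.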