On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> I'm using the Fedora Directory Server for centralized authentication,
> and I have made users with posix account and I put them in ou=People
> like this:
[snip]
> # Server1, Groups, pol.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> description: group for users that have access on server 1
> objectClass: top
> objectClass: groupofuniquenames
> uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> cn: Server1
[snip]
> and my ldap.conf looks like this:
>
> URI ldap://lacatzel.pol.ro
> port=389
> BASE dc=pol,dc=ro
> host lacatzel.pol.ro
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> scope sub
> bind_policy soft
> #pam_password exop
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
[snip]

The combination of the pam_groupdn and pam_member_attribute settings you
have here instructs pam_ldap to check for the user's DN among the values
for the group object's "memberUid" attribute, but the user's DN is stored
in the "uniqueMember" attribute. Try changing that (or removing it,
because "pam_member_attribute uniquemember" is the default).

But if that were the only problem, I'd expect that none of your users
would be able to log in. You should probably double-check that your PAM
configuration is able to deny users entry when pam_ldap's account
management function (which is the part that checks group membership)
returns a failure.

HTH,
Nalin
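As an added illustration that is not part of the thread, the following Python simulates the group check described in the reply against the posted group entry and ldap.conf lines; the matching rules (case-insensitive attribute names, plain string comparison of DNs) are assumptions for the demo, not pam_ldap's own code.

```python
# Simulation of the account-stage group check pam_ldap makes when pam_groupdn
# is set. GROUP_ENTRY is a constructed copy of the posted LDIF entry, keyed by
# lower-cased attribute name.
GROUP_ENTRY = {
    "objectclass": ["top", "groupofuniquenames"],
    "uniquemember": ["uid=lauru,ou=People,dc=pol,dc=ro",
                     "uid=alexadu,ou=People,dc=pol,dc=ro"],
    "cn": ["Server1"],
}

# The relevant lines of the posted ldap.conf, and the same lines with the
# pam_member_attribute override removed (uniquemember is the default).
ORIGINAL_CONF = """\
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
"""
FIXED_CONF = ORIGINAL_CONF.replace("pam_member_attribute memberUid\n", "")


def parse_ldap_conf(text):
    """Parse 'keyword value' lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def group_allows(conf, group_entry, user_dn):
    """Return (allowed, reason): the user's DN must appear among the values of
    pam_member_attribute (default 'uniquemember') in the pam_groupdn entry.
    Attribute names match case-insensitively as in LDAP; DN matching is a
    simplified case-insensitive string compare (assumption for this demo)."""
    if "pam_groupdn" not in conf:
        return True, "no pam_groupdn configured, so no group check is made"
    attr = conf.get("pam_member_attribute", "uniquemember").lower()
    values = group_entry.get(attr)
    if values is None:
        return False, f"group has no '{attr}' attribute; check pam_member_attribute"
    if any(v.lower() == user_dn.lower() for v in values):
        return True, f"{user_dn} is listed in {attr}"
    return False, f"{user_dn} is not listed in {attr}"


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, group_allows(parse_ldap_conf(text), GROUP_ENTRY,
                                  "uid=lauru,ou=People,dc=pol,dc=ro"))
```

With the original lines every user is refused because the group entry carries no memberUid values at all, which is why the reply also points at the PAM account stack: if that refusal is not actually denying logins, the PAM configuration is ignoring pam_ldap's result.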