> I have added the corresponding posix accounts in LDAP I wish to use:

Here is an LDIF snippet that works for users authenticated via LDAP:

dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: FirstName LastName
gidNumber: 1130
homeDirectory: /home/myuser
sn: LastName
uid: myuser
uidNumber: 1130
gecos: FirstName LastName
givenName: FirstName
loginShell: /bin/bash
mail: myuser@xxxxxxxxxxx
userPassword:: *******************************************************

dn: uid=myuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: myuser
gidNumber: 1130

> Yet su to these accounts is still broken:

I would recommend you to (maybe you have done some already):

- check your ACLs in slapd.conf, quite a few fields need to be visible
  when doing anonymous binds:
  http://www.openldap.org/lists/openldap-software/200208/msg00855.html
  (you may want to add or remove some depending on what you want to
  achieve, but first try a loose configuration, in order to have
  something working)

- use a simple, "standard", structure:
  ou=People,dc=example,dc=com
  ou=Group,dc=example,dc=com

- use authconfig to generate the configs (it will update pam, nss, and
  various ldap.conf), you can then review them and deploy them as files,
  although I have found that running the command is the most predictable
  way to replicate a working config on client systems

  authconfig --enableldap --enableldapauth --enablecache \
      --enablemkhomedir --ldapserver=ldap://myhost \
      --ldapbasedn=dc=example,dc=com --passalgo=sha256 --updateall

- test all this on a separate clean environment (typically a virtual
  machine, before deploying it)

- maybe use the scripts in /usr/share/openldap/migration for your first
  import

> Any idea why su _still_ isn't authenticating even tho the user
> accounts have been added to LDAP??? :::sigh:::

Getting this to work was long and painful for me, but worth the effort.

Good luck.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
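Added example (not part of the original message, and not code from CentOS or OpenLDAP): a Python check to run over the output of an anonymous search, reporting which attributes NSS needs that the slapd ACLs did not return. The function names, the NEEDED list (RFC 2307 MUST attributes plus loginShell) and the sample search result are assumptions constructed for illustration.

```python
import base64
import re

# Assumed list of what NSS reads: RFC 2307 MUST attributes of each class, plus loginShell.
NEEDED = {"posixaccount": ["uid", "uidNumber", "gidNumber", "homeDirectory", "cn", "loginShell"],
          "posixgroup": ["cn", "gidNumber"]}

# Constructed sample: an anonymous search result where the ACL hides two attributes.
SAMPLE = """\
dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: posixAccount
cn:: Rmlyc3ROYW1l
uid: myuser
uidNumber: 1130
gidNumber: 1130

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    entries = []
    text = re.sub(r"\n ", "", text)            # unfold continuation lines
    for block in re.split(r"\n\s*\n", text):   # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:                      # drops ldapsearch's "search:/result:" trailer
            entries.append(entry)
    return entries

def missing_for_nss(entries):
    """Map each DN to the attributes NSS needs that the search did not return."""
    report = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        missing = [a for cls, attrs in NEEDED.items() if cls in classes
                   for a in attrs if a.lower() not in entry]
        if not classes:                        # objectClass itself is not readable
            missing = ["objectClass"]
        if missing:
            report[entry["dn"][0]] = missing
    return report
```

Calling `missing_for_nss(parse_ldif(text))` on the saved output of `ldapsearch -x -b dc=example,dc=com` from a client returns an empty dict when every listed attribute is readable anonymously.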