Hi, I'm trying to get PAM and OpenLDAP to work. I have currently some users on the LDAP directory and they can make login on our hosts. However, attempting to solve the 'segmentation fault' problem, I did an update to latest pam, nss_ldap and openldap RPMs from RH, and the same users are now unable to login. Going back to previous setup and looking at the ldap logs, I see that clients are using the filter I put on the lapd.conf file (objectclass=ACCOUNT)(host=PERSEUS): SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))" SRCH base="DC=SOME,DC=ORG" filter="(&(&(objectclass=ACCOUNT)(host=PERSEUS))(uid=GROUCHO))" BIND dn="UID=GROUCHO,OU=ACCOUNTS,DC=SOME,DC=ORG" method=128 SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))" SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=SHADOWACCOUNT)(uid=GROUCHO))" SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))" SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXGROUP)(memberuid=GROUCHO))" SRCH base="DC=SOME,DC=ORG" filter="(&(objectclass=POSIXACCOUNT)(uid=GROUCHO))" AFAIK, it seems that the server is looking for some objectclasses we don't have, but even although we don't have posixgroups or shadow accounts, user Groucho can login. However, with newer packages, our filter doesn't show on the logs. Instead, after looking for the shadow account, the user is rejected. Does it mean that we are now forced to use a shadowaccount objectclass for all accounts? Is such a behaviour configurable somewhere? We have a very simple schema for those accounts and I'd prefer keep it so. Any help or pointers about it? TIA, José A.
