Greetings Guru's,
I'm at my wits end attempting to configure LDAP authentication on my Fedora 2 server. I'm not new to Linux, but am new to directory management. Running debugs on slapd returns positive information when GQ is used to browse/change the directory, but when I attempt to login via console with any user other than root results in no contact with the LDAP server. Root authenticates OK, but not via LDAP.
Synopsis:
OS=Fedora Core 2, fully updated via APT/Synaptic. Running current updates of openldap et al, nss_ldap, pam, and openssl.
My LDAP server is working and searchable/writable locally using either GQ or standard openldap tools. I have used the tools 'authconfig' and 'system-config-authentication' to enable LDAP authentication and manually modified 'nsswitch.conf', and '/etc/pam.d/login and /etc/pam.d/system-auth'.
It appears that PAM is not contacting the LDAP server for authentication. Does anyone have a suggestion as to why this may be? I know this is a very open question, but I've struggled with this for about a week and spent several days searching the internet for answers. I have followed many HOW-TO's and rebuilt my LDAP directory about a dozen times. It appears the LDAP server is working fine, but no requests are being made from login to the LDAP server.
Best regards to all, Greg
You should be able to verify whether or not your system is contacting the LDAP server by looking at the LDAP logs on the server. If there is no contact then my guess is something in /etc/ldap.conf. I don't know about the tools you mentioned above as my configurations have been manual.
Here are a few lines to look for in your ldap.conf:
host ldap128.nersc.gov ldap2.nersc.gov ldap.nersc.gov <your names here of course>
(if you have this and the ssl stuff working and you have
network connectivity - no firewall blockages - then you
should at least see stuff showing up in the LDAP logs)
base ou=people,o=ldapsvc,dc=nersc,dc=gov (which of course depends on your schema, which could be an issue if all your automated stuff isn't working for you)
scope sub
pam_groupdn ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov (ditto)
pam_member_attrubute memberUid (ditto)
pam_password md5 (for us - your mileage may vary)
nss_base_shadow ou=People,o=ldapsvc,dc=nersc,dc=gov nss_base_group ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov (brings up the whole nsswitch business. You should know that nsswitch can essentially make the ldap content appear as if it is in /etc/passwd /etc/group /etc/shadow - thereby working very differently from PAM which authenticates - only, no groups - separately through the various applications)
ssl start_tls ssl on (your mileage may vary)
Good luck!
--Jed http://www.nersc.gov/~jed/
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
