Problem solved! Thanks to all for the advice, suggestions, and links. The solution, as usual, was very simple. Although, I have to express my disappointment that neither of the following points was ever stated in the dozens of documents I've recently referenced in my search for a solution.

First - There are two 'ldap.conf' files located on my server. I don't know if this is true for all *nix servers. The first of which is installed by OpenLDAP at '/etc/openldap/ldap.conf' and the other installed by PAM at '/etc/ldap.conf'. I was unaware of the existence of the PAM '/etc/ldap.conf' file, which was part of the problem. It is well documented and requires modification to work correctly. I spent many hours messing around with '/etc/openldap/ldap.conf', which in the end was fine with the basic entries of HOST, BASE, and BINDDN.

Second - There needs to exist '/etc/ldap.secret' containing the password to bind with the LDAP server which is used by ldap clients. This file did not exist on my server until a few minutes ago after I created it.

Following the modification of '/etc/ldap.conf' and the creation of the '/etc/ldap.secret' file and finally restarting my ldap service, all works as it should.

My thanks to Magnus and his forwarding of a very helpful link to -> http://web.singnet.com.sg/~garyttt/ which outlines the steps stated above.

Greg Dotts

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Jed Donnelley
Sent: Wednesday, November 10, 2004 5:50 PM
To: Pluggable Authentication Modules
Subject: Re: Fedora LDAP authentication failure

At 02:21 PM 11/10/2004, Greg Dotts wrote:
>Greetings Gurus,
>
>I'm at my wit's end attempting to configure LDAP authentication on my Fedora
>2 server. I'm not new to Linux, but am new to directory management.
>Running debugs on slapd returns positive information when GQ is used to
>browse/change the directory, but when I attempt to login via console with
>any user other than root results in no contact with the LDAP server. Root
>authenticates OK, but not via LDAP.
>
>Synopsis:
>
>OS=Fedora Core 2, fully updated via APT/Synaptic.
>Running current updates of openldap et al, nss_ldap, pam, and openssl.
>
>My LDAP server is working and searchable/writable locally using either GQ or
>standard openldap tools. I have used the tools 'authconfig' and
>'system-config-authentication' to enable LDAP authentication and manually
>modified 'nsswitch.conf', and '/etc/pam.d/login' and '/etc/pam.d/system-auth'.
>
>It appears that PAM is not contacting the LDAP server for authentication.
>Does anyone have a suggestion as to why this may be? I know this is a very
>open question, but I've struggled with this for about a week and spent
>several days searching the internet for answers. I have followed many
>HOW-TO's and rebuilt my LDAP directory about a dozen times. It appears the
>LDAP server is working fine, but no requests are being made from login to
>the LDAP server.
>
>Best regards to all,
>Greg

You should be able to verify whether or not your system is contacting the LDAP server by looking at the LDAP logs on the server. If there is no contact then my guess is something in /etc/ldap.conf. I don't know about the tools you mentioned above as my configurations have been manual.

Here are a few lines to look for in your ldap.conf:

host ldap128.nersc.gov ldap2.nersc.gov ldap.nersc.gov
    <your names here of course>
    (if you have this and the ssl stuff working and you have network connectivity - no firewall blockages - then you should at least see stuff showing up in the LDAP logs)

base ou=people,o=ldapsvc,dc=nersc,dc=gov
    (which of course depends on your schema, which could be an issue if all your automated stuff isn't working for you)

scope sub

pam_groupdn ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
    (ditto)

pam_member_attribute memberUid
    (ditto)

pam_password md5
    (for us - your mileage may vary)

nss_base_shadow ou=People,o=ldapsvc,dc=nersc,dc=gov
nss_base_group ou=PosixGroup,o=ldapsvc,dc=nersc,dc=gov
    (brings up the whole nsswitch business. You should know that nsswitch can essentially make the ldap content appear as if it is in /etc/passwd /etc/group /etc/shadow - thereby working very differently from PAM which authenticates - only, no groups - separately through the various applications)

ssl start_tls
ssl on
    (your mileage may vary)

Good luck!

--Jed
http://www.nersc.gov/~jed/

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
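As an added example, not part of this thread and not Greg's or Jed's actual files: a small POSIX shell checker for the points the two messages hit. It reads a pam_ldap/nss_ldap-style /etc/ldap.conf and checks that 'host' and 'base' are present; that, when 'rootbinddn' is set (the option which, per the pam_ldap/nss_ldap documentation, makes the module read the bind password from /etc/ldap.secret when running as root), the secret file exists, is non-empty and is mode 600, since it holds that password in plaintext; and that 'ssl' is 'start_tls' or 'on' so a simple bind does not cross the network in the clear. The hostnames, DNs and secret in the built-in demo are constructed, and the file paths are arguments so the same function can be pointed at a real /etc/ldap.conf and /etc/ldap.secret.

```shell
#!/bin/sh
# check_ldap_conf: sanity-check a pam_ldap/nss_ldap style ldap.conf together
# with the ldap.secret file that 'rootbinddn' relies on.
# Added example, not from the mailing-list thread. Only option names that
# pam_ldap/nss_ldap really use (host, base, rootbinddn, ssl) are assumed;
# the paths are arguments so it can run on constructed files.

# Print the value of the first line in file $2 whose key matches $1
# (pam_ldap compares option names case-insensitively; first match wins).
ldap_opt() {
    awk -v k="$1" '
        { sub(/#.*/, "") }                  # strip comments, re-split fields
        NF && tolower($1) == tolower(k) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$2"
}

# Usage: check_ldap_conf /path/to/ldap.conf /path/to/ldap.secret
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_ldap_conf() {
    conf=$1; secret=$2; rc=0

    [ -r "$conf" ] || { echo "ERROR: $conf missing or unreadable"; return 1; }

    # Without these two, pam_ldap has nowhere to connect and nothing to search.
    for key in host base; do
        [ -n "$(ldap_opt "$key" "$conf")" ] || { echo "ERROR: no '$key' line in $conf"; rc=1; }
    done

    # rootbinddn makes pam_ldap/nss_ldap read the bind password from the
    # secret file when running as root. It is a plaintext password, so the
    # file must exist, be non-empty, and be readable by root only.
    if [ -n "$(ldap_opt rootbinddn "$conf")" ]; then
        if [ ! -f "$secret" ]; then
            echo "ERROR: rootbinddn set but $secret does not exist"; rc=1
        else
            mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
            case "$mode" in
                600|400) ;;
                *) echo "ERROR: $secret is mode $mode; expected 600 (root-only)"; rc=1 ;;
            esac
            [ -s "$secret" ] || { echo "ERROR: $secret is empty"; rc=1; }
        fi
    fi

    # A simple bind sends the password itself, so insist on TLS of some form.
    case "$(ldap_opt ssl "$conf")" in
        start_tls|on|yes) ;;
        *) echo "ERROR: ssl is not start_tls/on; binds would cross the network in the clear"; rc=1 ;;
    esac

    return $rc
}

# With no arguments, exercise the check on a constructed sample (not the
# thread's real files) in a temp directory, including the classic mistake of
# a world-readable secret file.
demo() {
    d=$(mktemp -d)
    cat > "$d/ldap.conf" <<'EOF'
# constructed sample ldap.conf, modelled on the options discussed above
host ldap.example.org
base ou=people,dc=example,dc=org
rootbinddn cn=manager,dc=example,dc=org
pam_password md5
ssl start_tls
EOF
    printf 'constructed-secret\n' > "$d/ldap.secret"
    chmod 600 "$d/ldap.secret"
    check_ldap_conf "$d/ldap.conf" "$d/ldap.secret" && echo "OK: $d/ldap.conf passes"
    chmod 644 "$d/ldap.secret"
    check_ldap_conf "$d/ldap.conf" "$d/ldap.secret" || echo "(failure above is the expected one)"
    rm -rf "$d"
}

if [ $# -ge 2 ]; then check_ldap_conf "$1" "$2"; else demo; fi
```

Run it as `sh check_ldap_conf.sh /etc/ldap.conf /etc/ldap.secret` on the client being debugged; with no arguments it runs the constructed demo. It deliberately checks only the file mode and not the owner, so it behaves the same when run as an unprivileged user; on a real system the secret should also be owned by root.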