Problem solved! Thanks to all for the advice, suggestions, and links.
The solution, as usual, was very simple. Although, I have to express my disappointment that neither of the following points was ever stated in the dozens of documents I've recently referenced in my search for a solution.
First - There are two 'ldap.conf' files located on my server. I don't know if this is true for all *nix servers. The first of which is installed by OpenLDAP at '/etc/openldap/ldap.conf' and the other installed by PAM at '/etc/ldap.conf'. I was unaware of the existence of the PAM '/etc/ldap.conf' file, which was part of the problem. It is well documented and requires modification to work correctly. I spent many hours messing around with '/etc/openldap/ldap.conf', which in the end was fine with the basic entries of HOST, BASE, and BINDDN.
I thought I'd take this opportunity to clarify my understanding of the model used by some of this LDAP software.
My understanding is that the distinction between the above two mentioned ldap.conf files is that:
/etc/openldap/ldap.conf is the configuration for the openldap *server*
and
/etc/ldap.conf is the configuration for ldap *client* access, including PAM and the NSS libraries.
If you are only accessing an LDAP server remotely as a client (and not setting up a local server for caching or whatever), then you don't need the /etc/openldap/ldap.conf file configured at all. We have some systems that have a local running openldap server and some without, so I'm pretty confident both approaches work. In general we've been using a local server for caching only in instances where we have large numbers of local accesses likely to the server. Otherwise we've been accessing a shared server instance that's local to a LAN segment. I'd be interested to hear what others are doing in this regard. Of course I realize this is more LDAP related than PAM related, but since it came up on this list in the context of this thread I thought I'd mention it here.
Also, with regard to:
Second - There needs to exist '/etc/ldap.secret' containing the password to bind with the LDAP server which is used by ldap clients. This file did not exist on my server until a few minutes ago after I created it.
I'm guessing you need this secret only because you're running a local instance of openldap that needs to synchronize with a remote server. In most of our client installations we don't need such a "secret" file, which of course seems a bit of a worry from a security viewpoint.
--Jed http://www.nersc.gov/~jed/
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
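The distinction drawn in this thread (server-side /etc/openldap/ldap.conf versus the client-side /etc/ldap.conf read by PAM and NSS, with the bind password kept in /etc/ldap.secret) can be turned into a small audit. The script below is an added example, not code from the thread or from the OpenLDAP, pam_ldap or nss_ldap projects. It reads whichever of the two files you point it at, reports whether HOST, BASE and BINDDN are set, flags a bind password placed inline in the world-readable client file, and checks that the secret file is readable only by its owner. All file contents, hostnames and DNs are constructed sample data written to a temporary directory; the expectation that the secret file be mode 0600 or 0400 is this example's own assumption about a sensible setting.

```shell
#!/bin/sh
# Added example; not code from the thread. Audits the two ldap.conf files the
# reply distinguishes (server-side /etc/openldap/ldap.conf, client-side
# /etc/ldap.conf for PAM/NSS) and the permissions of the bind-password file.
# All inputs are constructed sample files in a temp dir; point the variables
# at the real paths to audit a host.

# Value of KEY in an ldap.conf-style file: whitespace-separated key/value,
# '#' comment lines skipped, key matched case-insensitively (HOST vs host).
# Prints the value, or nothing if the key is absent; returns 1 if unreadable.
ldap_conf_get() {
    [ -r "$1" ] || return 1
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# 0 if FILE exists and is readable only by its owner (0600 or 0400), else 1.
# ls output is parsed instead of stat so the check is the same on BSD and GNU.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one client config plus its secret file. Prints findings and returns
# the number of problems found (0 = clean).
audit_client() {
    conf=$1; secret=$2; problems=0
    for key in host base binddn; do
        if [ -z "$(ldap_conf_get "$conf" "$key")" ]; then
            echo "WARN: $conf: '$key' not set"; problems=$((problems + 1))
        fi
    done
    # /etc/ldap.conf must stay world-readable for NSS lookups, so an inline
    # bindpw is readable by every local user; the password belongs in the
    # owner-only secret file instead.
    if [ -n "$(ldap_conf_get "$conf" bindpw)" ]; then
        echo "WARN: $conf: bindpw set inline in a world-readable file"; problems=$((problems + 1))
    fi
    if secret_perms_ok "$secret"; then
        echo "OK:   $secret is mode 0600/0400"
    else
        echo "WARN: $secret missing or readable by others"; problems=$((problems + 1))
    fi
    return "$problems"
}

# ---- constructed sample data (hostnames, DNs and passwords are made up) ----
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
umask 077   # secret files are created 0600

# Server-side file: the entries the thread found sufficient.
printf 'HOST ldap.example.com\nBASE dc=example,dc=com\nBINDDN cn=proxy,dc=example,dc=com\n' \
    > "$TMP/openldap-ldap.conf"

# Client-side file used by PAM/NSS: lowercase keys, password kept out of it.
printf '# constructed sample\nhost ldap.example.com\nbase dc=example,dc=com\nbinddn cn=proxy,dc=example,dc=com\n' \
    > "$TMP/ldap.conf"
printf 'not-a-real-password\n' > "$TMP/ldap.secret"

# A deliberately weak pair: password inline, secret file world-readable.
printf 'host ldap.example.com\nbase dc=example,dc=com\nbinddn cn=proxy,dc=example,dc=com\nbindpw not-a-real-password\n' \
    > "$TMP/ldap-bad.conf"
printf 'not-a-real-password\n' > "$TMP/ldap.secret.bad"
chmod 644 "$TMP/ldap.secret.bad"
chmod 644 "$TMP/openldap-ldap.conf" "$TMP/ldap.conf" "$TMP/ldap-bad.conf"

echo "== server config: BASE = $(ldap_conf_get "$TMP/openldap-ldap.conf" BASE)"
echo "== good client config"; audit_client "$TMP/ldap.conf" "$TMP/ldap.secret" || true
echo "== weak client config"; audit_client "$TMP/ldap-bad.conf" "$TMP/ldap.secret.bad" || true
```

To run it against a real host, set the three paths to /etc/openldap/ldap.conf, /etc/ldap.conf and /etc/ldap.secret instead of the temp-dir samples; the key lookup is case-insensitive on purpose, since the server-side file conventionally uses upper-case keys and the pam_ldap/nss_ldap file lower-case ones.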