>> /etc/openldap/ldap.conf is the configuration for the openldap *server*
>> and
>> /etc/ldap.conf is the configuration for ldap *client* access, including
>> PAM and the NSS libraries.

GT: Not true.

GT: $ETC_OPENLDAP/ldap.conf is the configuration file for ALL OpenLDAP LDAP Clients, including the "local" client at the OpenLDAP Server end. The location of $ETC_OPENLDAP is configured by "./configure"; the default is /usr/local/etc/openldap, and some distros like RH set it to /etc/openldap. See "man ldap.conf".

GT: /etc/ldap.conf is usually the configuration file for NSS_LDAP/PAM_LDAP, again configurable by "./configure". Most distros do not have "man" pages for NSS_LDAP/PAM_LDAP's ldap.conf, but there is a well-commented sample from PADL in the source tarball.

GT: NSS_LDAP provides nss_ldap.so and affects the /etc/nsswitch.conf name service switch w.r.t. the LDAP service; PAM_LDAP provides pam_ldap.so LDAP auth modules for /etc/pam.conf and/or /etc/pam.d/*.

GT: Yes, /etc/ldap.secret is for "rootdn" binding and is RECOMMENDED NOT needed at the LDAP Clients' end for security reasons.

If I am incorrect, could someone please correct me.

Gary

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Jed Donnelley
Sent: Friday, November 12, 2004 4:11 AM
To: Pluggable Authentication Modules
Cc: Nick Balthaser
Subject: Model clarification - was: RE: Fedora LDAP authentication failure

At 05:08 PM 11/10/2004, Greg Dotts wrote:
> Problem solved! Thanks to all for the advice, suggestions, and links.
>
> The solution, as usual, was very simple. Although, I have to express
> my disappointment that neither of the following points was ever stated
> in the dozens of documents I've recently referenced in my search for a
> solution.
>
> First - There are two 'ldap.conf' files located on my server. I don't
> know if this is true for all *nix servers. The first of which is
> installed by OpenLDAP at '/etc/openldap/ldap.conf' and the other
> installed by PAM at '/etc/ldap.conf'. I was unaware of the existence
> of the PAM '/etc/ldap.conf' file, which was part of the problem. It is
> well documented and requires modification to work correctly. I spent
> many hours messing around with '/etc/openldap/ldap.conf', which in the
> end was fine with the basic entries of HOST, BASE, and BINDDN.

I thought I'd take this opportunity to clarify my understanding of the model used by some of this LDAP software. My understanding is that the distinction between the above two mentioned ldap.conf files is that:

/etc/openldap/ldap.conf is the configuration for the openldap *server*
and
/etc/ldap.conf is the configuration for ldap *client* access, including PAM and the NSS libraries.

If you are only accessing an LDAP server remotely as a client (and not setting up a local server for caching or whatever), then you don't need the /etc/openldap/ldap.conf file configured at all. We have some systems that have a local running openldap server and some without, so I'm pretty confident both approaches work. In general we've been using a local server for caching only in instances where we have large numbers of local accesses likely to the server. Otherwise we've been accessing a shared server instance that's local to a LAN segment. I'd be interested to hear what others are doing in this regard. Of course I realize this is more LDAP related than PAM related, but since it came up on this list in the context of this thread I thought I'd mention it here.

Also, with regard to:

> Second - There needs to exist '/etc/ldap.secret' containing the
> password to bind with the LDAP server which is used by ldap clients.
> This file did not exist on my server until a few minutes ago after I
> created it.

I'm guessing you need this secret only because you're running a local instance of openldap that needs to synchronize with a remote server. In most of our client installations we don't need such a "secret" file, which of course seems a bit of a worry from a security viewpoint.

--Jed http://www.nersc.gov/~jed/

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
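Gary's point that /etc/ldap.secret (rootdn credentials) should not be needed on LDAP clients, and Greg's note that the nss_ldap/pam_ldap /etc/ldap.conf is the file PAM actually reads, suggest a small client-side audit. The script below is an added example, not from the thread or from PADL; it checks a PADL-style ldap.conf for rootbinddn/bindpw entries and the companion secret file's mode, using constructed sample files rather than the real /etc paths.

```shell
#!/bin/sh
# Audit an nss_ldap/pam_ldap-style ldap.conf and its companion secret file on
# an LDAP *client*. Paths are parameters so it runs against sample files here
# or against /etc/ldap.conf and /etc/ldap.secret on a real host.

# audit_ldap_client CONF SECRET: WARN lines go to stderr, finding count to stdout.
audit_ldap_client() {
    conf=$1; secret=$2; findings=0
    # rootbinddn makes nss_ldap/pam_ldap read the rootdn password from SECRET;
    # per the thread, that credential does not belong on a client.
    if grep -Eiq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        echo "WARN: $conf sets rootbinddn; rootdn password expected in $secret" >&2
        findings=$((findings + 1))
    fi
    # ldap.conf must be world-readable for NSS lookups, so an inline bindpw leaks.
    if grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "WARN: $conf embeds bindpw in a world-readable file" >&2
        findings=$((findings + 1))
    fi
    if [ -e "$secret" ]; then
        mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
        case "$mode" in
            600|400) ;;   # only root can read it, as PADL's sample recommends
            *) echo "WARN: $secret has mode $mode; expected 600" >&2
               findings=$((findings + 1)) ;;
        esac
    fi
    echo "$findings"
}

# make_sample: writes a constructed (not real) ldap.conf and secret, echoes dir.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/ldap.conf" <<'EOF'
# constructed nss_ldap/pam_ldap sample; hostnames and DNs are placeholders
host ldap.example.test
base dc=example,dc=test
rootbinddn cn=Manager,dc=example,dc=test
bindpw not-a-real-password
EOF
    printf 'not-a-real-password\n' > "$dir/ldap.secret"
    chmod 644 "$dir/ldap.secret"   # deliberately too permissive
    echo "$dir"
}

sample=$(make_sample)
echo "findings: $(audit_ldap_client "$sample/ldap.conf" "$sample/ldap.secret")"
rm -rf "$sample"
```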