Problem setting up OpenLDAP for user authentication

by Guennadi Liakhovetski

Hi all

I'm new to LDAP, and I must say it took me a LONG time to set it up at all under
Debian etch, on both server and client, so that it did anything useful.

Now I can do "ldapsearch -x -v -L" type requests from a remote host and
locally. I then tried switching the remote host to using LDAP for user
authentication. I'd like users not registered locally to be able to log in
using ldap, and for locally-known users nothing should change.

I did manage to get logins to use ldap by configuring all
/etc/pam.d/common-* files to first try pam_unix and then, if that fails, to
use ldap:

* sufficient pam_unix
* sufficient pam_ldap (should this be "required"?)

where * is "account", "auth", "password" and "session". In "auth" and
"password" I also had to put

* required pam_deny

after ldap, because otherwise wrong passwords were accepted. In
nsswitch.conf I put

*: files ldap

for "passwd", "group", "shadow". Now I would expect that with sequences
("pam_unix" before "pam_ldap" and "files" before "ldap") indeed locally
known users wouldn't be authenticated using ldap. Unfortunately, this
doesn't seem to be the case. Now _all_ nss / pam requests go to the LDAP
server. Including calls from udevd, avahi-daemon, and others, which causes
them to fail in various ways.

What am I doing wrong?

I know SASL is not configured in my setup, but that shouldn't be a
problem? At least not for the cases when LDAP shouldn't be attempted at
all.

Thanks
Guennadi
---
Guennadi Liakhovetski
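The stack described in the post above, written out as the four Debian etch common-* files together with the nsswitch.conf lines and the nss_ldap client settings a practitioner would pair with them. This is an added example, not the poster's own files and not configuration shipped by the PADL pam_ldap/nss_ldap projects; the paths and module names are the standard Debian ones, the options in libnss-ldap.conf are PADL nss_ldap options, and the system account names listed for nss_initgroups_ignoreusers are placeholders to be replaced with the accounts actually present in /etc/passwd. One point the example makes explicit: putting pam_unix before pam_ldap only orders the PAM modules. With "files ldap" in nsswitch.conf, every lookup that files cannot answer (a name that does not exist locally, supplementary-group lookups for daemons, getpwent enumeration) is still forwarded to LDAP, so daemons such as udevd and avahi-daemon will contact the directory no matter how PAM is ordered, and they stall or fail when it is unreachable. The nss_ldap options below bound that cost; they cannot remove it.

```conf
# /etc/pam.d/common-auth
# pam_unix answers for local accounts. A wrong password for a local user is a
# failure, which "sufficient" ignores, so control falls through to pam_ldap;
# pam_deny closes the stack so that "nothing succeeded" is an explicit denial.
auth     sufficient  pam_unix.so nullok_secure
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_deny.so

# /etc/pam.d/common-account
# The post had no pam_deny here; it is added so a user unknown to both
# modules is refused explicitly rather than by the all-ignored fallthrough.
account  sufficient  pam_unix.so
account  sufficient  pam_ldap.so
account  required    pam_deny.so

# /etc/pam.d/common-password
# Local users change their password in /etc/shadow via pam_unix; LDAP users
# fall through to pam_ldap, which updates userPassword in the directory.
password sufficient  pam_unix.so nullok obscure md5
password sufficient  pam_ldap.so
password required    pam_deny.so

# /etc/pam.d/common-session
# Session modules are not an access decision, so no pam_deny is needed.
# pam_mkhomedir (part of Linux-PAM) is an optional addition: it creates the
# home directory of a directory-only user on first login.
session  sufficient  pam_unix.so
session  sufficient  pam_ldap.so
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0022

# /etc/nsswitch.conf
# "files ldap": local entries win, everything files does not know about is
# looked up in LDAP. hosts: deliberately stays off LDAP so that resolving the
# LDAP server's own name never depends on the LDAP server.
passwd:  files ldap
group:   files ldap
shadow:  files ldap
hosts:   files dns

# /etc/libnss-ldap.conf  (Debian etch location of the PADL nss_ldap config)
# Keep local daemons from hanging on an unreachable directory: give up on the
# bind and the query quickly instead of retrying forever.
bind_policy     soft
bind_timelimit  5
timelimit       10
# Never consult LDAP for the supplementary groups of local system accounts.
# Placeholder list; replace with the system accounts found in /etc/passwd.
nss_initgroups_ignoreusers root,daemon,bin,sys,avahi
```

The connection to the directory is still an unauthenticated simple bind (no SASL, no TLS) exactly as in the post; the pam_ldap/nss_ldap `ssl start_tls` option is the usual next step, and `getent passwd <ldapuser>` and `getent group <ldapgroup>` from a root shell are the quickest way to confirm that the NSS side resolves directory users before testing a login.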

Re: Problem setting up OpenLDAP for user authentication

by Guennadi Liakhovetski

On Wed, 5 Mar 2008, Jokke Heikkila wrote:

> On 4.3.2008, at 12.45, Guennadi Liakhovetski wrote:
>
> > I'm new to LDAP, and I must say it took me a LONG time to set it up under
> > Debian etch on both server and client at all to do anything useful.
>
> Sorry, this is not an answer to your question, but I was interested if you
> could tell does ssh login work for you (for ldap accounts) with this setup?
> I've got this same setup but I'm failing to ssh in (as in this thread
> http://marc.info/?l=pamldap&m=120220811015423&w=2 ).

Yes, it works for me. And sorry, I have no idea what your problem can be.
I think ssh might be trying some other kind of authentication - not
simple, but SASL? And it is not configured on your server?

Thanks
Guennadi
---
Guennadi Liakhovetski