pam_ldap and OpenLDAP ppolicy


by Tony Earnshaw-4

Hi list,

Breaking my head on getting pam_ldap to interface with OpenLDAP's
ppolicy overlay.

What I need are the extended operation ppolicy login and passwd
constraints for console and gdm (Gnome Desktop Manager) logins.

System: Fedora FC6 as test machine for 4 RHL5 production machines, all
are using Red Hat's nss_ldap-253-1, which in true Red Hat fashion is an
amalgamation of nss_ldap and pam_ldap - I have no idea what the pam_ldap
version is (it's hidden :( ). OpenLDAP version is Buchan Milnes' 2.3.37
srpm (2.3.38 fails the ppolicy test on my test machine).

ppolicy is correctly configured and works as it should. Thank Deity I
use gq and can easily see what's going on.

Tried Padl's ldapprofile, I got it working, but all it does is mangle my
ldap.conf.

Before I go into all kinds of config details, has anyone with a similar
system got this working? I've all postings from this list since May 2006
on my hard disk but can only find one posting from Pierre-Yves Bonnetain
about a (probably unrelated) problem, from last May.

--Thanks,

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: pam_ldap and OpenLDAP ppolicy

by Tony Earnshaw-4

Tony Earnshaw wrote, on 31-08-2007 08:36:

[...]

> Before I go into all kinds of config details, has anyone with a similar
> system got this working? I've all postings from this list since May 2006
> on my hard disk but can only find one posting from Pierre-Yves Bonnetain
> about a (probably unrelated) problem, from last May.

I solved this in the end - apart from anything else, I had a stupid
slapd.conf configuration mistake. Going on and on reading the docs and
looking at what was in the (Buchan Milnes' OL srpm) build/tests
directory for ppolicy finally got things working - even with automatic
Samba password updates. It's all in the docs, in test022 testdata and,
as far as the Samba stuff is concerned, in a single Google message.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl