On Sat Mar 16, 2002 at 10:16:38AM +0100, Antonio Galea wrote:

[...]

> > Not having done too much with pam before, I'm really not sure where to
> > go with this.
> >
> 
> I've found this reference, which applies to your case:
> 
> http://www.linuxdoc.org/HOWTO/Authentication-Gateway-HOWTO/setup.html
> 
> At the bottom of the document, there's something about LDAP authentication;
> the document gives a copy of RedHat's auto-generated /etc/pam.d/system-auth:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
[...]

> Sorry, I had no time to set up an auth server to check if it works :-)
> 
> Hope this helps,

It *totally* helped.  Everything is working very nicely now... =)  I
can login locally authenticating against the LDAP database, so that's
very positive.  It's a bit of a PITA for account/password maintenance
(I had to write an ldap-passwd script for LDAP-based users to change
their passwords.. actually, speaking of which, does anyone know how to
read input from stdin into a bash script but not print out the text to
stdout?  Kinda like passwd when you enter in your new
password... that's the only thing missing from the script right now).

I do have one other concern, and I hope someone with a little more
LDAP experience than I has an idea (thus why I'm also cc'ing this to
the expert list).

When I do lookups against the LDAP database locally, it's very fast.
But when I do them from the PPC machine, they're horrendously slow.  I
have NSS configured to do passwd/shadow/group/hosts lookups from the
LDAP server, and I'm pretty sure the LDAP client (via /etc/ldap.conf)
is configured properly as it does eventually work, but it's very very
slow.  For instance, using "getent hosts" on the PPC machine takes
30s-1m before the hosts info from LDAP is returned, but when I do
"getent hosts" on the LDAP server (likewise configured with regards to
NSS), the information is returned immediately.

I've looked at the slapd manpage and I've looked at the OpenLDAP guide,
but I don't see anything in there as to why it's so slow when
accessing it from remote.

Does anyone have any ideas about this?  I think LDAP-based
authentication is very very slick, and works real nice (once you get
past the PITA to set it up), but this slowdown is ridiculous...  doing
a simple query like:

ldapsearch -LL -H ldap://10.0.5.5 -b"dc=danen,dc=net" -x "(uid=adanen)"

takes forever... in fact, I haven't had it return any info once yet.
But getent hosts returns info (slow) as does doing a ping to a host
that's listed in ou=Hosts.  getent passwd works also... but still slow
(30s-1m).  My ldapsearch just never returns anything, and the logs
are, well, pretty cryptic.

Any pointers, tips, etc. would be more than welcome...  If this thing
can be sped up to be near-instant (ie. 1-3s delays), I would be
extremely happy.

Thanks.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD

Current Linux kernel 2.4.8-34.1mdk uptime: 5 days 10 hours 48 minutes.
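On the question above about reading a new password from stdin without echoing it: the following is an added example, not part of the original mail or of the ldap-passwd script mentioned there. It turns terminal echo off with stty(1) so it works in plain POSIX sh (in bash alone, `read -s` does the same job); the function names and prompt strings are my own.

```shell
#!/bin/sh
# Read one line from stdin without echoing it, the way passwd(1) does.
# Echo is only switched off when stdin is a terminal, so the function
# still works when the password is piped in (e.g. from a test harness).
read_secret() {
    prompt=$1
    printf '%s' "$prompt" >&2
    if [ -t 0 ]; then
        stty -echo
        trap 'stty echo' EXIT                 # restore echo on normal exit
        trap 'stty echo; exit 130' INT TERM   # ...and if the user hits ^C
        IFS= read -r _secret
        stty echo
        trap - EXIT INT TERM
        printf '\n' >&2                       # newline the user did not see
    else
        IFS= read -r _secret
    fi
    printf '%s' "$_secret"
}

# Ask for the new password twice; print it on stdout only if both entries
# match and are non-empty, otherwise print nothing and return 1.
prompt_new_password() {
    first=$(read_secret 'New LDAP password: ')
    second=$(read_secret 'Retype new LDAP password: ')
    if [ -z "$first" ]; then
        echo 'error: empty password' >&2
        return 1
    fi
    if [ "$first" != "$second" ]; then
        echo 'error: passwords do not match' >&2
        return 1
    fi
    printf '%s' "$first"
}
```

OpenLDAP's ldappasswd can also prompt for the new password itself (-S) or read it from a file (-T), which keeps the password out of the shell script entirely.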
