I'm still trying to set up OpenLDAP here. For some reason, SASL doesn't
work, but from the error message I guess it has to do with a missing
entry in the LDAP database itself:

Sep 14 15:42:34 clue slapd[24202]: slapd starting
Sep 14 15:42:40 clue slapd[13526]: conn=0 fd=13 ACCEPT from IP=XXX.XXX.XXX.XXX:49623 (IP=0.0.0.0:636)
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 14 15:42:40 clue ldapadd: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Sep 14 15:42:40 clue slapd[13526]: conn=0 fd=13 closed

I *can* use ldap{search,add} with the -x parameter though, so I suppose
if I add "sasl off" to /etc/ldap.conf (which I did for now), I should be
fine, as I'll be using SSL with mutual authentication anyway.

Migrating the old server's data seems to have worked after I found that
you cannot just copy another machine's passwd file and migrate that
as the migrationtools will get the password hash from getpwuid(3) which
will fail if the account isn't on your machine. Maybe this should be
added to the guide -- a careful look would have told me, as there is no
mention of the shadow file, but who looks carefully when following a
guide? :)

So, pam_ldap and nss_ldap are in place and PAM seems to be OK. I still
cannot log in due to some nsswitch problem apparently:

[snipped a lot of output---I guess "slapd -s0" will shut that up once it
works?]
Sep 14 16:58:34 clue slapd[15571]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 14 16:58:34 clue slapd[26321]: conn=3 fd=15 closed
Sep 14 16:58:34 clue sshd[5422]: Accepted keyboard-interactive/pam for msbethke from ::ffff:131.188.185.45 port 51711 ssh2
Sep 14 16:58:34 clue slapd[26321]: conn=2 fd=13 closed
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd(pam_unix)[8048]: session opened for user msbethke by (uid=0)
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: fatal: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

Hm. Shouldn't nss_ldap use the URI specified in /etc/ldap.conf to talk
to the server? I'm at a loss here.

Oh, and BTW: is there a way to allow high-ASCII characters in LDIF
files? We happen to have a few users with umlauts in their names and
not being able to retain them would be even more backwards than NIS...

regards
        Matthias

-- 
I prefer encrypted and signed messages.       KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46  B9 8A B9 E2 09 9F 3B 91
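On the umlaut question in the post above: LDIF (RFC 2849) does allow such values, but any value containing bytes outside printable ASCII, or starting with a space, colon or '<', has to be written base64-encoded as "attr:: <base64>" rather than "attr: value". The following is an added example, not code from the original post, showing a small encoder and decoder for that rule; the DN and the "dc=example,dc=com" suffix are constructed sample data.

```python
import base64

# RFC 2849: a value may use the plain "attr: value" form only if every byte is
# printable ASCII (no NUL, LF, CR, nothing >= 0x80) and the first byte is not
# a space, colon or '<'. Values ending in a space should also be base64-encoded.
def ldif_needs_base64(value: bytes) -> bool:
    if not value:
        return False
    if value[0] in (0x00, 0x0A, 0x0D, 0x20, 0x3A, 0x3C):
        return True
    if value[-1] == 0x20:
        return True
    return any(b in (0x00, 0x0A, 0x0D) or b >= 0x80 for b in value)


def ldif_attr_line(attr: str, value) -> str:
    """Render one attribute as an LDIF line; str values are UTF-8 encoded."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if ldif_needs_base64(raw):
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {raw.decode('ascii')}"


def ldif_parse_line(line: str):
    """Inverse of ldif_attr_line: returns (attr, raw_bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("ascii")


def ldif_fold(line: str, width: int = 76) -> str:
    """Fold long lines; continuation lines start with a single space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_entry(dn: str, attrs) -> str:
    """Build a complete LDIF entry from a DN and a list of (attr, value)."""
    lines = [ldif_attr_line("dn", dn)]
    lines.extend(ldif_attr_line(a, v) for a, v in attrs)
    return "\n".join(ldif_fold(ln) for ln in lines) + "\n"


if __name__ == "__main__":
    # Constructed sample entry; the suffix dc=example,dc=com is a placeholder.
    print(ldif_entry("uid=msbethke,ou=People,dc=example,dc=com",
                     [("objectClass", "posixAccount"), ("cn", "Jürgen Müller")]))
```

Feeding the output to ldapadd stores the UTF-8 bytes unchanged; ldapsearch shows such attributes in the same "cn::" base64 form on the way back out.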