I'm still trying to set up OpenLDAP here. For some reason, SASL doesn't work, but from the error message I guess it has to do with a missing entry in the LDAP database itself:
Sep 14 15:42:34 clue slapd[24202]: slapd starting
Sep 14 15:42:40 clue slapd[13526]: conn=0 fd=13 ACCEPT from IP=XXX.XXX.XXX.XXX:49623 (IP=0.0.0.0:636)
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 14 15:42:40 clue ldapadd: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Sep 14 15:42:40 clue slapd[13526]: conn=0 fd=13 closed

I *can* use ldap{search,add} with the -x parameter though, so I suppose if I add "sasl off" to /etc/ldap.conf (which I did for now), I should be fine, as I'll be using SSL with mutual authentication anyway.

Migrating the old server's data seems to have worked after I found that you cannot just copy another machine's passwd file and migrate that, as the migrationtools will get the password hash from getpwuid(3), which will fail if the account isn't on your machine. Maybe this should be added to the guide -- a careful look would have told me, as there is no mention of the shadow file, but who looks carefully when following a guide? :)

So, pam_ldap and nss_ldap are in place and PAM seems to be OK. I still cannot log in due to some nsswitch problem apparently:

[snipped a lot of output---I guess "slapd -s0" will shut that up once it works?]
Sep 14 16:58:34 clue slapd[15571]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 14 16:58:34 clue slapd[26321]: conn=3 fd=15 closed
Sep 14 16:58:34 clue sshd[5422]: Accepted keyboard-interactive/pam for msbethke from ::ffff:131.188.185.45 port 51711 ssh2
Sep 14 16:58:34 clue slapd[26321]: conn=2 fd=13 closed
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd(pam_unix)[8048]: session opened for user msbethke by (uid=0)
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: fatal: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

Hm. Shouldn't nss_ldap use the URI specified in /etc/ldap.conf to talk to the server? I'm at a loss here.

Oh, and BTW: is there a way to allow high-ASCII characters in LDIF files? We happen to have a few users with umlauts in their names, and not being able to retain them would be even more backwards than NIS...

regards
Matthias

-- 
I prefer encrypted and signed messages.
KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46 B9 8A B9 E2 09 9F 3B 91
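On the LDIF question above: LDIF (RFC 2849) carries attribute values as UTF-8, but a value that is not a "safe string" (any byte above 0x7F such as an umlaut, a leading space, colon or '<', a NUL/CR/LF, or a trailing space) must be written base64-encoded after a double colon. The following is an added example, not code from this thread; it builds and parses such lines for a constructed entry.

```python
import base64
import re

# RFC 2849 SAFE-STRING rules: a value may follow a single colon only if it
# starts with a safe initial character and contains only printable ASCII.
# Anything else is emitted as "attr:: <base64 of the UTF-8 bytes>".
# Trailing spaces are also base64-encoded (they would be lost on parsing).
_UNSAFE = re.compile(rb"^[\x00\n\r :<]|[\x00\n\r\x80-\xff]| $")


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute/value pair as an LDIF line."""
    raw = value.encode("utf-8")  # LDAPv3 directory strings are UTF-8
    if _UNSAFE.search(raw):
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"


def ldif_entry(dn: str, attrs: dict) -> str:
    """Render a whole entry (dn first, then attributes, multi-valued allowed)."""
    lines = [ldif_line("dn", dn)]
    for attr, values in attrs.items():
        for value in values if isinstance(values, list) else [values]:
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"


def parse_ldif_line(line: str) -> tuple:
    """Inverse of ldif_line: decode '::' base64 values back to text."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.lstrip(" ")


if __name__ == "__main__":
    # Constructed sample user with an umlaut in the surname.
    print(ldif_entry("uid=mmueller,ou=People,dc=example,dc=org",
                     {"objectClass": ["inetOrgPerson", "posixAccount"],
                      "cn": "Matthias Müller", "sn": "Müller"}))
```

ldapadd/ldapmodify read the double-colon form natively, so entries exported this way keep their non-ASCII names.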