Jones, Russell wrote:
> I have a couple questions about connecting to ldap from Suse linux.

Before we get really into this, I should refer you to your local LDAP
administrator, if you are not that person.

If you are your own local LDAP admin, well, read on, but also apply
heavy doses of google fu.  LDAP is a, uh, non-intuitive world.

> - Does anyone have experience using the MVS ldap server for Z/linux
> authentication.

I don't use the MVS LDAP server, but another product.  However, from a
linux client perspective, LDAP is LDAP, for the most bits.

There's a few assumptions in this which you'll need to know, btw

  *) do you allow anonymous binds?
  *) do you force, allow, or not support SSL and/or TLS?
  *) What bind method do you use: Simple, SASL-???

Here's a few sets of tests I use, in roughly ascending order of
functionality.  This is assuming non-anonymous binds, simple binding,
and no SSL/TLS

1) Can you do a manual ldapsearch at all, with fully specified
parameters?  E.g. something like this:

  ldapsearch -x -h <your_ldap_host> -D bindname -W -b <ldap_base> \
    -s one objectclass=*

If this fails, examine your assumptions.  This should always be able to
be made to work, if your assumptions are correct.

2) Do an ldapsearch leaving default some of the search parameters, to
ensure you have them configured correctly on your client host.  E.g:

  ldapsearch -x -s one objectclass=*

If this fails, use a process of elimination to find and correct the
saved search parameters (LDAP server hostnames, ldap base, ldap bind
names and passwords, etc).  Most of this data is in the file
/etc/ldap.conf and the directory /etc/openldap

3) Does the client OS see account / group information?

  getent passwd ; getent group ; id <some_ldap_account>

There's lots of possible failures here.  First check /etc/nsswitch.conf,
and ensure it's set up for either "files ldap" or "compat" for everything
you care to get from the LDAP server.  If it's "compat" there also needs
to be a "compat_passwd ..." and other compat_* entries.

Next, look for SSL / TLS connection failures, if you're using them.  In
particular, check the client's certdb is correct.  If your server
supports non-SSL connections, try testing this non-SSL to positively
confirm whether this is an SSL problem or not.

Next, check for extra search filters in /etc/ldap.conf specified as part
of "nss_base_*" statements.  Try commenting these out as a test.

Also look in /etc/ldap.conf for attribute mapping statements -- make
sure these match what the server actually provides, as seen in the
output of a manual ldapsearch.

Finally, check the server's schema, and ensure it's compatible.  The
server needs some form of RFC2307 schema, and of course, each account
and group used with linux LDAP needs the proper objectclasses and
attributes.  (E.g. objectclass: posixaccount, uidNumber: 123456,
loginShell: /bin/ksh, etc etc)

4) Can you su - to an LDAP served account?

Check pam settings, existence of shell, home directory

5) Last, can you ssh / telnet to an LDAP served account?

If not, check your pam settings and sshd config.

>
> - I am also trying to do ldap authentication in a php page. I have
> installed the PHP5-ldap package, but my php page is failing to make the
> ldap connection. I don't see any ldap related error in the apache log,
> so I am not sure what exactly is happening. Is it possible that the ldap
> errors are going to a different log file? Are there additional php
> packages that must be installed to make it work?

Recall here that you can have apache (via mod_auth_ldap) do session
authentication, or you can do manual authentication in php via trying to
do an ldap_bind in your php code.

Which are you trying to do, here?

-- Pat
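Steps 1 through 3 of the checklist above, as an added shell example that is not part of Pat's post or of any LDAP client package. The config-file checks take a file path (the constructed test files stand in for /etc/nsswitch.conf and /etc/ldap.conf), and the wrappers run the real ldapsearch, getent and id commands; the "base?scope?filter" layout of nss_base_* lines is an assumption about the nss_ldap ldap.conf format.

```shell
#!/bin/sh
# Added example (not from the post): the post's steps 1-3 as reusable shell functions.
# Config-file checks take a path so they can be run against a copy or a test file;
# on a real client the paths are /etc/nsswitch.conf and /etc/ldap.conf.

# Step 1: manual ldapsearch with everything spelled out.  -x forces a simple bind,
# -W prompts for the bind password instead of taking it on the command line, where
# ps or the shell history would expose it.  The filter is quoted so the shell
# cannot glob-expand the '*'.
ldap_probe() {              # usage: ldap_probe <host> <bind_dn> <base_dn>
    ldapsearch -x -h "$1" -D "$2" -W -b "$3" -s one '(objectclass=*)' >/dev/null
}

# Step 2: the same search relying on the client's saved defaults (host, base, bind).
ldap_probe_defaults() {
    ldapsearch -x -s one '(objectclass=*)' >/dev/null
}

# Step 3a: is <db> (passwd, group, shadow) served by "ldap" or "compat" in nsswitch.conf?
# "compat" additionally needs the compat source entries the post mentions.
nss_source_ok() {           # usage: nss_source_ok <nsswitch.conf> <db>
    src=$(sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1)
    case " $src " in
        *" ldap "*|*" compat "*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Step 3b: list nss_base_* entries that carry an extra search filter.  Assumed
# nss_ldap layout is "base?scope?filter", so a filter is the third '?'-separated
# field; these are the lines the post suggests commenting out while testing.
nss_base_filters() {        # usage: nss_base_filters <ldap.conf>
    awk '$1 ~ /^nss_base_/ { n = split($2, f, "[?]"); if (n >= 3 && f[3] != "") print $1 }' "$1"
}

# Step 3c: list attribute/objectclass mappings so each can be compared with the
# attribute names actually returned by the manual ldapsearch.
nss_mappings() {            # usage: nss_mappings <ldap.conf>
    awk '$1 == "nss_map_attribute" || $1 == "nss_map_objectclass" { print $2 " -> " $3 }' "$1"
}

# Step 3d: does the OS resolve the account through NSS at all?
account_visible() {         # usage: account_visible <ldap_account>
    getent passwd "$1" >/dev/null && id "$1" >/dev/null
}
```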

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
