Hi again Martin,

I checked the file /opt/initscripts-tcos/rc2345.d/pam_ldap and it simply reads the config from OTC apache-ldap all right, BUT it truncated the bindDn for some reason... I can reproduce this and confirm it by checking the /etc/pam_ldap.conf generated, through SSH to the thin client.

If I set up the Secondary Directory Server to authenticate against openldap (with proper IP address, localhost not used at any point for address resolution) and key in the binddn as cn=Manager,dc=domain,dc=com, save -> run one thin client -> login via ssh -> cat /etc/pam_ldap.conf, it shows as follows:

    # TCOS modified by: /opt/initscripts-tcos/rc2345.d/pam_ldap at:....
    base dc=domain,dc=com
    binddn cn=Manager            # <-- ,dc=domain,dc=com truncated <<<
    bindpw secret
    host IP_Of_OPENLDAP_SERVER:389
    pam_filter objectclass=person
    pam_login_attribute cn

The initscript pam_ldap.conf itself doesn't seem to be doing any tricky stuff (truncate etc.), but binddn is truncated for sure at the end. If I edit the file via ssh -> save -> try logging in with the thin client -> it works! I can only assume there is a bug somewhere, which exceeds my current knowledge to figure out..

On a related topic, if I set under OTC -> Secondary Directory > User and Group information, and create the same group under OTC manager, assign Application Group (or Applications - makes no difference), logging in with an openldap user does NOT set application rights... The "Group" is the only thing I can relate here for assigning application group or applications to users on the Secondary Directory server.. Doesn't seem to work.

If I assign applications to the ThinClient under OTC manager, it works for all users logging in from that machine. But that's not ideal as there is no USER-LEVEL assignment of application group(s) or applications..

Can you shed some light on how to go about that?

Looking forward to hearing from you.

All the best.
Martin Kreiner wrote:
>
> hi cuneyt,
>
> cuneytm wrote:
>> Just wanted to update you on my attempts to authenticate against an
>> openLDAP server as secondary directory server (but not an Active
>> Directory Server) for users and groups;
>>
>> I managed to get it working, with compromising greatly on the security =)
>>
>> I was using wireshark to understand how openthinclient sends the LDAP
>> bind request from the login screen to the openLDAP server (setup as
>> secondary directory).
>>
>> It seems that the login screen sends only the "cn=Manager" part even
>> though Read only principal (under thinclient server) is complete with
>> dn suffix (such as cn=Manager,dc=mydomain,dc=com).
>> I have no idea why this is happening, perhaps you can shed some light
>> on it.
>>
>> On openthinclient server, I setup the Secondary Directory Server as
>> following;
>> Secondary Directory
>> LDAP URL: ldap://localhost:389/dc=mydomain,dc=com
>> Read only principal: [empty]
>> Password: [empty]
>>
> be careful using "localhost"!
> this LDAP URL is evaluated by the initscripts-tcos package (in detail:
> "/opt/initscripts-tcos/rc2345.d/pam_ldap"). this script builds the pam
> ldap config file "/etc/pam_ldap.conf" used for authentication. for
> further information see its manual page (man pam_ldap.conf).
>
> you definitely have to use your openldap server name or IP instead of
> "localhost". otherwise the thin client tries to authenticate against
> itself.
>
> my advice is to start the thin client, log in as root remotely using
> ssh and manually modify the file /etc/pam_ldap.conf with "vim" until
> your gdm-login works (so you don't need to restart the thin client or
> gdm).
>
> if you have found a working config you can start modifying the
> initscripts-tcos package to support openLDAP authentication.
>
>
> here some basic configuration options for pam_ldap.conf with comments:
>
> # Your LDAP server. Must be resolvable without using LDAP.
> # Multiple hosts may be specified, each separated by a
> # space. How long nss_ldap takes to failover depends on
> # whether your LDAP client library supports configurable
> # network or connect timeouts (see bind_timelimit).
> host <your ldap server>
>
> # The distinguished name of the search base.
> base <dc=yourdomain,dc=com>
>
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=yourdomain,dc=com
>
> # The credentials to bind with.
> # Optional: default is no credential.
> #bindpw secret
>
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
>
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
>
>
> a minimal config file for an openLDAP server that permits anonymous
> binds just needs "host" and "base" configured.
>
>
> cheers,
> martin
>
> p.s. before you start editing files with vim/vi please have at least a
> look at some quick guides like http://www.arekdreyer.com/help/vi.html
>

--
View this message in context: http://www.nabble.com/Secondary-Directory-%3E-Bind-Req.-doesn%27t-send-the-full-principal-tp19477692p19845050.html
Sent from the openthinclient.org users' mailing list mailing list archive at Nabble.com.
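An added shell example, not the initscripts-tcos "pam_ldap" script (whose internals are not shown in this thread): a small POSIX sh generator that builds a pam_ldap.conf from the LDAP URL plus bind credentials the way the thread describes, keeps a comma-containing bind DN whole, refuses a "localhost" URL for the reason Martin gives, and a check that compares the written binddn line against the intended DN so a truncation like the one reported above is caught before a thin client tries to log in. The server address, DN and password values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the initscripts-tcos "pam_ldap" script: build a
# pam_ldap.conf from an LDAP URL plus bind credentials, keeping the bind
# DN whole, and verify the result. All server/DN values are constructed.

# Host part of ldap://host[:port]/base (the URL shape used in this thread).
ldap_url_host() {
    h=${1#ldap://}
    h=${h%%/*}
    printf '%s\n' "${h%%:*}"
}

# Port part, defaulting to 389 when the URL carries none.
ldap_url_port() {
    h=${1#ldap://}
    h=${h%%/*}
    case "$h" in
        *:*) printf '%s\n' "${h#*:}" ;;
        *)   printf '389\n' ;;
    esac
}

# Search base: everything after the first "/" that follows the host.
ldap_url_base() {
    b=${1#ldap://}
    case "$b" in
        */*) printf '%s\n' "${b#*/}" ;;
        *)   printf '\n' ;;
    esac
}

# Emit the config on stdout. The DN arrives as one quoted argument and is
# written with printf '%s', so the commas in "cn=Manager,dc=domain,dc=com"
# are never treated as field or word separators and the value stays whole.
build_pam_ldap_conf() {
    url=$1; binddn=$2; bindpw=$3
    host=$(ldap_url_host "$url")
    port=$(ldap_url_port "$url")
    base=$(ldap_url_base "$url")
    # A thin client pointed at "localhost" would authenticate against itself.
    case "$host" in
        ""|localhost|127.0.0.1)
            printf 'error: LDAP host must be the directory server, not localhost\n' >&2
            return 1 ;;
    esac
    printf 'base %s\n' "$base"
    if [ -n "$binddn" ]; then
        printf 'binddn %s\n' "$binddn"
        printf 'bindpw %s\n' "$bindpw"
    fi
    printf 'host %s:%s\n' "$host" "$port"
    printf 'pam_filter objectclass=person\n'
    printf 'pam_login_attribute cn\n'
}

# Post-generation check: does the binddn line in config $1 equal the
# intended DN $2? Fails when the DN was cut, e.g. at its first comma.
binddn_intact() {
    actual=$(printf '%s\n' "$1" | sed -n 's/^binddn //p')
    [ "$actual" = "$2" ]
}

# Stand-alone demo with constructed values.
DEMO_DN='cn=Manager,dc=domain,dc=com'
DEMO_CONF=$(build_pam_ldap_conf 'ldap://192.0.2.10:389/dc=domain,dc=com' "$DEMO_DN" 'secret')
printf '%s\n' "$DEMO_CONF"
if binddn_intact "$DEMO_CONF" "$DEMO_DN"; then
    echo 'binddn intact'
else
    echo 'binddn TRUNCATED' >&2
fi
```

Run the same binddn_intact check against the /etc/pam_ldap.conf a thin client actually wrote (cat it over ssh, as described above) to confirm whether the DN survived generation. Because the generated file carries bindpw in clear text, keep it readable only by root on the thin client.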
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
The Open Source Thin Client Solution http://openthinclient.org
[email protected]
https://lists.sourceforge.net/lists/listinfo/openthinclient-user
