Hi
I'm a relative newcomer to Debian (via Xandros), but I've been using
other *nixes for many years. I'm running version 3.1.
I've set up an openldap server, and installed the libnss-ldap and
libpam-ldap packages. The plan is to use LDAP as backend for about 150
hosts, running many different flavours of unix, mostly Solaris 8 and
RHAS 3.
The LDAP server is configured to allow the directory Manager to see and
change anything; other users can't look at passwords (I'll tighten that
up later, to stop users changing their own shells and the like). This
is testable on the command line using ldapsearch and works as expected.
/etc/nsswitch.conf has been reconfigured to use LDAP after files for
the password, shadow and group backends. /etc/libnss-ldap.conf has been
appropriately configured. This works and can be tested using
getent passwd another.
/etc/pam_ldap.conf contains almost entirely the default settings.
My problem is that local logins for the new (ldap only) users don't
work where password authentication is required:-
[EMAIL PROTECTED] ~]$ sudo su - another
No directory, logging in with HOME=/
[EMAIL PROTECTED]:/$ id
uid=536(another) gid=136(another) groups=136(another)
[EMAIL PROTECTED]:/$ logout
[EMAIL PROTECTED] ~]$ su - another
Password:
su: Authentication service cannot retrieve authentication info.
Sorry.
[EMAIL PROTECTED] ~]$
There is a pause between entering the password and the error message
from su. I strongly suspect my pam configuration is to blame somewhere
along the way. When running the openldap server in debug mode the
connection from the host is clear; and the searches seem to work; but
the calling service (su or whatever) complains about not being able to
retrieve authentication information.
Enclosed are the contents of some of the files:-
from slapd.conf:
pidfile  /opt/slapd/var/run/slapd.pid
argsfile /opt/slapd/var/run/slapd.args
access to attr=userpassword
    by dn="cn=Manager,dc=example,dc=com" write
    by self write
access to *
    by self write
    by dn="dc=example,dc=com" read
    by * read
database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"
rootpw    secret
directory /opt/slapd/var/openldap-data
index     objectClass eq
from grep -v "^#" /etc/libnss-ldap.conf
host 127.0.0.1
base dc=example,dc=com
ldap_version 3
from grep -v "^#" /etc/pam_ldap.conf
host 127.0.0.1
base dc=example,dc=com
ldap_version 3
rootbinddn cn=manager,dc=example,dc=com
from /etc/pam.d/login
@include common-auth
@include common-account
@include common-password
@include common-session
from /etc/pam.d/su
auth sufficient pam_rootok.so
@include common-auth
@include common-account
@include common-session
from /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
from /etc/pam.d/common-account
account sufficient pam_ldap.so
account required   pam_unix.so
from /etc/pam.d/common-session
session sufficient pam_ldap.so
session required   pam_unix.so
I can provide the debug from the server if required. However, I get the
feeling I've just missed something obvious on the pam side.
Thanks in anticipation.
u n d e r a c h i e v e r (and proud)
<[EMAIL PROTECTED]>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
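An added example, not part of the original post and not code from the pam_ldap or Linux-PAM projects: a small Python model of how Linux-PAM combines module results under the required, requisite, sufficient and optional keywords, run over the common-auth stack quoted in the post. The stack text is copied from the post; the per-module return codes fed in are hypothetical inputs chosen to show the semantics, and the dispatcher is a simplified model of Linux-PAM's, not the library itself.

```python
"""Simulate how Linux-PAM combines module results under the simple control
keywords (required, requisite, sufficient, optional).

Added, constructed example: the stack text is copied from the post's
/etc/pam.d/common-auth; the per-module return codes used below are
hypothetical inputs, not observed data. Simplified model of the Linux-PAM
dispatcher, not the library's own code.
"""

# Return codes used here. Names and pam_strerror() texts are Linux-PAM's;
# the simulation passes them around as strings rather than C integers.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

_STRERROR = {
    PAM_SUCCESS: "Success",
    PAM_PERM_DENIED: "Permission denied",
    PAM_AUTH_ERR: "Authentication failure",
    PAM_AUTHINFO_UNAVAIL: "Authentication service cannot retrieve authentication info",
    PAM_USER_UNKNOWN: "User not known to the underlying authentication module",
}


def strerror(code):
    """Text a caller such as su prints for a final PAM return code."""
    return _STRERROR[code]


# Copied from the post's /etc/pam.d/common-auth.
COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required   pam_unix.so use_first_pass
"""


def parse_stack(text, mgmt_type="auth"):
    """Return [(control, module, args)] for one management group of a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != mgmt_type or len(parts) < 3:
            continue
        entries.append((parts[1], parts[2], tuple(parts[3:])))
    return entries


def run_stack(entries, results):
    """Walk the stack and return the code the application sees.

    results maps module name -> that module's return code; a module absent
    from the map is treated as returning PAM_IGNORE.
    """
    failure = None        # first failure recorded by a 'required' module
    positive = False      # some module in the stack succeeded
    for control, module, _args in entries:
        code = results.get(module, PAM_IGNORE)
        ok = code == PAM_SUCCESS
        if control == "required":
            if ok:
                positive = True
            elif code != PAM_IGNORE and failure is None:
                failure = code    # remembered, but later modules still run
        elif control == "requisite":
            if ok:
                positive = True
            elif code != PAM_IGNORE:
                return code       # stops the stack immediately
        elif control == "sufficient":
            if ok and failure is None:
                return PAM_SUCCESS   # short-circuits the rest of the stack
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            if ok:
                positive = True   # only decides the result if nothing else did
        else:
            raise ValueError(f"unsupported control keyword {control!r}")
    if failure is not None:
        return failure
    return PAM_SUCCESS if positive else PAM_PERM_DENIED


def authenticate(results, stack=COMMON_AUTH):
    """Final auth result for the post's common-auth given per-module outcomes."""
    return run_stack(parse_stack(stack), results)


if __name__ == "__main__":
    # Hypothetical per-module outcomes (constructed), one line of output each.
    scenarios = {
        "ldap auth ok": {"pam_ldap.so": PAM_SUCCESS},
        "ldap rejects, local shadow ok": {"pam_ldap.so": PAM_AUTH_ERR,
                                         "pam_unix.so": PAM_SUCCESS},
        "neither module has auth info": {"pam_ldap.so": PAM_AUTHINFO_UNAVAIL,
                                         "pam_unix.so": PAM_AUTHINFO_UNAVAIL},
    }
    for name, outcome in scenarios.items():
        code = authenticate(outcome)
        print(f"{name:30s} -> {code} ({strerror(code)})")
```

The point the model makes visible: a failing "sufficient" line is discarded, so whenever pam_ldap does not succeed, the code su reports is whatever the "required" pam_unix line returned, and pam_ldap's own failure code never reaches the caller. The two modules therefore have to be checked separately rather than read off su's message; for pam_ldap, note that the rootbinddn directive expects the bind password in /etc/pam_ldap.secret, readable only by root.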