Re: Problems...
>I seem to be having a bit of a problem with OpenLDAP ver 2.0.22-2 (RPM on RedHat 7.2)
>I have an email server with over 27K accounts, all in flat file format.... (i.e. /etc/passwd, /etc/groups, /etc/shadow, etc...) I want to migrate over to a central LDAP authentication model for my Qpopper, Postfix, FTP, and Apache Home_Dir stuff....
>I downloaded the Migration Tools from podl.com and ran the pass2ldap to get an LDIF file. I then transferred that file to my test LDAP box (that has no local users.) After modifying the LDIF file for the home directories, I imported them using ldapadd. I then tested pop3 auth against ldap and I always get a "Password supplied for "username" is incorrect."
>I can use plenty of LDAP administration programs to see everything in the dir, and everything looks fine.... color me a little lost (and an LDAP newbie)
>Here are my relevant configs (chopped for space...):
>/etc/ldap.conf (I've tried different pam_password values to no avail)
>host 127.0.0.1
>base dc=suscom,dc=net
>uri ldap://127.0.0.1/
Why do you specify the uri when you specified the host and base?
>binddn cn=Manager,dc=suscom,dc=net
>bindpw ldap_test
>pam_password crypt
Below you say this is SSHA in the user object, here you say crypt.
Password changing will be odd.
># pam_password exop
>#pam_password clear
>ssl no
>#pam_password md5
>
>/etc/openldap/slapd.conf (played around with suffix and defaultsearchbase to no avail)
>loglevel 4
>defaultsearchbase "ou=accounts,dc=suscom,dc=net"
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/redhat/rfc822-MailMember.schema
>include /etc/openldap/schema/redhat/autofs.schema
>include /etc/openldap/schema/redhat/kerberosobject.schema
>database ldbm
>suffix "dc=suscom,dc=net"
>suffix "ou=accounts,dc=suscom,dc=net"
This suffix is below the other suffix. Why do you specify two suffixes?
I don't think this will work. Just "dc=suscom,dc=net" unless this is a
partition.
>rootdn "cn=Manager,dc=suscom,dc=net"
>rootpw {SSHA}sTyh4meQBWdEfopKtyTf9drN2t+e7y9A
>directory /var/lib/ldap
>index objectClass,uid,uidNumber,gidNumber,memberUid eq
>index cn,mail,surname,givenname eq,subinitial
>access to attr="userPassword"
> by self write
> by dn="cn=Manager,dc=suscom,dc=net" write
> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
> by anonymous auth
> by * none
>access to dn=".*,ou=accounts,dc=suscom,dc=net"
> by dn="cn=Manager,dc=suscom,dc=net" write
> by dn="cn=lmcadmin,ou=accounts,dc=suscom,dc=net" write
> by * read
>access to *
> by dn="cn=Manager,dc=suscom,dc=net" write
> by * read
>
>
>/etc/openldap/ldap.conf
>HOST 127.0.0.1
>BASE dc=suscom,dc=net
>
>
>my initial LDAP import:
>dn: dc=suscom,dc=net
>objectclass: top
>objectclass: dcObject
>dc: suscom
>
>dn: ou=accounts,dc=suscom,dc=net
>objectclass: top
>objectclass: organizationalUnit
>ou: accounts
>
>dn: cn=lmcadmin,ou=accounts,dc=suscom,dc=net
>objectclass: top
>objectclass: person
>objectclass: inetOrgPerson
>cn: lmcadmin
>sn: lmcadmin
>uid: lmcadmin
>userPassword: {SSHA}npuxDYqHSDybRycKcNNOjM6ZP+GSfYHr
I think PAM wants an objectclass of posixAccount or account unless you
specify otherwise. The above is neither.
Does nss appear to work?
>/etc/pam.d/pop3
>#%PAM-1.0
>auth sufficient /lib/security/pam_ldap.so
>auth required /lib/security/pam_unix_auth.so try_first_pass
>account sufficient /lib/security/pam_ldap.so
>account required /lib/security/pam_unix_acct.so
--
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------
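As an added illustration of the two points raised in the reply (the missing posixAccount/account class and the crypt-versus-SSHA scheme), here is a small Python check written for this page, not code from the thread or from OpenLDAP/pam_ldap: it verifies an {SSHA} userPassword value the way slapd does and audits an LDIF entry against the configured pam_password. The sample entry, password and salt are constructed; the real hashes from the post are not used.

```python
import base64
import hashlib

def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate the way slapd does: the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines, multi-valued attrs."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def audit_entry(entry: dict, pam_password: str) -> list:
    """List what pam_ldap/nss_ldap would trip over, following the points raised in the reply."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if not classes & {"posixaccount", "account"}:
        problems.append("missing posixAccount/account objectClass")
    for pw in entry.get("userpassword", []):
        scheme = pw[1:pw.index("}")].lower() if pw.startswith("{") and "}" in pw else "clear"
        # pam_password exop lets slapd pick the hash on change, so only a client-side scheme can differ
        if pam_password.lower() not in ("exop", scheme):
            problems.append(f"stored {scheme} hash but pam_password {pam_password} would write {pam_password} hashes on change")
    return problems

# Constructed sample: the quoted inetOrgPerson entry with a hypothetical password and salt
SAMPLE_PW = make_ssha("example-pw", b"\x01\x02\x03\x04")
SAMPLE_LDIF = ("dn: cn=lmcadmin,ou=accounts,dc=suscom,dc=net\nobjectclass: top\n"
               "objectclass: person\nobjectclass: inetOrgPerson\ncn: lmcadmin\n"
               "sn: lmcadmin\nuid: lmcadmin\nuserPassword: " + SAMPLE_PW + "\n")
```

Running `audit_entry(parse_ldif(SAMPLE_LDIF)[0], "crypt")` reports both the objectClass gap and the scheme mismatch; adding posixAccount and switching to pam_password exop clears both.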