[Date Prev][Date Next] [Chronological] [Thread] [Top]
posixAccount info from LDAP (long)

To: openldap-software@OpenLDAP.org
Subject: posixAccount info from LDAP (long)
From: Andrew Bacchi <bacchi@rpi.edu>
Date: Tue, 7 May 2002 13:54:14 -0400 (EDT)
Hello,

I am trying to get my /etc/passwd (posixAccount) info from my LDAP server 
rather than my /etc/passwd file.  I am NOT trying to authenticate to LDAP, 
I already authenticate to an AFS/Kerberos server, and it works 
perfectly.  I want to get my gid, uid, and home dir path from the 
LDAP server, but failing.

I run the server in debug mode and I can see tons of data blow by, so I 
know I am hitting it.  I do have the LDAP Browser/Editor v 2.8.2 by Jarek 
Gawor using JDK working perfectly.  I can see my data and edit it from the 
browser.  I have re-indexed the data using an LDIF import.

I am not certain, but I think it is my PAM config (system-auth) that is 
bunging me up.  Or possibly the ldap.conf.

The client and server systems are RedHat Linux 7.2.  Versions are:
nss_ldap-172-2
openldap-2.0.21-1
openldap-clients-2.0.21-1
openldap-devel-2.0.21-1

I have included parts of the ldap.conf, nsswitch.conf and 
pam.d/system-auth files below.  Any help is greatly appreciated.

The pertinent nsswitch.conf info looks like this:

passwd:     ldap files 	  # needed to get AFS auth to work
shadow:     ldap files	  # needed to get AFS auth to work
group:      ldap files	  # This is where I hope to grab posixAccount


The pam.d/system-auth file looks like this: (Is this correct?)

#%PAM-1.0

auth        required      /lib/security/pam_env.so
# auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_afs.krb.so likeauth nullok
auth        required      /lib/security/pam_deny.so

# account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 
shadow
password    required      /lib/security/pam_deny.so
A
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     required      /lib/security/pam_ldap.so



The ldap.conf file looks like this:

# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
host 128.113.26.59

# The distinguished name of the search base.
base dc=rpi,dc=edu

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The search scope.
#scope sub
#scope one
scope base

# Search timelimit
timelimit 30

# Bind timelimit
bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=posixAccount
pam_filter objectclass=Accounts

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=user,ou=AccountGroups,dc=rpi,dc=edu

### No changes made below this line!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
----------------------------------------------------------------------------

# Group member attribute
#pam_member_attribute uniquemember

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=example,dc=com?one
#nss_base_shadow	ou=People,dc=example,dc=com?one
#nss_base_group		ou=Group,dc=example,dc=com?one
#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
#nss_base_services	ou=Services,dc=example,dc=com?one
#nss_base_networks	ou=Networks,dc=example,dc=com?one
#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks	ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client sertificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
ssl no
pam_password md5


-- 
Andrew Bacchi
Staff Systems Programmer
Rensselaer Polytechnic Institute
phone: 518 276-6415  fax: 518 276-2809

http://www.rpi.edu/~bacchi/
Prev by Date: RE: gdbm fatal:write error ( resource temp unavaiable )
Next by Date: Re: web500gw
Index(es):
- Chronological
- Thread