[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Root user stuck in LDAP database
Hello all...
I've set up an LDAP database to handle authentication, and populated it
with some test users. I set up the server correctly, and the client
correctly, and nnswitch to search files first and then ldap second so I
could have a separate root for each machine. I didn't put root on the
LDAP server. (I appended the configuration files below)
This was working fine (on RH 7.2) but for some reasons users couldn't
change their passwords, even though the correct ACLs had been set up. I
looked around, discovered that there was a bug in the software
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56201) so I
downloaded pam_ldap-148 from PADL, configured, made, checked and
installed it. It worked - users could log in and change their passwords
now.
But there was a hitch: root couldn't log in, and this state of affairs
remained until I added a root user to the LDAP server. It seems that the
system is going straight to the LDAP server without checking the local
files first, and stops when it can't find anything in the LDAP database.
Why is this? Anybody know? How can I fix this? Any help would be
appreciated, I'm totally stumped.
Client: RH 7.2 running OpenLDAP 2.0.11-13 with nss_ldap 1.72 and
pam_ldap 1.48
Server: RH 7.1 running OpenLDAP 2.0.23
Client-Server communication uses TLS
Client authentication set using 'authconfig'
Client ldap.conf:
host <<snip>>
base dc=phys,dc=uvic,dc=ca
port 389
crypt des
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
#ssl yes
#sslpath /usr/share/ssl/certs
ssl start_tls
pam_password md5
Client /etc/pam.d/login:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
Client /etc/nsswitch.conf
...
passwd: files ldap
shadow: files ldap
group: files ldap
...
Server /etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27
20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
# Define TLS options
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/ldap.pem
TLSCertificateKeyFile /usr/share/ssl/certs/ldap.pem
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# rootdn can always write!
access to * by * read
access to attr=userPassword by self write
access to *
by self write
by users read
by anonymous auth
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=phys,dc=uvic,dc=ca"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=phys,dc=uvic,dc=ca"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw <<snip>>
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-ldbm
# Indices to maintain
index objectClass eq
---
Jan Van Uytven
Systems Administrator, UVic TRIUMF
wyvern@uvic.ca
'A fronte precipitum a tergo lupi'