
Massive Headaches Setting Up Clients



Ok, I'm having a huge list of headaches getting my clients to authenticate correctly to my OpenLDAP server.

1. [small] If nscd isn't running, getent, ldapsearch, etc. SEGFAULT. This shouldn't happen. They shouldn't require nscd, and even if they do, they should warn.

2. [large] LDAP is completely inconsistent. Once I switch nsswitch.conf over to be 'files ldap' for passwd, shadow, group, and take out my user from local passwd file, I get this:
# grep phil /etc/passwd
# getent passwd phil
# getent passwd | grep phil
phil:x:505:505:Phil Dibowitz:/home/phil:/bin/bash
#


Why the heck won't it find phil if I specify phil? This problem causes me to not be able to login.

3. [note] The same thing happens with hosts:
# grep px3 /etc/hosts
# getent hosts px3
# getent hosts | grep px3
192.168.2.207   px3
#

4. [note] The server is a GOOD client UNTO ITSELF. It works fine.

GENERAL INFO:
I'm running RedHat 7.3 everywhere with recent updates.

Clients look like:
# rpm -qa | grep openldap
openldap-2.0.23-4
openldap-devel-2.0.23-4
openldap-clients-2.0.23-4

Server looks like:
# rpm -qa | grep openldap
openldap-devel-2.0.23-4
openldap-clients-2.0.23-4
openldap-servers-2.0.23-4
openldap-2.0.23-4

My /etc/pam.d/system-auth looks like:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so


The line breaks caused by my mail wrapping are NOT in the file.

My /etc/pam.d/passwd is:
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth


The relevant parts of my /etc/nsswitch.conf look like:
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files ldap dns

/etc/ldap.conf, /etc/openldap/ldap.conf, and /etc/openldap/ldap.secret are the same as on the server, which works fine as a client -- EXCEPT that the 'host' option is changed to point at the server instead of 127.0.0.1.
Perms are:
root:root 640 /etc/openldap/ldap.conf
root:root 600 /etc/openldap/ldap.secret
root:root 640 /etc/ldap.conf


Any help would be much appreciated. Thanks.
--
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://home.earthlink.net/~jaymzh666/     http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 - Benjamin Franklin, 1759
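An added example, not code from the post above, to make the control-flag semantics of the quoted system-auth stack concrete: a toy evaluator in Python that parses the auth and account lines of that file and combines per-module results the way Linux-PAM's keyword expansion (required, requisite, sufficient, optional, and the explicit [value=action] form) does. The per-module results in each scenario are constructed inputs, and the assumption that pam_unix's account check reports user_unknown when the NSS lookup by name fails (the `getent passwd phil` symptom in the post) is mine, not something the post states.

```python
# Added example (not code from the original post): a toy evaluator for
# Linux-PAM control flags, run over the system-auth stack quoted above.
# It models only how the stack combines per-module results.  What each
# module would actually return is supplied as constructed input, since the
# real modules consult /etc/passwd, /etc/shadow and the LDAP server.

# Linux-PAM's documented expansion of the simple keywords into [value=action]
# controls.  "default" covers every return value not listed explicitly.
SIMPLE = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The auth and account stacks of /etc/pam.d/system-auth as posted (the
# password and session stacks are not needed for the login question).
SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
"""


def parse_stack(text):
    """Parse a pam.d file into {type: [(control_dict, module_basename), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        rest = rest.strip()
        if rest.startswith("["):                      # explicit [value=action ...] form
            end = rest.index("]")
            control = dict(kv.split("=", 1) for kv in rest[1:end].split())
            module = rest[end + 1:].split()[0]
        else:                                         # required/requisite/sufficient/optional
            keyword, module = rest.split()[0], rest.split()[1]
            control = SIMPLE[keyword]
        stacks.setdefault(mtype, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks


def run_stack(stack, results):
    """Combine module results the way libpam does.

    results maps module basename -> the PAM return value it would produce
    ("success", "auth_err", "user_unknown", ...).  The first result counted as
    "bad"/"die" sticks and becomes the stack's result; "done" short-circuits
    only while nothing has failed yet; "ignore" contributes nothing.
    """
    failure = None
    saw_success = False
    for control, module in stack:
        ret = results.get(module, "ignore")
        action = control.get(ret, control["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            saw_success = True
            if action == "done" and failure is None:
                return "success"
        elif action in ("bad", "die"):
            if failure is None:
                failure = ret
            if action == "die":
                return failure
    if failure is not None:
        return failure
    return "success" if saw_success else "perm_denied"  # nothing contributed a result


def evaluate(stacks, auth_results, account_results):
    return {"auth": run_stack(stacks["auth"], auth_results),
            "account": run_stack(stacks["account"], account_results)}


def login_outcomes():
    """Four constructed scenarios.  The per-module results are assumptions about
    what pam_unix/pam_ldap would return, not values captured from a real system."""
    stacks = parse_stack(SYSTEM_AUTH)
    base = {"pam_env.so": "success", "pam_deny.so": "auth_err"}
    cases = {
        # Account in /etc/passwd, correct password: pam_unix alone is sufficient.
        "local user": (dict(base, **{"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}),
                       {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}),
        # LDAP-only account that NSS resolves by name (getent passwd <user> works).
        "ldap user, nss ok": (dict(base, **{"pam_unix.so": "auth_err", "pam_ldap.so": "success"}),
                              {"pam_unix.so": "success", "pam_ldap.so": "success"}),
        # LDAP-only account that NSS cannot resolve by name (the getent symptom in
        # the post): assumed here that pam_unix reports user_unknown when getpwnam() fails.
        "ldap user, nss lookup fails": (dict(base, **{"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}),
                                        {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}),
        # Account known to neither source: the final required pam_deny fails the stack.
        "unknown everywhere": (dict(base, **{"pam_unix.so": "user_unknown", "pam_ldap.so": "user_unknown"}),
                               {"pam_unix.so": "user_unknown", "pam_ldap.so": "user_unknown"}),
    }
    return {name: evaluate(stacks, auth, acct) for name, (auth, acct) in cases.items()}


if __name__ == "__main__":
    for name, outcome in login_outcomes().items():
        print(f"{name:30s} auth={outcome['auth']:13s} account={outcome['account']}")
```

Under these assumptions the "ldap user, nss lookup fails" scenario is the interesting one: the auth stack still returns success because pam_ldap is `sufficient`, but the `required pam_unix` account line fails with user_unknown and that code, not the later pam_ldap success, is what the login program gets back. The `user_unknown=ignore` on the pam_ldap account line only protects local users from the LDAP module; nothing protects LDAP users from a pam_unix that cannot resolve them, which is why the NSS lookup by name has to work before the PAM stack can.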