Massive Headaches Setting Up Clients
- To: openldap-software@OpenLDAP.org
- Subject: Massive Headaches Setting Up Clients
- From: Phil Dibowitz <phil@ipom.com>
- Date: Mon, 10 Feb 2003 15:41:09 -0800
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1
Ok, I'm having a huge list of headaches getting my clients to
authenticate correctly to my OpenLDAP server.
1. [small] If nscd isn't running, getent, ldapsearch, etc. SEGFAULT.
This shouldn't happen. They shouldn't require nscd, and even if they do,
they should warn.
2. [large] LDAP is completely inconsistent. Once I switch nsswitch.conf
over to be 'files ldap' for passwd, shadow, group, and take out my user
from local passwd file, I get this:
# grep phil /etc/passwd
# getent passwd phil
# getent passwd | grep phil
phil:x:505:505:Phil Dibowitz:/home/phil:/bin/bash
#
Why the heck won't it find phil if I specify phil? This problem causes
me to not be able to log in.
3. [note] The same thing happens with hosts:
# grep px3 /etc/hosts
# getent hosts px3
# getent hosts | grep px3
192.168.2.207 px3
#
4. [note] The server is a GOOD client UNTO ITSELF. It works fine.
GENERAL INFO:
I'm running RedHat 7.3 everywhere with recent updates.
Clients look like:
# rpm -qa | grep openldap
openldap-2.0.23-4
openldap-devel-2.0.23-4
openldap-clients-2.0.23-4
Server looks like:
# rpm -qa | grep openldap
openldap-devel-2.0.23-4
openldap-clients-2.0.23-4
openldap-servers-2.0.23-4
openldap-2.0.23-4
My /etc/pam.d/system-auth looks like:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
Any line breaks caused by my mail wrapping are NOT in the file.
My /etc/pam.d/passwd is:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
The relevant parts of my /etc/nsswitch.conf look like:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files ldap dns
/etc/ldap.conf, /etc/openldap/ldap.conf, and /etc/openldap/ldap.secret
are the same as on the server (which works fine as a client) -- EXCEPT that
the 'host' option is changed to point at the server instead of 127.0.0.1.
Perms are:
root:root 640 /etc/openldap/ldap.conf
root:root 600 /etc/openldap/ldap.secret
root:root 640 /etc/ldap.conf
Any help would be much appreciated. Thanks.
--
Phil Dibowitz phil@ipom.com
Freeware and Technical Pages    http://home.earthlink.net/~jaymzh666/
Insanity Palace of Metallica    http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
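An added example, not part of Phil's post and not code from OpenLDAP, pam_ldap or Red Hat: a small Python checker that parses a /etc/pam.d/system-auth file in the layout quoted above (including the bracketed control field and lines that a mail client has wrapped), and reports the three things worth confirming before switching nsswitch.conf to 'files ldap': that pam_ldap reuses the password pam_unix already collected, that the auth stack ends in a required pam_deny, and whether pam_unix's nullok is in effect. The helper names (parse_pam, check_auth_stack, secret_perms_ok, secret_file_ok) and the choice of checks are this example's own assumptions; the sample input is the system-auth from the post, wrapped as it arrived.

```python
"""Sanity-check a Linux-PAM service file before moving auth to LDAP.

Added example, not code from the original post, OpenLDAP, pam_ldap or Red Hat.
The helper names and the three checks are this example's own assumptions
about what is worth verifying on a client before 'files ldap' goes live.
"""
import os
import re
import stat

_TYPES = ('auth', 'account', 'password', 'session')
# <type> <control> <module> [args...]; control is a keyword or a bracketed
# value=action list such as [default=bad success=ok user_unknown=ignore].
_LINE_RE = re.compile(
    r'^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_pam(text):
    """Return a list of (type, control, module, args) for each PAM entry.

    A line that does not begin with a PAM type keyword is treated as the
    continuation of the previous entry, which repairs the wrapping that
    mail clients introduce (the real file has each entry on one line).
    """
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.split()[0] in _TYPES or not joined:
            joined.append(line)
        else:
            joined[-1] += ' ' + line
    entries = []
    for line in joined:
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError('unparsable PAM line: %r' % line)
        ptype, control, module, args = m.groups()
        entries.append((ptype, control, os.path.basename(module), args.split()))
    return entries


def check_auth_stack(entries):
    """Return a dict of yes/no findings about the 'auth' stack."""
    auth = [e for e in entries if e[0] == 'auth']
    ldap = [e for e in auth if e[2] == 'pam_ldap.so']
    return {
        # pam_ldap after pam_unix must reuse the password already typed,
        # otherwise a valid LDAP user is prompted twice.
        'ldap_reuses_password': bool(ldap) and all(
            'use_first_pass' in e[3] or 'try_first_pass' in e[3] for e in ldap),
        # With only 'sufficient' modules above it, a final required pam_deny
        # is what turns "nothing succeeded" into a definite failure.
        'auth_ends_in_deny': bool(auth)
            and auth[-1][1] == 'required' and auth[-1][2] == 'pam_deny.so',
        # nullok lets accounts with an empty password field authenticate.
        'unix_allows_empty_password': any(
            e[2] == 'pam_unix.so' and 'nullok' in e[3] for e in auth),
    }


def secret_perms_ok(mode, uid):
    """True when a bind-password file (ldap.secret) is root-owned and has
    no group/other permission bits, i.e. root:root 0600 as in the post."""
    return uid == 0 and (stat.S_IMODE(mode) & 0o077) == 0


def secret_file_ok(path):
    """Apply secret_perms_ok to a real file on disk."""
    st = os.stat(path)
    return secret_perms_ok(st.st_mode, st.st_uid)


# The system-auth from the post, with the mail wrapping left in on purpose
# so that parse_pam's line joining is exercised.
SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
"""

if __name__ == '__main__':
    parsed = parse_pam(SYSTEM_AUTH)
    for finding, value in check_auth_stack(parsed).items():
        print('%-28s %s' % (finding, value))
    print('ldap.secret root:root 0600:', secret_perms_ok(0o600, 0))
```

Run against the post's own system-auth it reports that pam_ldap does use use_first_pass and that the stack ends in pam_deny, so the PAM side is not what breaks the login; it also flags nullok on pam_unix, which is a choice worth making deliberately rather than inheriting from the distribution default. To check the real secret file, call secret_file_ok('/etc/openldap/ldap.secret') as root.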