Linux Authentication with openldap, pam_ldap and nss_ldap
Hello,
I'm trying to use openldap for authentication for all linux accounts, i.e.
the users are not in the passwd-file but on the ldap-server, which is in the
first step on the same server (localhost).
I installed pam_ldap and nss_ldap! I put one user into the ldap tree (see
attached ldif-file). I made all the configuration according to the
documentation of pam_ldap and nss_ldap.
I can't login to my linux box with the user (mjordan) which is not in the
passwd-file, only on the ldap-server. I tried to debug a bit.
I see the ldap server is asked and the user is found, but from the login task
there is a 'login failed for user mjordan' in /var/log/messages. With ldapsearch
I can query the ldap server and get the entry for the specific user.
Here are the configuration files:
# /etc/openldap/slapd.conf
# ------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
replogfile /var/log/openldap/replication.log
allow bind_anon_dn
defaultsearchbase dc=berlitz,dc=de
allow bind_v2
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=mydomain,dc=de"
rootdn "cn=Manager,dc=mydomain,dc=de"
rootpw mypwd
directory /var/lib/ldap
index objectClass eq
------------------------------------------------------------------------------
# /etc/openldap/ldap.conf
# -----------------------
HOST 127.0.0.1
BASE dc=berlitz,dc=de
ldap_version 2
rootbinddn cn=Manager,dc=mydomain,dc=de
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute cn
pam_password clear
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
nss_base_passwd o=ehq,dc=mydomain,dc=de
nss_base_shadow o=ehq,dc=mydomain,dc=de
nss_base_group o=ehq,dc=mydomain,dc=de
#ssl on
ssl no
------------------------------------------------------------------------------
/etc/pam.d/login
----------------
#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix2.so nullok use_firt_pass #set_secrpc
account sufficient pam_ldap.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_ldap.so use_first_pass use_authok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_env.so
session optional pam_mail.so
------------------------------------------------------------------------------
#LDIF-File imported to the openldap-server
#-----------------------------------------
dn:dc=mydomain,dc=de
objectclass:Organization
objectclass:dcObject
o:Berlitz
dc:berlitz
dn:o=ehq,dc=mydomain,dc=de
objectclass:Organization
o:ehq
dn:cn=mjordan,o=ehq,dc=mydomain,dc=de
objectClass:account
objectClass:posixAccount
objectClass:top
cn:mjordan
userPassword:geheim
uid:mjordan
uidNumber:501
gidNumber:100
homeDirectory:/home/mjordan
loginShell:/bin/bash
------------------------------------------------------------------------------
So, what am I doing wrong? I would appreciate it very much if someone of the
ldap gurus could give me a hint in the right direction. All google searches and
mailing list archives could not solve this problem.
thanks in advance
Manfred Jordan
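As an added example (not part of the original post and not code from the pam_ldap, nss_ldap or OpenLDAP projects): a small Python checker that reads the kind of config fragments posted above and flags two classes of mistake that are visible in them, a DN in ldap.conf that does not lie under the slapd suffix, and a PAM module option that is not in a known allowlist. The embedded sample lines are trimmed copies of the posted files, and the option allowlist KNOWN_PAM_OPTS is an assumption that would be extended for the modules actually installed.

```python
# Constructed inputs: trimmed copies of the lines shown in the post, embedded
# so the checker runs offline; the real files would be read from disk.
SLAPD_CONF = 'suffix "dc=mydomain,dc=de"\nrootdn "cn=Manager,dc=mydomain,dc=de"\n'
LDAP_CONF = ("BASE dc=berlitz,dc=de\nrootbinddn cn=Manager,dc=mydomain,dc=de\n"
             "nss_base_passwd o=ehq,dc=mydomain,dc=de\n"
             "nss_base_group o=ehq,dc=mydomain,dc=de\n")
PAM_LOGIN = ("auth required pam_unix2.so nullok use_firt_pass #set_secrpc\n"
             "password required pam_ldap.so use_first_pass use_authok\n"
             "session required pam_unix2.so none # debug or trace\n")

# Assumed allowlist of module options for this check; pam_unix2 and pam_ldap
# accept more than these, so extend it for the modules actually installed.
KNOWN_PAM_OPTS = {"nullok", "use_first_pass", "try_first_pass", "use_authtok",
                  "debug", "trace", "none"}

def normalize_dn(dn):
    """Lower-case a DN and strip quotes/whitespace so DNs compare reliably."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(","))

def parse_kv(text):
    """Parse 'key value' lines (slapd.conf / ldap.conf style) into key -> [values]."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(" ")
            out.setdefault(key.lower(), []).append(val.strip())
    return out

def check_bases(slapd_text, ldap_text):
    """Report ldap.conf DNs (BASE, rootbinddn, nss_base_*) not under the slapd suffix."""
    suffix = normalize_dn(parse_kv(slapd_text)["suffix"][0])
    problems = []
    for key, vals in parse_kv(ldap_text).items():
        if key in ("base", "rootbinddn") or key.startswith("nss_base_"):
            for val in vals:
                dn = normalize_dn(val.split("?")[0])  # nss_base_* may be base?scope?filter
                if dn != suffix and not dn.endswith("," + suffix):
                    problems.append(f"{key}: {dn} is outside suffix {suffix}")
    return problems

def check_pam_options(pam_text):
    """Report module options outside the allowlist; this catches misspellings."""
    problems = []
    for line in pam_text.splitlines():
        fields = line.split("#")[0].split()  # drop trailing comments
        for opt in fields[3:]:
            if opt not in KNOWN_PAM_OPTS:
                problems.append(f"{fields[2]}: unknown option {opt!r}")
    return problems

if __name__ == "__main__":
    for p in check_bases(SLAPD_CONF, LDAP_CONF) + check_pam_options(PAM_LOGIN):
        print("WARNING:", p)
```

Run against the sample lines it reports the BASE/suffix mismatch and the two misspelled options; a user lookup that never reaches the right subtree is a common reason for a "login failed" message even when ldapsearch with an explicit base works.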