OK, that indeed seems to be the problem. But even though "ssl no" works when using "host 192.168.1.20", it does not work when I use "URI ldap://192.168.1.20".

Why is this? What's the difference in how the two parameters are processed?

Thanks,
MARK

> -----Original Message-----
> From: fedora-list-bounces@xxxxxxxxxx
> [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Nigel Wade
> Sent: Monday, June 13, 2005 1:38 AM
> To: For users of Fedora Core releases
> Subject: Re: LDAP authentication on FC3
>
>
> Mark wrote:
> > Hi,
> >
> > I have a problem using LDAP on FC3 for authentication and login.
> >
> > So far it worked on FC1 without problem, but the same ldap.conf,
> > nsswitch.conf and system-auth won't work under FC3.
> >
> > ldap.conf looks like this:
> >
> > base dc=mydomain,dc=com
> > host 192.168.1.20
> > pam_password md5
> > ssl yes
> >
> >
> > This gives me the following messages in /var/log/message:
> > Jun 12 23:48:27 infra1 sshd(pam_unix)[2716]: check pass; user unknown
> > Jun 12 23:48:27 infra1 sshd[2716]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> > Jun 12 23:48:27 infra1 sshd[2716]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> >
> >
> > Changing the host parameter in ldap.conf to
> > URI ldaps://192.168.1.20
> >
> > then gives me a different error message:
> > Jun 12 23:54:37 infra1 sshd(pam_unix)[2732]: check pass; user unknown
> > Jun 12 23:54:37 infra1 sshd(pam_unix)[2732]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.29
> >
> > nscd is NOT running
> > Also, I disabled SELINUX
> >
> > At the same time, finger and groups commands work, I can also pull up
> > the record using ldapsearch...
> >
> > Any ideas what could be the problem?
> >
> > Thanks,
> >
> > MARK
> >
>
> Don't forget that ldapsearch and nss_ldap/pam_ldap use different copies of
> ldap.conf. One uses /etc/ldap.conf and the other uses
> /etc/openldap/ldap.conf (can't remember which offhand). Make sure both are
> updated correctly, or symlink them. Also, at some stage PAM attempts to bind
> as the rootbinddn using the password in /etc/ldap.secret. Is that set up?
>
> I'd try getting the system working without SSL to begin with (if that's an
> option). At least then you can monitor the network traffic to see what's
> happening. Once LDAP works you can re-introduce the encryption.
>
> --
> Nigel Wade, System Administrator, Space Plasma Physics Group,
> University of Leicester, Leicester, LE1 7RH, UK
> E-mail : nmw@xxxxxxxxxxxx
> Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
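As an added example (not part of either poster's message), here is a small Python script that checks the two things Nigel's reply raises: whether /etc/ldap.conf (nss_ldap/pam_ldap) and /etc/openldap/ldap.conf (the OpenLDAP command-line tools) point at the same server in the same way, and whether /etc/ldap.secret exists and is root-only, as pam_ldap requires for the rootbinddn bind. The two sample configs are constructed: the first is Mark's ldap.conf with a placeholder rootbinddn line that is not in the post, the second is an invented stale second copy. The secret-file path used in the `__main__` run is also a stand-in; pass the real file contents and path to `audit()` on a live host.

```python
"""Audit the two ldap.conf copies that nss_ldap/pam_ldap and the OpenLDAP
tools read, and the /etc/ldap.secret file used for the rootbinddn bind."""
import os
import stat
from typing import Dict, List

# Constructed sample: the ldap.conf from the post, plus a rootbinddn line
# with a placeholder DN (not from the post) to exercise the secret check.
NSS_LDAP_CONF = """\
# /etc/ldap.conf  (read by nss_ldap / pam_ldap)
base dc=mydomain,dc=com
host 192.168.1.20
pam_password md5
ssl yes
rootbinddn cn=PLACEHOLDER-manager,dc=mydomain,dc=com
"""

# Constructed sample: a stale second copy, as ldapsearch might see it.
OPENLDAP_CONF = """\
# /etc/openldap/ldap.conf  (read by the OpenLDAP command-line tools)
BASE dc=mydomain,dc=com
URI ldap://192.168.1.20
"""

# Keys that decide which server is contacted and how; compared across copies.
TRANSPORT_KEYS = ("base", "host", "uri", "port", "ssl")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'keyword value' lines. Blank lines and lines starting with '#'
    are ignored; keywords are case-insensitive; a repeated keyword keeps
    the last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def describe_transport(conf: Dict[str, str]) -> str:
    """One-line summary of where this copy will try to connect."""
    target = conf.get("uri") or conf.get("host") or "(no host/URI)"
    port = conf.get("port")
    ssl = conf.get("ssl", "(unset)")
    return f"{target}{':' + port if port else ''} ssl={ssl}"


def compare_configs(a: Dict[str, str], b: Dict[str, str],
                    keys=TRANSPORT_KEYS) -> List[str]:
    """List keys whose value differs between the two copies (None = absent)."""
    findings = []
    for key in keys:
        va, vb = a.get(key), b.get(key)
        if va != vb:
            findings.append(f"{key}: {va!r} vs {vb!r}")
    return findings


def check_secret_perms(mode: int, uid: int) -> List[str]:
    """pam_ldap reads the rootbinddn password from ldap.secret, which must be
    owned by root and unreadable by anyone else (mode 0600)."""
    problems = []
    if uid != 0:
        problems.append("ldap.secret is not owned by root")
    if stat.S_IMODE(mode) & 0o077:
        problems.append("ldap.secret is readable by group/other; expected mode 0600")
    return problems


def check_secret(path: str = "/etc/ldap.secret") -> List[str]:
    """Stat the secret file; report it missing or badly protected."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} is missing; the rootbinddn bind will fail"]
    return check_secret_perms(st.st_mode, st.st_uid)


def audit(nss_text: str, openldap_text: str,
          secret_path: str = "/etc/ldap.secret") -> Dict[str, List[str]]:
    """Run all checks over the two config texts and return the findings."""
    nss, ol = parse_ldap_conf(nss_text), parse_ldap_conf(openldap_text)
    return {
        "transport": [f"/etc/ldap.conf -> {describe_transport(nss)}",
                      f"/etc/openldap/ldap.conf -> {describe_transport(ol)}"],
        "mismatches": compare_configs(nss, ol),
        # The secret only matters when a rootbinddn is configured.
        "secret": check_secret(secret_path) if "rootbinddn" in nss else [],
    }


if __name__ == "__main__":
    # Runs against the constructed samples; the secret path is a stand-in.
    result = audit(NSS_LDAP_CONF, OPENLDAP_CONF, "/tmp/ldap.secret.example")
    for section, lines in result.items():
        print(f"[{section}]")
        for line in lines or ["ok"]:
            print("  " + line)
```

On the constructed input the report shows the first copy using `host 192.168.1.20` with `ssl yes` and the second using `URI ldap://192.168.1.20` with no ssl setting, which is exactly the kind of drift that makes ldapsearch succeed while pam_ldap fails.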