Re: ldap auth with nss_ldap on FC4

Gordon Messmer wrote:

Uno Engborg wrote:

Yes, I have similar problems. I can use LDAP to authenticate users but they can't change
password.


I used the "system-config-authentication" tool (actually, its equivalent during the installation) to configure LDAP user info and authentication, which works as it should.

If I uncomment the rootbinddn line, authentication fails.


You normally don't need it, so I'd suggest that you use the included config tools to set up a working client configuration, and then decide whether or not you have a need for that option.


If you do that, the passwd command will not work, at least not for root.



The /etc/openldap/slapd.conf looks like this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
       by self write
       by users read
       by anonymous auth


Whoa... Hold up there. If you let users write to their uid and gid attributes, "Bad Things(tm)" can happen. Be specific about what you want users to be able to change, do not use wildcards for write access.

You are quite right, I merely used it as proof of concept.
I suppose I should have pointed that out, so that nobody is fooled into using it for something critical.



My /etc/ldap.secret is readable and writable by the user ldap, and only by that user.


If you want to pursue getting "rootbinddn" working after using the config tools, that file should be owned and readable only by root.

Tried to change ownership to root, but that makes no difference.


This worked perfectly with the same settings on FC3. Any idea what has changed?


I'm not sure, but selinux might be preventing root from reading files that it doesn't own.

No, I have tested turning SELinux off, and it still doesn't work.

If I do "passwd uengborg" as root I get:

Enter login(LDAP) password:
New UNIX password:
Retype Unix password:
LDAP password information update failed: Can't contact LDAP server

passwd: Permission denied



/uno
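An added example, not from either poster's configuration, showing the wildcard self-write ACL quoted in the thread next to a narrower replacement that still lets users change their own password. slapd.conf evaluates "access to" clauses in order and the first clause whose target matches decides, so the specific attribute rules must precede the catch-all; the attribute names assume the posixAccount/shadowAccount classes from nis.schema.

```conf
# Weak form (as quoted in the thread): "by self write" on "*" lets a user
# rewrite every attribute of their own entry, including uidNumber and
# gidNumber, which is what "Bad Things(tm)" refers to.
#
# access to *
#        by self write
#        by users read
#        by anonymous auth

# Narrower replacement. Order matters: first matching clause wins.

# Password hash: owner may change it, anonymous may only use it to bind
# (needed for pam_ldap authentication), nobody else can read it.
access to attrs=userPassword
       by self write
       by anonymous auth
       by * none

# pam_ldap updates shadowLastChange after a password change, so the
# owner needs write access to this one shadow attribute as well.
access to attrs=shadowLastChange
       by self write
       by users read

# Fields a user may reasonably edit about themselves.
access to attrs=loginShell,gecos
       by self write
       by users read

# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...):
# readable by authenticated users, never writable by the entry owner.
access to *
       by users read
       by anonymous auth
```

Because the last clause no longer grants self write, a user who binds as themselves can still run passwd but gets an insufficientAccessRights error if they try to modify uidNumber or gidNumber.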



