Hi,
I found that if I change the /etc/ldap.conf to use binddn and bindpw it works, but if I use rootbinddn and put the password in /etc/ldap.secret, it doesn't. It's the same user account, any ideas? And how would this affect LDAP operations?
- Yang
On 10/26/05, Craig White <craigwhite@xxxxxxxxxxx> wrote:
On Wed, 2005-10-26 at 10:08 -0400, Yang Xiao wrote:
> Hi all,
> I'm running openldap-2.2.23-5 on FC4 with nss_ldap. I was able to start
> the server and populate the db using smbldap-tool, ldapsearch works,
> smbldap-useradd works, but I can't seem to make name switch work. I
> tried both "files ldap" and "compat ldap" for passwd/shadow/group, PAM
> system-auth seems to be ok.
> I think I should be able to see the ldap users when I do "getent
> passwd", but this only shows the passwd file content.
> please help!
>
> Many thanks!
>
> - Yang
>
> #system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
> #NSSWITCH
>
> passwd: compat ldap
> group: compat ldap
>
> hosts: files dns
> networks: files dns
>
> services: files ldap
> protocols: files ldap
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files ldap
> publickey: files
>
> bootparams: files
> automount: files ldap
> aliases: files
>
> shadow: compat ldap
>
> #/etc/ldap.conf
>
> host: 127.0.0.1
> base dc=xxx,dc=com
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn cn=nssldap,ou=DSA,dc=xxx,dc=com
>
> nss_base_passwd ou=Users,dc=xxx,dc=com?one
> nss_base_passwd ou=Computers,dc=xxx,dc=com?one
> nss_base_shadow ou=Users,dc=xxx,dc=com?one
> nss_base_group ou=Groups,dc=xxx,dc=com?one
>
> pam_password md5
> ssl no
----
it looks pretty good...
what happens when you try from command line?
ldapsearch -x -h 127.0.0.1 -D 'cn=nssldap,ou=DSA,dc=xxx,dc=com' \
-W '(objectclass=*)' |grep uid
does it list users? Obviously the password you use 'MUST' be the same
password you have in /etc/ldap.secret for this to simulate what you are
trying to do.
Craig
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
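The rootbinddn versus binddn difference the thread turns on, as an added Python example (not code from the thread or from nss_ldap): it parses the posted ldap.conf style and then picks the bind credentials nss_ldap would use, honouring rootbinddn only when the effective uid is 0 and /etc/ldap.secret is readable, so a non-root caller (a user running getent, an unprivileged daemon) falls back to binddn/bindpw or an anonymous bind. The configuration text and secret values are constructed; the function and variable names are this example's own.

```python
import os

# Constructed ldap.conf fragment mirroring the rootbinddn setup posted in the thread.
SAMPLE_LDAP_CONF = """\
host 127.0.0.1
base dc=xxx,dc=com
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=nssldap,ou=DSA,dc=xxx,dc=com
nss_base_passwd ou=Users,dc=xxx,dc=com?one
ssl no
"""


def parse_ldap_conf(text):
    """Parse nss_ldap-style 'key value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def load_secret(path="/etc/ldap.secret"):
    """Return the secret file's text, or None when this process cannot read it.
    For a root-owned mode 600 file that is every non-root process."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def effective_bind(conf, euid, secret):
    """Return (bind_dn, password, reason) for the bind an nss_ldap lookup would perform.

    rootbinddn applies only when euid == 0 and the secret was readable; the first
    line of the secret is the password (trailing newline dropped). Otherwise
    binddn/bindpw apply if configured, else the bind is anonymous.
    """
    if euid == 0 and "rootbinddn" in conf and secret is not None:
        lines = secret.splitlines()
        return conf["rootbinddn"], (lines[0] if lines else ""), "rootbinddn"
    if "binddn" in conf:
        return conf["binddn"], conf.get("bindpw", ""), "binddn"
    return None, None, "anonymous"


if __name__ == "__main__":
    # Show what the current process would bind as on this host.
    print(effective_bind(parse_ldap_conf(SAMPLE_LDAP_CONF), os.geteuid(), load_secret()))
```

When the result is "anonymous", the directory's ACLs decide whether getent sees LDAP users at all, which is the first thing to check when rootbinddn "works" for root but not for ordinary users.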