
Re: samba/ldap/nss



Have you tested that the authentication for PAM is working correctly?
Try logging in using whatever auth you are using for it and check it can
read the entries it needs. libnss-ldap and pam_ldap have different
config files. Sounds like nss is working correctly (i.e. it's showing
both users), but the auth is failing for whatever reason.

My files are:

common-password:
password	sufficient	pam_ldap.so	ignore_unknown_user
password	required	pam_unix.so	try_first_pass nullok obscure min=4 max=8 md5

common-auth:
auth	sufficient	pam_ldap.so
auth	required	pam_unix.so	use_first_pass nullok_secure

common-account:
account	sufficient	pam_ldap.so
account	required	pam_unix.so	use_first_pass

common-session:
session	required	pam_unix.so

pam_ldap.conf:
host 127.0.0.1
base ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
ldap_version 3
binddn cn=pam,dc=jamie-thompson,dc=co,dc=uk,dc=.
bindpw <snip>
rootbinddn cn=admin,dc=jamie-thompson,dc=co,dc=uk,dc=.
timelimit 30
bind_timelimit 30
idle_timelimit 3600
pam_password crypt

libnss-ldap.conf:
host 127.0.0.1
base dc=jamie-thompson,dc=co,dc=uk,dc=.
ldap_version 3
binddn cn=nss,dc=jamie-thompson,dc=co,dc=uk,dc=.
bindpw <snip>
rootbinddn cn=admin,dc=jamie-thompson,dc=co,dc=uk,dc=.
timelimit 60
bind_timelimit 60
bind_policy hard
idle_timelimit 240
nss_base_passwd		ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_shadow		ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_group		ou=Groups,dc=jamie-thompson,dc=co,dc=uk,dc=.
#nss_base_hosts		ou=Hosts,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_services	ou=Services,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_networks	ou=Networks,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_protocols	ou=Protocols,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_rpc		ou=Rpc,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_ethers		ou=Ethers,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_netmasks	ou=Networks,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_bootparams	ou=Ethers,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_aliases	ou=Aliases,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_netgroup	ou=Netgroup,dc=jamie-thompson,dc=co,dc=uk,dc=.

Obviously, I've trimmed these slightly, but hopefully that should help.
I use a similar config on my workstations so that they authenticate/NSS
via LDAP to the server. I suspect that although what I have works, it's
not *quite* the correct way. For one thing, I never did get round to
setting up TLS. Luckily, I trust my LAN for the time being :)

Attachment: signature.asc
Description: OpenPGP digital signature

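As an added illustration of the debugging advice in the message above (not code from the original post or from the pam_ldap/libnss-ldap projects), the script below does two things offline: it walks a classic keyword-style PAM stack like the common-auth shown, so you can see why "sufficient pam_ldap.so / required pam_unix.so" lets both LDAP and local users in, and why a user that NSS can resolve still fails to log in once the LDAP bind fails; and it parses a pam_ldap.conf-style file and flags the settings a reviewer would raise, including the missing TLS the author mentions. The sample config, the hostnames and the simplified PAM result semantics (required/requisite/sufficient/optional only, no bracketed `[success=1 ...]` syntax) are assumptions made here for the example.

```python
"""Simulate a keyword-style PAM stack and lint a pam_ldap.conf-style file."""
import re

# Constructed sample input, modelled on the common-auth in the post above.
PAM_COMMON_AUTH = """\
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so use_first_pass nullok_secure
"""

# Constructed sample config; host/base/binddn are placeholders, not real data.
PAM_LDAP_CONF = """\
host 127.0.0.1
base ou=Accounts,dc=example,dc=test
ldap_version 3
binddn cn=pam,dc=example,dc=test
bindpw secret
bind_policy hard
pam_password crypt
"""


def parse_pam(text):
    """Return [(type, control, module, [args...])] for keyword-style lines.

    '@include' lines and bracketed control syntax are out of scope here.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        mtype, control, module = fields[:3]
        entries.append((mtype, control, module, fields[3:]))
    return entries


def run_stack(stack, outcomes):
    """Evaluate a stack given per-module outcomes ('success' or 'fail').

    Simplified Linux-PAM semantics:
      sufficient: success (with no earlier required failure) ends the stack
                  with success; failure is ignored.
      requisite:  failure ends the stack immediately with failure.
      required:   failure is remembered but later modules still run.
      optional:   never decides the result on its own.
    Modules absent from `outcomes` are treated as failing.
    """
    required_failed = False
    succeeded = False
    for _mtype, control, module, _args in stack:
        result = outcomes.get(module, "fail")
        if control == "sufficient":
            if result == "success" and not required_failed:
                return "success"
        elif control == "requisite":
            if result != "success":
                return "fail"
            succeeded = True
        elif control == "required":
            if result != "success":
                required_failed = True
            else:
                succeeded = True
        # optional: no effect on the final result
    if required_failed or not succeeded:
        return "fail"
    return "success"


def parse_conf(text):
    """Parse 'key value' lines as used by pam_ldap.conf / libnss-ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, 1)
        conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf


def lint_conf(conf):
    """Return human-readable findings for the security-relevant settings."""
    findings = []
    host = conf.get("host", "")
    uri = conf.get("uri", "")
    loopback = host in ("127.0.0.1", "localhost", "::1") or "localhost" in uri
    tls = conf.get("ssl", "").lower() in ("start_tls", "on", "yes") \
        or uri.startswith("ldaps://")
    if not tls and not loopback:
        findings.append("cleartext: simple bind sends bindpw and user passwords "
                        "unencrypted to %s; set 'ssl start_tls' or use ldaps://" % host)
    if "bindpw" in conf:
        findings.append("bindpw in file: keep this file unreadable to other users")
    if "rootbinddn" in conf:
        findings.append("rootbinddn set: its password lives in the companion "
                        "secret file, which must be mode 0600")
    if conf.get("bind_policy", "hard") == "hard":
        findings.append("bind_policy hard: NSS/PAM lookups block while the "
                        "server is unreachable; 'soft' fails fast instead")
    return findings


if __name__ == "__main__":
    stack = parse_pam(PAM_COMMON_AUTH)
    # LDAP user: pam_ldap binds, pam_unix never consulted.
    print(run_stack(stack, {"pam_ldap.so": "success", "pam_unix.so": "fail"}))
    # Local root: pam_ldap says unknown user, pam_unix checks /etc/shadow.
    print(run_stack(stack, {"pam_ldap.so": "fail", "pam_unix.so": "success"}))
    # LDAP bind failing for an LDAP-only user: visible via NSS, cannot log in.
    print(run_stack(stack, {"pam_ldap.so": "fail", "pam_unix.so": "fail"}))
    for finding in lint_conf(parse_conf(PAM_LDAP_CONF)):
        print("-", finding)
```

The third scenario is the symptom being debugged in the thread: `getent passwd` resolves the account through libnss-ldap, but the auth stack has no module left that can accept the password once pam_ldap's bind fails, so checking the pam_ldap bind (credentials, base, server reachability) separately from NSS is the right first step.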