[Martin Schulte]
Hello,
I'm trying to add an Ubuntu-PC to a skolelinux (etch) network using
this HowTo: http://wiki.skolelinux.de/Skolelinux/Ubuntu .
I did all the things written there, and I also set a link from
/etc/ldap.conf to /etc/ldap/ldap.conf (sudo unlink /etc/ldap.conf &&
sudo ln -s ldap/ldap.conf /etc/ldap.conf ), because Ubuntu 9.10 stores
the ldap.conf directly in /etc/ and not in /etc/ldap/.
After restarting, I ran "getent passwd" and I saw all debian-edu users.
After trying su - <username> , password: was prompted. After typing the
password, I got the alert: "Authentication failure". I get the same
error when trying to log in after reboot.
The important lines in the auth.log are (username = mschulte):
-----
Jan 4 21:25:19 rootgym-laptop login[2838]: pam_unix(login:auth):
authentication failure; logname=rootgym uid=0 euid=0 tty=/dev/pts/2
ruser= rhost= user=mschulte
Jan 4 21:25:19 rootgym-laptop login[2838]: pam_ldap: error trying to
bind as user "uid=mschulte,ou=People,dc=skole,dc=skolelinux,dc=no"
(Confidentiality required)
Jan 4 21:25:21 rootgym-laptop login[2838]: FAILED LOGIN (2) on
'/dev/pts/2' FOR 'mschulte', Authentication failure
Jan 4 21:25:29 rootgym-laptop login[2838]: pam_ldap: error trying to
bind as user "uid=mschulte,ou=People,dc=skole,dc=skolelinux,dc=no"
(Confidentiality required)
Jan 4 21:25:31 rootgym-laptop login[2838]: FAILED LOGIN (3) on
'/dev/pts/2' FOR 'mschulte', Authentication failure
-----
Can somebody help me?

I would suspect your /etc/pam_ldap.conf does not contain 'ssl start_tls'
or the LDAP server SSL certificate is missing in /etc/ldap/ssl/.
Password checks via LDAP require an encrypted LDAP connection, which
is ensured using TLS, and TLS should be configured to check the server
certificate. The /etc/init.d/fetch-ldap-cert script is used in
Skolelinux to download the LDAP SSL certificate on the clients. Note
that the LDAP configuration is intended to be different for NSS and
PAM, where NSS isn't encrypted while PAM is.
These are the current pam_ldap.conf settings in Debian Edu/Lenny:
tjener:~# grep -v '#' /etc/pam_ldap.conf |sort -u
base ou=People,dc=skole,dc=skolelinux,dc=no
host ldap
ldap_version 3
pam_filter objectclass=posixAccount
pam_password exop
ssl start_tls
tjener:~#
Another Question: Is there a possibility to assign the hostnames
automatically?

You mean like /etc/init.d/update-hostname is doing in Skolelinux?
Happy hacking,
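
Added example, not part of the original thread: a shell triage for the failure discussed above, which counts the pam_ldap binds the server refused with "Confidentiality required" and checks whether the client's pam_ldap.conf has an uncommented 'ssl start_tls'. The function names, the host name "client" and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Paths are arguments so the checks
# can be run on copies of the client's files.

# Succeeds if FILE has an uncommented "ssl start_tls" directive.
has_start_tls() {
    awk '$1 ~ /^#/ { next }
         tolower($1) == "ssl" && tolower($2) == "start_tls" { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Prints "COUNT USER" for each user whose pam_ldap bind the server refused
# with "Confidentiality required".
refused_binds() {
    sed -n 's/.*pam_ldap: error trying to bind as user "uid=\([^,"]*\)[^"]*" (Confidentiality required).*/\1/p' "$1" |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# usage: diagnose AUTH_LOG PAM_LDAP_CONF
diagnose() {
    refused=$(refused_binds "$1")
    if [ -z "$refused" ]; then
        echo "no refused binds in log"
    elif has_start_tls "$2"; then
        echo "start_tls is set; check the server certificate in /etc/ldap/ssl/"
    else
        echo "start_tls missing: add 'ssl start_tls' (refused: $refused)"
    fi
}

# Constructed sample files, modelled on the log and config quoted above.
make_samples() {
    cat > "$1/auth.log" <<'EOF'
Jan  4 21:25:19 client login[2838]: pam_ldap: error trying to bind as user "uid=mschulte,ou=People,dc=skole,dc=skolelinux,dc=no" (Confidentiality required)
Jan  4 21:25:29 client login[2838]: pam_ldap: error trying to bind as user "uid=mschulte,ou=People,dc=skole,dc=skolelinux,dc=no" (Confidentiality required)
Jan  4 21:26:02 client login[2901]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'other', Authentication failure
EOF
    printf '%s\n' 'host ldap' '#ssl start_tls' > "$1/broken.conf"
    printf '%s\n' 'host ldap' 'ssl start_tls' > "$1/fixed.conf"
}

tmp=$(mktemp -d) && make_samples "$tmp"
diagnose "$tmp/auth.log" "$tmp/broken.conf"
diagnose "$tmp/auth.log" "$tmp/fixed.conf"
rm -rf "$tmp"
```

On a real client the arguments would be /var/log/auth.log and /etc/pam_ldap.conf, or /etc/ldap.conf where the PAM module reads that file instead.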