
ldap/pam problem



Before I ask more detailed questions, I wanted to know if I really
need to edit the /etc/pam.d files presuming that I've modified my
/etc/nsswitch.conf file?

If so, then when I tried those modifications, I couldn't figure out
how to get reasonable behavior.  If you have

  auth       sufficient pam_ldap.so
  auth       required   pam_unix_auth.so try_first_pass

then if the entry is found in ldap, pam returns and you never execute
things like motd, etc. which is not what you want.

Presuming that setting up /etc/nsswitch.conf is sufficient, I still
can't get things to work.  If I try to log in as a normal (non-ldap)
user, everything's fine, and I can see that it's asking the ldap
server for the user and getting no answer (as an aside, it looks like
it's asking the ldap server for a bunch of fields that the
MigrationTools didn't create (shadowmax, shadowmin, etc)).  Then it
lets that user log in as usual based on their shadow passwd entry.

However, if I try to log in as stray (which is the user that has no
shadow passwd/group entry, but has an ldap entry), it never even asks
the ldap server, it just fails.  If I try su instead, I get "su:
problem establishing PAM_RUSER" also with no attempt to contact the
ldap server.

I think I got my pam_ldap.conf right -- the relevant lines should be:

  base ou=People,dc=localnet
  pam_filter objectclass=account

My nsswitch.conf reads as indicated in the libnss-ldap readme:

  passwd:         files nis ldap
  group:          files nis ldap
  shadow:         files nis ldap

(I didn't know about shadow, but I presumed it should be the same as
 the others).

And I can tell that the entry for stray is in the ldap database
because I can see it with ldapsearch:

  $ ldapsearch -h localhost -v -b ou=People,dc=localnet "(& (uid=stray) (objectclass=account))"
  ldap_init( localhost, 0 )
  filter pattern: (& (uid=stray) (objectclass=account))
  returning: ALL
  filter is: ((& (uid=stray) (objectclass=account)))
  uid=stray,ou=People,dc=localnet
  uid=stray
  cn=stray
  objectclass=top
  objectclass=account
  objectclass=posixAccount
  loginshell=/bin/bash
  uidnumber=1008
  gidnumber=1008
  homedirectory=/home/stray
  gecos=,,,
  1 matches

Any help would be appreciated.

-- 
Rob Browning <rlb@cs.utexas.edu> PGP=E80E0D04F521A094 532B97F5D64E3930
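Added example (not part of the message above, and not code from pam_ldap or libnss-ldap): a small Python model of how Linux-PAM walks a stack for one management group. Two facts drive the behaviour the post is asking about and are worth seeing executed: first, `auth`, `account`, `password` and `session` are separate stacks, dispatched by separate calls (`pam_authenticate`, `pam_acct_mgmt`, `pam_chauthtok`, `pam_open_session`), so a `sufficient` success on an `auth` line ends only the `auth` stack, and `session` modules such as pam_motd.so still run; second, a stack that contains no pam_ldap.so line never consults LDAP for authentication, whatever nsswitch.conf says. The control-flag semantics follow the pam.conf man page; the config text, the per-user module outcomes in `OUTCOMES`, and the `login()` helper are constructed for illustration, not observed results.

```python
"""Model of Linux-PAM stack dispatch (added example, not the post's own code).

Control flags implemented as documented in pam.conf(5):
  required   - failure is remembered, the rest of the stack still runs
  requisite  - failure ends the stack immediately
  sufficient - success ends the stack (an earlier required failure still wins);
               failure is ignored
  optional   - only decides if no other module in the stack did
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # returned when no module produced a success


@dataclass(frozen=True)
class Entry:
    group: str      # "auth", "account", "password" or "session"
    control: str    # "required", "requisite", "sufficient" or "optional"
    module: str     # e.g. "pam_ldap.so"; module arguments are ignored here


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.d-style lines: <group> <control> <module> [args...]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module = line.split()[:3]
        entries.append(Entry(group, control, module))
    return entries


def run_stack(entries: List[Entry], group: str,
              outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk one group's stack the way pam_authenticate()/pam_open_session() do.

    `outcomes` maps module -> the code that module would return for this user.
    Returns (final status, modules actually consulted) so the caller can see
    where the stack short-circuited.
    """
    consulted: List[str] = []
    first_failure: Optional[str] = None   # remembered from a required module
    succeeded = False                     # a required/requisite module said yes
    decisive_seen = False                 # any non-optional module was consulted
    optional_status: Optional[str] = None
    for e in (x for x in entries if x.group == group):
        status = outcomes[e.module]
        consulted.append(e.module)
        if e.control == "requisite":
            decisive_seen = True
            if status != PAM_SUCCESS:
                return (first_failure or status), consulted
            succeeded = True
        elif e.control == "required":
            decisive_seen = True
            if status == PAM_SUCCESS:
                succeeded = True
            elif first_failure is None:
                first_failure = status     # keep walking; do not leak which module failed
        elif e.control == "sufficient":
            decisive_seen = True
            if status == PAM_SUCCESS:
                return (first_failure or PAM_SUCCESS), consulted
        elif e.control == "optional":
            optional_status = status
        else:
            raise ValueError(f"unsupported control flag {e.control!r}")
    if first_failure is not None:
        return first_failure, consulted
    if succeeded:
        return PAM_SUCCESS, consulted
    if not decisive_seen and optional_status is not None:
        return optional_status, consulted
    return PAM_PERM_DENIED, consulted


# Constructed configs: the stack from the post, plus a pam_unix-only stack.
PAM_CONF = """
auth       sufficient pam_ldap.so
auth       required   pam_unix_auth.so try_first_pass
session    required   pam_motd.so
"""
NSSWITCH_ONLY_CONF = """
auth       required   pam_unix_auth.so try_first_pass
session    required   pam_motd.so
"""

# Constructed stand-ins for what each module would answer for each user:
# "stray" exists only in LDAP, "local" only in /etc/shadow.
OUTCOMES: Dict[str, Dict[str, str]] = {
    "stray": {"pam_ldap.so": PAM_SUCCESS, "pam_unix_auth.so": PAM_USER_UNKNOWN,
              "pam_motd.so": PAM_SUCCESS},
    "local": {"pam_ldap.so": PAM_USER_UNKNOWN, "pam_unix_auth.so": PAM_SUCCESS,
              "pam_motd.so": PAM_SUCCESS},
}


def login(user: str, conf: str = PAM_CONF) -> Tuple[str, List[str], List[str]]:
    """Run the auth stack, then (only on success) the session stack, as a
    login program does.  Returns (auth status, auth modules, session modules)."""
    entries = parse_pam_conf(conf)
    status, auth_path = run_stack(entries, "auth", OUTCOMES[user])
    if status != PAM_SUCCESS:
        return status, auth_path, []
    _, session_path = run_stack(entries, "session", OUTCOMES[user])
    return status, auth_path, session_path


if __name__ == "__main__":
    for user in ("stray", "local"):
        print(user, login(user))
    print("stray without pam_ldap line:", login("stray", NSSWITCH_ONLY_CONF))
```

With the post's stack, `stray` succeeds after pam_ldap.so alone and pam_unix_auth.so is never consulted, `local` falls through to pam_unix_auth.so, and in both cases pam_motd.so still runs because the `session` stack is dispatched separately. With the pam_unix-only stack, `stray` fails with the pam_unix result and pam_ldap.so is never called, which is the "never even asks the ldap server" symptom.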

