ldap/pam problem
Before I ask more detailed questions, I wanted to know if I really
need to edit the /etc/pam.d files presuming that I've modified my
/etc/nsswitch.conf file?

If so, then when I tried those modifications, I couldn't figure out
how to get reasonable behavior. If you have

  auth sufficient pam_ldap.so
  auth required pam_unix_auth.so try_first_pass

then if the entry is found in ldap, pam returns and you never execute
things like motd, etc. which is not what you want.

Presuming that setting up /etc/nsswitch.conf is sufficient, I still
can't get things to work. If I try to log in as a normal (non-ldap)
user, everything's fine, and I can see that it's asking the ldap
server for the user and getting no answer (as an aside, it looks like
it's asking the ldap server for a bunch of fields that the
MigrationTools didn't create (shadowmax, shadowmin, etc)). Then it
lets that user log in as usual based on their shadow passwd entry.
However, if I try to log in as stray (which is the user that has no
shadow passwd/group entry, but has an ldap entry), it never even asks
the ldap server, it just fails. If I try su instead, I get "su:
problem establishing PAM_RUSER" also with no attempt to contact the
ldap server.

I think I got my pam_ldap.conf right -- the relevant lines should be:

  base ou=People,dc=localnet
  pam_filter objectclass=account

My nsswitch.conf reads as indicated in the libnss-ldap readme:

  passwd: files nis ldap
  group: files nis ldap
  shadow: files nis ldap

(I didn't know about shadow, but I presumed it should be the same as
the others).

And I can tell that the entry for stray is in the ldap database
because I can see it with ldapsearch:

  $ ldapsearch -h localhost -v -b ou=People,dc=localnet "(& (uid=stray) (objectclass=account))"
  ldap_init( localhost, 0 )
  filter pattern: (& (uid=stray) (objectclass=account))
  returning: ALL
  filter is: ((& (uid=stray) (objectclass=account)))
  uid=stray,ou=People,dc=localnet
  uid=stray
  cn=stray
  objectclass=top
  objectclass=account
  objectclass=posixAccount
  loginshell=/bin/bash
  uidnumber=1008
  gidnumber=1008
  homedirectory=/home/stray
  gecos=,,,
  1 matches

Any help would be appreciated.

--
Rob Browning <rlb@cs.utexas.edu> PGP=E80E0D04F521A094 532B97F5D64E3930
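
Added example, not part of the original post: a simplified Python model of how Linux-PAM's keyword control flags (required, requisite, sufficient, optional) decide one management group, run against the two auth lines quoted in the message. The function names and the per-module outcomes are constructed for illustration; no real PAM module is called.

```python
# Simplified model of Linux-PAM keyword control flags for one management
# group. Module outcomes are constructed inputs; no real PAM module runs.

POST_STACK = """
auth sufficient pam_ldap.so
auth required pam_unix_auth.so try_first_pass
"""

def parse_stack(text):
    """Parse 'type control module [args...]' lines, skipping comments."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *args = line.split()
            stack.append((mtype, control, module, args))
    return stack

def evaluate(stack, results, mtype="auth"):
    """Return (granted, modules_run). results: module -> True/False."""
    failed = False      # a required/requisite module has failed
    succeeded = False   # some module has reported success
    ran = []
    for entry_type, control, module, _args in stack:
        if entry_type != mtype:
            continue
        ok = results[module]
        ran.append(module)
        if ok:
            succeeded = True
            if control == "sufficient" and not failed:
                return True, ran        # stack stops here
        elif control == "requisite":
            return False, ran           # immediate failure
        elif control == "required":
            failed = True               # fail later, keep running
        # a failed 'sufficient' or 'optional' module is ignored
    return (succeeded and not failed), ran

if __name__ == "__main__":
    stack = parse_stack(POST_STACK)
    for ldap_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        outcome = {"pam_ldap.so": ldap_ok, "pam_unix_auth.so": unix_ok}
        print(outcome, "->", evaluate(stack, outcome))
```

The first case shows the stack returning after pam_ldap.so alone; the other two show the fall-through to pam_unix_auth.so when the LDAP module does not succeed.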