pam_ldap on woody
Anyone here gotten this working? I seem to be able to
get it to query the LDAP server as long as there is
an existing account in /etc/passwd, but without an existing
account, PAM does not query the LDAP server (running slapd
with debug 4095).
My /etc/pam.d/login:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
My /etc/pam.d/ssh:
auth sufficient /lib/security/pam_ldap.so
account sufficient /lib/security/pam_ldap.so
session sufficient /lib/security/pam_ldap.so
My /etc/pam_ldap.conf:
host 127.0.0.1
base o=aphroland,c=us
ldap_version 2
rootbinddn cn=admin,o=aphroland,c=us
pam_filter objectclass=uid
pam_login_attribute uid
pam_password md5
The account I'm trying to log in as (in LDIF format):
dn: cn=test account, ou=Information Technology, o=aphroland, c=us
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
jpegPhoto:< file:///home/aphro/genericuser.jpg
uid: testa
cn: test account
sn: account
givenname: test
userpassword: {MD5}MjF1X8aWeXmvUXrKsCV4Dg==
telephoneNumber: 000-000-0000
facsimiletelephonenumber: 000-000-0000
mobile: 000-000-0000
postaladdress: my_address
labeleduri: http://portal.aphroland.org/
mail: my@email.address
loginShell: /bin/bash
uidNumber: 1010
gidNumber: 1010
homeDirectory: /home/testa
gecos: test
description: System Admin
localityName: Bellevue
(I changed a bunch of stuff to remove the personal info...)
The password is 'hoth'. It appears to work, as I can 'login'
to the LDAP using the Netscape address book, and it works.
I use slappasswd to generate the password.
If I install the nss ldap package I can finger the account,
but still cannot login.
There has to be another PAM setting somewhere that is blocking
account checking because it doesn't exist in /etc/passwd.
I've gone to half a dozen or more different sites that talk
about LDAP with PAM but have not been able to find info
to help. Also read about a dozen posts in the archives, to
no avail either.
I have tried at least 5 different variations on /etc/pam.d
configuration.
Pulling my hair out!!
Any ideas appreciated as usual :)
Thanks!
nate
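A check worth running before touching the PAM stack any further, as an added example that is not part of the original post: pam_ldap looks an account up by ANDing the configured pam_filter with "<pam_login_attribute>=<login name>", so the directory entry must match that combined filter or the module never sees the account at all. The script below reproduces that filter construction, evaluates it against a constructed copy of the posted entry (only the attributes the check needs are kept; the parser and filter evaluator are this example's own, not pam_ldap's code), and also shows how the {MD5} userPassword form that slappasswd emits is built so the stored value can be verified offline. Evaluation of the posted pam_filter value "objectclass=uid" against the entry matches nothing, since "uid" is not one of its objectClass values, whereas "objectclass=posixAccount" matches.

```python
"""Evaluate the search filter pam_ldap would send against an LDIF entry.

Added example, not from the original post. Assumptions: pam_ldap ANDs
pam_filter with "<pam_login_attribute>=<login>", and the {MD5} userPassword
scheme is the base64 encoding of the raw 16-byte MD5 digest (unsalted).
"""
import base64
import hashlib
import hmac

# Constructed subset of the entry from the post (attribute names are
# case-insensitive in LDAP, so the parser lower-cases them).
LDIF_ENTRY = """\
dn: cn=test account, ou=Information Technology, o=aphroland, c=us
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: testa
cn: test account
uidNumber: 1010
gidNumber: 1010
homeDirectory: /home/testa
"""


def parse_ldif(text):
    """Parse one plain LDIF entry into {lower-case attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def build_pam_filter(login, login_attribute="uid", pam_filter=None):
    """Build the filter pam_ldap sends: (&(<attr>=<login>)(<pam_filter>))."""
    base = "(%s=%s)" % (login_attribute, login)
    if pam_filter:
        return "(&%s(%s))" % (base, pam_filter)
    return base


def split_components(s):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, filt):
    """Evaluate a small RFC 4515 subset (=, presence, &, |, !) against an entry.

    Simplification: every equality match is case-insensitive, which is the
    matching rule for objectClass and uid but not for every attribute.
    """
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[0] in "&|!":
        results = [matches(entry, p) for p in split_components(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = entry.get(attr.strip().lower(), [])
    if value.strip() == "*":          # presence filter, e.g. (uidNumber=*)
        return bool(values)
    return any(v.lower() == value.strip().lower() for v in values)


def make_md5_userpassword(clear):
    """Produce the {MD5} form (base64 of the raw, unsalted MD5 digest)."""
    digest = hashlib.md5(clear.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def check_md5_userpassword(stored, clear):
    """Constant-time comparison of a clear-text password against a {MD5} value."""
    return hmac.compare_digest(make_md5_userpassword(clear), stored)


if __name__ == "__main__":
    entry = parse_ldif(LDIF_ENTRY)
    for pf in ("objectclass=uid", "objectclass=posixAccount"):
        filt = build_pam_filter("testa", "uid", pf)
        print("%-45s -> %s" % (filt, "match" if matches(entry, filt) else "NO MATCH"))
```

The same filter can be handed to ldapsearch against the live server to confirm that the directory agrees with the offline evaluation; if the combined filter returns no entry there, no amount of /etc/pam.d tuning will make pam_ldap accept the login.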