Re: ldap re-creating database
On Mon, Nov 18, 2002 at 17:54:43 -0800, nate wrote:
> did you restart SSH after making the change?
> I have privilege separation set to no, just because I haven't had a
> chance to test it with yes yet, I don't think it would work with the
> strict permissions on the pam_ldap.conf. maybe you can get around
> this by using group permissions.
Actually that was one problem. I changed UsePrivilegeSeparation to no
rather than just being commented out. I guess yes is the default.
After retrying, it still didn't work, but I figured out why: because
the user aphro doesn't exist on my system.
So I did the following:
Created a short ldif file to add user mark to the ldap directory
Used ldapadd to add the user and group. And it worked!
Then I tried to ssh in on localhost and entered the password. I saw the
log messages fly across in the terminal I started slapd in. Then I was
logged in. Note that the password I set in the ldap database is
different to my real password so I know that if it lets me in with it
then I was authenticated through ldap. Also, entering an incorrect
password refuses me.
Woooo hooooo. Wooo hooooo! It works!
One thing interesting though is that if I enter my proper system
password then ldap refuses me once and gives another Password: prompt.
If I then enter the proper system password again, I am allowed to login.
So ssh must check /etc/passwd and /etc/shadow too. Which makes sense
from the settings in /etc/pam.d/ssh which say:
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # 
So you would expect ssh to fall back to pam_unix.so etc.
Thanks again. Now that I have the basic functionality, I can go about
customising further. Especially now that I can get ldapadd to work as
it should, I feel more comfortable about being able to add and modify
I look forward to your next version of the ldap howto for Debian :-)
I haven't any experience with Wiki etc. that you mention. The real
reason I wanted to get this stuff to work was so that I could try and
get postfix and Courier IMAP to use it and then install Jamm. I was
reading the howto at:
Which seemed like a neat way to manage a mail server even if it does
provide more functionality than I need. Also I am keen on installing
JBoss and Tomcat and experimenting more with Java webapps and EJBs.
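As an added illustration (not part of the message above, nor Debian's or Linux-PAM's own code), here is a small Python model of the quoted /etc/pam.d/ssh auth stack with Linux-PAM's required/sufficient semantics. The user name and both passwords are constructed, with the LDAP password deliberately different from the Unix one as in the message, so the model reproduces the "refused once, then a second Password: prompt" behaviour.

```python
# Model of how Linux-PAM walks the "auth" stack quoted in the message
# (pam_ldap sufficient, then pam_nologin/pam_unix/pam_env required).
# Written for this page, not real PAM code: each "module" is a function
# returning True (PAM_SUCCESS) or False, and may prompt for a password.
from typing import Callable, List, Tuple

# Constructed credential stores: the LDAP password differs from the
# /etc/shadow one, as in the message, so we can tell which module passed.
LDAP_PASSWORDS = {"mark": "ldap-secret"}
UNIX_PASSWORDS = {"mark": "unix-secret"}

def pam_ldap(user: str, ask: Callable[[], str]) -> bool:
    return LDAP_PASSWORDS.get(user) == ask()      # prompts once

def pam_unix(user: str, ask: Callable[[], str]) -> bool:
    return UNIX_PASSWORDS.get(user) == ask()      # prompts again

def pam_nologin(user: str, ask: Callable[[], str]) -> bool:
    return True   # no /etc/nologin in this model

def pam_env(user: str, ask: Callable[[], str]) -> bool:
    return True   # only sets environment variables, never rejects

# /etc/pam.d/ssh from the message as (control flag, module) pairs.
SSH_AUTH_STACK: List[Tuple[str, Callable]] = [
    ("sufficient", pam_ldap),
    ("required", pam_nologin),
    ("required", pam_unix),
    ("required", pam_env),
]

def run_auth_stack(stack, user: str, typed: List[str]) -> Tuple[bool, int]:
    """Return (authenticated, number of Password: prompts); typed = passwords entered."""
    prompts = 0

    def ask() -> str:
        nonlocal prompts
        prompts += 1
        return typed[prompts - 1] if prompts <= len(typed) else ""

    failed = False
    for control, module in stack:
        ok = module(user, ask)
        if control == "sufficient" and ok and not failed:
            return True, prompts      # success ends the stack early
        if control == "required" and not ok:
            failed = True             # remembered, but the stack continues
    return not failed, prompts
```

With the Unix password, pam_ldap (sufficient) fails and is ignored, then pam_unix (required) prompts a second time and succeeds, which is the double prompt described above. In real Linux-PAM, adding `try_first_pass` to the pam_unix.so line makes it reuse the password pam_ldap already collected, so a correct system password is not asked for twice.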