Re: ldap re-creating database

To: debian-user@lists.debian.org
Subject: Re: ldap re-creating database
From: mdevin <mdevin@ozemail.com.au>
Date: Tue, 19 Nov 2002 13:24:18 +1000
Message-id: <[🔎] 20021119032418.GL13036@shark>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 3677.216.39.174.24.1037670883.squirrel@webmail.linuxpowered.net>
References: <[🔎] 20021118062446.GC12271@shark> <[🔎] 23973.216.39.174.24.1037603516.squirrel@webmail.linuxpowered.net> <[🔎] 20021118072324.GA13036@shark> <[🔎] 20021118102933.GB13036@shark> <[🔎] 17758.216.39.174.24.1037649028.squirrel@webmail.linuxpowered.net> <20021119012408.GJ13036@shark> <[🔎] 3677.216.39.174.24.1037670883.squirrel@webmail.linuxpowered.net>

On Mon, Nov 18, 2002 at 17:54:43 -0800, nate wrote:
> did you restart SSH after making the change?
Yes.

> I have priviledge speration set to no, just because I haven't had a
> chance to test  it with yes yet, I don't think it would work with the
> strict permissions on the pam_ldap.conf.  maybe you can get around
> this by using group permissions.

Actually that was one problem.  I changed UsePrivilegeSeparation to no
rather than just being commented out.  I guess yes is the default.

After retrying it still didn't work - but I figured out why:  Because
the user aphro doesn't exist on my system.

So I did the following:
Created a short ldif file to add user mark to the ldap directory
Used ldapadd to add the user and group.  And it worked!

Then I tried to ssh in on localhost and entered the password.  I saw the
log messages fly across in the terminal I started slapd in.  Then I was
logged in.  Note that the password I set in the ldap database is
different to my real password so I know that if it lets me in with it
then I was authenticated through ldap.  Also entering in incorrect
password refuses me.

Woooo hooooo.  Wooo hooooo!  It works!

One thing interesting though is that if I enter my proper system
password then ldap refuses me once and gives another Password: prompt.
If I then enter the proper system password again, I am allowed to login.
So ssh must check /etc/passwd and /etc/shadow too.  Which makes sense
from the settings in /etc/pam.d/ssh which say:
auth       sufficient   pam_ldap.so
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]

So you would expect ssh to fall back to pam_unix.so etc.

Thanks again.  Now that I have the basic functionality, I can go about
customising further.  Especially now that I can get ldapadd to work as
it should I feel more comfortable about being able to add and modify
entries etc.

I look forward to your next version of the ldap howto for Debian :-)

I haven't any experience with Wiki etc. that you mention.  The real
reason I wanted to get this stuff to work was so that I could try and
get postfix and Courier IMAP to use it and then install Jamm.  I was
reading the howto at:
http://jamm.sourceforge.net/howto/single-html/mailserver.html
Which seemed like a neat way to manage a mail server even if it does
provide more functionality than I need.  Also I am keen on installing
JBoss and Tomcat and experimenting more with Java webapps and EJBs.

Thanks again.

Cheers.
Mark.

Reply to:

Follow-Ups:
- Re: ldap re-creating database
  - From: "nate" <debian-user@aphroland.org>
- Re: ldap re-creating database
  - From: Derrick 'dman' Hudson <dman@dman.ddts.net>

References:
- Re: ldap re-creating database
  - From: mdevin <mdevin@ozemail.com.au>
- Re: ldap re-creating database
  - From: "nate" <debian-user@aphroland.org>
- Re: ldap re-creating database
  - From: mdevin <mdevin@ozemail.com.au>
- Re: ldap re-creating database
  - From: mdevin <mdevin@ozemail.com.au>
- Re: ldap re-creating database
  - From: "nate" <debian-user@aphroland.org>
- Re: ldap re-creating database
  - From: "nate" <debian-user@aphroland.org>

Prev by Date: Re: Train simulator
Next by Date: Re: [OT] Clearing a BIOS password
Previous by thread: Re: ldap re-creating database
Next by thread: Re: ldap re-creating database
Index(es):
- Date
- Thread