
Re: ldap re-creating database

On Mon, Nov 18, 2002 at 17:54:43 -0800, nate wrote:
> did you restart SSH after making the change?

> I have privilege separation set to no, just because I haven't had a
> chance to test it with yes yet, I don't think it would work with the
> strict permissions on the pam_ldap.conf.  maybe you can get around
> this by using group permissions.

Actually that was one problem.  I changed UsePrivilegeSeparation to no
rather than just being commented out.  I guess yes is the default.

After retrying it still didn't work - but I figured out why:  Because
the user aphro doesn't exist on my system.

So I did the following:
Created a short ldif file to add user mark to the ldap directory
Used ldapadd to add the user and group.  And it worked!

Then I tried to ssh in on localhost and entered the password.  I saw the
log messages fly across in the terminal I started slapd in.  Then I was
logged in.  Note that the password I set in the ldap database is
different to my real password, so I know that if it lets me in with it
then I was authenticated through ldap.  Also, entering an incorrect
password refuses me.

Woooo hooooo.  Wooo hooooo!  It works!

One thing interesting though is that if I enter my proper system
password then ldap refuses me once and gives another Password: prompt.
If I then enter the proper system password again, I am allowed to login.
So ssh must check /etc/passwd and /etc/shadow too.  Which makes sense
from the settings in /etc/pam.d/ssh which say:
auth       sufficient   pam_ldap.so
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]

So you would expect ssh to fall back to pam_unix.so etc.

Thanks again.  Now that I have the basic functionality, I can go about
customising further.  Especially now that I can get ldapadd to work as
it should I feel more comfortable about being able to add and modify
entries etc.

I look forward to your next version of the ldap howto for Debian :-)

I haven't any experience with Wiki etc. that you mention.  The real
reason I wanted to get this stuff to work was so that I could try and
get postfix and Courier IMAP to use it and then install Jamm.  I was
reading the howto at:
Which seemed like a neat way to manage a mail server even if it does
provide more functionality than I need.  Also I am keen on installing
JBoss and Tomcat and experimenting more with Java webapps and EJBs.

Thanks again.
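The double "Password:" prompt described above follows directly from the control flags in the quoted /etc/pam.d/ssh stack. This is an added toy model, not code from the mail or from Linux-PAM: the module bodies consult constructed in-memory password tables (LDAP_PASSWORDS, SHADOW_PASSWORDS) and a NOLOGIN flag instead of slapd, /etc/shadow or /etc/nologin, and `run_auth_stack` is a hypothetical helper that reports whether authentication succeeds and how many prompts the user saw.

```python
# Toy model of the Linux-PAM auth stack quoted in the mail:
#   auth sufficient pam_ldap.so / auth required pam_nologin.so
#   auth required pam_unix.so   / auth required pam_env.so
# Module bodies are stand-ins over constructed data, not the real modules.

LDAP_PASSWORDS = {"mark": "ldap-secret"}    # constructed: userPassword in LDAP
SHADOW_PASSWORDS = {"mark": "unix-secret"}  # constructed: hash in /etc/shadow
NOLOGIN_PRESENT = False                     # stands in for /etc/nologin existing


def run_auth_stack(user, typed_passwords, nologin=NOLOGIN_PRESENT):
    """Return (authenticated, prompts_shown) for the stack above.

    typed_passwords are the answers given to successive Password: prompts.
    Neither pam_ldap nor pam_unix is configured with use_first_pass, so each
    prompts on its own, which is why a Unix password is asked for twice.
    """
    answers = iter(typed_passwords)
    prompts = 0

    def prompt():
        nonlocal prompts
        prompts += 1
        return next(answers, None)

    # Each module returns True (PAM_SUCCESS) or False (any error code).
    def pam_ldap():    return prompt() == LDAP_PASSWORDS.get(user)
    def pam_nologin(): return not nologin
    def pam_unix():    return prompt() == SHADOW_PASSWORDS.get(user)
    def pam_env():     return True          # only sets environment, never fails

    stack = [("sufficient", pam_ldap), ("required", pam_nologin),
             ("required", pam_unix), ("required", pam_env)]
    required_failed = False
    for control, module in stack:
        ok = module()
        if control == "sufficient":
            if ok and not required_failed:
                return True, prompts        # short-circuit: rest of stack never runs
            # a failed "sufficient" module is ignored and the stack continues
        elif control == "required" and not ok:
            required_failed = True          # keep going so the caller can't tell which failed
    return (not required_failed), prompts
```

With this ordering the account accepts either password, and because pam_ldap comes before pam_nologin an LDAP login still succeeds while /etc/nologin exists; both are checked in the test below.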

