I have added the corresponding posix accounts in LDAP I wish to use:
Here is a LDIF snippet that works for users authenticated via LDAP:
dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: FirstName LastName
gidNumber: 1130
homeDirectory: /home/myuser
sn: LastName
uid: myuser
uidNumber: 1130
gecos: FirstName LastName
givenName: FirstName
loginShell: /bin/bash
mail: myuser@example.com
userPassword:: *******************************************************

# posixGroup has no uid attribute, so the group entry is named by its cn
# (slapd rejects an entry whose RDN attribute is not present in it)
dn: cn=myuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: myuser
gidNumber: 1130
Yet su to these accounts is still broken:
I would recommend you to (maybe you have done some already):
- check your ACLs in slapd.conf, quite a few fields need to be visible when doing anonymous binds: http://www.openldap.org/lists/openldap-software/200208/msg00855.html (you may want to add or remove some depending on what you want to achieve, but first try a loose configuration, in order to have something working)
- use a simple, "standard", structure: ou=People,dc=example,dc=com ou=Group,dc=example,dc=com
- use authconfig to generate the configs (it will update pam, nss, and various ldap.conf); you can then review them and deploy them as files, although I have found that running the command is the most predictable way to replicate a working config on client systems:
authconfig --enableldap --enableldapauth --enablecache --enablemkhomedir --ldapserver=ldap://myhost --ldapbasedn=dc=example,dc=com --passalgo=sha256 --updateall
- test all this on a separate clean environment (typically a virtual machine, before deploying it)
- maybe use the scripts in /usr/share/openldap/migration for your first import
Any idea why su _still_ isn't authenticating even though the user accounts have been added to LDAP??? :::sigh:::
Getting this to work was long and painful for me, but worth the effort. Good luck.
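The first recommendation above (ACLs must expose the posixAccount attributes to the bind nss_ldap/pam_ldap actually uses, anonymous unless binddn is set in ldap.conf) is the one worth checking mechanically before touching PAM. The script below is an added example, not part of the thread; it parses the LDIF that an anonymous ldapsearch returns and lists any attribute the NSS passwd map needs but cannot see. The server URI ldap://myhost, base dc=example,dc=com and user myuser are the thread's placeholders, and the sample LDIF it runs on by default is constructed to mimic an ACL that hides uidNumber and gidNumber.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether an anonymous
# bind can see every attribute NSS needs to build a passwd entry. If any is
# hidden, getent/su see "no such user" even though the LDIF import worked.
# Assumed placeholders: ldap://myhost, dc=example,dc=com, uid=myuser.

# Attributes nss_ldap needs from a posixAccount to synthesize a passwd line.
REQUIRED_ATTRS="uid uidNumber gidNumber homeDirectory loginShell"

# check_posix_attrs: read LDIF (ldapsearch -LLL output) on stdin.
# Prints "missing: <attrs>" and returns 1 if any required attribute is
# absent; returns 0 silently when the entry is usable by NSS.
check_posix_attrs() {
    ldif=$(cat)
    missing=""
    for attr in $REQUIRED_ATTRS; do
        # LDIF lines are "attr: value" or "attr:: base64"; attribute names
        # are case-insensitive in LDAP, hence grep -i.
        if ! printf '%s\n' "$ldif" | grep -Eqi "^${attr}::? "; then
            missing="$missing $attr"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# live_check USER: anonymous simple bind (-x with no -D/-w, which is what
# nss_ldap does unless binddn is configured), then run the attribute check.
live_check() {
    ldapsearch -x -LLL -H "${LDAPURI:-ldap://myhost}" \
        -b "${BASEDN:-dc=example,dc=com}" \
        "(&(objectClass=posixAccount)(uid=$1))" | check_posix_attrs
}

# Constructed sample: what a too-tight ACL (e.g. "access to attrs=uidNumber,
# gidNumber by * none") makes an anonymous search return.
SAMPLE_HIDDEN='dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: myuser
homeDirectory: /home/myuser
loginShell: /bin/bash'

# Stand-alone run: "./ldapcheck.sh --live myuser" queries the server,
# anything else runs the constructed sample and shows the failure mode.
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-myuser}" && echo "anonymous bind sees all NSS attributes"
else
    printf '%s\n' "$SAMPLE_HIDDEN" | check_posix_attrs \
        || echo "fix slapd.conf ACLs (e.g. 'access to * by * read') and retry"
fi
```

Read the result as a ladder: if ldapsearch shows every attribute but `getent passwd myuser` is empty, the problem is on the client side (nsswitch.conf, ldap.conf base/uri, nscd cache); if getent works but `su - myuser` still fails, the remaining suspect is the PAM stack for su (pam_ldap/pam_unix ordering in /etc/pam.d/system-auth) or the userPassword hash format, not the directory content.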