On Wed, 2009-12-16 at 13:44 -0700, Craig White wrote:
On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
I think not as well. The tactest user has been blown back out. I can re-add it from ldif again.
[root@ldap home]# getent passwd | grep example
[root@ldap home]#
[root@ldap home]# cat /etc/nsswitch.conf | grep -v #
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
[root@ldap home]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
[root@ldap home]# cat /etc/ldap.conf | grep -v #
BASE dc=tncionline, dc=net
URI ldap://127.0.0.1
port 389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
timelimit 600
bind_timelimit 600
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
base dc=tncionline, dc=net
pam_password md5
here's a big problem... /etc/ldap.conf
you need to add...(assuming this is where you have People/Groups)
nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group ou=Groups,dc=tncionline,dc=net?one
take the space out of base...
base dc=tncionline,dc=net

I'd also add (until you can deal)...
ssl no
---- oh...
nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
you can remove pserwe,dgates from the list unless you have daemon services running as those users prior to LDAP start (highly unlikely)
and if the above doesn't work, it is because your slapd.conf ACLs are blocking anonymous binds at the indicated DNs
So you might want to either simplify your ACLs, permit anonymous binds to the 'people/groups' or let us see what you've got for ACLs
these are some rules that I've found good to have in /etc/openldap/slapd.conf - YMMV
allow bind_anon_dn
access to attrs=userPassword,sambaNTPassword,sambaLMPassword by self write by anonymous auth by * none
access to dn.regex="^uid=([^,]+)ou=People,dc=azapple,dc=com$$" by self read by anonymous auth by * none
# a bottom catchall rule...
access to * by anonymous read by * read
access to dn.base="cn=Subschema" by * read
Craig
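An added illustration, not part of the thread: a small Python model of how slapd evaluates the three access rules Craig lists (the first `access to` clause whose target matches decides, then the first matching `by` clause inside it; a granted level implies every weaker one). The rule set, the requester roles and the test DNs under dc=azapple,dc=com are constructed for the example, and the second rule's regex is taken with a comma after the uid capture group (the `$$` of slapd.conf is the end anchor, a single `$` in Python).

```python
import re

# slapd access levels, weakest to strongest; a granted level implies every weaker one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed model of the three slapd.conf rules from the message, in file order.
# "attrs": rule applies to those attributes of any entry; "dn_regex": to matching
# entries; "all": the bottom catch-all. Regex assumes a comma after the uid group.
RULES = [
    {"attrs": {"userPassword", "sambaNTPassword", "sambaLMPassword"},
     "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"dn_regex": r"^uid=([^,]+),ou=People,dc=azapple,dc=com$",
     "by": [("self", "read"), ("anonymous", "auth"), ("*", "none")]},
    {"all": True,
     "by": [("anonymous", "read"), ("*", "read")]},
]


def _target_matches(rule, target_dn, attr):
    if "attrs" in rule:
        return attr in rule["attrs"]
    if "dn_regex" in rule:
        return re.match(rule["dn_regex"], target_dn) is not None
    return True


def _who_matches(who, requester_dn, target_dn):
    # requester_dn is None for an anonymous (unauthenticated) client.
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return False


def granted(requester_dn, target_dn, attr, rules=RULES):
    """Access level slapd grants: the first rule whose target matches decides, and
    inside it the first matching 'by' clause. A matching rule with no matching
    'by' clause denies (implicit 'by * none'), as does running out of rules."""
    for rule in rules:
        if not _target_matches(rule, target_dn, attr):
            continue
        for who, level in rule["by"]:
            if _who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "none"


def allows(requester_dn, target_dn, attr, needed):
    """True if the granted level is at least 'needed' (for example 'read' or 'auth')."""
    return LEVELS.index(granted(requester_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Running it shows why the second rule matters for nss_ldap: anyone but the entry itself gets only `auth` on entries under ou=People, so anonymous passwd lookups against those entries are denied before the catch-all is reached, while Groups entries fall through to it and are readable.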