[CentOS] {Disarmed} Re: Problems with nss_ldap - where to start?
Craig White
craigwhite at azapple.com
Wed Dec 16 20:44:30 UTC 2009
On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> I think not as well. The tactest user has been blown back out. I can
> re-add it from ldif again.
>
> [root at ldap home]# getent passwd | grep example
> [root at ldap home]#
>
> [root at ldap home]# cat /etc/nsswitch.conf | grep -v \#
>
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> hosts: files dns
>
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: nisplus
>
> publickey: nisplus
>
> automount: files nisplus
> aliases: files nisplus
>
> [root at ldap home]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> [root at ldap home]# cat /etc/ldap.conf | grep -v \#
>
>
> BASE dc=tncionline, dc=net
> URI ldap://127.0.0.1
> port 389
>
> SIZELIMIT 12
> TIMELIMIT 15
> DEREF never
> timelimit 600
> bind_timelimit 600
> bind_policy soft
> idle_timelimit 3600
>
> nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> base dc=tncionline, dc=net
> pam_password md5
----
here's a big problem... /etc/ldap.conf
you need to add...(assuming this is where you have People/Groups)
nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group ou=Groups,dc=tncionline,dc=net?one
take the space out of base...
base dc=tncionline,dc=net
I'd also add (until you can deal)...
ssl no
Craig
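As an added example (not code from the thread or from nss_ldap itself), a small Python linter that checks an nss_ldap /etc/ldap.conf for the problems raised in this exchange: missing nss_base_* entries, the basedn?scope?filter syntax those entries use, whitespace after the comma in the base DN, and a DN component that lacks its attribute type (a bare "tncionline" instead of "dc=tncionline"). The sample configuration is constructed to mirror the one quoted above, and the last check (ssl off against a non-loopback URI) is an extra caveat of mine, not something the thread states.

```python
import re

# Constructed sample modelled on the config quoted in the thread, not a real file.
SAMPLE_LDAP_CONF = """\
BASE dc=tncionline, dc=net
URI ldap://127.0.0.1
base dc=tncionline, dc=net
nss_base_passwd ou=People,tncionline,dc=net?one
"""
NSS_MAPS = ("nss_base_passwd", "nss_base_shadow", "nss_base_group")

def parse_ldap_conf(text):
    """Keyword/value pairs of non-comment lines; keys lowercased, last one wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def dn_issues(dn):
    """Spaces around the RDN separator and components that are not attr=value."""
    issues = []
    if re.search(r"\s,|,\s", dn):
        issues.append("whitespace around ',' in %r" % dn)
    for rdn in dn.split(","):
        if "=" not in rdn:
            issues.append("component %r is not attr=value" % rdn.strip())
    return issues

def parse_nss_base(value):
    """Split the nss_base_* value 'basedn?scope?filter'; scope defaults to sub."""
    parts = (value.split("?") + ["", ""])[:3]
    return parts[0], parts[1] or "sub", parts[2]

def lint(conf):
    """Findings for the problems raised in the thread, plus a cleartext check."""
    findings = dn_issues(conf["base"]) if "base" in conf else ["base not set"]
    for key in NSS_MAPS:
        if key not in conf:
            findings.append("%s not set; lookups fall back to the global base" % key)
            continue
        dn, scope, _ = parse_nss_base(conf[key])
        findings += dn_issues(dn)
        if scope not in ("base", "one", "sub"):
            findings.append("%s: unknown scope %r" % (key, scope))
    # Cleartext caveat (my addition): plain ldap:// to a remote host with ssl off.
    m = re.match(r"ldap://([^:/]+)", conf.get("uri", ""))
    if m and conf.get("ssl", "no") == "no" and m.group(1) not in ("127.0.0.1", "localhost", "::1"):
        findings.append("ssl no with non-loopback URI host %r: cleartext binds" % m.group(1))
    return findings
```

Run `lint(parse_ldap_conf(SAMPLE_LDAP_CONF))` to see the four findings for the sample; feeding it the corrected entries from the reply above yields an empty list.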