I just had those users in there because I didn't want to attempt to hit ldap for known local users.

Peter

On Wed, Dec 16, 2009 at 12:58 PM, Craig White <craigwhite at azapple.com> wrote:

> On Wed, 2009-12-16 at 13:44 -0700, Craig White wrote:
> > On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> > > I think not as well. The tactest user has been blown back out. I can
> > > re-add it from ldif again.
> > >
> > > [root@ldap home]# getent passwd | grep example
> > > [root@ldap home]#
> > >
> > > [root@ldap home]# cat /etc/nsswitch.conf | grep -v \#
> > >
> > > passwd:     files ldap
> > > shadow:     files ldap
> > > group:      files ldap
> > >
> > > hosts:      files dns
> > >
> > > bootparams: nisplus [NOTFOUND=return] files
> > >
> > > ethers:     files
> > > netmasks:   files
> > > networks:   files
> > > protocols:  files
> > > rpc:        files
> > > services:   files
> > >
> > > netgroup:   nisplus
> > >
> > > publickey:  nisplus
> > >
> > > automount:  files nisplus
> > > aliases:    files nisplus
> > >
> > > [root@ldap home]# cat /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_ldap.so use_first_pass
> > > auth        required      pam_deny.so
> > >
> > > account     required      pam_unix.so broken_shadow
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > account     required      pam_permit.so
> > >
> > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_ldap.so use_authtok
> > > password    required      pam_deny.so
> > >
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_mkhomedir.so
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_ldap.so
> > >
> > > [root@ldap home]# cat /etc/ldap.conf | grep -v \#
> > >
> > > BASE dc=tncionline, dc=net
> > > URI ldap://127.0.0.1
> > > port 389
> > >
> > > SIZELIMIT 12
> > > TIMELIMIT 15
> > > DEREF never
> > > timelimit 600
> > > bind_timelimit 600
> > > bind_policy soft
> > > idle_timelimit 3600
> > >
> > > nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> > > base dc=tncionline, dc=net
> > > pam_password md5
> > ----
> > here's a big problem... /etc/ldap.conf
> >
> > you need to add... (assuming this is where you have People/Groups)
> >
> > nss_base_passwd ou=People,dc=tncionline,dc=net?one
> > nss_base_shadow ou=People,dc=tncionline,dc=net?one
> > nss_base_group  ou=Groups,dc=tncionline,dc=net?one
> >
> > take the space out of base...
> > base dc=tncionline,dc=net
> >
> > I'd also add (until you can deal)...
> > ssl no
> ----
> oh...
>
> > nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
>
> you can remove pserwe,dgates from the list unless you have daemon services
> running as those users prior to LDAP start (highly unlikely)
>
> and if the above doesn't work, it is because your slapd.conf ACLs are
> blocking anonymous binds at the indicated DNs
>
> So you might want to either simplify your ACLs, permit anonymous binds to
> the 'people/groups' or let us see what you've got for ACLs
>
> these are some rules that I've found good to have in
> /etc/openldap/slapd.conf - YMMV
>
> allow bind_anon_dn
>
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
>     by self write
>     by anonymous auth
>     by * none
>
> access to dn.regex="^uid=([^,]+),ou=People,dc=azapple,dc=com$$"
>     by self read
>     by anonymous auth
>     by * none
>
> # a bottom catchall rule...
> access to *
>     by anonymous read
>     by * read
>
> access to dn.base="cn=Subschema" by * read
>
> Craig
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Peter Serwe
http://truthlightway.blogspot.com/
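The three problems Craig points out in the posted /etc/ldap.conf (a space inside `base`, no `nss_base_passwd`/`nss_base_shadow`/`nss_base_group`, and regular users sitting in `nss_initgroups_ignoreusers`) are all things a short lint check can catch before anyone starts suspecting slapd ACLs. The script below is an added example written for this thread, not code from either poster or from nss_ldap; the ldap.conf and /etc/passwd excerpts in it are constructed (the passwd one mirrors the user list from the thread), and the uid < 500 system-account threshold is taken from the `pam_succeed_if` lines in the posted system-auth.

```python
"""Lint an nss_ldap-style /etc/ldap.conf for the misconfigurations discussed
in the thread. Added example, not part of the original list post."""
import re

# Constructed sample: the config as posted (space in base, no nss_base_*
# lines, two human accounts in the initgroups ignore list).
SAMPLE_LDAP_CONF = """\
BASE dc=tncionline, dc=net
URI ldap://127.0.0.1
port 389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
timelimit 600
bind_timelimit 600
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
base dc=tncionline, dc=net
pam_password md5
"""

# Constructed sample: the same file with the changes suggested in the thread.
FIXED_LDAP_CONF = """\
base dc=tncionline,dc=net
uri ldap://127.0.0.1
ssl no
nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group ou=Groups,dc=tncionline,dc=net?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
pam_password md5
"""

# Constructed /etc/passwd excerpt; uids are made up, only the <500 boundary
# matters (same threshold pam_succeed_if uses in the posted system-auth).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
named:x:25:25:Named:/var/named:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
pserwe:x:500:500:Peter Serwe:/home/pserwe:/bin/bash
dgates:x:501:501:D Gates:/home/dgates:/bin/bash
"""

SYSTEM_UID_MAX = 500
REQUIRED_MAPS = ("nss_base_passwd", "nss_base_shadow", "nss_base_group")


def parse_ldap_conf(text):
    """Return {key: value} for non-comment lines. nss_ldap treats keys
    case-insensitively, so they are lowercased; a later key overrides."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_passwd(text):
    """Return {username: uid} from passwd-format lines."""
    uids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[fields[0]] = int(fields[2])
    return uids


def lint_ldap_conf(conf_text, passwd_text):
    """Return a list of findings (strings); an empty list means all checks passed."""
    conf = parse_ldap_conf(conf_text)
    uids = parse_passwd(passwd_text)
    findings = []

    base = conf.get("base", "")
    if not base:
        findings.append("base: not set")
    elif re.search(r"\s", base):
        findings.append("base: contains whitespace (%r); remove the spaces after the commas" % base)

    for key in REQUIRED_MAPS:
        if key not in conf:
            findings.append("%s: not set; point it at the People/Groups OU (e.g. ...?one)" % key)
            continue
        search_base = conf[key].split("?", 1)[0]
        # Each map should live under the configured base DN.
        if base and not search_base.lower().endswith(base.lower()):
            findings.append("%s: %s is not under base %s" % (key, search_base, base))

    ignored = [u for u in conf.get("nss_initgroups_ignoreusers", "").split(",") if u]
    for user in ignored:
        uid = uids.get(user)
        if uid is None:
            findings.append("nss_initgroups_ignoreusers: %s is not a local account" % user)
        elif uid >= SYSTEM_UID_MAX:
            findings.append("nss_initgroups_ignoreusers: %s (uid %d) is a regular user, not a daemon" % (user, uid))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print("%s config:" % name)
        for finding in lint_ldap_conf(text, SAMPLE_PASSWD) or ["  (no findings)"]:
            print("  " + finding)
```

Run against the posted config it reports the whitespace in `base`, the three missing `nss_base_*` maps, and `pserwe`/`dgates` in the ignore list; the corrected config produces no findings. To use it on a real host, read /etc/ldap.conf and /etc/passwd into the two text arguments instead of the constructed samples.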