[CentOS] ldif invalid per syntax
Mathieu Baudier
mbaudier at argeo.org
Mon Oct 11 05:34:51 UTC 2010
> I have added the corresponding posix accounts in LDAP I wish to use:
Here is a LDIF snippet that works for users authenticated via LDAP:

dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: FirstName LastName
gidNumber: 1130
homeDirectory: /home/myuser
sn: LastName
uid: myuser
uidNumber: 1130
gecos: FirstName LastName
givenName: FirstName
loginShell: /bin/bash
mail: myuser@example.com
userPassword:: *******************************************************

# posixGroup has no uid attribute, so the group entry is named by cn
dn: cn=myuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: myuser
gidNumber: 1130

> Yet su to these accounts is still broken:
I would recommend you to (maybe you have done some already):
- check your ACLs in slapd.conf, quite a few fields need to be visible
when doing anonymous binds:
http://www.openldap.org/lists/openldap-software/200208/msg00855.html
(you may want to add or remove some depending on what you want to
achieve, but first try a loose configuration, in order to have
something working)
- use a simple, "standard", structure:
ou=People,dc=example,dc=com
ou=Group,dc=example,dc=com
- use authconfig to generate the configs (it will update pam, nss, and
various ldap.conf), you can then review them and deploy them as files,
although I have found that running the command is the most predictable
way to replicate a working config on client systems
  authconfig --enableldap --enableldapauth --enablecache \
    --enablemkhomedir --ldapserver=ldap://myhost \
    --ldapbasedn=dc=example,dc=com --passalgo=sha256 --updateall
- test all this on a separate clean environment (typically a virtual
machine, before deploying it)
- maybe use the scripts in /usr/share/openldap/migration for your first import
> Any idea why su _still_ isn't authenticating even tho the user
> accounts have been added to LDAP??? :::sigh:::
Getting this to work was long and painful for me, but worth the effort.
Good luck.
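
Added example (not part of the original message): a small offline check that catches two common reasons a posixAccount/posixGroup LDIF import is rejected, a naming attribute missing from the entry and a missing required attribute. The required-attribute sets follow RFC 2307; the sample entries are constructed, and DN parsing is simplified (no escaped commas or multi-valued RDNs).

```python
# Added example. Required attributes follow RFC 2307; SAMPLE is constructed.
REQUIRED = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
            "posixgroup": {"cn", "gidnumber"}}
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 2001
gidNumber: 2001

dn: uid=alice,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: alice
gidNumber: 2001
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; skips comments, unfolds long lines."""
    lines, entries = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        elif not raw.startswith("#"):
            lines.append(raw.rstrip())
    for block in "\n".join(lines).split("\n\n"):
        attrs = {}
        for line in filter(None, block.split("\n")):
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.lstrip(":").strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check(entries):
    """Return [(dn, problem)] for naming and required-attribute violations."""
    findings = []
    for dn, attrs in entries:
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.strip() not in attrs.get(rdn_attr.strip().lower(), []):
            findings.append((dn, f"naming attribute '{rdn_attr}' value not in entry"))
        for oc in sorted({c.lower() for c in attrs.get("objectclass", [])}):
            for missing in sorted(REQUIRED.get(oc, set()) - set(attrs)):
                findings.append((dn, f"{oc} requires '{missing}'"))
    return findings

if __name__ == "__main__":
    print(*(f"{d}: {p}" for d, p in check(parse_ldif(SAMPLE))), sep="\n")
```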