[CentOS] ldif invalid per syntax

Mon Oct 11 05:34:51 UTC 2010
Mathieu Baudier <mbaudier at argeo.org>

> I have added the corresponding posix accounts in LDAP I wish to use:

Here is a LDIF snippet that works for users authenticated via LDAP:

dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: FirstName LastName
gidNumber: 1130
homeDirectory: /home/myuser
sn: LastName
uid: myuser
uidNumber: 1130
gecos: FirstName LastName
givenName: FirstName
loginShell: /bin/bash
mail: myuser at example.com
userPassword:: *******************************************************

dn: uid=myuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: myuser
gidNumber: 1130

> Yet su to these accounts is still broken:

I would recommend you to (maybe you have done some already):

- check your ACLs in slpad.conf, quite a few fields need to be visible
when doing anonymous binds:
(you may want to add or remove some depending on what you want to
achieve, but first try a loose configuration, in order to have
something working)

- use a simple, "standard", structure:

- use authconfig to generate the configs (it will update pam, nss, and
various ldap.conf), you can then review them and deploy them as files,
although I have found that running the command is the most predictable
way to replicate a working config on client systems

authconfig --enableldap --enableldapauth --enablecache
--enablemkhomedir --ldapserver=ldap://myhost
--ldapbasedn=dc=example,dc=com --passalgo=sha256 --updateall

- test all this on a separate clean environment (typically a virtual
machine, before deploying it)

- maybe use the scripts in /usr/share/openldap/migration for your first import

> Any idea why su _still_ isn't authenticating even tho the user
> accounts have been added to LDAP??? :::sigh:::

Getting this to work was long and painful for me, but worth the effort.
Good luck.