Help the newbie please
- From: Kean Johnston <kean.johnston [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Help the newbie please
- Date: Tue, 16 Mar 2010 20:55:58 -0500
Hello everyone,
First let me preface this by stating I am a complete LDAP (and yes even
PAM) newbie, as I come from a UNIX background where PAM wasn't an option
and I have only ever used LDAP as a user before, never had to administer
it. But I need your help please, as I have been struggling for well over a
week to get things working. I think the problem I am having is with the PAM
portion of nss-pam-ldapd but if it isn't, and you either happen to know the
answer or can point me in the direction of docs or lists that may provide
it, I would be much obliged.
First let me describe the environment. Running CentOS 5.3 with a custom
compiled version of OpenLDAP 2.4.21 with nssov. Using nss-pam-ldapd (which
I will call N-P-L for short from now on) 0.7.3 but obviously not using the
daemon part of it due to using nssov. Currently I just have one host
running SLAPD but I plan on setting up replication in the near future when
I have the basic stuff worked out. What I want to achieve is this:
1. Have all normal user accounts stored only in LDAP. Only root and one
other special account, as well as all of the various package-specific
pseudo accounts need to be in the local databases. Obviously I also want
all user group membership handled in LDAP too.
2. Users must be able to change their own passwords when logged in to a
host, preferably using the standard passwd command. root must be able to
change any user's account just like in traditional UNIX using flat files.
3. Ideally I would like to be able to do some form of authorization to
hosts on an individual host basis but that can come later.
4. If a user is defined in LDAP and allowed access to the host they must be
able to SSH into the host from anywhere as long as they know their LDAP
password.
I think I have most of the required bits there but I just can't get this to
work. I will include as much of the config stuff as I can think of in the
hope that too much information is better than too little.
The relevant bits of the various configuration files are posted here so I
don't clutter the mailing list: http://unix42.com/ldap
I can do all the various LDAP things I want like ldapsearch and such but I
absolutely cannot figure out how to log in. ssh fails (ssh -vvv yields
absolutely no useful information at all), there are no errors in
/var/log/messages and pam_ldap doesn't have any form of debugging (BTW
would you accept a patch to add some?) so I can't see where it's failing.
The only GOOD news is that NSS seems to be working ok. It may in fact be
the root of my problems:
getent passwd jkj
jkj:{SSHA}REMOVED:1009:1010:Kean Johnston:/home/jkj:/bin/bash
getent shadow ldapadm
ldapadm:{SSHA}REMOVED:::::::0
The interesting thing to note here is that because user jkj does not have
an objectClass: shadowAccount the userPassword attribute is being sent as
part of the passwd lookups (getpwent) whereas ldapadm does so its
userPassword is being sent as part of the /etc/shadow lookups. I have tried
logging in via SSH with the jkj account set to have the shadowAccount
objectclass and it made no difference.
The one other thing I noticed was trying to set a user's password using the
passwd command as root. It asked for the LDAP administrator password. What
password is that? Anyway, this flies in the face of traditional use of the
passwd tool where a root user (a sysadmin) should have power to change a
user's password but may very well NOT be the LDAP administrator because a
sysadmin doesn't need and shouldn't have access to the full directory
(think: sensitive HR info in the LDAP directory). Would the following
change to pam.c fix this? (line 695):
if ((pwent!=NULL)&&(pwent->pw_uid!=getuid() && getuid() != 0))
Anyway ... any help at all would be greatly appreciated. My thanks for your
time and patience.
Kean
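The getent output quoted in the post shows the security-relevant side effect of the missing shadowAccount objectClass: the user's {SSHA} hash is returned in the passwd map, which any local process can read, instead of being confined to the shadow map. The following checker is an added example, not code from the post or from nss-pam-ldapd/nssov. It parses passwd(5)-style lines, flags any entry whose password field is a real hash rather than a placeholder, names the hash scheme, and can run the same check against the live NSS database via getent. The sample lines are constructed (the hash values are placeholders, as in the post), and the set of placeholder values and hash-prefix patterns are this example's own assumptions.

```python
"""Flag NSS passwd entries whose password field carries a real hash.

Added example (not from the post or from nss-pam-ldapd): checks for the
symptom described above, where `getent passwd` returns a {SSHA} hash for
a user that lacks the shadowAccount objectClass.
"""
import re
import subprocess

# Values the passwd field normally holds when the real hash lives in the
# shadow map (assumed set; extend for your platform).
SAFE_PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", ""}

# Common hash encodings, so a finding can name what leaked (assumed patterns).
HASH_SCHEMES = [
    (re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE), "LDAP {scheme}"),
    (re.compile(r"^\$(1|5|6|2[aby]?|y)\$"), "crypt(3)"),
]


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "passwd": passwd, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def classify_secret(field):
    """Return None for a safe placeholder, otherwise a label for what leaked."""
    if field in SAFE_PLACEHOLDERS:
        return None
    for pattern, label in HASH_SCHEMES:
        match = pattern.match(field)
        if match:
            return label.format(scheme=match.group(1).upper())
    return "unrecognised non-placeholder value"


def exposed_hashes(entries):
    """(name, kind) for every entry whose passwd field is not a placeholder."""
    findings = []
    for entry in entries:
        kind = classify_secret(entry["passwd"])
        if kind is not None:
            findings.append((entry["name"], kind))
    return findings


def scan_live():
    """Run the same check against the host's real NSS passwd database."""
    out = subprocess.run(["getent", "passwd"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_hashes(parse_passwd(out))


# Constructed sample, modelled on the getent output quoted in the post.
# Hash values are placeholders, not real credentials.
SAMPLE_PASSWD = """\
jkj:{SSHA}REMOVED:1009:1010:Kean Johnston:/home/jkj:/bin/bash
ldapadm:x:1001:1001:LDAP admin:/home/ldapadm:/bin/bash
root:x:0:0:root:/root:/bin/bash
legacy:$6$saltsalt$REMOVED:1020:1020:Legacy user:/home/legacy:/bin/sh
"""

if __name__ == "__main__":
    for name, kind in exposed_hashes(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: password hash visible in passwd lookup ({kind})")
```

On a host where the directory is the account source, an empty result from scan_live() is the state to aim for: every LDAP user's hash should surface only through the shadow map, which is what adding the shadowAccount objectClass (as the post notes for ldapadm) achieves, and the passwd map should carry only a placeholder.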