RSS feed

Help the newbie please

[Date Prev][Date Next] [Thread Prev][Thread Next]

Help the newbie please

Hello everyone,

First let me preface this by stating I am a complete LDAP (and yes even PAM) newbie, as I come from a UNIX background where PAM wasn't an option and I have only ever used LDAP as a user before, never had to administer it. But I need you help please, as I have been struggling for well over a week to get things working. I think the problem I am having is with the PAM portion of nss-pam-ldapd but if it isn't, and you either happen to know the answer or can point me in the direction of docs or lists that may provide it, I would be much obliged.

First let me describe the environment. Running CentOS 5.3 with a custom compiled version of OpenLDAP 2.4.21 with nssov. Using nss-pam-ldapd (which I will call N-P-L for short from now on) 0.7.3 but obviously not using the daemon part of it due to using nssov. Currently I just have one host running SLAPD but I plan on setting up replication in the near future when I have the basic stuff worked out. What I want to achieve is this:

1. Have all normal user accounts stored only in LDAP. Only root and one other special account, as well as all of the various package-specific pseudo accounts need to be in the local databases. Obviously I also want all user group membership handled in LDAP too. 2. Users must be able to change their own passwords when logged in to a host, preferably using the standard passwd command. root must be able to change any user's account just like in traditional UNIX using flat files. 3. Ideally I would like to be able to do some form of authorization to hosts on an individual host basis but that can come later. 4. If a user is defined in LDAP and allowed access to the host they must be able to SSH into the host from anywhere as long as they know their LDAP password.

I think I have most of the required bits there but I just can't get this to work. I will include as much of the config stuff as I can think of in the hope that too much information is better than too little.

The relevant bits of the various configuration files are posted here so I don't clutter the mailing list:

I can do all the various LDAP things I want like ldapsearch and such but I absolutely cannot figure out how to log in. ssh fails (ssh -vvv yields absolutely no useful information at all), there are no errors in /var/log/messages and pam_ldap doesn't have any form of debugging (BTW would you accept a patch to add some?) so I can't see where its failing.

The only GOOD news is that NSS seems to be working ok. It may in fact be the root of my problems:
getent passwd jkj
  jkj:{SSHA}REMOVED:1009:1010:Kean Johnston:/home/jkj:/bin/bash
getend shadow ldapadm

The interesting thing to note here is that becuase user jkj does not have and objectClass: shadowAccount the userPassword attribute is being sent as part of the passwd lookups (getpwent) whereas ldapadm does so its userPassword is being sent as part of the /etc/shadow lookups. I have tried logging in via SSH with the jkj account set to have the shadowAccount objectclass and it made no difference.

The one other thing I noticed was trying to set a users password using the passwd command as root. It asked for the LDAP administrator pasword. What password is that? Any this flies in the face of traditional use of the passwd tool where a root user (a sysadmin) should have power to change a user's password but may very well NOT be the LDAP administrator becuase a sysadmin doesn't need and shouldn't have access to the full directory (thing: sensitive HR info in the LDAP directory). Would the following change to pam.c fix this? (line 695):

if ((pwent!=NULL)&&(pwent->pw_uid!=getuid() && getuid() != 0))

Anyway ... any help at all would be greatly appreciated. My thanks for your time and patience.

To unsubscribe send an email to or see