Re: Help the newbie please

Kean Johnston wrote:
> Hello everyone,
> First let me preface this by stating I am a complete LDAP (and yes even
> PAM) newbie, as I come from a UNIX background where PAM wasn't an option
> and I have only ever used LDAP as a user before, never had to administer
> it. But I need your help please, as I have been struggling for well over
> a week to get things working. I think the problem I am having is with
> the PAM portion of nss-pam-ldapd but if it isn't, and you either happen
> to know the answer or can point me in the direction of docs or lists
> that may provide it, I would be much obliged.
> First let me describe the environment. Running CentOS 5.3 with a custom
> compiled version of OpenLDAP 2.4.21 with nssov. 

You either need to use nssov or pam_ldap+nss_ldap, not both.  The nssov overlay 
supplants both.

> Using nss-pam-ldapd
> (which I will call N-P-L for short from now on) 0.7.3 but obviously not
> using the daemon part of it due to using nssov. Currently I just have
> one host running SLAPD but I plan on setting up replication in the near
> future when I have the basic stuff worked out. What I want to achieve is
> this:
> 1. Have all normal user accounts stored only in LDAP. Only root and one
> other special account, as well as all of the various package-specific
> pseudo accounts need to be in the local databases. Obviously I also want
> all user group membership handled in LDAP too.
> 2. Users must be able to change their own passwords when logged in to a
> host, preferably using the standard passwd command. root must be able to
> change any user's account just like in traditional UNIX using flat files.
> 3. Ideally I would like to be able to do some form of authorization to
> hosts on an individual host basis but that can come later.
> 4. If a user is defined in LDAP and allowed access to the host they must
> be able to SSH into the host from anywhere as long as they know their
> LDAP password.
> I think I have most of the required bits there but I just can't get this
> to work. I will include as much of the config stuff as I can think of in
> the hope that too much information is better than too little.
> The relevant bits of the various configuration files are posted here so
> I don't clutter the mailing list:
> I can do all the various LDAP things I want like ldapsearch and such but
> I absolutely cannot figure out how to log in. ssh fails (ssh -vvv yields
> absolutely no useful information at all), there are no errors in
> /var/log/messages and pam_ldap doesn't have any form of debugging (BTW
> would you accept a patch to add some?) so I can't see where its failing.
> The only GOOD news is that NSS seems to be working ok. It may in fact be
> the root of my problems:
> getent passwd jkj
>   jkj:{SSHA}REMOVED:1009:1010:Kean Johnston:/home/jkj:/bin/bash
> getent shadow ldapadm
>   ldapadm:{SSHA}REMOVED:::::::0
> The interesting thing to note here is that because user jkj does not
> have an objectClass: shadowAccount the userPassword attribute is being
> sent as part of the passwd lookups (getpwent) whereas ldapadm does so
> its userPassword is being sent as part of the /etc/shadow lookups. I
> have tried logging in via SSH with the jkj account set to have the
> shadowAccount objectclass and it made no difference.
> The one other thing I noticed was trying to set a user's password using
> the passwd command as root. It asked for the LDAP administrator password.
> What password is that? Anyway this flies in the face of traditional use of
> the passwd tool where a root user (a sysadmin) should have power to
> change a user's password but may very well NOT be the LDAP administrator
> because a sysadmin doesn't need and shouldn't have access to the full
> directory (think: sensitive HR info in the LDAP directory). Would the
> following change to pam.c fix this? (line 695):
> if ((pwent!=NULL)&&(pwent->pw_uid!=getuid() && getuid() != 0))
> Anyway ... any help at all would be greatly appreciated. My thanks for
> your time and patience.
> Kean

Ryan Steele                          
Systems Administrator                          +1 215-825-2196 x758
AWeber Communications                
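The getent output quoted above shows the security issue behind the "NSS seems to be working" observation: because jkj has no shadowAccount objectClass, the userPassword hash comes back in the passwd map, which any local user can read, while ldapadm's hash only appears in the shadow map. The script below is an added example, not code from the thread or from nss-pam-ldapd, that audits passwd-format lines for such exposed hashes. The sample lines are constructed (the hash value is a placeholder); in practice you would pipe `getent passwd` into `find_exposed_hashes`.

```shell
#!/bin/sh
# Added example: flag accounts whose password field in the passwd map is a
# real hash rather than a placeholder. On a correctly configured host every
# second field should be "x", "*", "!" or empty; anything else means the
# hash is visible to every local user via getent/NSS.

# Reads passwd-format lines on stdin, prints the user name of each line
# whose password field is not a placeholder.
find_exposed_hashes() {
    awk -F: '
        NF >= 7 && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }
    '
}

# Same input, prints the number of exposed entries (handy for monitoring).
count_exposed() {
    find_exposed_hashes | wc -l | tr -d ' '
}

# Constructed sample input modelled on the thread's getent output.
# {SSHA}REMOVEDHASH is a placeholder, not a real hash.
SAMPLE='root:x:0:0:root:/root:/bin/bash
jkj:{SSHA}REMOVEDHASH:1009:1010:Kean Johnston:/home/jkj:/bin/bash
ldapadm:x:1011:1011:LDAP admin:/home/ldapadm:/bin/bash
svc:*:1012:1012:service:/var/empty:/sbin/nologin'

# Usage: ./audit.sh --sample      (run against the constructed sample)
#        getent passwd | ./audit.sh  (run against the live NSS passwd map)
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | find_exposed_hashes
elif [ ! -t 0 ] && [ "${1:-}" = "" ]; then
    find_exposed_hashes
fi
```

Against the sample this prints only `jkj`, the account whose directory entry lacks shadowAccount. Once such an account gains the shadowAccount objectClass, its userPassword moves to the shadow map and the entry drops out of this report; running the audit after each directory change is a cheap regression check that no hash has slipped back into the world-readable passwd map.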