RSS feed

Re: Need help in integration of pam and ldap using nss-pam-ldapd

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Need help in integration of pam and ldap using nss-pam-ldapd

On Tue, 2017-06-13 at 19:51 +0000, Kedar Sirshikar (ksirshik) wrote:
> dn: uid=uid_1,dc=example,dc=com
> uidNumber: 1
> dn: dc=example,dc=com
> dn: uid=uid_2,dc=example,dc=com
> uidNumber: 2
> Now I want to authenticate users created under
> ‘cn=Administrators,ou=groups,ou=system’. LDIF is as below
> dn: cn=Administrators,ou=groups,ou=system
> objectClass: groupOfUniqueNames
> uniqueMember: 0.9.2342.19200300.100.1.1=admin,
> dn: uid=uid_admin,cn=Administrators,ou=groups,ou=system
> gidNumber: 1

It is probably a little uncommon to organise your LDAP directory like
this. You usually put all your users under ou=people,dc=example,dc=com
or some such and groups under ou=groups,dc=example,dc=com. You then use
the member (uniqueMember or memberUid) attributes from groups point to
things under ou=people.
> I tried updating nslcd.conf file by adding “base group
> ‘cn=Administrators,ou=groups,ou=system’” and restarted nslcd 

The base group option can be used to specify which LDAP search base to
use for finding groups in LDAP. It does not handle authentication of

> but user uid_admin is still not getting authenticated.
> Can you please help me in knowing what I may be missing?

Since you also have users under cn=Administrators,ou=groups,ou=system
you should probably have your nslcd.conf contain:

base passwd dc=example,dc=com
base passwd cn=Administrators,ou=groups,ou=system

You could also use ou=groups,ou=system or even ou=system, but again you
probably want to set it up with ou=groups,ou=system,dc=example,dc=com
or similar.

Also the values that you have for uidNumber are pretty low and may
cause conflicts with users already present in /etc/passwd. I would
strongly recommend using user id's >= 1000 in LDAP.

Hope this helps,

-- arthur - - --
To unsubscribe send an email to or see