Re: Need help in integration of pam and ldap using nss-pam-ldapd

On Tue, 2017-06-13 at 19:51 +0000, Kedar Sirshikar (ksirshik) wrote:
> dn: uid=uid_1,dc=example,dc=com
> uidNumber: 1
>  
> dn: dc=example,dc=com
>  
> dn: uid=uid_2,dc=example,dc=com
> uidNumber: 2
>  
> Now I want to authenticate users created under
> ‘cn=Administrators,ou=groups,ou=system’. LDIF is as below
>  
> dn: cn=Administrators,ou=groups,ou=system
> objectClass: groupOfUniqueNames
> uniqueMember: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>  
> dn: uid=uid_admin,cn=Administrators,ou=groups,ou=system
> gidNumber: 1

It is probably a little uncommon to organise your LDAP directory like
this. You usually put all your users under ou=people,dc=example,dc=com
or some such and groups under ou=groups,dc=example,dc=com. You then use
the member (uniqueMember or memberUid) attributes from groups to point
to things under ou=people.
 
> I tried updating nslcd.conf file by adding “base group
> ‘cn=Administrators,ou=groups,ou=system’” and restarted nslcd 

The base group option can be used to specify which LDAP search base to
use for finding groups in LDAP. It does not handle authentication of
users.

> but user uid_admin is still not getting authenticated.
> Can you please help me in knowing what I may be missing?

Since you also have users under cn=Administrators,ou=groups,ou=system
you should probably have your nslcd.conf contain:

base passwd dc=example,dc=com
base passwd cn=Administrators,ou=groups,ou=system

You could also use ou=groups,ou=system or even ou=system, but again you
probably want to set it up with ou=groups,ou=system,dc=example,dc=com
or similar.

Also the values that you have for uidNumber are pretty low and may
cause conflicts with users already present in /etc/passwd. I would
strongly recommend using user ids >= 1000 in LDAP.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
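A check for the uidNumber clash the reply warns about, added here as an example and not part of the original message or of nss-pam-ldapd itself: it parses an LDIF export and /etc/passwd-format text (both constructed samples) and reports LDAP users whose uidNumber collides with a local account or falls below 1000.

```python
import re
# Constructed sample data, not from the thread: an LDIF export with the
# low uidNumber values from the question, plus a minimal /etc/passwd.
SAMPLE_LDIF = """\
dn: uid=uid_1,dc=example,dc=com
uidNumber: 1

dn: dc=example,dc=com

dn: uid=uid_2,dc=example,dc=com
uidNumber: 2

dn: uid=alice,ou=people,dc=example,dc=com
uidNumber: 1001
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
MIN_LDAP_UID = 1000  # lower bound recommended in the reply

def parse_ldif_uids(ldif_text):
    """Return {dn: uidNumber} per entry; plain 'attr: value' lines only."""
    uids = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "dn" in attrs and attrs.get("uidNumber", "").isdigit():
            uids[attrs["dn"]] = int(attrs["uidNumber"])
    return uids

def parse_passwd_uids(passwd_text):
    """Return {uid: name} from text in /etc/passwd format."""
    return {int(f[2]): f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 3 and f[2].isdigit()}

def find_uid_problems(ldif_text, passwd_text, min_uid=MIN_LDAP_UID):
    """(dn, uidNumber, reason) for LDAP users colliding with a local account or below min_uid."""
    local = parse_passwd_uids(passwd_text)
    problems = []
    for dn, uid in sorted(parse_ldif_uids(ldif_text).items(), key=lambda kv: kv[1]):
        if uid in local:
            problems.append((dn, uid, "collides with local user " + local[uid]))
        elif uid < min_uid:
            problems.append((dn, uid, "below recommended minimum %d" % min_uid))
    return problems
```

Run it against a real `ldapsearch -LLL` export and the host's /etc/passwd before enabling nslcd on a machine, so that a clash is found before a login resolves to the wrong account.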