Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
- From: Guillaume Rousse <Guillaume.Rousse [at] inria.fr>
- Cc: "pamldap [at] padl.com" <pamldap [at] padl.com>, "nssldap [at] padl.com" <nssldap [at] padl.com>
- Subject: Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
- Date: Thu, 25 Jun 2009 11:11:35 +0200
Aaron Hicks wrote:
> Hope someone here can help.
You'd better test nss first, and pam second. As long as 'getent
passwd' doesn't list all known users, there's no use trying to
authenticate them.
Various hints:
- use 'debug 1' in your nss_ldap configuration file.
- check if there is any difference using anonymous or authenticated binding.
- check if there is any difference between TLS (port 389), SSL (port 636),
and an unencrypted connection (warning: unspecified configuration values in
the nss_ldap configuration, such as tls_checkpeer, will usually use nss_ldap
default values, not OpenLDAP library values, such as the TLS_REQCERT
never in your case).
- check your ldap server logs
I have no clue what eDirectory is, but if it is just a branding name
over OpenLDAP, you can perfectly tune its access policy as needed. I
doubt it really enforces the use of encryption for connections, rather
than for authentication only.
Also, take care that Ubuntu (Debian, actually) doesn't use a single
configuration file for nss_ldap and pam_ldap (/etc/ldap.conf), but two
distinct ones (/etc/libnss_ldap and /etc/libpam_ldap, from memory).
[..]
> ===========Config files from here on========
> My /etc/ldap.conf looks like (omitting sections left as default):
> <defaults omitted>
> # The distinguished name of the search base.
> base
An empty base will not help. Maybe nss_ldap uses OpenLDAP's default
configuration in this case, but I would not rely on it.
--
BOFH excuse #390:
Increased sunspot activity.
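The reply above boils down to a short checklist: fix the config before touching PAM, then compare anonymous vs. authenticated binds and plain vs. StartTLS vs. LDAPS by hand. Below is an added example script that is not part of the thread or of the nss_ldap/pam_ldap projects. It reads an nss_ldap-style ldap.conf, flags the two problems named in the reply (an empty "base", and TLS enabled without an explicit tls_checkpeer, where nss_ldap will apply its own default rather than the OpenLDAP library's TLS_REQCERT), and prints the six ldapsearch invocations to run for the bind/transport comparison. The directive names (uri, host, base, ssl, tls_checkpeer, binddn) are the standard nss_ldap ones; the two sample config files, their hostnames and DNs are constructed for the demo, and the file paths are whatever mktemp returns, so substitute /etc/ldap.conf (or the Debian split files) on a real host.

```shell
#!/bin/sh
# Added example (not from the original thread). Pre-flight checks for an
# nss_ldap-style ldap.conf, plus the ldapsearch matrix to run by hand.

# Print the value of KEY from FILE: first matching non-comment line,
# key compared case-insensitively; empty output if the key is absent or
# present with no value (e.g. a bare "base" line).
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
            print; exit
        }' "$1"
}

# Check FILE. One line per finding on stdout; returns 1 when something
# would make "getent passwd" fail before PAM is even involved, else 0.
check_ldap_conf() {
    file=$1
    rc=0
    base=$(ldap_conf_get "$file" base)
    uri=$(ldap_conf_get "$file" uri)
    host=$(ldap_conf_get "$file" host)
    ssl=$(ldap_conf_get "$file" ssl)
    checkpeer=$(ldap_conf_get "$file" tls_checkpeer)
    binddn=$(ldap_conf_get "$file" binddn)

    if [ -z "$base" ]; then
        echo "PROBLEM: 'base' is empty or missing; nss_ldap has no search base"
        rc=1
    fi
    if [ -z "$uri" ] && [ -z "$host" ]; then
        echo "PROBLEM: neither 'uri' nor 'host' is set; no server to talk to"
        rc=1
    fi
    # TLS is in play if ssl is on/start_tls or the URI scheme is ldaps.
    tls_on=0
    case "$ssl" in on|yes|start_tls) tls_on=1 ;; esac
    case "$uri" in ldaps://*) tls_on=1 ;; esac
    if [ "$tls_on" -eq 1 ] && [ -z "$checkpeer" ]; then
        echo "WARNING: TLS enabled but tls_checkpeer unset; nss_ldap applies its own default, not TLS_REQCERT from the OpenLDAP client config"
    fi
    if [ -z "$binddn" ]; then
        echo "INFO: no binddn, nss_ldap binds anonymously; compare against an authenticated bind"
    fi
    return $rc
}

# Print the ldapsearch commands for the comparison the reply suggests:
# {anonymous, bound} x {plain 389, StartTLS on 389 (-ZZ), LDAPS 636}.
# The bound row is omitted when the config has no binddn.
ldapsearch_matrix() {
    file=$1
    base=$(ldap_conf_get "$file" base)
    binddn=$(ldap_conf_get "$file" binddn)
    host=$(ldap_conf_get "$file" host)
    if [ -z "$host" ]; then
        uri=$(ldap_conf_get "$file" uri)
        host=${uri#*://}; host=${host%%/*}; host=${host%%:*}
    fi
    if [ -n "$binddn" ]; then
        auths="anon bound"
    else
        auths="anon"
    fi
    for auth in $auths; do
        [ "$auth" = bound ] && auth="-D \"$binddn\" -W" || auth=""
        for transport in "-H ldap://$host:389" \
                         "-H ldap://$host:389 -ZZ" \
                         "-H ldaps://$host:636"; do
            echo "ldapsearch -x $transport $auth -b \"$base\" -s base '(objectClass=*)'"
        done
    done
}

# Constructed sample configs for the demo (not real site data).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# nss_ldap-style config; values constructed for the demo
uri ldap://ldap.example.test/
base dc=example,dc=test
ssl start_tls
tls_checkpeer yes
binddn cn=nss,ou=svc,dc=example,dc=test
bindpw secret
EOF
cat > "$BAD_CONF" <<'EOF'
host ldap.example.test
base
ssl on
EOF

echo "== broken config (empty base, like the original post) =="
check_ldap_conf "$BAD_CONF" || echo "(fix the above before trying getent passwd)"
echo "== sane config =="
check_ldap_conf "$GOOD_CONF" && echo "config looks sane; now run these and compare with the server log:"
ldapsearch_matrix "$GOOD_CONF"
```

Run the printed ldapsearch lines one by one; the first transport/bind combination that returns the base entry is the one nss_ldap should be configured to use, and any combination that fails should show up in the server's log with the reason.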