Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

[Guillaume Rousse <Guillaume.Rousse [at] inria.fr>]

Aaron Hicks a écrit :
> Hope someone here can help.
You'd better test nss first, and pam second. As long as 'getent 
password' doesn't list you all known users, that's no use to try to 
autenticate them.

Various hints:
- use 'debug 1' in your nss_ldap configuration file.
- check if there is any difference using anonymous or authenticated binding
- check if there any difference between tls (port 389), ssl (port 636), 
and unencrypted connection (warning, unspecified configuration values in 
nss_ldap configuration, such as tls_checkpeer, will usually use nss_ldap 
default values, not use openldap library values, such as TLS_REQCERT 
never in your case)
- check your ldap server logs

I have no clue what eDirectory is, but if it is just a branding name 
over openldap, you can perfectly tune its access policy as needed. I 
doubt it really enforce the use of encryption for connection, rather for 
autentication only.

Also, take care than ubuntu (Debian, actually) doesn't use a unique 
configuration file for nss_ldap and pam_ldap (/etc/ldap.conf), but two 
distinct ones (/etc/libnss_ldap and /etc/libpam_ldap, from memory).
[..]
> ===========Config files from here on========
>
> My /etc/ldap.conf looks like (omitting sections left as default):
>
> <defaults omitted>
> # The distinguished name of the search base.
> base
An empty base will not help. maybe nss_ldap use openldap default 
configuration in this case, but I would not rely on it.

--
BOFH excuse #390:

Increased sunspot activity.