RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

Thanks Guillaume, it's been very helpful.

- added debug 1 to /etc/ldap.conf; will see what additional reporting I get.
- the AD does not respond to SSL on port 636. I'll try forcing TLS on port 389,
but as ldapsearch works without them (i.e. once bound, it searches fine
unencrypted) I don't think that's the issue. Have set 'tls_checkpeer no' to no
effect.
- Currently negotiating with the admin for the directory servers to check their
logs.
- base for searches is set; I must have deleted it and not put in a mangled
replacement before posting to the list. It's of the form "base
dc=our,dc=long,dc=domain,dc=co,dc=nz"

regards,

Aaron

> -----Original Message-----
> From: owner-nssldap@padl.com [owner-nssldap [at] padl.com] On Behalf
> Of Guillaume Rousse
> Sent: Thursday, 25 June 2009 9:12 p.m.
> Cc: pamldap@padl.com; nssldap@padl.com
> Subject: Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP
> server(s)
>
> Aaron Hicks wrote:
> > Hope someone here can help.
> You'd better test nss first, and pam second. As long as 'getent
> password' doesn't list you all known users, there's no use trying to
> authenticate them.
>
> Various hints:
> - use 'debug 1' in your nss_ldap configuration file.
> - check if there is any difference using anonymous or authenticated
> binding
> - check if there is any difference between tls (port 389), ssl (port 636),
> and an unencrypted connection (warning: unspecified configuration values
> in the nss_ldap configuration, such as tls_checkpeer, will usually use
> nss_ldap default values, not openldap library values, such as the
> TLS_REQCERT never in your case)
> - check your ldap server logs
>
> I have no clue what eDirectory is, but if it is just a branding name
> over openldap, you can perfectly tune its access policy as needed. I
> doubt it really enforces the use of encryption for connection, rather
> for authentication only.
>
> Also, take care that Ubuntu (Debian, actually) doesn't use a unique
> configuration file for nss_ldap and pam_ldap (/etc/ldap.conf), but two
> distinct ones (/etc/libnss_ldap and /etc/libpam_ldap, from memory).
> [..]
> > ===========Config files from here on========
> >
> > My /etc/ldap.conf looks like (omitting sections left as default):
> >
> > <defaults omitted>
> > # The distinguished name of the search base.
> > base
> An empty base will not help. Maybe nss_ldap uses the openldap default
> configuration in this case, but I would not rely on it.
>
> --
> BOFH excuse #390:
>
> Increased sunspot activity.
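
As an added example (not code from the thread, nor from nss_ldap or pam_ldap), here is a POSIX shell lint for a PADL-style ldap.conf that flags the issues raised in this exchange before you start chasing server logs: an empty base, tls_checkpeer left unset (so nss_ldap's own default applies rather than OpenLDAP's TLS_REQCERT), 'ssl on' against a plain ldap:// URI, and no debug line. The sample configuration it writes is constructed; the hostname, port and DN are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from nss_ldap: a lint for a PADL-style
# nss_ldap/pam_ldap config (/etc/ldap.conf, or Debian's separate per-module files).

# conf_value FILE KEY: print the last value given for KEY (keywords are
# case-insensitive, '#' starts a comment); prints nothing if unset or empty.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# check_ldap_conf FILE: print one finding per line, return the number found.
check_ldap_conf() {
    f="$1"; n=0
    [ -n "$(conf_value "$f" base)" ] ||
        { echo "base: empty or missing, searches have no starting DN"; n=$((n + 1)); }
    [ -n "$(conf_value "$f" debug)" ] ||
        { echo "debug: unset, add 'debug 1' while troubleshooting"; n=$((n + 1)); }
    ssl=$(conf_value "$f" ssl)
    uri=$(conf_value "$f" uri)
    case "$ssl" in
        on)  # LDAPS, normally paired with an ldaps:// URI (port 636)
            case "$uri" in
                ldaps://*) ;;
                *) echo "ssl on with uri '$uri': LDAPS expects ldaps://; for TLS on 389 use 'ssl start_tls'"
                   n=$((n + 1)) ;;
            esac ;;
        ""|off) echo "ssl: not enabled, a simple bind sends the password unencrypted"; n=$((n + 1)) ;;
    esac
    # Unset tls_checkpeer means nss_ldap's own default applies, not OpenLDAP's TLS_REQCERT.
    if [ -n "$ssl" ] && [ "$ssl" != off ] && [ -z "$(conf_value "$f" tls_checkpeer)" ]; then
        echo "tls_checkpeer: unset, nss_ldap default applies rather than TLS_REQCERT"
        n=$((n + 1))
    fi
    return "$n"
}

# write_sample_conf FILE: a constructed config resembling the one in the thread
# (empty base, 'ssl on' against a plain ldap:// URI); host and port are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
uri ldap://ldap.example.org:389/
base
ssl on
EOF
}
tmp=$(mktemp) && write_sample_conf "$tmp" && check_ldap_conf "$tmp"; rm -f "$tmp"
```

The exit status is the number of findings, so it can gate a config push; point it at /etc/ldap.conf (or each of the Debian per-module files) instead of the sample.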
