Tony Wasson wrote:
> George Toft wrote:
> > Has anyone set up a debian box to use LDAP for authentication? I tried
> > it last night with mixed results:
> > - LDAP is working fine: I can retrieve the entries, and the command
> >   getent shows entries from files and ldap.
> > - I can't log in:
> > - I can't change password:
> >   # passwd gtoft
> >   passwd: Critical error - immediate abort
> >   #
> >
> > I think my problem lies in my PAM configuration. If anyone has done
> > this and wants to share their pam configs, I would be very appreciative.
> >
> > I have googled for the errors I've been getting and have retrieved 0
> > hits consistently :( This seems to be trivial under RedHat (or so say
> > all the web pages I found on the topic). Debian is another story.
>
> Hi George,
>
> I use LDAP for authentication for IMAP/POP/SMTP/Web and SSH. Our LDAP
> backend is controlled by ISPMan, but I can use generic LDAP tools to add
> and modify users too.
>
> Most likely the problem lies in either:
> 1) /etc/pam-ldap.conf NOT matching /etc/ldap/slapd.conf
> 2) /etc/pam.d/* NOT being set up correctly.
>
> The pam modules and plugins started off with great documentation. Then
> some "cool hacks" started happening and things were no longer documented.
>
> Here's a sample pam.d I stole off a mailing list for SSH; this will
> allow a fallthrough to local authentication if LDAP is unreachable. It
> will require a local account.
>
> /------/etc/pam.d/ssh START
> auth     sufficient pam_ldap.so
> auth     required   pam_nologin.so
> auth     required   pam_unix.so
>
> account  sufficient pam_ldap.so
> account  required   pam_unix.so
>
> session  sufficient pam_ldap.so
> session  required   pam_unix.so
>
> password sufficient pam_ldap.so
> password required   pam_unix.so
> \-----------END
>
> Because you can't change passwords using LDAP, it sounds like your
> pam-ldap connector does not have the right LDAP username/password and
> Base DN information. Can you check your slapd.conf and run
> "dpkg-reconfigure libpam-ldap"?
>
> Hope this gets you started!
> Tony
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Cha-ching!!! This, and the liberal use of "debug" helped. I also read
page 16 of this month's SysAdmin mag that tells me how to do this for
Debian. Despite the article, it was this config that did it for me -
10,000 thank you's!!!

-- 
George Toft, CISSP, MSIS
CTO/Computer Security, AGD,LLC
www.agdllc.com
623-203-1760

Kerckhoffs' Principle: If the cryptographic algorithm must remain secret
in order for the system to be secure, then the system is less secure.
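Tony's two suspects, a pam_ldap base DN that does not match the suffix slapd serves and a pam.d stack that is not set up correctly, can both be checked mechanically before reaching for "debug". The script below is an added example written for this page; it is not code from the thread, from Tony or from George. The config files it writes are constructed for the demo (the DNs and the 127.0.0.1 host are made up), and the file paths are arguments you supply, so point it at /etc/pam_ldap.conf, /etc/ldap/slapd.conf and /etc/pam.d/ssh on a real box.

```shell
#!/bin/sh
# Added example (not from the thread): two sanity checks for a Debian
# pam_ldap setup, covering Tony's suspects (1) and (2).
# Everything written by write_samples is constructed for the demo.

# conf_value FILE KEY
# Print the value of KEY from a slapd.conf / pam_ldap.conf style file:
# "key value..." per line, '#' comments, first match wins.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_base_dn PAM_LDAP_CONF SLAPD_CONF
# Compare pam_ldap's "base" with the "suffix" slapd serves, ignoring case,
# quotes and whitespace (DN components compare case-insensitively).
# Prints "match" and returns 0, or prints both values and returns 1.
check_base_dn() {
    pam_base=$(conf_value "$1" base | tr 'A-Z' 'a-z' | tr -d ' \t"')
    slapd_suffix=$(conf_value "$2" suffix | tr 'A-Z' 'a-z' | tr -d ' \t"')
    if [ -n "$pam_base" ] && [ "$pam_base" = "$slapd_suffix" ]; then
        echo match
        return 0
    fi
    echo "mismatch: pam_ldap base='$pam_base' slapd suffix='$slapd_suffix'"
    return 1
}

# shadowed_required PAM_FILE
# Walk a pam.d stack (simple keyword controls only; no [...] syntax and no
# @include) and print "GROUP MODULE" for every 'required' line that comes
# after a 'sufficient' line in the same management group. PAM returns as
# soon as a 'sufficient' module succeeds, so those later lines never run
# for users it accepts. Returns 1 if anything was found, 0 otherwise.
shadowed_required() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            grp = $1; ctl = $2; mod = $3
            if (ctl == "sufficient") seen[grp] = 1
            else if (ctl == "required" && seen[grp]) { print grp, mod; found++ }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# write_samples DIR
# Constructed sample files: a pam_ldap.conf whose base DN does not match
# the slapd suffix, and the pam.d/ssh stack posted in the thread.
write_samples() {
    cat > "$1/pam_ldap.conf" <<'EOF'
host 127.0.0.1
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
EOF
    cat > "$1/slapd.conf" <<'EOF'
# slapd.conf excerpt (constructed)
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
EOF
    cat > "$1/ssh" <<'EOF'
auth     sufficient pam_ldap.so
auth     required   pam_nologin.so
auth     required   pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_unix.so
session  sufficient pam_ldap.so
session  required   pam_unix.so
password sufficient pam_ldap.so
password required   pam_unix.so
EOF
}

# demo: run both checks against the constructed files, then clean up.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    check_base_dn "$dir/pam_ldap.conf" "$dir/slapd.conf" || true
    shadowed_required "$dir/ssh" || true
    rm -rf "$dir"
}

demo
```

On the posted stack the second check reports auth pam_nologin.so among the shadowed lines: because `auth sufficient pam_ldap.so` comes first, an LDAP user who authenticates successfully is let in before pam_nologin ever runs, so /etc/nologin only stops users who fall through to pam_unix. Putting `auth required pam_nologin.so` above the pam_ldap line makes it apply to everyone; the remaining pam_unix hits are the intended fallthrough Tony describes. The DN check only compares the two directives, so the bind DN and password (the likely cause of the passwd failure) still need checking by hand or with dpkg-reconfigure libpam-ldap.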