Re: LDAP Authentication on Debian - help?

Author: Tony Wasson
Date:  
To: plug-discuss
Subject: Re: LDAP Authentication on Debian - help?
George Toft wrote:
> Has anyone set up a debian box to use LDAP for authentication? I tried
> it last night with mixed results:
> - LDAP is working fine: I can retrieve the entries, and the command
> getent shows entries from files and ldap.
> - I can't log in:
> - I can't change password:
> # passwd gtoft
> passwd: Critical error - immediate abort
> #
>
> I think my problem lies in my PAM configuration. If anyone has done
> this and wants to share their pam configs, I would be very appreciative.
>
> I have googled for the errors I've been getting and have retrieved 0
> hits consistently :( This seems to be trivial under RedHat (or so say
> all the web pages I found on the topic). Debian is another story.


Hi George,

I use LDAP for authentication for IMAP/POP/SMTP/Web and SSH. Our LDAP
backend is controlled by ISPMan, but I can use generic LDAP tools to add
and modify users too.

Most likely the problem lies in either:
1) /etc/pam-ldap.conf NOT matching /etc/ldap/slapd.conf
2) /etc/pam.d/* NOT being set up correctly.

The pam modules and plugins started off with great documentation. Then
some "cool hacks" started happening and things were no longer documented.

Here's a sample pam.d I stole off a mailing list for SSH; this will
allow a fallthrough to local authentication if LDAP is unreachable. It
will require a local account.

/------/etc/pam.d/ssh START
auth       sufficient   pam_ldap.so
auth       required     pam_nologin.so
auth       required     pam_unix.so

account    sufficient   pam_ldap.so
account    required     pam_unix.so

session    sufficient   pam_ldap.so
session    required     pam_unix.so

password   sufficient   pam_ldap.so
password   required     pam_unix.so
\-----------END

Because you can't change passwords using LDAP, it sounds like your
pam-ldap connector does not have the right LDAP username/password and
Base DN information. Can you check your slapd.conf and run
"dpkg-reconfigure libpam-ldap"?

Hope this gets you started!
Tony
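The ssh stack quoted above can be checked without a test box by replaying Linux-PAM's control-flag rules over it. The Python below is an added example, not code from the post or from Linux-PAM; the module outcomes it feeds in (pam_ldap.so failing when the server is unreachable, pam_unix.so failing when no local account exists, pam_nologin.so failing when /etc/nologin is present) are constructed inputs, not real PAM results. It shows the fallthrough to local authentication working as described, and also that with `auth sufficient pam_ldap.so` listed first a successful LDAP authentication ends the stack before pam_nologin.so is ever consulted; moving pam_nologin.so ahead of pam_ldap.so is what makes /etc/nologin apply to LDAP users as well.

```python
"""Replay Linux-PAM control-flag semantics over a pam.d stack.

Added example (not from the post, not Linux-PAM code).  Control flags as
documented in pam.conf(5) and implemented in Linux-PAM's dispatcher:

  required   - failure is remembered, the rest of the stack still runs
  requisite  - failure returns immediately
  sufficient - success ends the stack with success unless an earlier
               'required'/'requisite' module already failed; failure is ignored
  optional   - success only counts if no other module has decided yet

A stack that finishes with no module having set a result is denied
(Linux-PAM's "must fail" rule), so a stack of only failing 'sufficient'
modules does not let anyone in.
"""

# The ssh stack from the post (constructed copy used as sample input).
PAM_SSH = """\
auth       sufficient   pam_ldap.so
auth       required     pam_nologin.so
auth       required     pam_unix.so

account    sufficient   pam_ldap.so
account    required     pam_unix.so

session    sufficient   pam_ldap.so
session    required     pam_unix.so

password   sufficient   pam_ldap.so
password   required     pam_unix.so
"""


def parse_pam_stack(text):
    """Return {management_group: [(control, module), ...]} from pam.d text."""
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % raw)
        group, control, module = fields[0], fields[1].lower(), fields[2]
        stack.setdefault(group, []).append((control, module))
    return stack


def evaluate(stack, group, results):
    """Evaluate one management group (auth, account, ...).

    `results` maps module name -> True (PAM_SUCCESS) or False (any error;
    an unreachable LDAP server shows up as pam_ldap.so returning False).
    Returns (success, [modules actually consulted, in order]).
    """
    consulted = []
    impression = None          # None = undecided, True = positive, False = negative
    for control, module in stack.get(group, []):
        ok = results.get(module, False)   # a module not in `results` fails
        consulted.append(module)
        if control == "requisite":
            if not ok:
                return False, consulted
            if impression is None:
                impression = True
        elif control == "required":
            if not ok:
                impression = False        # remembered; later modules still run
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, consulted    # stack ends here, later modules skipped
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return impression is True, consulted  # undecided at the end => denied


def run_scenarios():
    """Play the post's 'auth' stack through constructed situations."""
    stack = parse_pam_stack(PAM_SSH)
    # Same stack with pam_nologin.so moved ahead of pam_ldap.so, for comparison.
    reordered = parse_pam_stack(PAM_SSH)
    auth = reordered["auth"]
    reordered["auth"] = [auth[1], auth[0]] + auth[2:]

    ldap_ok = {"pam_ldap.so": True, "pam_nologin.so": True, "pam_unix.so": False}
    ldap_down_local_ok = {"pam_ldap.so": False, "pam_nologin.so": True, "pam_unix.so": True}
    ldap_down_no_local = {"pam_ldap.so": False, "pam_nologin.so": True, "pam_unix.so": False}
    nologin_present = {"pam_ldap.so": True, "pam_nologin.so": False, "pam_unix.so": True}
    return {
        "ldap_ok": evaluate(stack, "auth", ldap_ok),
        "ldap_down_local_ok": evaluate(stack, "auth", ldap_down_local_ok),
        "ldap_down_no_local": evaluate(stack, "auth", ldap_down_no_local),
        "nologin_bypassed": evaluate(stack, "auth", nologin_present),
        "nologin_enforced": evaluate(reordered, "auth", nologin_present),
    }


if __name__ == "__main__":
    for name, (success, consulted) in run_scenarios().items():
        print("%-20s success=%-5s consulted=%s" % (name, success, consulted))
```

The `nologin_bypassed` scenario is the one to look at: with the stack exactly as posted, an LDAP user authenticates in a single step and pam_nologin.so is never run, so /etc/nologin only stops users who fall through to pam_unix.so. The `ldap_down_local_ok` and `ldap_down_no_local` scenarios confirm the post's statement that the fallthrough requires a local account.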
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss