Re: Using LDAP for auth against LINUX

On Tue, Jan 6, 2009 at 6:56 AM, Uwe Lienig
<> wrote:
> Hello all and a happy new year,
> I'm in the process of changing our infrastructure from NIS to LDAP. In the past
> NIS was hosted on an AlphaServer 1200 with Tru64UNIX that acted as a file
> server. Since the storage is going to be exhausted and buying more hard disks
> was not an option it was planned to buy a new server with plenty of storage.
> The new server has arrived and got SuSE Linux Enterprise Server 10 installed
> (there was no option to choose another OS :-( ). It will serve Windows clients
> (NT, W2k, XP, ..) via Samba and Unix systems (Tru64, NetBSD, Linux, ..) via NFS.
> Samba is configured as a PDC. Users are kept in LDAP so that password
> synchronisation can easily be achieved. This setup works as expected.
> Now, I have to adapt all the other systems to the new infrastructure. The most
> urgent task is to switch the mail server to the new setup. The mail server is an
> AlphaStation 255/300 with NetBSD-3.0.
> $ > uname -a
> NetBSD host 3.0 NetBSD 3.0 (GENERIC) #0
> Since the change is in progress this server uses the old NIS databases to auth
> users. But in the near future I have to switch to LDAP. The old NIS databases
> are to be switched off.
> So I installed the missing bits for LDAP, namely
>  /usr/pkgsrc/security/pam-ldap/
>  /usr/pkgsrc/databases/nss_ldap/
>  /usr/pkgsrc/databases/openldap-client/
> LDAP was configured with
>  /usr/pkg/etc/openldap/ldap.conf
> The entries I added are
>  BASE       dc=some,dc=domain,dc=org
>  URI        ldap://ldap.server
>  TLS_CACERT /path/to/cert.pem
> Using ldapsearch I can perfectly query the LDAP database and get the user entries.
> After verifying the LDAP setup is working ok I went ahead with configuring NSS and
> PAM. This is where I'm now and stuck, since I can't get that to work as expected.
> In order not to break the current setup I left NIS as is (there shouldn't be any
> problem using both NIS and LDAP, however). The was linked from
> /usr/pkg/lib/security to /usr/lib/security. To get the configuration working I
> used the HowTo from
> nsswitch.conf got the ldap entries added
> group:          files nis ldap
> passwd:         files nis ldap
> and /etc/pam.d/system was populated with ldap entries
> auth      sufficient
> auth      sufficient     no_warn try_first_pass
> auth      required     no_warn try_first_pass nullok
> account   sufficient
> account   required
> account   required
> session   sufficient
> session   required  no_fail no_nested
> password  sufficient
> password  sufficient     no_warn try_first_pass
> password  required     no_warn try_first_pass
> I created /usr/pkg/etc/nss_ldap.conf and symlinked pam_ldap.conf to this file.
> I do have a user entry in LDAP that does not exist in NIS. But whatever I try I
> can't get getent(1) to produce output for this user (although NIS works ok for
> other users).
> Up to now I haven't made any step further.
> What am I missing? Please feel free to ask for config data I have not provided
> in this mail. I think LDAP isn't the problem since ldapsearch produces correct
> output, though.
> Any hints are very much appreciated.

Watch the logs on the ldap server when you use getent to see if it is
actually performing the search, or even trying to connect.

Also- what happens when you switch ldap to be before nis?
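Two checks worth scripting before trusting the new setup, as an added example written for this page (it is not code from the original mail, from pkgsrc, or from the PADL nss_ldap/pam_ldap projects). It assumes the PADL directive names (`uri`, `ssl`, `tls_checkpeer`, `tls_cacertfile`, `bind_policy`) and the NetBSD nsswitch.conf syntax; every file name and config line in it is constructed. The security point behind the first check: pam_ldap authenticates a user by performing a simple bind with the user's password, and `TLS_CACERT` in ldap.conf only tells libldap which CA to trust, it does not by itself turn TLS on. With a plain `ldap://` URI and no `ssl start_tls` in pam_ldap.conf, that password crosses the wire in the clear, and without `tls_checkpeer yes` even a StartTLS session will accept any certificate. The second check mirrors the reordering suggestion above: it extracts the source list for a database so you can see whether and where `ldap` is consulted.

```shell
#!/bin/sh
# Added example, not code from the original mail: audit PADL nss_ldap/pam_ldap
# configs and nsswitch.conf for the two things that matter most when moving
# from NIS to LDAP: does the "ldap" source actually get consulted, and does
# the PAM simple bind carry the user's password over TLS or in the clear.
# Every file name and config line below is constructed for this example.
set -u

# Value of a PADL-style "key value" directive ('#' comments skipped, key
# compared case-insensitively); prints nothing if the key is absent.
conf_get() {                       # $1 = config file, $2 = lowercase key
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# How will libldap carry the bind?  ldaps (TLS from byte one), starttls
# (plain URI upgraded by "ssl start_tls"), or cleartext (password on the wire).
ldap_transport() {                 # $1 = nss_ldap.conf / pam_ldap.conf
    uri=$(conf_get "$1" uri)
    ssl=$(conf_get "$1" ssl)
    case "$uri" in
        ldaps://*) echo ldaps ;;
        *) case "$ssl" in
               start_tls) echo starttls ;;
               yes|on)    echo ldaps ;;     # PADL: "ssl on" means LDAPS on 636
               *)         echo cleartext ;;
           esac ;;
    esac
}

# TLS without certificate checking stops passive sniffing but not an active
# MITM; PADL enables checking with "tls_checkpeer yes" (+ tls_cacertfile).
ldap_verifies_peer() {             # returns 0 when the peer cert is checked
    [ "$(ldap_transport "$1")" != cleartext ] || return 1
    case "$(conf_get "$1" tls_checkpeer)" in
        yes|on|true|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Lookup sources for one nsswitch.conf database, [criteria] blocks removed.
nss_sources() {                    # $1 = nsswitch.conf, $2 = database
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | sed 's/\[[^]]*\]//g' | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# 1-based position of a source for a database; 0 (and status 1) if absent.
nss_position() {                   # $1 = nsswitch.conf, $2 = database, $3 = source
    n=0
    for s in $(nss_sources "$1" "$2"); do
        n=$((n + 1))
        if [ "$s" = "$3" ]; then echo "$n"; return 0; fi
    done
    echo 0; return 1
}

# Constructed sample files: a weak config in the spirit of the mail (plain
# ldap:// URI, no ssl directive), a hardened one, and an nsswitch.conf.
write_samples() {                  # $1 = directory to write into
    cat > "$1/weak.conf" <<'EOF'
base dc=some,dc=domain,dc=org
uri ldap://ldap.server
EOF
    cat > "$1/hardened.conf" <<'EOF'
base dc=some,dc=domain,dc=org
uri ldap://ldap.server
# StartTLS on 389 plus mandatory certificate verification against our CA
ssl start_tls
tls_checkpeer yes
tls_cacertfile /path/to/cert.pem
# fail lookups when the directory is unreachable instead of retrying forever
bind_policy soft
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
group:          files nis ldap
passwd:         files nis ldap
hosts:          files dns
EOF
}

report() {                         # $1 = ldap config, $2 = nsswitch.conf
    printf '%s: transport=%s, peer cert %s\n' "$1" "$(ldap_transport "$1")" \
        "$(ldap_verifies_peer "$1" && echo verified || echo NOT verified)"
    for db in passwd group; do
        pos=$(nss_position "$2" "$db" ldap) || true
        if [ "$pos" -gt 0 ]; then
            echo "$db: ldap is source #$pos of '$(nss_sources "$2" "$db")'"
        else
            echo "$db: ldap is not a source; getent will never ask the directory"
        fi
    done
}

dir=$(mktemp -d)
write_samples "$dir"
report "$dir/weak.conf" "$dir/nsswitch.conf"
report "$dir/hardened.conf" "$dir/nsswitch.conf"
rm -rf "$dir"
```

Point the functions at the real files (`ldap_transport /usr/pkg/etc/nss_ldap.conf`, `nss_sources /etc/nsswitch.conf passwd`) rather than the samples. Before switching `ssl start_tls` on, confirm the server actually offers StartTLS with a certificate that chains to the CA in `TLS_CACERT` by running `ldapsearch -x -ZZ -b dc=some,dc=domain,dc=org uid=someuser`; `-ZZ` makes ldapsearch fail instead of silently falling back to cleartext. For the log-watching suggestion above, OpenLDAP's slapd records each connection, search and result at `loglevel 256` (stats), which is enough to tell whether getent ever reaches the directory.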

