Subject: Re: PAM, LDAP; documentation in general
To: Ing., BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Rene Hexel <rh@netbsd.org>
List: netbsd-help
Date: 05/31/2002 18:53:49
On Fri, 2002-05-31 at 17:23, Ing., BcA. Ivan Dolezal wrote: 

>     I have been trying to find some documentation on how to make it 
> running. I found a lot of information on it for Linux on WWW, but not a 
> word (except package changes) for NetBSD. Unfortunately, the information 
> for Linux was worthless - the step-by-step instructions for Red Hat just 
> didn't work at all.

  The PAM package on NetBSD is the same as on Linux.  Differences are
minor and relate only to file locations and the like.  Therefore, the
Linux HOWTO's work fairly well for PAM on NetBSD.  Please note, however,
that PAM is not a part of the NetBSD system, therefore you cannot use it
for user login and the like.  You can only use it with programs that link
against the PAM library!  For packages that may optionally use PAM (such
as security/cyrus-sasl), you need to define USE_PAM in your /etc/mk.conf.

  Unfortunately PAM (and also the various PAM modules, such as pam-ldap)
are very terse when it comes to debugging if something's wrong in your
configuration.  This is not NetBSD specific, however.  I have spent
hours upon hours debugging PAM configurations on both NetBSD and Linux
until they finally worked. 

> documentation for source packages is quite a painful task. The packages 
> rarely install manpages. I would be happy if they installed at least 
> some longer READMEs than "The NetBSD Packages Collection ". When I try 

  A package basically is just a wrapper around the original software to
make it install and run in a standardised manner.  Whatever
documentation comes with the original software usually gets installed
with the corresponding package.  The amount and quality of the
documentation depends on what was included originally. 

> me note that I appreciate the effort, but I have been fighting for three 
> days with PAM/LDAP and I feel quite frustrated.

  Not that this helps you at all, but I did have a similar experience on
a Linux system as well ;-) 

  Since PAM and OpenLDAP are two rather complex packages, my checklist
usually is 

        * does LDAP work (can I access the database, etc.), check 
                /usr/pkg/etc/openldap/* 

        * does PAM work (try with a simpler module than pam-ldap), 
          specifically check 
                /usr/pkg/etc/pam.conf 
                /usr/pkg/etc/pam/* 

        * once both work individually, check /usr/pkg/etc/pam/ldap.conf 
                - are "host", "base", "ldap_version", ... set correctly?


  Kind regards,
  Rene Hexel
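
The last item of the checklist above can be scripted. The following is an added example, not part of the original message or of the pam-ldap package: it checks that "host", "base" and "ldap_version" are set in an ldap.conf. The function names, the sample files, the case-insensitive key matching and the accepted versions (2 or 3) are assumptions.

```sh
# Added example: checks the keys named in the message's last checklist item.
# Assumed format: one "key value" pair per line, '#' starts a comment line;
# keys are matched case-insensitively (assumption).

# Print the value of the last uncommented occurrence of key $2 in file $1.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# Return 0 if host, base and ldap_version look sane; else list problems, return 1.
check_pam_ldap_conf() {
    conf=$1; problems=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"; return 1
    fi
    for key in host base ldap_version; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "$key: not set"; problems=1
        fi
    done
    version=$(conf_value "$conf" ldap_version)
    case $version in
        ''|2|3) ;;   # empty was already reported above
        *) echo "ldap_version: unexpected value '$version'"; problems=1 ;;
    esac
    return $problems
}

# Constructed sample files (not from the original message).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
# constructed sample
host 127.0.0.1
base dc=example,dc=org
ldap_version 3
EOF
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
host 127.0.0.1
#base dc=example,dc=org
ldap_version 5
EOF

check_pam_ldap_conf "$SAMPLE_DIR/good.conf" && echo "good.conf: ok"
check_pam_ldap_conf "$SAMPLE_DIR/bad.conf" || echo "bad.conf: needs fixing"
```

On a real system, point `check_pam_ldap_conf` at /usr/pkg/etc/pam/ldap.conf once LDAP and PAM have each been confirmed to work on their own.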