NetBSD-Users archive


Re: Using LDAP for auth against LINUX



On Tue, Jan 6, 2009 at 6:56 AM, Uwe Lienig
<uwe.lienig%fif.mw.htw-dresden.de@localhost> wrote:
> Hello all and a happy new year,
>
> I'm in the process of changing our infrastructure from NIS to LDAP. In the
> past NIS was hosted on an AlphaServer 1200 with Tru64UNIX that acted as a file
> server. Since the storage is going to be exhausted and buying more hard disks
> was not an option it was planned to buy a new server with plenty of storage.
>
> The new server has arrived and got SuSE Linux Enterprise Server 10 installed
> (there was no option to choose another OS :-( ). It will serve Windows Clients
> (NT, W2k, XP, ..) via Samba and Unix-Systems (Tru64, NetBSD, Linux, ..) via
> NFS.
> Samba is configured as a PDC. Users are kept in LDAP so that password
> synchronisation can easily be achieved. This setup works as expected.
>
> Now, I have to adapt all the other systems to the new infrastructure. The most
> urgent task is to switch the mail server to the new setup. The mail server is
> an AlphaStation 255/300 with NetBSD-3.0.
>
> $ > uname -a
> NetBSD host 3.0 NetBSD 3.0 (GENERIC) #0
>
> Since the change is in progress this server uses the old NIS databases to auth
> users. But in the near future I have to switch to LDAP. The old NIS databases
> are to be switched off.
>
> So I installed the missing bits for LDAP, namely
>
>  /usr/pkgsrc/security/pam-ldap/
>  /usr/pkgsrc/databases/nss_ldap/
>  /usr/pkgsrc/databases/openldap-client/
>
> LDAP was configured with
>
>  /usr/pkg/etc/openldap/ldap.conf
>
> The entries i added are
>  BASE       dc=some,dc=domain,dc=org
>  URI        ldap://ldap.server
>  TLS_CACERT /path/to/cert.pem
>
> Using ldapsearch I can perfectly query the LDAP database and get the user
> entries.
>
> After verifying the LDAP setup is working ok I went ahead with configuring NSS
> and PAM. This is where I'm now and stuck, since I can't get that to work as
> expected.
>
> In order not to break the current setup I left NIS as is (there shouldn't be
> any problem using both NIS and LDAP, however). The pam_ldap.so was linked from
> /usr/pkg/lib/security to /usr/lib/security. To get the configuration working I
> used the HowTo from http://wiki.netbsd.se/OpenLDAP_Authentication_on_NetBSD
> nsswitch.conf got the ldap entries added
>
> group:          files nis ldap
> passwd:         files nis ldap
>
> and /etc/pam.d/system was populated with ldap entries
>
> auth      sufficient  pam_ldap.so
> auth      sufficient  pam_krb5.so     no_warn try_first_pass
> auth      required    pam_unix.so     no_warn try_first_pass nullok
> account   sufficient  pam_ldap.so
> account   required    pam_krb5.so
> account   required    pam_unix.so
> session   sufficient  pam_ldap.so
> session   required    pam_lastlog.so  no_fail no_nested
> password  sufficient  pam_ldap.so
> password  sufficient  pam_krb5.so     no_warn try_first_pass
> password  required    pam_unix.so     no_warn try_first_pass
>
> I created /usr/pkg/etc/nss_ldap.conf and symlinked pam_ldap.conf to this
> file.
>
> I do have a user entry in LDAP that does not exist in NIS. But whatever I try
> I can't get getent(1) to produce output for this user (although NIS works ok
> for other users).
>
> Up to now I haven't made any step further.
>
> What am I missing? Please feel free to ask for config data I have not provided
> in this mail. I think LDAP isn't the problem since ldapsearch produces correct
> output, though.
>
> Any hints are very much appreciated.
>


Watch the logs on the ldap server when you use getent to see if it is
actually performing the search, or even trying to connect.

Also, what happens when you switch ldap to be before nis?
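Before watching the server-side logs, it is worth confirming what the client
side will actually do. The script below is an added example for this thread,
not something posted by either participant: it reads the three files a pkgsrc
nss_ldap/pam_ldap setup depends on (nsswitch.conf, nss_ldap.conf and the
pam_ldap.so the PAM stack loads from /usr/lib/security), prints the lookup
order for passwd and group, checks that nss_ldap.conf carries its own lowercase
`base` and `uri` keys (nss_ldap reads that file, not OpenLDAP's ldap.conf, so a
working ldapsearch proves nothing about it), and flags a plaintext `ldap://`
URI without `ssl start_tls`, since pam_ldap would then send user passwords
unencrypted. The file paths and the sample configuration it creates in `demo`
mode are constructed for the example and mirror the values quoted above.

```sh
#!/bin/sh
# Offline consistency check for a pkgsrc nss_ldap/pam_ldap client.
# Added example for this thread; paths are arguments so it can be run
# against a scratch copy. Returns non-zero when it reports a finding.

# Lookup sources for one nsswitch.conf database, e.g. "files nis ldap".
nss_sources() {   # $1 = nsswitch.conf  $2 = database (passwd|group)
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# One nss_ldap.conf value. Keys are lowercase (base, uri, ssl, ...),
# unlike the BASE/URI/TLS_CACERT syntax of OpenLDAP's ldap.conf.
nss_ldap_value() {   # $1 = nss_ldap.conf  $2 = key
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

check_ldap_client() {   # $1 = nsswitch.conf  $2 = nss_ldap.conf  $3 = pam_ldap.so path
    rc=0
    for db in passwd group; do
        src=$(nss_sources "$1" "$db")
        echo "$db: $src"
        case " $src " in
            *" ldap "*) ;;
            *) echo "FINDING: $db does not list ldap in $1"; rc=1 ;;
        esac
    done
    for key in base uri; do
        if [ -z "$(nss_ldap_value "$2" "$key")" ]; then
            echo "FINDING: '$key' missing from $2 (nss_ldap does not read ldap.conf)"
            rc=1
        fi
    done
    uri=$(nss_ldap_value "$2" uri)
    ssl=$(nss_ldap_value "$2" ssl)
    case "$uri" in
        ldaps://*) ;;
        *) [ "$ssl" = "start_tls" ] || {
               echo "FINDING: plaintext LDAP ($uri): pam_ldap would send passwords in the clear;"
               echo "         add 'ssl start_tls' (plus tls_checkpeer yes, tls_cacertfile) or use ldaps://"
               rc=1
           } ;;
    esac
    [ -r "$3" ] || { echo "FINDING: PAM module $3 not found"; rc=1; }
    return $rc
}

# Constructed sample files for the demo: the poster's nsswitch order and
# ldap.conf values rewritten in nss_ldap.conf syntax, with no 'ssl' line,
# so the plaintext finding is exercised.
demo_dir() {   # $1 = scratch directory
    mkdir -p "$1/security"
    printf 'group:\tfiles nis ldap\npasswd:\tfiles nis ldap\n' > "$1/nsswitch.conf"
    printf 'base dc=some,dc=domain,dc=org\nuri ldap://ldap.server\n' > "$1/nss_ldap.conf"
    : > "$1/security/pam_ldap.so"
}

# Usage: sh ldapcheck.sh /etc/nsswitch.conf /usr/pkg/etc/nss_ldap.conf /usr/lib/security/pam_ldap.so
#        sh ldapcheck.sh demo      (run against the constructed sample files)
case "${1-}" in
    demo) d=$(mktemp -d); demo_dir "$d"
          check_ldap_client "$d/nsswitch.conf" "$d/nss_ldap.conf" "$d/security/pam_ldap.so" ;;
    "")   ;;   # no arguments: only define the functions (for sourcing)
    *)    check_ldap_client "$1" "$2" "$3" ;;
esac
```

A clean run returns 0 and prints only the two lookup-order lines. The order
check is the client-side half of the suggestion above: with `files nis ldap`
a user that exists only in LDAP is reached last, so a NIS timeout or error
earlier in the chain can mask whether nss_ldap was ever consulted; moving
`ldap` ahead of `nis` makes that visible.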

