
List:       nssldap
Subject:    [nssldap] libpam-ldap not required for Linux authentication chain?
From:       "JT Olds" <jtolds () xnet5 ! com>
Date:       2006-11-30 22:27:46
Message-ID: 499ac1e70611301427l79b7552ao6d5853d287e711ad () mail ! gmail ! com

Hello,
I'm currently in the bowels of a "shouldn't be working" sort of
situation. I've inherited a computer lab that uses LDAP and
libnss-ldap alone for name services and authentication. No libpam-ldap
required whatsoever.
Naively, I've been happily adding client machines to the network by
simply installing libnss-ldap and giving it only the current LDAP
server's hostname and search base distinguished name.

I'm trying to duplicate this functionality on a second server, and
I've all but given up. What sort of conditions are required on the
server side to use libnss-ldap alone in the authentication chain,
without ever needing libpam-ldap? I'm sort of at my wit's end.

FWIW, I have LDAP over SSL working. At one point I gathered that might be key.

All machines involved are Debian-based. The current server is running
slapd 2.0.23-6.3 and the new server is running slapd 2.2.23-8. Every
part of the configuration but the database backend stuff is the same;
however, for some reason it appears that the current server will
display password hashes willy-nilly to anyone who does a search
request while the new server won't. I have yet to figure out why this
discrepancy exists, as both have configuration lines to restrict
userPassword field access. Just to see if that was why my
lack-of-libpam-ldap setup was working, I temporarily removed access
control to userPassword on the new server, but that didn't seem to fix
it. PAM still complained about being unable to authenticate the user.

Thanks
-JT

-- 
oldsx015 /at/ umn /dot/ edu
jtolds /at/ aps /dot/ umn /dot/ edu
http://www.jtolds.com/