On Mon, Nov 18, 2002 at 17:54:43 -0800, nate wrote:
> did you restart SSH after making the change?

Yes.

> I have privilege separation set to no, just because I haven't had a
> chance to test it with yes yet, I don't think it would work with the
> strict permissions on the pam_ldap.conf. maybe you can get around
> this by using group permissions.

Actually that was one problem. I changed UsePrivilegeSeparation to no rather than just being commented out. I guess yes is the default.

After retrying it still didn't work - but I figured out why: Because the user aphro doesn't exist on my system. So I did the following:

    Created a short ldif file to add user mark to the ldap directory
    Used ldapadd to add the user and group.

And it worked!

Then I tried to ssh in on localhost and entered the password. I saw the log messages fly across in the terminal I started slapd in. Then I was logged in. Note that the password I set in the ldap database is different to my real password so I know that if it lets me in with it then I was authenticated through ldap. Also entering an incorrect password refuses me.

Woooo hooooo. Wooo hooooo! It works!

One thing interesting though is that if I enter my proper system password then ldap refuses me once and gives another Password: prompt. If I then enter the proper system password again, I am allowed to login. So ssh must check /etc/passwd and /etc/shadow too. Which makes sense from the settings in /etc/pam.d/ssh which say:

    auth sufficient pam_ldap.so
    auth required pam_nologin.so
    auth required pam_unix.so
    auth required pam_env.so # [1]

So you would expect ssh to fall back to pam_unix.so etc.

Thanks again. Now that I have the basic functionality, I can go about customising further. Especially now that I can get ldapadd to work as it should I feel more comfortable about being able to add and modify entries etc.

I look forward to your next version of the ldap howto for Debian :-) I haven't any experience with Wiki etc. that you mention.

The real reason I wanted to get this stuff to work was so that I could try and get postfix and Courier IMAP to use it and then install Jamm. I was reading the howto at:

http://jamm.sourceforge.net/howto/single-html/mailserver.html

Which seemed like a neat way to manage a mail server even if it does provide more functionality than I need.

Also I am keen on installing JBoss and Tomcat and experimenting more with Java webapps and EJBs.

Thanks again.

Cheers.
Mark.
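
The fall-through to pam_unix.so described in the message follows from the control flags on the quoted /etc/pam.d/ssh lines. As an added example (not part of the original message), this simplified Python model evaluates that stack. It handles only the required and sufficient flags, and the per-module outcomes passed to it are constructed scenarios.

```python
# Simplified model of PAM auth-stack evaluation (assumption: only the
# "required" and "sufficient" control flags are modelled).

# The auth lines from /etc/pam.d/ssh as quoted in the message.
SSH_AUTH_STACK = """\
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # [1]
"""

def parse_stack(text):
    """Return [(control, module)] for each auth line, ignoring comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1] not in ("required", "sufficient"):
            raise ValueError("control flag not modelled: " + fields[1])
        stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module name -> True (success) or False (failure).
    Returns (granted, modules_run)."""
    required_failed = False
    success_seen = False
    ran = []
    for control, module in stack:
        ok = outcome[module]
        ran.append(module)
        success_seen = success_seen or ok
        if control == "sufficient":
            # Success ends the stack at once, unless a required module
            # already failed. Failure of a sufficient module is ignored.
            if ok and not required_failed:
                return True, ran
        elif not ok:
            # A required failure denies access, but later modules still run.
            required_failed = True
    return success_seen and not required_failed, ran

if __name__ == "__main__":
    stack = parse_stack(SSH_AUTH_STACK)
    base = {"pam_nologin.so": True, "pam_env.so": True}
    # Constructed scenarios: LDAP password, system password, wrong password.
    print(evaluate(stack, {**base, "pam_ldap.so": True, "pam_unix.so": False}))
    print(evaluate(stack, {**base, "pam_ldap.so": False, "pam_unix.so": True}))
    print(evaluate(stack, {**base, "pam_ldap.so": False, "pam_unix.so": False}))
```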