Hello, all. We have just started to explore Debian Lenny as a platform and have been delightfully impressed; however, we're hitting a problem using LDAP authentication that we have not experienced in RedHat or Ubuntu. We do not allow anonymous LDAP queries but rather configure /etc/pam_ldap.conf with a binddn and bindpw.

Our LDAP queries are failing and, when we look at the access logs on our CentOS Directory Server 8.1, we see the binddn is empty:

  [10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
  [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

pam_ldap.conf looks like this:

  base dc=ssiservices,dc=biz
  uri ldap://ldap02.ssiservices.biz/
  ldap_version 3
  binddn uid=someid,dc=ssiservices,dc=biz
  bindpw somelongpassword
  #rootbinddn cn=manager,dc=padl,dc=com

We have disabled SSL for now.

nsswitch.conf looks like:

  passwd: files ldap
  group: files ldap
  shadow: files ldap

We could very likely have a missing package. This is a vserver and they install a very skeleton base system. For example, the system initially did not query at all until we realized we needed to install passwd. This is an X2Go print server (hopefully many desktops to come immediately after!), so we have installed:

  apt-get install locales less joe cups-x2go openssh-client cups foomatic-db-gutenprint gutenprint-locales openprinting-ppds cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl libnss-ldap libpam-ldap nscd libpam-cracklib passwd

Here is how we set up pam and nscd:

edit /etc/pam.d/common-account to read:

  account required pam_unix.so
  account sufficient pam_succeed_if.so uid < 1000 quiet
  account [default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_permit.so

edit /etc/pam.d/common-session so it reads:

  session required pam_limits.so
  session required pam_unix.so
  session optional pam_ldap.so

edit /etc/pam.d/common-password so it reads:

  password sufficient pam_ldap.so
  password required pam_unix.so nullok obscure md5
  password required pam_deny.so

edit /etc/pam.d/common-auth so it reads:

  auth sufficient pam_unix.so nullok_secure
  auth requisite pam_succeed_if.so uid >= 1000 quiet
  auth sufficient pam_ldap.so use_first_pass
  auth required pam_deny.so

Edit /etc/nscd.conf to change the group positive cache limit (positive-time-to-live) to 600 seconds from the default 3600.

We've restarted the vserver several times to be sure. Even something as simple as id <some user> fails and we see the empty DN. If we download ldap-utils and do an ldapsearch, queries succeed using the parameters given above in pam_ldap.conf. An almost identical setup works in both CentOS 5.0.4 and Ubuntu Hardy.

What is different with Debian and what did we do wrong? Any help would be greatly appreciated as I've lost days tracking this down with no answer.

Thanks - John
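The access-log excerpt in the post can be checked mechanically rather than by eye. As an added example, not from John's post or from the Directory Server project, this Python parses access-log lines in the format shown and lists connections that bound with an empty DN (an anonymous bind) and then ran searches, together with the client address; the second connection in the embedded sample is constructed to show an authenticated bind for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the CentOS Directory Server access-log format quoted in the post.
# conn=52684 is the anonymous bind from the post; conn=52685 is an invented authenticated bind.
SAMPLE_LOG = """\
[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:48 -0500] conn=52685 fd=75 slot=75 connection from 172.29.2.9 to 172.30.10.49
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 BIND dn="uid=someid,dc=ssiservices,dc=biz" method=128 version=3
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=someid,dc=ssiservices,dc=biz"
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs=ALL
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')

def parse_access_log(text):
    """Group log lines by connection: client address, bind DN, and each search with its hit count."""
    conns = defaultdict(lambda: {"src": None, "bind_dn": None, "searches": []})
    for line in text.splitlines():
        if m := CONN_RE.search(line):
            conns[m.group(1)]["src"] = m.group(2)
        elif m := BIND_RE.search(line):
            conns[m.group(1)]["bind_dn"] = m.group(3)  # "" means an anonymous simple bind
        elif m := SRCH_RE.search(line):
            conns[m.group(1)]["searches"].append({"op": m.group(2), "filter": m.group(3), "nentries": None})
        elif (m := RESULT_RE.search(line)) and m.group(4) == "101":
            # tag=101 is a search result; attach nentries to the search with the same op number
            for s in conns[m.group(1)]["searches"]:
                if s["op"] == m.group(2):
                    s["nentries"] = int(m.group(5))
    return dict(conns)

def anonymous_searches(conns):
    """Connections that bound with an empty DN and then searched: (conn id, client, search count)."""
    return sorted((cid, c["src"], len(c["searches"]))
                  for cid, c in conns.items() if c["bind_dn"] == "" and c["searches"])

if __name__ == "__main__":
    for cid, src, n in anonymous_searches(parse_access_log(SAMPLE_LOG)):
        print(f"conn={cid} from {src}: anonymous bind followed by {n} search(es)")
```

Run against a real access log, the output points at which client hosts are issuing unauthenticated lookups, which is what a server that refuses anonymous queries will answer with nentries=0.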