I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf. That's what's used when the lookup is done by a process whose effective user id is 0.
On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III <jsulli...@opensourcedevel.com> wrote:
> Hello, all. We have just started to explore Debian Lenny as a platform
> and have been delightfully impressed; however, we're hitting a problem
> using LDAP authentication that we have not experienced in RedHat or
> Ubuntu. We do not allow anonymous LDAP queries but rather
> configure /etc/pam_ldap.conf with a binddn and bindpw.
>
> Our LDAP queries are failing and, when we look at the access logs on our
> CentOS Directory Server 8.1, we see the binddn is empty:
>
> [10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>
> pam_ldap.conf looks like this:
>
> base dc=ssiservices,dc=biz
> uri ldap://ldap02.ssiservices.biz/
> ldap_version 3
> binddn uid=someid,dc=ssiservices,dc=biz
> bindpw somelongpassword
> #rootbinddn cn=manager,dc=padl,dc=com
>
> We have disabled SSL for now.
>
> nsswitch.conf looks like:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> We could very likely have a missing package. This is a vserver and they
> install a very skeleton base system. For example, the system initially
> did not query at all until we realized we needed to install passwd.
> This is an X2Go print server (hopefully many desktops to come
> immediately after!) so we have installed:
>
> apt-get install locales less joe cups-x2go openssh-client cups
> foomatic-db-gutenprint gutenprint-locales openprinting-ppds
> cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
> libnss-ldap libpam-ldap nscd libpam-cracklib passwd
>
> Here is how we set up pam and nscd:
>
> edit /etc/pam.d/common-account to read:
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> edit /etc/pam.d/common-session so it reads:
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_ldap.so
>
> edit /etc/pam.d/common-password so it reads:
> password sufficient pam_ldap.so
> password required pam_unix.so nullok obscure md5
> password required pam_deny.so
>
> edit /etc/pam.d/common-auth so it reads:
> auth sufficient pam_unix.so nullok_secure
> auth requisite pam_succeed_if.so uid >= 1000 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> Edit /etc/nscd.conf to change the group positive cache limit
> (positive-time-to-live) to 600 seconds from the default 3600.
>
> We've restarted the vserver several times to be sure. Even something as
> simple as id <some user> fails and we see the empty DN. If we download
> ldap-utils and do an ldapsearch, queries succeed using the parameters
> given above in pam_ldap.conf. An almost identical setup works in both
> CentOS 5.0.4 and Ubuntu Hardy. What is different with Debian and what
> did we do wrong? Any help would be greatly appreciated as I've lost days
> tracking this down with no answer. Thanks - John
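An added example, not code from the thread: a small Python parser for access-log lines in the format John quoted. It groups operations by connection and flags sessions that bound with an empty DN and got no search results, which is the server-side sign to check for before and after changing the bind configuration. The sample log is constructed; connection 52685 is an invented, correctly bound session included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the CentOS Directory Server 8.1 access log
# quoted in the thread; conn 52685 is an invented session that bound properly.
SAMPLE_LOG = """\
[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 BIND dn="uid=someid,dc=ssiservices,dc=biz" method=128 version=3
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=someid,dc=ssiservices,dc=biz"
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) (?:op=(\d+) )?(.*)$")

def parse_access_log(text):
    """Per connection: the DN it bound as and (filter, nentries) for each completed search."""
    conns = defaultdict(lambda: {"bind_dn": None, "searches": []})
    pending = {}  # (conn, op) -> filter of a SRCH still awaiting its RESULT line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        if rest.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', rest)
            conns[conn]["bind_dn"] = dn.group(1) if dn else ""
        elif rest.startswith("SRCH "):
            flt = re.search(r'filter="([^"]*)"', rest)
            pending[(conn, op)] = flt.group(1) if flt else ""
        elif rest.startswith("RESULT ") and (conn, op) in pending:
            n = re.search(r"nentries=(\d+)", rest)
            conns[conn]["searches"].append((pending.pop((conn, op)), int(n.group(1)) if n else 0))
    return dict(conns)

def anonymous_empty_searches(text):
    """Connections that bound with an empty DN and whose searches returned no entries:
    the trace the reply above attributes to a root-run lookup with no rootbinddn set."""
    flagged = {}
    for conn, info in parse_access_log(text).items():
        if info["bind_dn"] == "":
            empty = [f for f, n in info["searches"] if n == 0]
            if empty:
                flagged[conn] = empty
    return flagged
```

Feed it the real access log with `anonymous_empty_searches(open(path).read())`; an empty result after the change means every connection is binding with a DN.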