On Wed, 2010-02-10 at 21:30 +0100, Predrag Gavrilovic wrote:
> I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf.
> That's what's used when lookup is done by process with effective user
> id is 0.

Hmm . . . we intentionally don't want to do that and Ubuntu works
without it. We activated it anyway and restarted the vserver to test but
received the same results:

[10/Feb/2010:16:02:17 -0500] conn=64962 fd=65 slot=65 connection from 172.29.1.253 to 172.30.10.49
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=messagebus))" attrs=ALL
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=messagebus))" attrs="gidNumber"
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

>
>
> On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III
> <jsulli...@opensourcedevel.com> wrote:
> > Hello, all. We have just started to explore Debian Lenny as a platform
> > and have been delightfully impressed however we're hitting a problem
> > using LDAP authentication that we have not experienced in RedHat or
> > Ubuntu. We do not allow anonymous LDAP queries but rather
> > configure /etc/pam_ldap.conf with a binddn and bindpw.
> >
> > Our LDAP queries are failing and, when we look at the access logs on our
> > CentOS Directory Server 8.1, we see the binddn is empty:
<snip>
> > We could very likely have a missing package. This is a vserver and they
> > install a very skeleton base system. For example, the system initially
> > did not query at all until we realized we needed to install passwd.
> > This is an X2Go print server (hopefully many desktops to come
> > immediately after!) so we have installed:
> >
> > apt-get install locales less joe cups-x2go openssh-client cups
> > foomatic-db-gutenprint gutenprint-locales openprinting-ppds
> > cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
> > libnss-ldap libpam-ldap nscd libpam-cracklib passwd
> >
<snip>

I'm wondering if there is a missing service rather than a missing file.
What service or daemon would fill in that information? We aggressively
strip out unnecessary services from our vservers, especially any having
to do with the hardware. This is from our internal documentation:

Clean up the rc directories:

cd /etc
rm rc*.d/*kdm
rm rc*.d/*dirmngr
rm rc*.d/*fancontrol
rm rc*.d/*lisa
rm rc*.d/*rsync
rm rc*.d/*saned
rm rc*.d/*avahi-daemon
rm rc*.d/*portmap
rm rc*.d/*hpoj
rm rc*.d/*lpd
rm rc*.d/*libchipcard-tools
rm rc*.d/*stop-bootlogd
rm rc*.d/*winbind
rm rc*.d/*hwclock.sh
rm rc*.d/*mountoverflowtmp
rm rc*.d/*urandom
rm rc*.d/*umountnfs.sh
rm rc*.d/*networking
rm rc*.d/*ifupdown
rm rc*.d/*umountfs
rm rc*.d/*umountroot
rm rc*.d/*binfmt-support
cd rcS.d
rm *udev
rm *hdparm
rm *pppd-dns
rm *lm-sensors
rm S05bootlogd
rm S01glibc.sh
rm S02hostname.sh
rm S02mountkernfs.sh
rm S04mountdevsubfs.sh
rm S08hwclockfirst.sh
rm S10checkroot.sh
rm S11hwclock.sh
rm S12mtab.sh
rm S18ifupdown-clean
rm S20module-init-tools
rm S30checkfs.sh
rm S30procps
rm S35mountall.sh
rm S36mountall-bootclean.sh
rm S36udev-mtab
rm S37mountoverflowtmp
rm S39ifupdown
rm S40networking
rm S45mountnfs.sh
rm S46mountnfs-bootclean.sh
rm S55bootmisc.sh
rm S55urandom
rm S99stop-bootlogd-single

> > We've restarted the vserver several times to be sure. Even something as
> > simple as id <some user> fails and we see the empty DN. If we download
> > ldap-utils and do an ldapsearch, queries succeed using the parameters
> > given above in pam_ldap.conf. An almost identical setup works in both
> > CentOS 5.0.4 and Ubuntu Hardy. What is different with Debian and what
> > did we do wrong? Any help would be greatly appreciated as I've lost days
> > tracking this down with no answer. Thanks - John
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmas...@lists.debian.org
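Added example, not part of the original thread or of any project's code: a small Python parser for the Directory Server access-log format quoted above that groups lines by conn= and reports every SRCH issued while the connection's bind DN was empty, which is how to confirm from the server side whether a client is really using its binddn. The conn=70001 lines, the 192.0.2.10 address and the example.com DNs are constructed for contrast; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: the conn=64962 lines are the ones quoted in the thread;
# the conn=70001 lines are constructed to show an authenticated connection.
SAMPLE_LOG = '''\
[10/Feb/2010:16:02:17 -0500] conn=64962 fd=65 slot=65 connection from 172.29.1.253 to 172.30.10.49
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=messagebus))" attrs=ALL
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=messagebus))" attrs="gidNumber"
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[10/Feb/2010:16:02:18 -0500] conn=70001 fd=66 slot=66 connection from 192.0.2.10 to 172.30.10.49
[10/Feb/2010:16:02:18 -0500] conn=70001 op=0 BIND dn="uid=proxy,dc=example,dc=com" method=128 version=3
[10/Feb/2010:16:02:18 -0500] conn=70001 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[10/Feb/2010:16:02:18 -0500] conn=70001 op=1 RESULT err=0 tag=101 nentries=1 etime=0
'''

LINE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
CLIENT = re.compile(r'connection from (\S+) to \S+')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH = re.compile(r'^SRCH base="[^"]*" scope=\d+ filter="(?P<filter>.*?)" attrs=')
RESULT = re.compile(r'^RESULT err=\d+.*?nentries=(\d+)')

def anonymous_searches(log_text):
    """Return (conn, client, filter, nentries) for each SRCH issued while the
    connection's bind DN was empty (no BIND at all also counts as anonymous)."""
    client, bind_dn, hits = {}, defaultdict(str), {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if op is None and (c := CLIENT.search(rest)):
            client[conn] = c.group(1)
        elif (b := BIND.match(rest)):
            bind_dn[conn] = b['dn']  # a rebind changes identity mid-connection
        elif (s := SRCH.match(rest)) and bind_dn[conn] == '':
            hits[(conn, op)] = [conn, client.get(conn, '?'), s['filter'], None]
        elif (r := RESULT.match(rest)) and (conn, op) in hits:
            hits[(conn, op)][3] = int(r.group(1))  # entries actually returned
    return [tuple(h) for h in hits.values()]

if __name__ == "__main__":
    for hit in anonymous_searches(SAMPLE_LOG):
        print(hit)
```

An anonymous search with nentries=0 and err=0, as in the quoted log, means the server accepted the bind but returned nothing to it, which the client sees as the user not existing.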