I’ve just authenticated my first test-user on Richard’s Mac OS X (10.2.5) box via LDAP. It worked nicely – besides the fact that the GID was not assigned correctly. I will have a look into this before I’m going to post a little tutorial here.
Stay tuned…
I know… it’s getting boring…
I just wanted to say that I’ve sucessfully fixed two problems:
pilif@sen1 ~ % passwd LDAP Password incorrect passwd: User not known to the underlying authentication module pilif@sen1 ~ %
The problem was a use_first_pass I had in the pam_ldap-line of /etc/pam.d/passwd. When changing the password, it checked the authentity with an empty password (first_pass was empty – I never ever entered one) which failed. If somebody could please tell me the log level to set in slapd.conf to actually get useful logging information describing the problem: step forward!
Oh.. both updatedn and updateref where not correctly set in the replicas slapd.conf. I’ve fixed this too.
Finally. It works. I got Richard’s OSX-Box to authenticate against my OpenLDAP server, I set up yesterday (acutually, it authenticates against the replica but this does not make any difference). Here’s what I did:<ol>
(In my explanations, I assume, your accounts have objectClasses of inetOrgPerson, posixAccount and shadowAccount).
What have I accomplished?
About the password-changing-problems, I will have a look at pam. Until then, I’m quite happy, I finally got it to work.
I really hope, someone will find this useful…
The show must go on. As our ADSL connection from the office to the internet is not that reliable, I deceided to use OpenLDAPs slurpd to replicate the LDAP tree to an internal LDAP-Server. The setup is quite well described in my LDAP-Book and it did work at the first time I tried it.
At least it sort of worked…
Although changed attributes appeared on the replica, a newly created user was not synchronized. There was no reject on the master either – the data just vanished [sidenote: why is there a replication-rejectlog if data can vanish anyway – this is not reliable behaviour at all].
Reading the syslog finally gave me the idea: The permissions of the replicas data directory where not set correctly: some of the files (and the directory istelf) belonged to root.root while slapd was running as slapd.slapd.
Now it’s working like a charm and I am looking forward to trying to authenticate richards mac against the internal LDAP-Server.
When this works, I’m going to finally convert the SAMBA-installation to a PDC and setup something to synchronize the windows-password with the unix one (both in LDAP – of course).
I’ll keep you updated on my progress…
I bought “LDAP System Administration” because I was interested in LDAP for a long time and I never really understood what one could do with it.
While the reading book is great (it lacks some details here and there, but it’s really nice to read and has very understandable explanations), putting it to work wasn’t:
What I want to acomplish is to have a central user-database for our 3 people company: Two Windows PC’s, one Linux-Router, a Mac OS X workstation, 3 Linux-Servers, my Home-PC – I want to be able to log into all of them with my one password I have in the LDAP-Server. That’s what LDAP is for anyway.
Setting up the server was done in no time (although it required some sweat because I first installed the OpenLDAP Server of debian stable but then deceided to upgrade to the current release (debian is lagging like ever) by using the server from the unstable distribution. I got it to install eventually (after purging the former installation that caused the update-script of the new installation to quit beacuse ldap-utils where not installed [side note: if a packages installation script requires tools from another package: why isn’t this dependency marked in the package?]).
Soon I’ve created my test-account, installed nss_ldap and pam_ldap and it seemd to work.
Actually it crashed my SSH-daemon as soon as I tried to log on to the machine, I could not change the password of LDAP-accounts, su did not work and login was not possible either – despite the fact I was following the clear instructions in the LDAP-Book.
The SSH-Problem got solved by updating to the latest version (uncommenting the LDAP-Support for groups in /etc/nsswitch.conf did help with the older version but this was no alternative. suing eventually began to work without me really changing anything, changing the password required me to edit /etc/pam.d/passwd despite the fact that the in-file documentation of that file states that it is not necessary. Just like the su-problem, the one with login went away eventually.
/bin/passwd requires still requires me to enter the users old password when called as root. Stupid, but can be circumvented by using a LDAP-Admin-Tool. chsh authenticates via PAM and gets the current entries correctly but tries to save back to /etc/passwd. As stupid as the thing with passwd
So the adventure is not even half completed but a day is used and I had to fight problems which are not even supposed to be existing…
Is what I am trying to do really that sophisticated that it sinply does not work? Or am I just plain stupid?
I’ll keep you updated…
gnegg 