ldap auth with nss_ldap on FC4
Uno Engborg
uno at webworks.se
Sun Jun 26 21:41:05 UTC 2005
Gordon Messmer wrote:
> Uno Engborg wrote:
>
>> Yes, I have similar problems. I can use LDAP to authenticate users
>> but they can't change
>> password.
>
>
> I used the "system-config-authentication" tool (actually, its
> equivalent during the installation) to configure LDAP user info and
> authentication, which works as it should.
>
>> If I uncomment the rootbinddn line, authentication fails.
>
>
> You normally don't need it, so I'd suggest that you use the included
> config tools to set up a working client configuration, and then decide
> whether or not you have a need for that option.
If you do that, the passwd command will not work, at least not for root.
>
>
>> The /etc/openldap/slapd.conf looks like this:
>>
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> allow bind_v2
>> pidfile /var/run/slapd.pid
>> argsfile /var/run/slapd.args
>> access to dn.base="" by * read
>> access to dn.base="cn=Subschema" by * read
>> access to *
>> by self write
>> by users read
>> by anonymous auth
>
>
> Whoa... Hold up there. If you let users write to their uid and gid
> attributes, "Bad Things(tm)" can happen. Be specific about what you
> want users to be able to change, do not use wildcards for write access.
You are quite right, I merely used it as a proof of concept.
I suppose I should have pointed that out, so that nobody is fooled into
using it for something critical.
>
>> My /etc/ldap.secret is readable and writable by the user ldap, and
>> only by that user.
>
>
> If you want to pursue getting "rootbinddn" working after using the
> config tools, that file should be owned and readable only by root.
Tried to change ownership to root, but that makes no difference.
>
>> This worked perfectly with the same settings on FC3. Any idea what
>> has changed?
>
>
> I'm not sure, but selinux might be preventing root from reading files
> that it doesn't own.
>
No, I have tested turning SELinux off, and it still doesn't work.
If I do "passwd uengborg" as root I get:
Enter login(LDAP) password:
New UNIX password:
Retype Unix password:
LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied
/uno
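As an added illustration of the ACL point Gordon raises above (this is not from the thread or from either poster): the posted `access to * ... by self write` rule lets any user rewrite their own uidNumber and gidNumber, so the fragment below keeps logins and the `passwd` path working while confining self-write to the password attributes. It assumes the rootbinddn in /etc/ldap.secret is slapd's rootdn, which bypasses ACLs; if it is an ordinary entry, it needs an explicit `by dn="..." write` clause in both rules.

```conf
# Added example (not the original poster's config): slapd.conf ACLs that
# keep the proof-of-concept usable but stop users from editing their own
# uidNumber/gidNumber.
#
# The rule from the original post, for comparison:
#   access to *
#       by self write        # a user can set uidNumber to 0
#       by users read
#       by anonymous auth

# Password attributes: the owner may change them (pam_ldap also updates
# shadowLastChange after a password change), anonymous binds may only
# use them to authenticate, and nobody else can read the hashes.
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none

# Everything else (uidNumber, gidNumber, homeDirectory, ...) is read-only
# for authenticated users and hidden from anonymous binds, as in the
# original rule, but without the wildcard self-write.
access to *
    by users read
    by * none
```

Rule order matters: slapd uses the first `access to` clause whose target matches, so the attrs= rule must come before the `access to *` rule.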