ldap auth with nss_ldap on FC4

Uno Engborg uno at webworks.se
Sun Jun 26 21:41:05 UTC 2005


Gordon Messmer wrote:

> Uno Engborg wrote:
>
>> Yes, I have similar problems. I can use LDAP to authenticate users 
>> but they can't change password.
>
>
> I used the "system-config-authentication" tool (actually, its 
> equivalent during the installation) to configure LDAP user info and 
> authentication, which works as it should.
>
>> If I uncomment the rootbinddn line, authentication fails.
>
>
> You normally don't need it, so I'd suggest that you use the included 
> config tools to set up a working client configuration, and then decide 
> whether or not you have a need for that option.


If you do that, the passwd command will not work, at least not for root.

>
>
>> The /etc/openldap/slapd.conf looks like this:
>>
>> include         /etc/openldap/schema/core.schema
>> include         /etc/openldap/schema/cosine.schema
>> include         /etc/openldap/schema/inetorgperson.schema
>> include         /etc/openldap/schema/nis.schema
>> allow bind_v2
>> pidfile         /var/run/slapd.pid
>> argsfile        /var/run/slapd.args
>> access to dn.base="" by * read
>> access to dn.base="cn=Subschema" by * read
>> access to *
>>        by self write
>>        by users read
>>        by anonymous auth
>
>
> Whoa... Hold up there.  If you let users write to their uid and gid 
> attributes, "Bad Things(tm)" can happen.  Be specific about what you 
> want users to be able to change, do not use wildcards for write access.

You are quite right, I merely used it as proof of concept.
I suppose I should have pointed that out, so that nobody is fooled into 
using it for something critical.

>
>> My /etc/ldap.secret is readable and writable by the user ldap, and 
>> only by that user.
>
>
> If you want to pursue getting "rootbinddn" working after using the 
> config tools, that file should be owned and readable only by root.

Tried to change ownership to root, but that makes no difference.

>
>> This worked perfectly with the same settings on FC3. Any idea what 
>> has changed?
>
>
> I'm not sure, but selinux might be preventing root from reading files 
> that it doesn't own.
>
No, I have tested turning SELinux off, and it still doesn't work.

If I do "passwd uengborg" as root I get:

Enter login(LDAP) password:
New UNIX password:
Retype Unix password:
LDAP password information update failed: Can't contact LDAP server

passwd: Permission denied



/uno
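Added example of the attribute-specific ACL Gordon recommends above, in place of the wildcard "access to * by self write" from the quoted slapd.conf. This is not from the original thread or from anyone's real configuration; the manager DN and suffix are placeholders.

```conf
# Constructed slapd.conf ACL fragment (not from the thread).
# Assumed placeholder DNs: cn=Manager,dc=example,dc=com / dc=example,dc=com.
# Note: the rootdn configured in slapd.conf bypasses ACLs entirely, so if
# rootbinddn in ldap.conf is that DN it needs no explicit "by dn" lines.

# Credentials: users may set their own password; the manager may reset it;
# anyone may use it to bind, but nobody can read the hashes.
access to attrs=userPassword
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# pam_ldap updates shadowLastChange on a password change, so the user
# needs write access to it; keeping it readable lets nss_ldap see aging.
access to attrs=shadowLastChange
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by self write
        by * read

# Harmless self-service attributes: shell and GECOS only.
access to attrs=loginShell,gecos
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by self write
        by * read

# Everything else (uid, uidNumber, gidNumber, homeDirectory, group
# membership ...) is read-only for users. The wildcard rule in the quoted
# config would have let a user set uidNumber to 0 for their own entry.
access to *
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by * read
```

Rules are evaluated in order and the first "access to" clause whose target matches wins, so the password rule must come before the catch-all.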