Steve James wrote:
> Those instructions look sane to me. I've never messed with 'bind_policy'
> before.
>
> Make sure you shut down nscd when fiddling with this stuff. It's a sod for
> tricking you into false assumptions. Keep it shut down until everything is
> stable.
>
> I recommend a simpler ldap.conf. You can make do with only three lines:-
>
> base dc=somedomain,dc=homelinux,dc=org
> uri ldap://officeserver.somedomain.homelinux.org/
> ldap_version 3
>
> I note that you have both 'host' and 'uri' fields set. Don't do that!
>

Ahh, I see.

> I wouldn't bind as 'root'. Use a dedicated LDAP admin account, say 'admin',
> with a unique password. Beware that any client workstation administrator can
> see this password.
>

Okay. Got to work that out now. In phpldapadmin I have three users under the Users ou: rob, admin and joe.bloggs. Although I presume it's not here that I should be specifying users?

I did manage to get a bit further; turns out the password I was putting in ldap.secret was wrong. I managed to extract the password out of the phpldapadmin config files, but again that's using the root account.

> Unless you require a user to be able to make a change to her password from the
> client workstation, I wouldn't bind with admin privileges at all. You can
> then dispense with /etc/ldap.secret and you can be sure that the LDAP
> database can only be modified centrally. I let users change password using
> Usermin running on the LDAP server (or it could be on a separate, privileged
> machine)

The server actually has a web interface for changing passwords, which is handy. However, I did try taking out the authentication but it didn't seem to accept it. Strange thing is that Thunderbird will pick up entries from LDAP when I use a basedn of dn=somedomain,dn=homelinux,dn=org

> If getent(1) returns a valid entry, then your libnss has bound to LDAP OK. You
> should also find that file ownerships (ls -l) are correctly reported. But if
> you can't log in, PAM isn't binding.
> What's in /var/log/auth.log?
>

Well, when I log in as a local user getent was working okay. It wasn't authenticating; not sure if this was because I was using the root account or what. I then tried logging on, which worked to a point: I could log in, the home directory was created, but it would log out straight away. The .xsession-errors file mentioned something about user ??? not existing. Trying to log in to the console itself would allow me to log in (after I did a symbolic link from /bin/bash to /usr/bin/rssh) but it would complain about group 500 and 5000 and then come up with something like:

I have no name!@testbox:/$

> You can serve {crypt} or {md5} (and others) from your LDAP database and of
> course PAM must correspond. I recommend the phpldapadmin package for
> adjusting the database via a web page. It also has a password verifier
> feature where you can check if the password hash in the database matches a
> password you enter.

Cool, I'll have a play with that. I'm just worried about making too many changes. The server is based on CentOS and from what I understand the group numbering is different to Ubuntu? I can't help but think it would have made life easier using Ubuntu on the server and desktop, but this server has got everything with a nice web interface which makes it easier for the users to administer when I'm not around.

> I have the working configuration files in a backup. I can root them out if
> you're still stuck.

Cool, thanks. I'll have another play and let you know how it goes.

> Good luck,
> Steve.
>

Rob

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
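As an added example (not from either poster), this small POSIX sh lint checks a client ldap.conf for the points raised in the thread: both 'host' and 'uri' set, a missing 'ldap_version 3', a privileged rootbinddn that keeps its password in /etc/ldap.secret, binding as the directory root, and a base written with 'dn=' instead of 'dc='. The two sample files are constructed here; the hostnames and DNs are the ones quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the thread: lint an nss_ldap/pam_ldap client
# ldap.conf for the problems discussed above. Sample files are constructed.

# Emit one finding and count it (findings is reset per check_ldap_conf call).
flag() { echo "$CONF: $1"; findings=$((findings + 1)); }

# First value of directive $1 (directive names are case-insensitive), or empty.
get() { printf '%s\n' "$cleaned" | awk -v k="$1" 'tolower($1)==k {print $2; exit}'; }

# Check the file named in $1. Returns 0 when clean, 1 when anything was flagged.
check_ldap_conf() {
    CONF="$1"; findings=0
    # Strip comments and blank lines so only "directive value" lines remain.
    cleaned=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$CONF")
    base=$(get base); uri=$(get uri); host=$(get host); ver=$(get ldap_version)

    [ -z "$base" ] && flag "no 'base': lookups have no search root"
    # A DN is built from attribute=value pairs; 'dn' is not an attribute type.
    case "$base" in dn=*|*,dn=*) flag "base uses 'dn=' components; expected 'dc='";; esac
    [ -n "$host" ] && [ -n "$uri" ] && flag "both 'host' and 'uri' set; keep only 'uri'"
    [ -z "$host" ] && [ -z "$uri" ] && flag "no server named: add 'uri ldap://server/'"
    [ "$ver" != "3" ] && flag "'ldap_version 3' missing"
    # rootbinddn makes lookups bind with the password kept in /etc/ldap.secret,
    # which any local administrator of the workstation can read.
    [ -n "$(get rootbinddn)" ] && flag "rootbinddn set: privileged bind from the client"
    for dn in "$(get binddn)" "$(get rootbinddn)"; do
        case "$dn" in cn=root,*|*,cn=root,*) flag "binds as the directory root account";; esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed samples: the three-line config from the thread, and a client
# that repeats the mistakes discussed (host+uri, 'dn=' base, root bind).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
base dc=somedomain,dc=homelinux,dc=org
uri ldap://officeserver.somedomain.homelinux.org/
ldap_version 3
EOF
cat > "$BAD_CONF" <<'EOF'
host officeserver.somedomain.homelinux.org
uri ldap://officeserver.somedomain.homelinux.org/
base dn=somedomain,dn=homelinux,dn=org
rootbinddn cn=root,dc=somedomain,dc=homelinux,dc=org
EOF

if check_ldap_conf "$GOOD_CONF"; then echo "good config: clean"; fi
if ! check_ldap_conf "$BAD_CONF"; then echo "bad config: fix the findings above"; fi
```

Run it against /etc/ldap.conf (or /etc/libnss-ldap.conf and /etc/pam_ldap.conf on Debian-style systems) with nscd stopped, so that getent(1) results reflect the file you just edited.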