I've been hammering at this for a while now, and I'm pretty much stumped. I would like to do LDAP Authentication to a Novell eDirectory Tree, but keep the uid, gid local to the system.

When a user logs in, it will check the passwd file and see what the users local info is (ie shell, uid, gid) but when it tries to authenticate against the md5 hash, it will instead look at the Novell eDirectory tree and do ldap authentication instead of the local shadow file.

Is this possible ? How ? I've tried everything I could think of.

My reason of doing this is I do not want to extend my tree at this point in time to contain posix account values, I would only like to authenticate against it.

Thank you,
Adrian.

Yes, this is possible. I've done it both against eDir and AD. However, I should tell you that generally eDir already has the posix attributes.

Just off the cuff, but modify your nsswitch.conf file to reference the files (passwd/group), and configure PAM to point to LDAP. Then * out the password in the /etc/passwd file

==

==

I tried this out and no luck. I setup an LDAP Search via linux just to make sure my ldap tree is working fine, and it is. These are the steps I did:

1) Edit ldap.conf
- Added the Server Name & Base Search
2) Edit nsswitch.conf
- Added passwd, shadow and group "files ldap" (to simplify the configuration)
3) Edit pam.d/login & sshd
- Added auth, account & password "sufficient pam_ldap.so debug"
4) Edit shadow
- And star'ed out the md5 password hash
5) Restarted nscd daemon

I try to ssh into the system and it fails, check the secure and message logs and just says it fails... If I could see more verbose logs maybe I could figure out what I'm doing wrong... but I would suspect "debug" in the pam configuration should enable this. Any idea ?

Kill your sshd, and restart interactively, using ./sshd -ddd

You will be able to launch one attempted ssh back into the box, and it will give you a full debug.

What does it say in the secure log? In my experience, that has been one of the most thorough logs. You'll need to see if it's telling you that it can't find the account information, or if it's a password problem. Your ldap.conf file may have the password hash misconfigured.

You are doing this against eDir, right?

Here is a document that I was using in the beginning, as well. It references Solaris and eDirectory.

http://developer.novell.com/research...02/a020602.htm

Yes, I'm doing this against eDir. I'm running version 8.6.2, which I don't think has the PosixAccount support. Or at least I don't think I have the directory extended with these attributes, I've searched high and low for the ldap attributes. I could add them, but I'm in a regulated industry, which means lots of documentation before I can do any changes. So for now I just want to authenticate against it, and make sure this works.

The secure log says :
Jul 19 15:40:33 nagios sshd[4633]: Failed password for awildang from 192.168.8.106 port 33518 ssh2

... Hrmm, can you elaborate on what you mean by the password hash may be misconfigured ?

I will take a look at the documentation you sent me as well. Thank you!

You can configure the password hash in your ldap.conf file. it says something like pam_password md5, or something of the sort.

Can you maybe explain something, because your last message got me thinking.

How does PAM authenticate against the LDAP source ? Does it actually look for a PosixAccount attribute that stores thehashed password, or does it just authenicate against the tree. The difference in the two is that one requires a tree extended with the proper attributes, the second only tries to authenticate using an existing ldap username and password.

I was under the assumption, or I thought I understood, that I can just authenticate against an existing ldap tree (ie. username and password), as this would provide me with syncronized accounts and passwords. This is what we do with some other systems here at the company, we just authenticate to our eDir tree via LDAP, if we can that means we are a valid user.

I noticed in the Novell link you sent me that it requires a "shadowAccount" for the PosixAccount, is this refering to that hashed password attribute I'm thinking of above?

I'm stilling hammering away at this... I feel I'm close... but it's so frustrating at times, when something so simple should work...

In my opinion...they are both the same thing. The difference between the two, being that you have a client with the Novell infrastructure, which permits you to simplify your thinking to just "the tree". and the context, because the client is going to look for your object, and then the password within the specified attribute.

However, to answer your question, you will configure the attribute that holds all of your posix attributes, from userPassword to uidNumber,gidNumber,homeDirectory, etc, etc.

I have succeeded in doing exactly what you want to do with RedHat 7 through 9. It has broken with Fedora 2 and I'd sure like to figure out why. My technique:
(requires nss_ldap installed)
1. Startup stunnel with a config file like this (ldap doesn't do TLS to eDir very well):
client = yes
[389]
accept = 389
connect = edirserver:636
2. Configure /etc/ldap.conf ilke this (use your base context -- not mine):
host localhost
base ou=EH,ou=STP,o=MDH
scope one
timelimit 5
bind_timelimit 5
idle_timelimit 5
pam_login_attribute cn
pam_password nds
nss_map_attribute uniqueMember member
nss_map_attribute userPassword authPassword

3. Add this line to /etc/pam.d/system-auth after auth ... pam_unix.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass

4. If you'd like to be able to change the password from the linux side, also put this line in there:
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok

That's it. It just works for me like that. NOT with Fedora Core 2 though!!! If you have Fedora Core 2 and you get it to work, please let me know!

Ger

I think I have a similar problem.

I want to use a linux to be a ftp and file server, but I want to use accounts in the netware 5 server. How can I do it?

Well, chancyrus, you should be able to follow the path I laid out above if you just want authentication. Or the others in this thread - if you've got the POSIX attributes in your tree and you want other authorization stuff controlled by nds.
You could also have pam create the account for you on the fly and just use NDS for auth as I do.

If some part of that is confusing please let me know in e-mail.

I think I found my problem with Fedora too. Took me way too long -- it seems that I got burned on the scope which needed to be "scope sub"

Thank you for your reply, gsker.

I have try the setting you mentioned , however I can't make it work.
Should I make some changes on the setting of the novell 5.1 server?