Slackware 13.37 + NSS_LDAP; i can getent and su to user from root,but not usr 2 usr?

pdean712 · 07-28-2011, 11:25 AM

Hi everybody, i have a Slackware LDAP server working fine, i can connect to it with a redhat client just fine. I also have a Slackware client that i want to get working, it is a fresh install of 13.37 with a nss_ldap package installed, i have the /etc/ldap.conf configured correctly and nsswitch.conf with ldap before files on the passwd,shadow,and group. I can su to my 2 ldap test users when i am root, but i cant switch from user to user, i get Authentication Failed....any ideas? thanks alot.

---------- Post added 07-28-11 at 11:26 AM ----------

sorry, i forgot to mention that getent passwd retrieves the 2 ldap users information correctly.

Dinithion · 07-29-2011, 07:22 AM

Did you follow a particular guide when configuring your client? I have never used slackware as a client, because I thought the lack of pam in slack would need a little touch of good old know how to install.

pdean712 · 07-29-2011, 08:56 AM

Hi, thanks for the reply, no i didnt follow a particular tutorial just took something from every tutorial i read. Im whondering now if it is impossible to login to a LDAP user without pam?

Dinithion · 07-29-2011, 09:15 AM

According to Alien Bob it's not necessary to use pam with ldap, however, the tutorial he is refering to, is no longer existing. But there might be others laying around.

Also, this was for slackware 9.0, things might have changed, but I guess the principle will still work.

pdean712 · 07-29-2011, 03:21 PM

Hi, thanks for the reply Dinithon!, the nss_ldap package i installed was by alien. If anyone knows what i am missing i would really appreciate it, Thanks everyone!

NyteOwl · 07-30-2011, 03:00 PM

The FAQ entry AlienBOB is referring to is below.

Code:

How can I authenticate a Slackware client against an LDAP server without PAM?

    If you've read above, you know that Slackware doesn't support PAM,
    but the most common way of configuring a linux client to authenticate
    against an LDAP server is to use PAM.  What to do?

    Well, one method is to use the nss_ldap software provided by PADL
    (http://www.padl.com).  You'll need to obtain and install the
    software yourself, but it's a lot easier than installing PAM.
    The basic procedure follows:

    - Install nss_ldap on the client.
    [FIX ME: some LDAP directories can be configured to permit anonymous
             binding for the purpose of authenticating users.  The
             following steps should not be necessary in those cases]
    [--------------------------------------------------------------]
    - Obtain from your LDAP server admin an LDAP account that has the
      ability to read (at least, write is helpful) all of the appropriate
      login information.  In particular, this account must have at least
      read access to the userPassword attribute of all accounts to be used
      on the Slackware client.
    - Configure this DN in ldap.conf as rootbinddn.
    - Create a file, /etc/ldap.secret, and add the rootbinddn's password
      (cleartext!) to the first line of the file.  Add a trailing newline
      to the password.
    [--------------------------------------------------------------]
    - Modify /etc/nsswitch.conf to authenticate against LDAP.  You'll
      probably want to modify at least passwd, group, and shadow.  It's
      best to add ldap after the files entry for each database (or in an
      appropriate order, if you use things like nis).  (Personally, I don't
      recommend using compat mode if also using nis or ldap.)

    That's all you should need to do - no restarting of daemons should be
    needed.

The entire FAQ can now be found at: http://www.therockgarden.ca/aolsfaq.txt as referenced from the root of the old faq site.

pdean712 · 07-30-2011, 07:36 PM

Nyte Owl thanks alot man!, im about to go fishing right now but i will try it when i get back, thanks for your input , very informative!

m-h · 08-07-2011, 07:55 AM

PAM is definitely not needed. But beware of running the LDAP server and nss_ldap on the same machine, as this could make udev to fail when booting (see http://www.linuxquestions.org/questi...nymore-817791/).

Personally I switched from nss_ldap to nss-pam-ldapd a while ago, because it has some advantages over nss_ldap (see http://arthurdejong.org/nss-pam-ldapd/) and I highly recommmend to give it a try.

Although the name suggests it, it doesn't require PAM. There's no package availabe, but a simple "./configure --disable-pam --mandir=/usr/man;make;make install" will do.

Mike

pdean712 · 08-08-2011, 10:41 PM

Ok thanks Mike, ill try that in the morning, im currently working on Active Directory scenario for class :/. Thanks!