LDAP Beginner

dave9191 · 07-02-2009, 06:51 AM

Hey guys,

First of all if this has already been heavily discussed and I havent found it, I apologise.

I've been given the fun task of sorting out LDAP. If there is something easier, then please point me in the right direction. There are 20 servers and 5 developers who need a login and password for each. So from what I have read, we need an LDAP server and we need to configure PAM for the login on each machine.

So I've tried that and failed.

I have a LDAP server with some logins in place, and I have configured a single machine with PAM to fetch those logins. And if you do 'getent passwd' the logins are fetched from the LDAP server and listed, but it wont let those users login. When I tried to configure PAM on another machine its not even getting the users from the LDAP server.

So clearly I have done something stupid somewhere. And I dont really know what to do next. I have read through many guides and they haven't really helped.

1) Is the information protected in the LDAP server with a username and password, or can anyone query it as long as they know where the server is?

2) How can I check that the admin password I set work? typing ldapsearch on the machine with the ldap server asks for a password, but the admin password never works.

3) How can I check that the passwords for the users work that I created using slappasswd? I guess that it sort of threw me of balance when I noticed that generating the same password with this command gave different resulting strings. But I guess they are being salted as they are hashed.

I am using Ubuntu 8.04 LTS Server install on all the machines.

I guess if you can help me with these few questions at first, it might help me to get somewhere.

Many thanks,

--
Dave

nowonmai · 07-02-2009, 07:02 AM

You shouldn't require a password to search the ldap, otherwise how would anyone log in?
You can limit the extent of the tree that is accessible anonymously to just the users.

You should get your hands on an ldap browser... it's much handier than commandline access, and seeing the ldap database visually really helps your understanding of the structure. JXplorer is pretty good. Do apt-cache search jxplorer to see if it's un the Ubuntu repos.

kenneho · 07-03-2009, 08:30 AM

If "getent password" works, it seem to me like PAM is not configured correctly. What does /var/log/secure when you try to log in? What does SSH say when it don't let you in?

Btw, I'm definately not an expert on this, so don't trust my ldap debugging skills to be of any help.