# LDAP, almost there

## xinman

OK, I'm setting up an LDAP server.

I've got it set up, with a new user that exists only in LDAP, not on the local system.

If I try to log into the console (local machine) with that username and password, it works; the home directory was created and all.

If I try to log into the machine using ssh, it says access denied, but I don't know why.

This is what my log says...

```
Apr  9 14:07:40 cerebrum slapd[9017]: conn=2330 fd=22 ACCEPT from IP=127.0.0.1:35887 (IP=0.0.0.0:389)
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=0 BIND dn="" method=128
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=0 RESULT tag=97 err=0 text=
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=test))"
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  9 14:07:42 cerebrum slapd[9019]: conn=2330 op=2 SRCH base="ou=People,dc=domain,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=test))"
Apr  9 14:07:42 cerebrum slapd[9019]: conn=2330 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Apr  9 14:07:42 cerebrum slapd[9019]: conn=2330 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  9 14:07:42 cerebrum slapd[15215]: conn=2330 op=3 SRCH base="ou=People,dc=domain,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=test))"
Apr  9 14:07:42 cerebrum slapd[15215]: conn=2330 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Apr  9 14:07:42 cerebrum slapd[15215]: conn=2330 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  9 14:07:42 cerebrum sshd[18616]: Failed password for test from 192.168.1.101 port 2102 ssh2
```

Anybody have any thoughts?
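An added example (editor's code, not part of the original post) that reads slapd/sshd lines in the format shown above and tells the two failure modes apart: the directory not knowing the user at all, versus the NSS lookups succeeding while no BIND as the user's DN (the step in which pam_ldap checks the password) ever reaches slapd. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample, reusing the slapd/sshd line formats from the post (NSS lookups
# succeed, an anonymous BIND is the only bind, then sshd rejects the password).
SAMPLE_LOG = """\
Apr  9 14:07:40 cerebrum slapd[9017]: conn=2330 fd=22 ACCEPT from IP=127.0.0.1:35887 (IP=0.0.0.0:389)
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=0 BIND dn="" method=128
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=0 RESULT tag=97 err=0 text=
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=test))"
Apr  9 14:07:40 cerebrum slapd[9020]: conn=2330 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  9 14:07:42 cerebrum sshd[18616]: Failed password for test from 192.168.1.101 port 2102 ssh2
"""

BIND_RE = re.compile(r'slapd\[\d+\]: conn=\d+ op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SRCH .*\(uid=([^)]+)\)')
SRES_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)')
SSHD_RE = re.compile(r'sshd\[\d+\]: Failed password for (\S+) from (\S+)')

def analyze(log_text):
    """For each sshd password failure, report what slapd saw for that uid."""
    bind_dns, searches, found, failures = [], {}, set(), []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bind_dns.append(m.group(1))            # "" means an anonymous bind
        elif m := SRCH_RE.search(line):
            searches[(m.group(1), m.group(2))] = m.group(3)   # (conn, op) -> uid in filter
        elif m := SRES_RE.search(line):
            uid = searches.get((m.group(1), m.group(2)))
            if uid and m.group(3) == "0" and int(m.group(4)) > 0:
                found.add(uid)                     # the directory does know this user
        elif m := SSHD_RE.search(line):
            failures.append((m.group(1), m.group(2)))
    report = {}
    for uid, src in failures:
        # pam_ldap checks a password by binding as the user's own DN; that BIND must be logged
        # by slapd if the check ever reached the directory.
        user_bind = any(f"uid={uid.lower()}," in dn.lower() for dn in bind_dns)
        if uid not in found:
            why = "slapd never returned an entry for this uid; check nss_base_* and pam_filter"
        elif not user_bind:
            why = ("slapd returned the entry but logged no BIND as the user's DN, so the "
                   "password was never checked against LDAP; look at the sshd/PAM client side")
        else:
            why = "a BIND as the user's DN reached slapd; its RESULT err= carries the verdict"
        report[uid] = {"source": src, "found_in_ldap": uid in found,
                       "user_bind_seen": user_bind, "diagnosis": why}
    return report

if __name__ == "__main__":
    for uid, info in analyze(SAMPLE_LOG).items():
        print(f"{uid} from {info['source']}: {info['diagnosis']}")
```

Run against the real syslog, the "no BIND as the user's DN" verdict points at the client side (sshd and its PAM stack) rather than at the directory, which is where the thread's eventual fix turned out to be.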

----------

## Ian

A question for you actually: I tried to set up an LDAP server about this time last year for my old high school, but the documentation, well, sucked, and I didn't get anywhere useful with it. Did you manage to find any decent documentation, or is it still very sparse?

----------

## xinman

Well, I've been working on this for approximately 6 months or so.

Documentation is still very sparse. I found a pretty good article on OpenLDAP at http://linsec.ca/usermgmt/openldap.php?display=printer

It is geared to Mandrake users, but I found it a better read than some of the others I've read.

I would eventually like to have all my services authenticate off of LDAP, as that would be so nice, but just getting basic functionality can be a real bear.

Good luck

----------

## xinman

OK, I have found that the line in /etc/sshd/sshd_config should be set as

```
UsePrivilegeSeparation no
```

That seems to allow me to log in using account information located only in LDAP, not in the files.

Hope this may help someone in the future.

Dan

----------

## nabbed

Post your /etc/nsswitch.conf and /etc/pam.d/system-auth files if they exist. If they don't exist, tell us that as well.

----------

## xinman

/etc/nsswitch.conf

```
passwd:      files ldap
group:       files ldap
shadow:      files ldap
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

/etc/pam.d/system-auth

```
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so use_first_pass

password   required     /lib/security/pam_cracklib.so retry=3 minlen=6 dcredit=0 ucredit=0
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_ldap.so
```

But I've already seemed to get this working; is this for you to try to get it to work?

----------

## nabbed

Those two files look right. I was really after the /etc/ldap.conf file.

This is what I have for my /etc/ldap.conf:

```
ssl start_tls
ssl on
suffix "dc=idealx,dc=local"
uri ldaps://auth.idealx.local/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Users,dc=idealx,dc=local
nss_base_shadow ou=Users,dc=idealx,dc=local
nss_base_group  ou=Groups,dc=idealx,dc=local
nss_base_hosts  ou=Hosts,dc=idealx,dc=local
scope one
```

Post yours if it is any different.

----------

## xinman

Here it is, slight differences:

```
base dc=domain,dc=com
uri ldap://127.0.0.1/
port 389
scope sub
scope one

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Group member attribute
pam_member_attribute memberuid

pam_password crypt

nss_base_passwd         dc=domain,dc=com?sub
nss_base_shadow         ou=People,dc=domain,dc=com?one
nss_base_group          ou=Group,dc=domain,dc=com?one
nss_base_hosts          ou=Hosts,dc=domain,dc=com?one

pam_passwd exop
```

----------

