On Tue, Jan 6, 2009 at 6:56 AM, Uwe Lienig
<uwe.lienig%fif.mw.htw-dresden.de@localhost> wrote:
$ > uname -a
NetBSD host 3.0 NetBSD 3.0 (GENERIC) #0
Since the change is in progress this server uses the old NIS databases to auth
users. But in the near future I have to switch to LDAP. The old NIS databases
are to be switched off.
So I installed the missing bits for LDAP, namely
/usr/pkgsrc/security/pam-ldap/
/usr/pkgsrc/databases/nss_ldap/
/usr/pkgsrc/databases/openldap-client/
LDAP was configured with
/usr/pkg/etc/openldap/ldap.conf
The entries I added are
BASE dc=some,dc=domain,dc=org
URI ldap://ldap.server
TLS_CACERT /path/to/cert.pem
Using ldapsearch I can perfectly query the LDAP database and get the user
entries.
After verifying that the LDAP setup was working OK, I went ahead with configuring
NSS and PAM. This is where I am now, and I'm stuck, since I can't get that to work
as expected.
In order not to break the current setup I left NIS as is (there shouldn't be any
problem using both NIS and LDAP, however). The pam_ldap.so was linked from
/usr/pkg/lib/security to /usr/lib/security. To get the configuration working I
used the HowTo from http://wiki.netbsd.se/OpenLDAP_Authentication_on_NetBSD
nsswitch.conf got the ldap entries added
group: files nis ldap
passwd: files nis ldap
and /etc/pam.d/system was populated with ldap entries
auth sufficient pam_ldap.so
auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
account sufficient pam_ldap.so
account required pam_krb5.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_lastlog.so no_fail no_nested
password sufficient pam_ldap.so
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
I created /usr/pkg/etc/nss_ldap.conf and symlinked pam_ldap.conf to this file.
I do have a user entry in LDAP that does not exist in NIS. But whatever I try I
can't get getent(1) to produce output for this user (although NIS works ok for
other users).
Up to now I haven't gotten any further.
What am I missing? Please feel free to ask for config data I have not provided
in this mail. I think LDAP isn't the problem since ldapsearch produces correct
output, though.
Any hints are very much appreciated.
Watch the logs on the ldap server when you use getent to see if it is
actually performing the search, or even trying to connect.
Also, what happens when you switch ldap to be before nis?
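To make the two questions in the reply concrete, here is an added example (not code from the thread, NetBSD, nss_ldap or pam_ldap): a small Python simulator of the lookup order that nsswitch.conf(5) imposes and of the control-flag semantics of the quoted /etc/pam.d/system "auth" chain. The directory contents and module outcomes are constructed, and the PAM evaluation is a simplified model of the required/requisite/sufficient/optional rules rather than a reimplementation of OpenPAM. It shows that with the default status actions a user who exists only in LDAP is found regardless of whether ldap comes before or after nis, so an empty getent(1) result points at the ldap source itself returning NOTFOUND or UNAVAIL, which is exactly what watching the server logs distinguishes.

```python
"""Added example: simulate nsswitch source chaining and a PAM auth chain.
Everything below (directory contents, module outcomes) is constructed data."""

# The poster's nsswitch.conf entries, verbatim.
NSSWITCH = {
    "passwd": ["files", "nis", "ldap"],
    "group": ["files", "nis", "ldap"],
}

# The "auth" lines from the poster's /etc/pam.d/system, verbatim.
AUTH_CHAIN = [
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_unix.so"),
]

# Constructed directory: source -> {login: passwd(5) line}.
# A value of None models a source that is reachable in name only (UNAVAIL).
DIRECTORY = {
    "files": {"root": "root:*:0:0:Charlie &:/root:/bin/sh"},
    "nis": {"nisuser": "nisuser:*:1001:1001:NIS User:/home/nisuser:/bin/sh"},
    "ldap": {"ldapuser": "ldapuser:*:2001:2001:LDAP-only User:/home/ldapuser:/bin/sh"},
}


def nss_lookup(name, sources, directory):
    """Walk the sources with the nsswitch.conf(5) default status actions
    [success=return notfound=continue unavail=continue tryagain=continue]:
    only SUCCESS stops the walk; NOTFOUND and UNAVAIL fall through.
    Returns (entry or None, list of sources that were consulted)."""
    consulted = []
    for src in sources:
        consulted.append(src)
        table = directory.get(src)
        if table is None:
            continue  # UNAVAIL: default action is continue
        entry = table.get(name)
        if entry is not None:
            return entry, consulted  # SUCCESS: default action is return
    return None, consulted  # every source said NOTFOUND or UNAVAIL


def evaluate_pam_chain(chain, outcomes):
    """Simplified PAM control-flag semantics (hypothetical model):
    required   - failure makes the chain fail, but later modules still run
    requisite  - failure ends the chain immediately with failure
    sufficient - success ends the chain with success unless an earlier
                 required module already failed; failure is ignored
    optional   - never decides the result on its own here
    outcomes maps module -> True (PAM_SUCCESS) / False (any error); a module
    missing from outcomes counts as a failure. Returns (ok, modules_consulted)."""
    required_failed = False
    any_success = False
    consulted = []
    for control, module in chain:
        ok = outcomes.get(module, False)
        consulted.append(module)
        any_success = any_success or ok
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted
    return (any_success and not required_failed), consulted


if __name__ == "__main__":
    # Question 2 from the reply: does putting ldap before nis change anything?
    for order in (NSSWITCH["passwd"], ["files", "ldap", "nis"]):
        entry, consulted = nss_lookup("ldapuser", order, DIRECTORY)
        print(f"{order}: found={entry is not None} consulted={consulted}")
    # Question 1: if the ldap source itself never answers, nothing is found
    # no matter the order; that is what the server-side logs would reveal.
    broken = dict(DIRECTORY, ldap=None)
    print("ldap UNAVAIL:", nss_lookup("ldapuser", NSSWITCH["passwd"], broken))
    # The auth chain: an LDAP-only user succeeds at the first sufficient module,
    # so pam_unix.so (which knows nothing about the user) is never consulted.
    print(evaluate_pam_chain(AUTH_CHAIN, {"pam_ldap.so": True}))
```

Running the block prints that "ldapuser" is found with either ordering (the only difference is how many sources were consulted), that marking the ldap source unavailable yields no entry for either ordering, and that the auth chain returns success after consulting only pam_ldap.so when that module succeeds.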