nss_ldap/pam_ldap: problems binding
martin mccann
martin at orbweavers.co.uk
Thu Apr 20 22:14:26 UTC 2006
Hi,
I've been trying to get my ldap authentication working, something I have done
before with little issue, but this time around it is causing real pain.
Pretty much the same problems Jan HREHO was having back in Febuary -
http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112066.html
I tried the suggested solution to that - moving the slapd startup script
into /etc/rc.d, but that didn't help, same problem just further up in the
boot process.
Another possibility I came across was putting the line 'bind_policy soft'
in /etc/ldap.conf (symlinked to /usr/local/etc/ldap.conf
& /usr/local/etc/nss_ldap.conf). This seemed to do the job, until I then
tried to ssh onto localhost using an ldap user account. It failed with
Apr 19 22:48:10 svr1 sshd[660]: nss_ldap: could not search LDAP server -
Server is unavailable
Apr 19 22:48:10 svr1 sshd[660]: fatal: login_get_lastlog: Cannot find account
for uid 2000
Removing the bind_policy from the file then retrying, it worked fine.
The second solution I tried was to change the slapd.sh file to just launch
the deamon i.e. '/usr/local/libexec/slapd'. This seems to work, but it is
very unelegent, and it may have knock on effects I am unaware of at this
time. I'm more interested in getting the process right to set it up at this
stage, rather than hacking away to get a working system (I'm working on a
series of documents).
I'm doing this on a virgin 6.0 installation, cvsuped with the latest ports,
fresh install of openldap22, pam_ldap and nss_ldap.
So the question is, is this a common problem, if not then what I am
doing wrong to create it, if so then is there a more elequent solutions than
hacking away at the startup script?
The thread that suggests the bind_policy also mentions 'nss_reconnect_*
parameters', which certainly sounds like it could be the answer, but I havn't
been able to google anything about them.
Cheers,
Martin
More information about the freebsd-questions
mailing list