[KLUG Members] making a linux machine auth against an ldap server.

Adam Tauno Williams awilliam at whitemice.org
Wed Nov 9 22:32:42 EST 2005


> it's a Sun ONE directory, SASL GSSAPI. :).

Ok. Is your machine/workstation part of the Kerberos domain?

> I can't get anonymous queries working. I've been using a DN to do queries.
> ldapsearch -H ldap://dir.wmich.edu -D
> uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu -W -x -b
> ou=people,o=wmich.edu,dc=wmich,dc=edu -s sub 'uid=*******'

Well, simple binds seem to be working.  I assume the oitlabs is a
quasi-generic context used for searching the DSA to locate the uid (or
wmuuid)?  Have you set the binddn/bindpw in /etc/ldap.conf to this DN
and secret?  Depending on what a user object looks like you probably
need to adjust pam_filter, pam_login_attribute, and do some attribute
mapping.  For example, add "nss_map_attribute uid wmuuid" to make the uid
value come from the wmuuid attribute.  I've never used a Sun ONE
directory server so I don't know what the schema looks like; I'd assume
it contains information at least equivalent to the schema provided by
RFC2307.

Is the server providing a posixAccount for accounts?  Or are you going
to use PAM for authentication but use the local files for NSS? (not
using the LDAP DSA as an NSS source).

> that query with the correct password returns the entry I want, inside
> of the entry there is a wmuuid field that has the username you're
> SUPPOSED to connect to the ldap server with, to authenticate.
> when I try using TLS or SASL I get this.
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed

You aren't even getting to SASL then.  Try setting "TLS_REQCERT never"
in /etc/openldap/ldap.conf.

Can you acquire Kerberos tickets?

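As an added illustration (not part of the thread), here is how the settings discussed above fit together in the two client files, with the debugging-only TLS setting shown beside the verifying configuration that replaces it once the CA is known. The wmuuid attribute, the oitlabs search DN and the search base come from the thread; the CA file path, the posixAccount filter and the password placeholder are assumptions.

```conf
## /etc/ldap.conf  (PADL pam_ldap / nss_ldap)
uri ldap://dir.wmich.edu
base ou=people,o=wmich.edu,dc=wmich,dc=edu
scope sub

# Quasi-generic search identity from the ldapsearch in the thread.
# The secret is a placeholder; /etc/ldap.conf is usually world-readable,
# so this account should only be able to search, nothing more.
binddn uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu
bindpw <oitlabs-password>

# Locate the user by wmuuid rather than uid, and present wmuuid as the
# Unix login name via NSS.
pam_login_attribute wmuuid
nss_map_attribute uid wmuuid

# Assumes the entries carry posixAccount (RFC2307); drop if they do not.
pam_filter objectclass=posixAccount

# Debugging only: same effect as "TLS_REQCERT never" below, the server
# certificate is not checked, so the failure in the thread disappears.
ssl start_tls
tls_checkpeer no

# Verifying form: keep start_tls, check the peer, and name the CA that
# signed the Sun ONE server certificate (path is an assumption).
#ssl start_tls
#tls_checkpeer yes
#tls_cacertfile /etc/openldap/cacerts/wmich-ca.pem

## /etc/openldap/ldap.conf  (OpenLDAP client library, used by ldapsearch)
URI ldap://dir.wmich.edu
BASE ou=people,o=wmich.edu,dc=wmich,dc=edu

# Debugging: accept any certificate so SASL/GSSAPI can be tested at all.
#TLS_REQCERT never

# Verifying form: require a certificate that chains to the named CA.
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/wmich-ca.pem
```

With the verifying form in place, the "certificate verify failed" error should only recur if the CA file does not actually match the issuer of the server's certificate.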