[KLUG Members] making a linux machine auth against an ldap server.

Adam Tauno Williams awilliam at whitemice.org
Thu Nov 10 06:09:10 EST 2005


> Not working, I'll come back to it tomorrow.
> Is there a way to tell what pam_ldap.so is doing?

You can add the "debug" parameter to the module, but the best thing to
do is to run ethereal on the workstation and capture the exchange
between the client and the server.

> tried tail -f /var/log/auth, just some stuff about the last module not
> working. I have account, auth, password, and session filled with
> sufficient pam_ldap.so as the first hit.
> I have no idea if /etc/pam_ldap.conf is close to correct.

Are you sure "/etc/pam_ldap.conf" is correct?  In most cases the PAM &
NSS LDAP modules share /etc/ldap.conf.

> -----------------------------
> host dir.wmich.edu
> base ou=people,o=wmich.edu,dc=wmich,dc=edu
> ldap_version 3
> binddn uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu
> bindpw ********
> #rootbinddn cn=manager,dc=example,dc=net
> port 389
> scope sub
> # Filter to AND with uid=%s
> pam_filter objectclass=uid

No, this is wrong.  "uid" is an attribute name, not an objectclass.
Look at the user object you get back from the server when you do the
query manually.  If it contains an objectclass of "account", then use
that here (objectclass=account).

> # The user ID attribute (defaults to uid)
> pam_login_attribute wmuuid

Yep, this should be correct.

> pam_password clear_remove_old

Are you sure this should be uncommented?

> nss_map_attribute uid wmuuid

Yep.
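As an added illustration of the pam_filter point (this is not code from the thread or from pam_ldap; it is a toy written for this page): pam_ldap ANDs the configured pam_filter with `<pam_login_attribute>=<login>`, as the "Filter to AND with uid=%s" comment in the posted config says. The script below parses a constructed LDIF entry for one user (attribute name "wmuuid" from the thread, every value made up, and an assumed "account" objectClass), builds that combined filter, and evaluates it locally, so you can see that `objectclass=uid` matches nothing while `objectclass=account` matches the user. Values are escaped per RFC 4515 before being spliced into the filter; the parser handles only `&`, `|`, `!`, equality and presence filters.

```python
# Added example, not from the original post or from pam_ldap itself.
import re

# Constructed LDIF for one user, roughly what a manual ldapsearch returns.
# "wmuuid" is the attribute name from the thread; all values are made up.
# Base64 (":: ") values are not handled by this toy parser.
SAMPLE_LDIF = """
dn: uid=jdoe,ou=people,o=wmich.edu,dc=wmich,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jdoe
wmuuid: jdoe
uidNumber: 10001
homeDirectory: /home/jdoe
"""


def parse_ldif(text):
    """Parse a single LDIF entry into {lowercase attribute: [values]}.
    LDAP attribute names are case-insensitive, so they are normalised."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_pam_filter(pam_filter, login_attribute, login):
    """Combine pam_filter with the login lookup the way the config comment
    describes: (&(<pam_filter>)(<pam_login_attribute>=<login>))."""
    if not pam_filter.startswith("("):
        pam_filter = "(" + pam_filter + ")"
    return "(&%s(%s=%s))" % (pam_filter, login_attribute, escape_filter_value(login))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s):
    """Recursive-descent parser for &, |, ! and simple (attr=value) items."""
    s = s.lstrip()
    if not s.startswith("("):
        raise ValueError("filter item must start with '(': %r" % s)
    op = s[1]
    if op in "&|":
        children, s = [], s[2:]
        while s.lstrip().startswith("("):
            node, s = _parse(s)
            children.append(node)
        s = s.lstrip()
        if not s.startswith(")"):
            raise ValueError("unterminated %r filter" % op)
        return (op, children), s[1:]
    if op == "!":
        node, s = _parse(s[2:])
        s = s.lstrip()
        if not s.startswith(")"):
            raise ValueError("unterminated '!' filter")
        return ("!", [node]), s[1:]
    end = s.index(")")
    attr, sep, value = s[1:end].partition("=")
    if not sep:
        raise ValueError("only equality filters are supported: %r" % s[:end + 1])
    return ("=", attr.strip().lower(), _unescape(value)), s[end + 1:]


def _eval(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter, e.g. (wmuuid=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def filter_matches(filter_str, entry):
    """True if the entry would be returned by a search using filter_str."""
    node, rest = _parse(filter_str)
    if rest.strip():
        raise ValueError("trailing data after filter: %r" % rest)
    return _eval(node, entry)


def pam_would_find_user(pam_filter, login_attribute, login, entry):
    """Would the combined pam_ldap lookup for `login` return this entry?"""
    return filter_matches(build_pam_filter(pam_filter, login_attribute, login), entry)


if __name__ == "__main__":
    user = parse_ldif(SAMPLE_LDIF)
    for pf in ("objectclass=uid", "objectclass=account"):
        print("%-22s -> %s" % (pf, pam_would_find_user(pf, "wmuuid", "jdoe", user)))
```

Run it as-is and the first filter reports False, the second True; to check your own directory, replace SAMPLE_LDIF with the entry a manual ldapsearch returned for a real user and try the pam_filter value you intend to configure.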
