Welcome to MekTrix 4.0

Aka Shish’s Place of Stuff

LDAP on Debian Etch

The guide to Sarge I found here very nearly worked, but with some problems.

Quick summary of changes:

  • where libpam-ldap and libnss-ldap suggest an LDAP URI of ldapi:///, ldapi://127.0.0.1/ doesn’t work — ldapi:// seems to be for unix sockets only. ldap:// or ldaps:// should work (I’ve tested ldap:// so far, as it was communicating with localhost)
  • The /etc/pam.d stuff was screwy — where that guide suggests replacing your pam_unix.so lines with completely different ones, I suggest replacing them with copies of themselves but “required” replaced with “sufficient”. Screwing with my existing pam_unix.so config broke the ability to change local user’s passwords.
  • In common-password, the “use_first_pass use_authtok md5” after pam_ldap.so gave me a “passwd: Authentication information cannot be recovered” error when trying to change the password. Removing them (so that the line simply reads “password sufficient pam_ldap.so”) works.
  • To clarify; the general idea of the common-* files should be “unix auth is sufficient, if that fails then ldap auth is sufficient, if that files then denying access is required”. I suspect that “unix auth is sufficient, if that fails then ldap auth is required” would be the same, but IMHO that’s uglier and more prone to breaking if people want more layers later.

Leave a Reply