[Mageia-dev] Help needed with ldap server.and gdm.

Guillaume Rousse guillomovitch at gmail.com
Sun Mar 24 12:49:29 CET 2013


On 23/03/2013 21:41, David W. Hodgins wrote:
> Any suggestions?
You're mixing issues here.

pam only deals with authentication and authorization. The problem is not 
to make a choice from pam_unix, or pam_pwdb, or pam_tcb, but to express 
the fact that a user can authenticate from either the local password 
database or the ldap passwd database:
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so

Most modules accept a debug option to help with troubleshooting.

Once you've resolved your authentication and authorization issues for both 
users (console login, su, whatever), you can deal with the list of 
people enumerated in gdm, but in the gdm configuration.

Also, the documentation you're using is a bit outdated:
- bdb makes more sense today than ldbm as storage backend
- ssha is a better choice than crypt for default password encoding scheme
- using a rootdn with a password defined in slapd.conf is quite discussable
- ACLs such as 'access to dn=".*,dc=mylan,dc=net"' would better be 
defined as 'access to dn.subtree="dc=mylan,dc=net"' (no regex involved)
- examples given use rfc2307 schema, whereas rfc2307bis (group 
membership defined through dn, not uids) is a better choice
- and more importantly: nss_ldap and pam_ldap are getting deprecated 
nowadays, in favor of nss-pam-ldapd, or sssd.

-- 
BOFH excuse #235:

The new frame relay network hasn't bedded down the software loop 
transmitter yet.
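
As an added illustration (not part of the message above, nor code from Linux-PAM itself), a small Python simulator of the PAM auth control flags, run over the "sufficient, sufficient, required pam_deny" stack quoted in the reply; the credential stores, user names and the alternative stacks are constructed for the example.

```python
from typing import Callable, List, Optional, Tuple

# Constructed credential stores standing in for /etc/shadow and the LDAP directory.
LOCAL_USERS = {"root": "local-secret"}
LDAP_USERS = {"alice": "ldap-secret"}

def pam_unix(user: str, password: str) -> bool:
    return LOCAL_USERS.get(user) == password

def pam_ldap(user: str, password: str) -> bool:
    return LDAP_USERS.get(user) == password

def pam_deny(user: str, password: str) -> bool:
    return False
Module = Callable[[str, str], bool]
Stack = List[Tuple[str, Module]]  # (control flag, module)

def run_auth_stack(stack: Stack, user: str, password: str) -> Optional[bool]:
    """Evaluate an auth stack with the classic PAM control flags.
    sufficient: success ends the stack (unless a 'required' module already
    failed); failure is ignored.  required: failure is remembered but the
    rest still runs.  requisite: failure ends the stack at once.  None means
    no module decided, leaving the result to the library default, which a
    trailing 'required pam_deny' avoids by failing closed.
    """
    decision: Optional[bool] = None
    for control, module in stack:
        ok = module(user, password)
        if control == "sufficient":
            if ok and decision is not False:
                return True
        elif control in ("required", "requisite"):
            if not ok and control == "requisite":
                return False
            if not ok:
                decision = False
            elif decision is None:
                decision = True
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return decision

# The stack quoted in the message: either backend may authenticate, then deny.
EITHER_OR_STACK: Stack = [("sufficient", pam_unix), ("sufficient", pam_ldap),
                          ("required", pam_deny)]
# A common mistake: both backends must succeed, so local-only accounts fail.
BOTH_REQUIRED_STACK: Stack = [("required", pam_unix), ("required", pam_ldap)]
# Without the trailing deny, an all-failing stack yields no decision at all.
NO_DENY_STACK: Stack = [("sufficient", pam_unix), ("sufficient", pam_ldap)]
```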
