
I have an LDAP server with two BDB backends. The user accounts are split between the two backends, and Backend A has a referral object to Backend B.

I have tried to set up LDAP client authentication on Linux Mint 13. getent passwd lists users from both Backend A and Backend B, but when using su -, su returns "Unknown id". Using su with a user ID from Backend A, though, works just fine.

Below is my /etc/ldap/ldap.conf in the client (Linux Mint 13):

    base dc=backendA 
    uri ldaps://ldap.x.example.com
    ldap_version 3 
    binddn cn=auth,dc=backendA 
    bindpw admin@123 
    referrals yes 

And the /etc/ldap.conf in the client:

    base dc=backendA 
    uri ldaps://ldap.x.example.com 
    ldap_version 3
    binddn cn=auth,dc=backendA
    bindpw admin@123 
    rootbinddn cn=admin,dc=backendA 
    pam_password md5 

    deref always 
    referrals yes 

    nss_base_passwd    ou=users,dc=backendA?one
    nss_base_shadow    ou=users,dc=backendA?one
    nss_base_group    ou=roles,dc=backendA?one 

    nss_base_passwd    ou=users,dc=backendB?one
    nss_base_shadow    ou=users,dc=backendB?one
    nss_base_group     ou=roles,ou=users,dc=backendB?one

What could be wrong?

Carlo

1 Answer

getent passwd is just part of it: it tells you that the system can see the user and that LDAP is working, but su might also be using PAM, and PAM has its own set of rules, not just the system user list. As you are using Mint, you are certainly using PAM.

Check the /etc/pam.d/su file and any file it loads; you are certainly missing the LDAP config in there. Use this document as a base for configuring it.

higuita
  • I have checked the file /etc/pam.d/su, but it already includes common-auth, common-session, etc. at the bottom. Or does this mean I have to use SASL for the LDAP "pass-through" setup based on the document? – Carlo Aug 13 '13 at 15:01
  • You probably have to edit the common-* files to add LDAP authentication support there, or use a daemon like nslcd to bridge LDAP and PAM. Pass-through might also work, but I would say that, as getent already has everything, you probably don't need it; you are just missing the connection between PAM and LDAP – higuita Aug 13 '13 at 18:31
  • Check also this (http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client) for a more direct howto for nslcd – higuita Aug 13 '13 at 18:39
  • But I already have PAM configured. In fact, when I'm using su with a user from backend A, I can log in. The problem is when I'm using a referral. Additionally, I just noticed that when the root account uses "getent passwd", the account from backend B does not show up. But it still shows up for the other account I'm using now. – Carlo Aug 14 '13 at 01:59
  • OK, I was reading it as you couldn't su to any LDAP user, not just backend B! If it's just backend B, then you may need to use the pass-through method – higuita Aug 16 '13 at 18:42
  • Hi @higuita, since I checked yesterday, it looks like the accounts from both backends are working now. I'm not exactly sure how that happened, though. It may have been that just a restart was required. – Carlo Aug 17 '13 at 10:37
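The check the answer asks for, "look at /etc/pam.d/su and every file it loads", can be scripted rather than eyeballed, because on Debian-derived systems such as Mint the su stack is assembled from @include lines and bracketed control fields that are easy to misread. The script below is an added example, not code from the original post, from higuita's linked document or from any Mint package: it walks a PAM service file through its @include / include / substack directives and prints the modules that actually get reached for one management group. The PAM files it reads are constructed inside make_demo_pamdir (once with stock pam_unix.so-only common-* files, once with pam_ldap.so stacked in), and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or any Mint package: walk a PAM
# service file plus everything it pulls in through "@include", "<type> include"
# and "<type> substack", and list the modules reached for one management group
# (auth, account, session or password). The PAM files it reads are constructed
# by make_demo_pamdir below; on a real host pass /etc/pam.d as the directory.

# pam_stack <pamdir> <service> <type>: print the modules reached, in stack order.
pam_stack() {
    local pamdir service type depth file line ctrl
    pamdir=$1; service=$2; type=$3; depth=${4:-0}
    file="$pamdir/$service"
    [ "$depth" -lt 10 ] || { echo "include nesting too deep at $service" >&2; return 1; }
    [ -r "$file" ] || { echo "missing PAM file: $file" >&2; return 1; }
    while read -r line; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # split into fields (pam.d lines are unquoted)
        [ $# -ge 2 ] || continue             # blank or malformed line
        if [ "$1" = "@include" ]; then       # Debian-style splice of a common-* file
            pam_stack "$pamdir" "$2" "$type" $((depth + 1)) || return 1
            continue
        fi
        [ "${1#-}" = "$type" ] || continue   # a leading "-" only silences missing-module logging
        shift; ctrl=$1
        # Control is one word ("required") or a bracketed "[success=1 default=ignore]"
        # spanning several fields; skip to the field after it, which names the module.
        case $ctrl in
            \[*) while [ $# -gt 0 ]; do
                     case $1 in *\]) shift; break ;; *) shift ;; esac
                 done ;;
            *)   shift ;;
        esac
        [ $# -ge 1 ] || continue             # no module field
        case $ctrl in
            include|substack) pam_stack "$pamdir" "$1" "$type" $((depth + 1)) || return 1 ;;
            *)                echo "$1" ;;
        esac
    done < "$file"
}

# pam_has_module <pamdir> <service> <type> <module>: exit 0 if the module is reached.
pam_has_module() {
    pam_stack "$1" "$2" "$3" | grep -qx "$4"
}

# make_demo_pamdir <dir> yes|no: constructed Debian-style tree (not copied from a
# real host). "no" = common-* files that only know pam_unix.so; "yes" = pam_ldap.so
# stacked behind pam_unix.so the way pam-auth-update lays it out.
make_demo_pamdir() {
    local dir with_ldap; dir=$1; with_ldap=$2
    mkdir -p "$dir"
    cat > "$dir/su" <<'EOF'
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
@include common-auth
@include common-account
@include common-session
EOF
    printf 'session required pam_unix.so\n' > "$dir/common-session"
    if [ "$with_ldap" = yes ]; then
        cat > "$dir/common-auth" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required  pam_permit.so
EOF
        cat > "$dir/common-account" <<'EOF'
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore]                       pam_ldap.so
account requisite pam_deny.so
account required  pam_permit.so
EOF
    else
        cat > "$dir/common-auth" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required  pam_permit.so
EOF
        cat > "$dir/common-account" <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required  pam_permit.so
EOF
    fi
}

# Demo: the auth stack "su" reaches before and after pam_ldap.so is stacked in.
demo() {
    local d mode; d=$(mktemp -d)
    for mode in no yes; do
        make_demo_pamdir "$d" "$mode"
        printf 'pam_ldap in common-*: %s\n  su auth stack: %s\n' "$mode" \
            "$(pam_stack "$d" su auth | tr '\n' ' ')"
        if pam_has_module "$d" su auth pam_ldap.so; then
            echo "  PAM can check LDAP passwords; if su still says 'Unknown id', the name lookup (NSS) failed"
        else
            echo "  pam_ldap.so is never reached for su: PAM will refuse LDAP-only accounts"
        fi
    done
    rm -rf "$d"
}
demo
```

Against a real machine run `pam_stack /etc/pam.d su auth` and the same for `account`, since pam_ldap.so has to appear in common-account as well before su will admit an LDAP-only user. Two caveats worth keeping in mind with this thread: in shadow's su, the one Mint 13 ships, "Unknown id" is printed when the getpwnam() lookup of the target user fails, which happens before PAM is consulted at all, so a stack that already contains pam_ldap.so points back at NSS (nss_ldap and whether the referral to Backend B is actually followed for the calling user, which fits the later observation that root's getent passwd does not list Backend B). And because nss_ldap reads /etc/ldap.conf from every unprivileged process, the bindpw written there is readable by every local user; only the rootbinddn password, which nss_ldap takes from /etc/ldap.secret (mode 600), is protected, so cn=auth should be an account with nothing beyond read access.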