Freebsd 5.3 + openldap.
Помогите настроить openLDAP. Завел тестового юзера (testuser1) в LDAP. Но что-то не работает: при попытке логиниться под этим юзером пишет, что такого юзера нет.
Freebsd1# id testuser1
id: testuser1: no such user
ldapsearch находит все группы и юзеров, что я создал.
например:
ldapsearch -x -W -D"uid=testuser1,ou=Users,dc=test,dc=ru"
спрашивает пароль и нормально показывает данные testuser1. Мои конфиги:
----------------------------
/etc/nsswitch.conf
# NOTE(review): FreeBSD's libc consults these databases per nsswitch.conf(5);
# the "ldap" source means libc must be able to load the nss_ldap module from
# the net/nss_ldap port, and that module reads its own configuration file
# rather than the OpenLDAP client library's ldap.conf -- TODO confirm the
# module is installed and configured. "id testuser1" is answered here, in NSS,
# and never reaches PAM, so this is the first thing to verify.
# "files ldap": local /etc/master.passwd entries (root, daemon accounts) win
# over the directory, so a directory outage or a rogue directory entry cannot
# shadow a local system account. Keep this order.
passwd: files ldap
# NOTE(review): FreeBSD has no separate shadow database (passwd covers it);
# this line is presumably ignored -- verify against nsswitch.conf(5).
shadow: files ldap
group: files ldap
# Host lookups never consult LDAP here, although ldap.conf configures
# nss_base_host; that is consistent only if host entries in the directory are
# not meant to be resolved by this machine.
hosts: files dns
# NOTE(review): the databases below and the "nisplus" source look copied from
# a Solaris-style template; FreeBSD 5.x nsswitch.conf(5) does not document
# them and ships no nisplus source, so they are most likely ignored -- harmless,
# but trimming them leaves a file that documents only what the system honours.
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
shells: files
publickey: nisplus nis
automount: files
aliases: files nisplus nis
------------------------------------------
/etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# NOTE(review): sshd looks the login name up through getpwnam() before it
# starts PAM (OpenSSH behaviour -- confirm for this version), so while
# "id testuser1" fails in NSS this stack is never reached for that user and
# sshd takes its "invalid user" path. Fix nsswitch/nss_ldap and the slapd ACLs
# first, then test this file.
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# NOTE(review): the option is cut off ("try_first_" -- presumably
# try_first_pass, as on the pam_unix line below; check the real file).
# sufficient: a successful LDAP bind ends the stack; a failed one falls through
# to pam_unix, so a password the directory rejects is retried against
# /etc/master.passwd -- expected, but worth knowing when reading auth logs.
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
# pam_login_access enforces /etc/login.access; pam_unix applies local expiry.
# NOTE(review): unlike /etc/pam.d/system there is no pam_ldap account line, so
# account restrictions kept in the directory are not applied to ssh logins;
# mirror the system file if they are meant to hold here too.
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
# Only pam_unix here: a password change forced at ssh login would not reach
# the directory -- compare the password stack in /etc/pam.d/system.
password required pam_unix.so no_warn try_first_pass
------------------------------------------------
/etc/pam.d/system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# NOTE(review): option cut off ("try_first_", presumably try_first_pass) --
# the same truncation appears in /etc/pam.d/sshd. sufficient: success ends the
# stack, failure falls through to pam_unix.
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_
# NOTE(review): "nul" is cut off too; if it is nullok, pam_unix accepts an
# empty local password -- leave that off unless a specific account needs it.
# The sshd file has no such option, so the two stacks already differ.
auth required pam_unix.so no_warn try_first_pass nul
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# sufficient after two required modules: a pass here only ends the stack
# early (a failure already recorded by a required module still wins), and
# whether a pam_ldap failure is fatal depends on OpenPAM's rule for
# sufficient -- see pam.conf(5). Make it required if directory-side account
# policy must be enforced.
account sufficient /usr/local/lib/pam_ldap.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
session optional /usr/local/lib/pam_ldap.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
# NOTE(review): pam_unix runs first and is required; a directory-only user has
# no local entry to update, so its failure presumably fails the whole change
# before pam_ldap gets a turn. The usual order is the pam_ldap line first
# (sufficient), then pam_unix with use_authtok -- verify with passwd(1) as an
# LDAP user once lookups work.
password required pam_unix.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so use_authtok
-----------------------------------------------------
/usr/local/etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
# NOTE(review): this path is the OpenLDAP client library's ldap.conf, which
# reads the keywords ldap.conf(5) documents (base, host, port, TLS_REQCERT,
# SIZELIMIT, ...) and ignores the rest. rootbinddn and the pam_*/nss_* keywords
# belong to pam_ldap/nss_ldap, and on FreeBSD those ports read their own files
# under /usr/local/etc -- TODO confirm against the ports' pkg-message which
# file each one actually opens; if nss_ldap never sees nss_base_passwd,
# "id testuser1" cannot succeed whatever the rest of the setup does.
# World-readable is acceptable only because no credential lives here: the
# rootbinddn password is read from the adjacent ldap.secret, which must be
# root-owned and mode 0600.
ldap_version 3
base dc=test, dc=ru
#URI ldap://127.0.0.1
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
# host/port rather than URI: plain LDAP to the loopback interface, so no TLS
# is in play and credentials only cross the local socket.
host 127.0.0.1
# DN that nss_ldap/pam_ldap bind as when the calling process is root, with the
# password taken from ldap.secret. Per the nss_ldap docs non-root processes do
# not use it and bind anonymously instead -- TODO confirm -- so the slapd ACLs
# must also let that anonymous (or a configured binddn) identity read the
# account attributes. Note that in slapd.conf this DN is only granted read on
# the password attributes, not on uid/uidNumber/gidNumber.
rootbinddn cn=nssldap,ou=DSA,dc=test,dc=ru
# NOTE(review): default scope for searches that start at "base".
# uid=testuser1,ou=Users,dc=test,dc=ru sits two levels below dc=test,dc=ru, so
# a pam_filter search from base with scope one cannot find it unless pam_ldap
# honours nss_base_passwd (newer versions do) -- verify, or use scope sub.
scope one
# pam_ldap finds the login entry with (&(objectclass=posixAccount)(uid=<name>))
# and then binds as that entry; the searching identity therefore needs read
# access to uid and objectClass.
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
# Per-map search bases; "?one" limits each map to the OU's direct children,
# so accounts placed in sub-OUs would be invisible.
nss_base_passwd ou=Users,dc=test,dc=ru?one
nss_base_host ou=Computers,dc=test,dc=ru?one
nss_base_shadow ou=Users,dc=test,dc=ru?one
nss_base_group ou=Groups,dc=test,dc=ru?one
port 389
# NOTE(review): "allow" accepts any server certificate, i.e. no verification.
# Harmless while talking to 127.0.0.1 without TLS, but change it to demand
# before pointing host/URI at a remote server over TLS.
TLS_REQCERT allow
# pam_ldap presumably hashes new passwords itself and stores the {SSHA}
# value; slapd's password-hash directive is not applied to values that
# arrive already hashed.
pam_password SSHA
# NOTE(review): client-side cap of 12 entries per search. Enumeration
# (getpwent/getgrent) of more than 12 users or groups would be cut off and
# make accounts "disappear" from listings -- presumably a test value; raise
# or remove it.
SIZELIMIT 12
TIMELIMIT 15
DEREF never
--------------------------------------------
создал файл с паролем
/usr/local/etc/openldap/ldap.secret
---------------------------------------------
/usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
# nis.schema provides posixAccount/posixGroup, which the ACL and index lines
# below rely on.
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# NOTE(review): slurpd settings with no "replica" directive anywhere in this
# file -- presumably unused; harmless, but confirm before relying on them.
replica-pidfile /var/run/openldap/slurpd.pid
replica-argsfile /var/run/openldap/slurpd.args
replicationinterval 600
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb
# moduleload back_ldap
# moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell
# Applies only to passwords set through the Password Modify extended
# operation; a value a client has already hashed (pam_password SSHA in
# ldap.conf) is stored as sent.
password-hash {SSHA}
# Access control. ACLs are evaluated in order and the first "access to" whose
# target matches decides, so this password ACL must stay ahead of
# "access to *".
# NOTE(review): as shown here the "by" clauses start in column 0; slapd.conf(5)
# treats only lines beginning with whitespace as continuations, so in the real
# file they must be indented (slapd evidently parses the file, so this is
# presumably formatting lost in the post).
# "sambaNTPAssword" differs in case from the schema's sambaNTPassword;
# attribute type names match case-insensitively, so it should still apply,
# but spelling it as in samba.schema keeps it greppable.
# by self write: users may change their own password. by anonymous auth: the
# hash is usable for simple binds but never readable. cn=nssldap read: the
# rootbinddn from ldap.conf can fetch every hash, so whoever can read
# ldap.secret holds all password hashes -- protect that file like rootpw.
# uid=root has write here and below, i.e. rootdn-level power over the data;
# its own credential deserves the same care.
access to attr=userPassword,sambaLMPassword,sambaNTPAssword
by self write
by anonymous auth
by dn="uid=root,dc=test,dc=ru" write
by dn="cn=samba,ou=DSA,dc=test,dc=ru" write
by dn="cn=smbldap-tools,ou=DSA,dc=test,dc=ru" write
by dn="cn=nssldap,ou=DSA,dc=test,dc=ru" read
by * none
# NOTE(review): probable cause of "id: testuser1: no such user". cn=nssldap --
# the identity nss_ldap/pam_ldap bind as through rootbinddn -- is not listed
# here, so it falls to "by * none" and cannot read uid, uidNumber, gidNumber,
# objectClass or memberUid; the ACL above lets it read userPassword only.
# Anonymous gets nothing either. That matches the symptoms: ldapsearch bound
# as uid=testuser1 sees its own entry through "by self read", while NSS
# lookups come back empty. Add
#   by dn="cn=nssldap,ou=DSA,dc=test,dc=ru" read
# before "by self read". Lookups from unprivileged processes presumably bind
# anonymously (nss_ldap uses rootbinddn only as root), so they need a separate
# ACL on the non-secret account attributes with anonymous read; keep
# "by * none" here so userPassword and the rest stay unreadable without a bind.
access to *
by dn="uid=root,dc=test,dc=ru" write
by dn="cn=samba,ou=DSA,dc=test,dc=ru" write
by dn="cn=smbldap-tools,ou=DSA,dc=test,dc=ru" write
by self read
by * none
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=test,dc=ru"
# rootdn bypasses every ACL above; rootpw is stored as an {SSHA} hash, which
# is right -- keep this file unreadable to others as the header says.
rootdn "cn=admin,dc=test,dc=ru"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
#index objectClass eq
# eq indexes on objectClass/uidNumber/gidNumber and uid cover the NSS lookups
# (getpwnam, getpwuid, getgrgid) so they do not fall back to full scans.
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
В разных документациях пишут, что у пользователя должен быть пароль
userPassword:: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
а у меня вот:
userPassword:: e1NTXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(двойное двоеточие в LDIF означает, что значение записано в base64; «e1NT» — это base64 от «{SS», то есть формат тот же самый)
Подскажите где напутал.