George Toft wrote:
> Has anyone set up a debian box to use LDAP for authentication?  I tried
> it last night with mixed results:
> - LDAP is working fine: I can retrieve the entries, and the command
> getent shows entries from files and ldap.
> - I can't log in:
> - I can't change password:
> # passwd gtoft
> passwd: Critical error - immediate abort
> #
>
> I think my problem lies in my PAM configuration.  If anyone has done
> this and wants to share their pam configs, I would be very appreciative.
>
> I have googled for the errors I've been getting and have retrieved 0
> hits consistently :(  This seems to be trivial under RedHat (or so say
> all the web pages I found on the topic).  Debian is another story.

Hi George,

I use LDAP for authentication for IMAP/POP/SMTP/Web and SSH. Our LDAP
backend is controlled by ISPMan, but I can use generic LDAP tools to add
and modify users too.

Most likely the problem lies either in:

1) /etc/pam-ldap.conf NOT matching /etc/ldap/slapd.conf
2) /etc/pam.d/* NOT being set up correctly.

The pam modules and plugins started off with great documentation. Then
some "cool hacks" started happening and things were no longer documented.

Here's a sample pam.d I stole off a mailing list for SSH; this will allow
a fallthrough to local authentication if LDAP is unreachable. It will
require a local account.

/------/etc/pam.d/ssh START
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
password sufficient pam_ldap.so
password required pam_unix.so
\-----------END

Because you can't change passwords using LDAP, it sounds like your
pam-ldap connector does not have the right LDAP username/password and
Base DN information.

Can you check your slapd.conf and run "dpkg-reconfigure libpam-ldap"?

Hope this gets you started!

Tony

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
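
The fallthrough described in the message above, shown as an added example that is not part of the original post: a simplified model of how Linux-PAM evaluates the "sufficient" and "required" control flags in the sample /etc/pam.d/ssh stack. The per-module outcomes in SCENARIOS are constructed, and the function names are this example's own.

```python
# Added example: simplified model of Linux-PAM "required"/"sufficient" handling.
# The stack text is the sample /etc/pam.d/ssh from the message above.
SSH_PAM = """\
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
password sufficient pam_ldap.so
password required pam_unix.so
"""

def parse(text):
    """Group 'type control module' lines into {type: [(control, module), ...]}."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            stacks.setdefault(fields[0], []).append((fields[1], fields[2]))
    return stacks

def run_stack(stack, results):
    """results maps module -> True (PAM_SUCCESS) or False (any failure).
    Returns (granted, modules_consulted)."""
    required_failed = required_passed = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient":
            # Success ends the stack at once unless a required module already
            # failed; failure of a sufficient module is ignored.
            if ok and not required_failed:
                return True, consulted
        elif control == "required":
            # Failure is remembered, but later modules still run.
            required_failed |= not ok
            required_passed |= ok
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return required_passed and not required_failed, consulted

# Constructed scenarios: per-module outcomes for one SSH login attempt.
SCENARIOS = {
    "ldap up, ldap user": {"pam_ldap.so": True, "pam_nologin.so": True, "pam_unix.so": False},
    "ldap down, local account": {"pam_ldap.so": False, "pam_nologin.so": True, "pam_unix.so": True},
    "ldap down, no local account": {"pam_ldap.so": False, "pam_nologin.so": True, "pam_unix.so": False},
}

if __name__ == "__main__":
    auth = parse(SSH_PAM)["auth"]
    for name, results in SCENARIOS.items():
        print(name, run_stack(auth, results))
```

In the first scenario only pam_ldap.so is consulted: with this ordering a successful LDAP bind ends the auth stack before pam_nologin.so runs, so the nologin check applies only to logins that fall through to local authentication.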