Hi all
I'm new to LDAP, and I must say it took me a LONG time to set it up under Debian etch on both server and client at all to do anything useful.
Now I can do "ldapsearch -x -v -L" type requests from a remote host and locally. I then tried switching the remote host to using LDAP for user authentication. I'd like users not registered locally to be able to log in using ldap, and for locally-known users nothing should change.
I did manage to get logins to use ldap by configuring all /etc/pam.d/common-* files to first try pam_unix and then, if that fails, to use ldap:
* sufficient pam_unix
* sufficient pam_ldap (should this be "required"?)
where * is "account", "auth", "password" and "session". In "auth" and "password" I also had to put
* required pam_deny
after ldap, because otherwise wrong passwords were accepted. In nsswitch.conf I put
*: files ldap
for "passwd", "group", "shadow". Now I would expect that with sequences ("pam_unix" before "pam_ldap" and "files" before "ldap") indeed locally known users wouldn't be authenticated using ldap. Unfortunately, this doesn't seem to be the case. Now _all_ nss / pam requests go to the LDAP server. Including calls from udevd, avahi-daemon, and others, which causes them to fail in various ways.
What am I doing wrong?
I know SASL is not configured in my setup, but that shouldn't be a problem? At least not for the cases when LDAP shouldn't be attempted at all.
Thanks,
Guennadi
---
Guennadi Liakhovetski
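The behaviour described above can be walked through with a small simulation of the two mechanisms involved: the nsswitch.conf source order ("files ldap") and the PAM control flags ("sufficient" / "required"). This is an added example, not code from the post or from Debian's pam/nss packages; the account names in it are constructed. It shows that with "files ldap" every lookup of a name that does not exist in the local files falls through to the ldap source, which is exactly what daemons such as udevd or avahi-daemon trigger when they look up names that exist nowhere, and that a trailing "required pam_deny" turns a stack of only-"sufficient" modules that all failed from an undecided result into an explicit denial.

```python
"""Simulate NSS source order and PAM control-flag evaluation.

Added example (not from the post).  The nsswitch.conf text and the PAM
stacks mirror the post; the local and LDAP user sets are constructed.
"""

NSSWITCH_CONF = """\
passwd: files ldap
group:  files ldap
shadow: files ldap
"""

# PAM "auth" stack as in the post, without and with the trailing pam_deny.
PAM_AUTH_WITHOUT_DENY = [
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
]
PAM_AUTH_WITH_DENY = PAM_AUTH_WITHOUT_DENY + [("required", "pam_deny")]

# Constructed local /etc/passwd names ("files" source).
LOCAL_USERS = {"root", "guennadi", "daemon"}
# Constructed names known only to the LDAP directory ("ldap" source).
LDAP_USERS = {"alice", "bob"}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf-style text."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        databases[db.strip()] = sources.split()
    return databases


def nss_lookup(name, sources, local, ldap):
    """Walk the sources in order and stop at the first hit.

    Returns (found_in, consulted).  A name that is not in 'files' always
    falls through to 'ldap', so a lookup of a name that exists nowhere
    still contacts the LDAP server.
    """
    consulted = []
    for src in sources:
        consulted.append(src)
        if src == "files" and name in local:
            return "files", consulted
        if src == "ldap" and name in ldap:
            return "ldap", consulted
    return None, consulted


def pam_auth(stack, results):
    """Evaluate a PAM stack with the usual control-flag semantics.

    'results' maps module name -> True (success) / False (failure);
    pam_deny is absent from it and therefore always fails.
      sufficient: success ends the stack successfully unless a required
                  module already failed; failure is ignored.
      required:   failure is remembered, later modules still run.
      requisite:  failure ends the stack immediately.
    A stack in which no module produced a decisive result is reported as
    "undecided": how that case is treated depends on the PAM
    implementation, which is what a trailing pam_deny makes explicit.
    """
    required_failed = False
    decided = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return "success"
        elif control == "required":
            decided = True
            if not ok:
                required_failed = True
        elif control == "requisite":
            decided = True
            if not ok:
                return "fail"
    if required_failed:
        return "fail"
    return "success" if decided else "undecided"


if __name__ == "__main__":
    sources = parse_nsswitch(NSSWITCH_CONF)["passwd"]
    for name in ("guennadi", "alice", "udev"):
        print(name, nss_lookup(name, sources, LOCAL_USERS, LDAP_USERS))
    both_fail = {"pam_unix": False, "pam_ldap": False}
    print("without pam_deny:", pam_auth(PAM_AUTH_WITHOUT_DENY, both_fail))
    print("with pam_deny:   ", pam_auth(PAM_AUTH_WITH_DENY, both_fail))
```

Running it shows the local user resolved from "files" alone, the directory user resolved only after "files" missed, and the unknown name consulting both sources and finding nothing; the two PAM runs differ only in that pam_deny turns "undecided" into "fail".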