Hey Buchan,
Thanks a lot for your help... it makes sense now. During the configuration process, I
modified the NSS service to consult the OpenLDAP server by adding the following lines to
the /etc/nsswitch.conf file:
passwd: files ldap
shadow: files ldap
group: files ldap
So the ldap server is called for NSS lookups regardless of what authentication mechanism is
used. Got it.
Again, thanks a lot
~Hamid
----- Original Message ----
From: Buchan Milne <bgmilne(a)staff.telkomsa.net>
To: openldap-technical(a)openldap.org
Cc: Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com>
Sent: Tuesday, February 26, 2008 1:13:56 AM
Subject: Re: using LDAP as central authentication unit
On Monday 25 February 2008 20:52:08 Hamidreza Hamedtoolloei wrote:
> so if a user is in both /etc/passwd and ldap, linux authentication is used. However, if a
> user is ONLY in the ldap directory, linux authentication fails and ldap is called.
>
> Analysing the case that a user is only in the etc/passwd: In this case, there are some
> activities on the ldap side which I don't understand. If a user is only in etc/passwd and the
> pam.d/system.auth file says call ldap only if linux fails, then why is ldap called when linux
> authentication is successful?

Because this is NOT PAM. It is an NSS lookup. For example, when you type 'ls', the filesystem
returns the uid that owns the files. To show the username of the owner, the C library invokes a
function from nss to look up the username. This has nothing to do with pam.

In a similar way, group memberships have nothing (much) to do with PAM, but with nss.

> You say this is expected... but if I understood the pam.d/system.auth file correctly, ldap
> should not be called if a user is only in etc/passwd

We can't tell, as you haven't provided your /etc/nsswitch.conf file, and none of the queries
from your log look like pam_ldap; they look more like nss_ldap ...

Regards,
Buchan
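As an added illustration of Buchan's point (not code from the thread or from OpenLDAP): a small parser for the /etc/nsswitch.conf format that reports which NSS databases will reach the LDAP server, and in what position, independently of anything in the PAM stack. The sample file content is constructed to mirror Hamid's passwd/shadow/group lines; the hosts line with its [NOTFOUND=return] action is an assumed extra, included only to exercise the action-block syntax from nsswitch.conf(5).

```python
"""Report which NSS databases consult LDAP according to nsswitch.conf."""
import re
from typing import Dict, List, Tuple

# Constructed sample; on a real host read the text from /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files [NOTFOUND=return] dns
"""

# A token is either a service name or an action block such as
# [NOTFOUND=return]; the alternation keeps action blocks in one piece.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, group, ...) to its ordered source tokens."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        databases[name.strip()] = _TOKEN.findall(rest)
    return databases


def services(tokens: List[str]) -> List[str]:
    """Service names only, with action blocks like [NOTFOUND=return] removed."""
    return [t for t in tokens if not t.startswith("[")]


def ldap_databases(text: str) -> List[Tuple[str, int]]:
    """Databases that reach LDAP, paired with LDAP's 0-based position.

    With 'files ldap', a getpwnam(3)/getpwuid(3) answered by the local files
    stops there, but any name or uid missing from the local files, and group
    membership enumeration, fall through to nss_ldap regardless of PAM.
    """
    result = []
    for name, tokens in parse_nsswitch(text).items():
        svc = services(tokens)
        if "ldap" in svc:
            result.append((name, svc.index("ldap")))
    return result


if __name__ == "__main__":
    for db, pos in ldap_databases(SAMPLE_NSSWITCH):
        print(f"{db}: ldap is source #{pos + 1}")
```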