====== LDAP Configuration ======
See also: [[software:LDAP]]
It looks like you have not configured NSS (nss-ldap) to use the LDAP server for the list of users. Does the command ''getent passwd myuser'' find the user "myuser"? If not, then the system does not know anything about this user and does not want to authenticate it. You have to set up both nss-ldap (for the system to be able to see LDAP users) and pam-ldap (for PAM to authenticate using LDAP).
http://www.redhat.com/archives/pam-list/2008-April/msg00014.html
''slapd.conf'' is this, comments dropped:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include /usr/local/share/examples/samba/LDAP/samba.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> logfile /var/log/slapd.log
> loglevel 512
''loglevel'' is a bitmask (see slapd.conf(5)). If you want to have lots of debugging, try 255 and run a ''tail -f /var/log/debug.log''.
----
Can you ''ldapsearch -Lx -h localhost''? What's ''/var/log/debug.log'' telling you? Can you id (see id(1) man pages) some ldap users? Does the output of ''getent group'' and ''getent passwd'' look reasonable?
http://lists.freebsd.org/pipermail/freebsd-ports/2007-November/044725.html
Check the permissions on ''/lib/libnss_ldap.so''. Should be 755.
Make sure the more specific ACLs come first, because slapd uses the first ''access to'' clause whose target matches:
> access to dn=".*,ou=people,dc=plainjoe,dc=org" attr=userPassword
>         by self write
>         by * auth
> access to dn=".*,ou=people,dc=plainjoe,dc=org"
>         by * read
http://www.openldap.org/lists/openldap-software/200104/msg00250.html
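To see why the order matters, here is an added example (not from the page or from OpenLDAP itself) that simulates slapd's documented first-match ACL evaluation over the two stanzas above. It assumes the regex-style ''dn="..."'' target is matched as a full regular expression against the entry DN and only models the ''self'', ''users'', ''anonymous'' and ''*'' subject forms; the sample DNs and the reversed-order fragment are constructed.

```python
"""Simulate slapd.conf ACL evaluation to check 'access to' ordering.

Added example, not the project's own code. slapd takes the first 'access to'
clause whose target matches the request, then the first matching 'by' clause;
if no 'by' clause matches, access is denied (implicit 'by * none').
Assumption: dn="..." targets are full-match regular expressions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Access levels in increasing order of privilege, per slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

TO_RE = re.compile(r'^access\s+to\s+(.*)$')
DN_RE = re.compile(r'dn(?:\.regex)?="([^"]*)"')
ATTR_RE = re.compile(r'\battrs?=(\S+)')
BY_RE = re.compile(r'^by\s+(\S+)\s+(\S+)')


@dataclass
class Acl:
    dn_regex: Optional[str]            # None: applies to every entry
    attrs: Optional[set[str]]          # None: applies to every attribute
    by: list[tuple[str, str]] = field(default_factory=list)  # (who, level)


def parse_acls(text: str) -> list[Acl]:
    """Parse the 'access to ... by ...' stanzas of a slapd.conf fragment."""
    acls: list[Acl] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TO_RE.match(line)
        if m:
            dn = DN_RE.search(m.group(1))
            attrs = ATTR_RE.search(m.group(1))
            acls.append(Acl(dn.group(1) if dn else None,
                            set(attrs.group(1).split(",")) if attrs else None))
        elif (m := BY_RE.match(line)) and acls:
            acls[-1].by.append((m.group(1), m.group(2)))
    return acls


def _who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    return False  # dn=/group= subject forms are not modelled in this example


def effective_access(acls: list[Acl], requester: Optional[str],
                     target_dn: str, attr: str) -> str:
    """Access level 'requester' (None = anonymous) gets to attr of target_dn."""
    for acl in acls:
        if acl.dn_regex is not None and not re.fullmatch(acl.dn_regex, target_dn):
            continue
        if acl.attrs is not None and attr not in acl.attrs:
            continue
        # This clause decides; later clauses are never consulted.
        for who, level in acl.by:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


# The page's ACL in the intended order (specific rule first).
CORRECT_ORDER = '''
access to dn=".*,ou=people,dc=plainjoe,dc=org" attr=userPassword
        by self write
        by * auth
access to dn=".*,ou=people,dc=plainjoe,dc=org"
        by * read
'''
# Constructed: same stanzas reversed, so the general rule shadows the password rule.
WRONG_ORDER = '''
access to dn=".*,ou=people,dc=plainjoe,dc=org"
        by * read
access to dn=".*,ou=people,dc=plainjoe,dc=org" attr=userPassword
        by self write
        by * auth
'''
ALICE = "uid=alice,ou=people,dc=plainjoe,dc=org"   # constructed sample DNs
BOB = "uid=bob,ou=people,dc=plainjoe,dc=org"


def password_readable_by_others(conf_text: str) -> bool:
    """True if another user (bob) can read alice's userPassword hash."""
    return allows(effective_access(parse_acls(conf_text), BOB, ALICE, "userPassword"), "read")


if __name__ == "__main__":
    for name, conf in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, "order: bob -> alice userPassword =",
              effective_access(parse_acls(conf), BOB, ALICE, "userPassword"))
```

Run it with no arguments: in the intended order bob gets only ''auth'' on alice's ''userPassword'' (enough to bind, not to read the hash), while with the general rule first the same request resolves to ''read'', which is exactly the misconfiguration the warning above is about.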
Running ''getent passwd'' only returns results from ''/etc/passwd'', and nothing from my running LDAP server.
I have migrated all my user/group accounts into the running ldap server using the Migration tools from PADL.com.
The slapd process is running fine.
I can see everything with an ''ldapsearch -x "(objectClass=posixAccount)"''.
My ''/etc/openldap/ldap.conf'' file is setup correctly (used by ''ldapsearch'').
My ''/etc/ldap.conf'' file is also setup correctly (per the book, and about 20 online tutorials).
''slapcat'' shows all of my directory's contents.
My ''/etc/nsswitch.conf'' file has the following entries:
> passwd: ldap compat
> group: ldap compat
I know it's not querying ldap because:
1. I added a new user into the ldap directory and it's not showing.
2. I modified an existing user's home directory in LDAP, and it's showing old value (from ''/etc/passwd'').
3. When I remove the 'compat' entry from nsswitch.conf, I get absolutely no output from ''getent passwd''.
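The first quote on this page (check ''getent passwd myuser'', then set up nss-ldap and pam-ldap separately) and the report above (nsswitch.conf lists ''ldap'' but lookups still only hit ''/etc/passwd'') are the same diagnosis. The following added example (not from the page or any of the quoted posts) parses an nsswitch.conf, reports where ''ldap'' sits for the passwd, group and shadow databases, and resolves a name through the same NSS path ''getent'' uses. The sample nsswitch.conf text is constructed from the lines quoted above plus a ''shadow'' line.

```python
"""Check whether NSS is set up to consult LDAP for users and groups.

Added example, not code from the page. pwd.getpwnam()/grp.getgrnam() go
through the same NSS modules as 'getent passwd' / 'getent group', so a user
that exists only in LDAP resolves only if nss-ldap is configured and working.
"""
from __future__ import annotations
import grp
import pwd
import sys
from typing import Optional

ACCOUNT_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text: str) -> dict[str, list[str]]:
    """Map each NSS database to its ordered list of sources."""
    sources: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Keep source names only; drop action specifiers like [NOTFOUND=return].
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def ldap_positions(sources: dict[str, list[str]]) -> dict[str, Optional[int]]:
    """Position of 'ldap' in each account database's source list (None = absent)."""
    return {db: (sources[db].index("ldap") if "ldap" in sources.get(db, []) else None)
            for db in ACCOUNT_DBS}


def findings(sources: dict[str, list[str]]) -> list[str]:
    """Human-readable observations about the LDAP-related NSS setup."""
    out = []
    for db, pos in ldap_positions(sources).items():
        if pos is None:
            out.append(f"{db}: ldap is not a source ({' '.join(sources.get(db, [])) or 'no entry'})")
        else:
            out.append(f"{db}: ldap is source #{pos + 1} of {len(sources[db])}")
    if ldap_positions(sources)["shadow"] is None and ldap_positions(sources)["passwd"] is not None:
        out.append("note: passwd uses ldap but shadow does not; pam_unix cannot verify "
                   "LDAP passwords, so pam_ldap must be in the PAM stack")
    return out


def lookup_user(name: str) -> Optional[pwd.struct_passwd]:
    """Resolve through NSS, as 'getent passwd NAME' would; None if unknown."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None


def lookup_group(name: str) -> Optional[grp.struct_group]:
    """Resolve through NSS, as 'getent group NAME' would; None if unknown."""
    try:
        return grp.getgrnam(name)
    except KeyError:
        return None


# Constructed sample, built from the nsswitch.conf lines quoted on the page.
SAMPLE_NSSWITCH = """
passwd: ldap compat
group:  ldap compat
shadow: compat
"""

if __name__ == "__main__":
    # usage: script.py [nsswitch.conf] [username]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NSSWITCH
    for line in findings(parse_nsswitch(text)):
        print(line)
    if len(sys.argv) > 2:
        user = sys.argv[2]
        pw = lookup_user(user)
        print(f"{user}: {'found via NSS, home=' + pw.pw_dir if pw else 'NOT resolvable via NSS'}")
```

Run it against the real ''/etc/nsswitch.conf'' and an account that exists only in the directory: if the findings say ''ldap'' is listed but the user is not resolvable, the problem is in the nss-ldap side (''/etc/ldap.conf'', the module itself, or the server), not in PAM; if the user resolves but logins still fail, look at pam-ldap.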
===== Some References =====
https://www.linuxquestions.org/questions/slackware-14/nssldap-not-workin...
http://ubuntuforums.org/archive/index.php/t-627833.html