See also: LDAP
It looks like you have not configured NSS (nss-ldap) to use the LDAP server for the list of users. Does the command getent passwd myuser find the user “myuser”? If not, then the system does not know anything about this user and does not want to authenticate it. You have to set up both nss-ldap (for the system to be able to see LDAP users) and pam-ldap (for PAM to authenticate using LDAP).
http://www.redhat.com/archives/pam-list/2008-April/msg00014.html
slapd.conf is this, comments dropped:
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include /usr/local/share/examples/samba/LDAP/samba.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> logfile /var/log/slapd.log
> loglevel 512
loglevel is a bitmask. If you want to have lots of debugging, try 255 and run a tail -f /var/log/debug.log.
Can you ldapsearch -Lx -h localhost? What's /var/log/debug.log telling you? Can you id (see id(1) man pages) some LDAP users? Does the output of getent group and getent passwd look reasonable?
http://lists.freebsd.org/pipermail/freebsd-ports/2007-November/044725.html
Check the permissions on /lib/libnss_ldap.so. Should be 755.
Make sure the more specific ACLs come first…
access to dn=".*,ou=people,dc=plainjoe,dc=org" attr=userPassword
    by self write
    by * auth
access to dn=".*,ou=people,dc=plainjoe,dc=org"
    by * read
http://www.openldap.org/lists/openldap-software/200104/msg00250.html
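Why the order matters, as an added example (not code from the quoted post or from OpenLDAP): a simplified Python model of slapd's first-match ACL evaluation, run over the two directives above in both orders. The sample entries (uid=jerry, uid=other) are constructed, and the model covers only the dn="regex", attr=, by self and by * forms used here.

```python
import re

# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Handles only: access to dn="<regex>" [attr=<name>] by self|* <level>
ACL_RE = re.compile(r'access to dn="([^"]+)"(?:\s+attr=(\S+))?((?:\s+by\s+\S+\s+\S+)+)')

# The two directives from the post, in the recommended order.
PAGE_ACLS = '''
access to dn=".*,ou=people,dc=plainjoe,dc=org" attr=userPassword
    by self write
    by * auth
access to dn=".*,ou=people,dc=plainjoe,dc=org"
    by * read
'''

def parse_acls(text):
    """Return [(compiled_dn_regex, attr_or_None, [(who, level), ...]), ...]."""
    acls = []
    for dn_regex, attr, by_part in ACL_RE.findall(text):
        by = re.findall(r"by\s+(\S+)\s+(\S+)", by_part)
        acls.append((re.compile(dn_regex, re.I), attr or None, by))
    return acls

def access_level(acls, target_dn, attr, requester_dn):
    """The first matching 'access to' wins; inside it, the first matching 'by' wins."""
    for dn_re, acl_attr, by in acls:
        if not dn_re.search(target_dn):
            continue
        if acl_attr and acl_attr.lower() != attr.lower():
            continue
        for who, level in by:
            is_self = who == "self" and requester_dn.lower() == target_dn.lower()
            if who == "*" or is_self:
                return level
        return "none"  # clause matched but no 'by' did: evaluation stops here
    return "none"      # nothing matched: implicit deny once any ACL is defined

def password_access(acls):
    """Access to userPassword on a constructed sample entry, per requester."""
    target = "uid=jerry,ou=people,dc=plainjoe,dc=org"  # constructed
    other = "uid=other,ou=people,dc=plainjoe,dc=org"   # constructed
    requesters = {"anonymous": "", "other": other, "self": target}
    return {name: access_level(acls, target, "userPassword", dn)
            for name, dn in requesters.items()}

if __name__ == "__main__":
    acls = parse_acls(PAGE_ACLS)
    print("specific first:", password_access(acls))
    print("general first: ", password_access(acls[::-1]))
```

With the general rule first, the userPassword rule is never reached: every requester, anonymous included, gets read on userPassword, and the entry's owner no longer gets write.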
Running getent passwd only returns results from /etc/passwd, and nothing from my running LDAP server.
I have migrated all my user/group accounts into the running ldap server using the Migration tools from PADL.com.
The slapd process is running fine.
I can see everything with an
ldapsearch -x "(objectClass=posixAccount)"
My /etc/openldap/ldap.conf file is set up correctly (used by ldapsearch).
My /etc/ldap.conf file is also set up correctly (per the book, and about 20 online tutorials).
slapcat shows all of my directory's contents.
My /etc/nsswitch.conf file has the following entries:
passwd: ldap compat
group: ldap compat
I know it's not querying ldap because:
/etc/passwd).
getent passwd