[Wylug-help] LDAP fun

John Hodrien johnh at comp.leeds.ac.uk
Thu Oct 23 11:35:21 BST 2003


Apologies for the length...

I just thought I'd have a play with LDAP, but I'm not having as much joy as
I'd hoped.  I'm hoping someone here can slap me back onto the right path.

I've got three different sets of machines that are uid matched, but have
different passwords.  This is how we want it to remain.  At the moment, it is
three separate NIS domains.  In addition there's a user database that isn't
entirely neatly integrated with the NIS domains.

I thought this could be done quite nicely with LDAP.  I've done a basic test
that's got LDAP authentication working no problems, and I've got TLS support
up and running.  The password field is suitably protected, so it can only be read
by root and written by the user themselves.  You're allowed to auth against
it as anonymous, so you don't have to have the lookups done with the root
creds.

That's all fine, but to get the three-password config up, I figured I could
just extend it all a bit.  Now this is where I probably get a bit woolly.  I
extended the schema to have my three password fields, to give something close
to this:

attributetype ( 1.3.6.1.4.1.4203.666.1.100.1 NAME 'onePassword'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

attributetype ( 1.3.6.1.4.1.4203.666.1.100.2 NAME 'twoPassword'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

attributetype ( 1.3.6.1.4.1.4203.666.1.100.3 NAME 'threePassword'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

objectclass ( 1.3.6.1.4.1.4203.666.1.100 NAME 'dodgyPerson'
     DESC 'Spod from here'
     SUP person
     STRUCTURAL
          MAY ( onePassword $ twoPassword $ threePassword )
     )

Then in the /etc/ldap.conf add a mapping:

nss_map_attribute userPassword onePassword

I've populated the LDAP tree with the information, exactly as I had it working
before but with userPassword information being fed into onePassword instead.
Doing an ldapsearch shows all the data where it should be with the
onePassword attribute having the identical data in.  Now I feel I'm not far
wrong by the fact that getent shadow returns the correct data.

But nothing works, with a failed login all round.  Now I don't see why any of
my pam config should need changing to reflect this, since it worked when
userPassword was used.

Now that I've written all this, I've got a vague inkling that I'm entirely
wrong.  Is the problem that it tries to auth against the LDAP server (which
will always use the userPassword field)?  So I could just create a proxy user
with the right to read the password field, and use the nss_ldap rather than
pam_ldap stuff?

jh

--
"We should burn all libraries and allow to remain only that which everybody
 knows by heart.  A beautiful age of legend would then begin."
                                                     -- Hugo Ball
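Taking the proxy-user idea at the end of the message as an added example (not from the original post or the OpenLDAP project): a slapd.conf access-control fragment that lets each machine set's own proxy reader see only its password attribute, leaves userPassword for binds only, and keeps the rest of the tree anonymously readable for uid/gid lookups. The base DN and proxy DNs are assumed placeholders.

```conf
# slapd.conf access control, added example (dc=example,dc=org and the
# cn=proxy-* DNs are assumed placeholders).
#
# A simple bind is checked by the server against userPassword, so mapping
# userPassword to onePassword on the client only changes what nss_ldap reads
# for getent shadow; it cannot make pam_ldap's bind succeed.  Instead each
# machine set's hosts bind as their own proxy reader (binddn/bindpw in
# /etc/ldap.conf, password kept in a root-only ldap.secret) and pam_unix
# checks the hash that nss_ldap hands back as the shadow entry.
#
# slapd applies the first "access to" clause that matches, so the
# attribute-specific clauses must come before the catch-all at the end.

access to attrs=onePassword
        by self write
        by dn="cn=proxy-one,ou=proxies,dc=example,dc=org" read
        by * none

access to attrs=twoPassword
        by self write
        by dn="cn=proxy-two,ou=proxies,dc=example,dc=org" read
        by * none

access to attrs=threePassword
        by self write
        by dn="cn=proxy-three,ou=proxies,dc=example,dc=org" read
        by * none

# userPassword stays usable for binding (auth) but is never readable,
# so the proxy readers cannot harvest it either.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...) stays
# world-readable so anonymous NSS lookups keep working.
access to *
        by * read
```

Once this is in place, `ldapsearch -x -D "cn=proxy-one,..." -W '(uid=someuser)' onePassword twoPassword` should return onePassword and nothing for twoPassword, which is a quick way to confirm the per-set isolation before pointing hosts at it.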