Hey,
sorry for the long delay, it was a busy week.
Looking at your /etc/ldap.conf I see that the following lines are missing:
Code:
nss_base_passwd ou=users,dc=removed,dc=com?one
nss_base_group ou=groups,dc=removed,dc=com?one
They should point to the actual ou of your users and groups. What I also noticed is your use of the use_sasl and rootuse_sasl options. Adding these to my config, the login took significantly longer. I'm not using them though, and to be honest I have no idea what they actually do. It works nevertheless.
Also, check your TLS_CACERT and TLS_CACERTDIR options in /etc/ldap/ldap.conf. I'm not sure about this, but I think you have to decide on one, not use both. And since you use a backup server, you'd likely want to go for TLS_CACERTDIR.
Here's my config that works without problems:
/etc/ldap.conf:
Code:
# Pre-configured values
base dc=removed,dc=com
uri ldap://masterldap.removed.com
ldap_version 3
pam_password md5
# Own settings
ssl start_tls
tls_checkpeer yes
bind_policy soft
nss_base_passwd ou=users,dc=removed,dc=com?one
nss_base_group ou=groups,dc=removed,dc=com?one
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,saned,sync,sys,syslog,uucp,vboxadd,www-data
/etc/ldap/ldap.conf:
Code:
BASE dc=removed,dc=com
URI ldap://masterldap.removed.com
TLS_REQCERT demand
TLS_CACERT /usr/share/ca-certificates/cacert_home.crt
If you still have problems, I'd guess there's something wrong with the certificates. How did you add your certs to your LDAP server? And does the LDAP server cert's common name match exactly your LDAP URI, in this case masterldap.removed.com? You'd need a separate certificate for your LDAP backup server as well.
Hm, that's all that comes to my mind for now. Hope it is of some use to you!
Cheers,
Robert
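As an added example (not part of Robert's post), the checks he walks through above can be turned into a small lint over the two config files: missing nss_base_passwd/nss_base_group, TLS_CACERT and TLS_CACERTDIR both set, peer verification switched off, and a URI host that does not match the server certificate's CN. The sample configs and the backup host name are constructed for the demo; the certificate CN is passed in as a plain string rather than read from a live server.

```python
import re

def parse_ldap_conf(text):
    """Parse a pam_ldap/nss_ldap or libldap style config into a dict.
    Keys are lower-cased so TLS_CACERT and tls_cacert compare equal."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_ldap_setup(nss_conf_text, libldap_conf_text, server_cert_cn):
    """Return a list of findings for the misconfigurations discussed in the post."""
    nss = parse_ldap_conf(nss_conf_text)
    lib = parse_ldap_conf(libldap_conf_text)
    findings = []
    for key in ("nss_base_passwd", "nss_base_group"):
        if key not in nss:
            findings.append(f"{key} missing: lookups search the whole 'base' subtree")
    # pam_ldap/nss_ldap does not verify the server cert unless tls_checkpeer is yes
    if nss.get("ssl") == "start_tls" and nss.get("tls_checkpeer", "no") != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    # libldap defaults TLS_REQCERT to demand; only an explicit weaker value is flagged
    if "tls_reqcert" in lib and lib["tls_reqcert"].lower() != "demand":
        findings.append("TLS_REQCERT weakened: a bad or missing server cert is tolerated")
    if "tls_cacert" in lib and "tls_cacertdir" in lib:
        findings.append("both TLS_CACERT and TLS_CACERTDIR set: pick one (TLS_CACERTDIR for several servers)")
    uri = nss.get("uri") or lib.get("uri", "")
    for u in uri.split():
        host = re.sub(r"^ldaps?://", "", u).split("/")[0].split(":")[0]
        if host and host != server_cert_cn:
            findings.append(f"URI host {host!r} does not match certificate CN {server_cert_cn!r}")
    return findings

# Constructed sample resembling the problem config in the thread; backupldap is a placeholder host
SAMPLE_NSS_CONF = """\
base dc=removed,dc=com
uri ldap://masterldap.removed.com ldap://backupldap.removed.com
ldap_version 3
ssl start_tls
tls_checkpeer yes
"""
SAMPLE_LIBLDAP_CONF = """\
BASE dc=removed,dc=com
URI ldap://masterldap.removed.com
TLS_REQCERT demand
TLS_CACERT /usr/share/ca-certificates/cacert_home.crt
TLS_CACERTDIR /etc/ssl/certs
"""

if __name__ == "__main__":
    for f in check_ldap_setup(SAMPLE_NSS_CONF, SAMPLE_LIBLDAP_CONF, "masterldap.removed.com"):
        print("-", f)
```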