Henrik Schmidt wrote:
/etc/ldap.conf is auto-generated:

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
ldap_version 3
pam_filter objectClass=posixAccount
nss_base_passwd ou=people,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
nss_base_shadow ou=people,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
nss_base_group ou=group,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
tls_checkpeer no
#ssl on
Some additional values you may also want in /etc/ldap.conf:

nss_map_attribute uniqueMember member
timelimit 15
bind_timelimit 15
bind_policy soft
Two questions:
1. Why is tls_checkpeer set to "no", or set at all? I want to have it either enabled or not set at all, so that the configuration in /etc/openldap/ldap.conf is used as the default.
tls_checkpeer is set to 'no' because you haven't defined tls_cacertdir or tls_cacertfile which are required for peer verification. This is described in nss_ldap(5).
2. Is "objectClass" in pam_filter objectClass=posixAccount spelled correctly? I think it should be spelled objectclass with a small c.
Case doesn't matter for these identifiers, but it's common practice, when an identifier is a concatenation of multiple words, to use upper case for the first letter of the successive words. It lends to readability, but that is it.

--
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper@cognigencorp.com

--
To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
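As an added example (not part of this thread and not from the opensuse-autoinstall tooling): a small POSIX shell audit for an nss_ldap-style /etc/ldap.conf. It flags the state the auto-generated file above is in, STARTTLS negotiated but tls_checkpeer no, so the server certificate is never verified and an attacker on the path can impersonate the directory, and it flags tls_checkpeer yes without a tls_cacertfile/tls_cacertdir, which is the dependency Darin's reply points at. The hardened sample, the CA path /etc/ssl/certs/ks-ldap-ca.pem and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits nss_ldap /etc/ldap.conf
# for TLS peer verification. Sample files and the CA path are constructed.

# Print the value of a directive from an ldap.conf-style file.
# First match wins; comments and blank lines are skipped; the keyword is
# compared case-insensitively (a choice made here for robustness).
ldap_conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when the file both enables TLS and verifies the server
# certificate against a configured trust anchor; 1 otherwise.
# Findings go to stdout.
audit_ldap_conf() {
    conf="$1"
    ssl=$(ldap_conf_get "$conf" ssl)
    checkpeer=$(ldap_conf_get "$conf" tls_checkpeer)
    cafile=$(ldap_conf_get "$conf" tls_cacertfile)
    cadir=$(ldap_conf_get "$conf" tls_cacertdir)
    rc=0

    case "$ssl" in
        start_tls|on) ;;
        *) echo "$conf: ssl is '$ssl'; binds and lookups go over the wire in clear"; rc=1 ;;
    esac

    case "$checkpeer" in
        yes) ;;
        no)  echo "$conf: tls_checkpeer no; server certificate is never verified, spoofable"; rc=1 ;;
        *)   echo "$conf: tls_checkpeer not set; verification falls back to libldap's TLS_REQCERT in /etc/openldap/ldap.conf, make it explicit"; rc=1 ;;
    esac

    if [ "$checkpeer" = yes ] && [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "$conf: tls_checkpeer yes but no tls_cacertfile/tls_cacertdir; nothing to verify against"
        rc=1
    fi
    return $rc
}

# Constructed sample: the auto-generated file from the thread (weak).
make_weak_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssl start_tls
ldap_version 3
pam_filter objectClass=posixAccount
nss_base_passwd ou=people,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
tls_checkpeer no
EOF
    echo "$f"
}

# Constructed sample: hardened variant. The CA file path is an assumption.
make_strong_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssl start_tls
ldap_version 3
pam_filter objectClass=posixAccount
nss_base_passwd ou=people,dc=ks,dc=mydomain,dc=uni-kiel,dc=de
tls_cacertfile /etc/ssl/certs/ks-ldap-ca.pem
tls_checkpeer yes
EOF
    echo "$f"
}

# Stand-alone demo: the weak file fails the audit, the hardened one passes.
weak=$(make_weak_sample)
strong=$(make_strong_sample)
if audit_ldap_conf "$weak"; then echo "weak sample: PASS (unexpected)"; else echo "weak sample: FAIL as expected"; fi
if audit_ldap_conf "$strong"; then echo "strong sample: PASS"; else echo "strong sample: FAIL (unexpected)"; fi
rm -f "$weak" "$strong"
```

Once tls_cacertfile and tls_checkpeer yes are in place, test the setting itself with a lookup that goes through nss_ldap (for example getent passwd for a directory user) rather than with ldapsearch alone: ldapsearch honours TLS_REQCERT in /etc/openldap/ldap.conf, not nss_ldap's tls_checkpeer, so a passing ldapsearch -ZZ says nothing about what nss_ldap will accept.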