Hello,

Thanks for your reply. I've got a directory going, that is, it authenticates users. I am able to log in as an LDAP user. That's the good news. The bad news is it's probably not the most efficient, and certainly not the most secure. I'm having issues getting TLS going: when I uncomment the TLS directives I get nothing from id or finger, and logins don't happen; commenting everything out works fine. I'm using self-signed certificates.

My second issue is one with passwd. I'd like it to be able to change LDAP passwords in addition to passwords stored on the system. I read several items, one about a patch to passwd, but can't find it or more information on it. The second is a PAM configuration for passwd which looks promising. I would add:

    password required /usr/local/lib/pam_ldap.so

to the bottom of /etc/pam.d/passwd under the unix.so module. I'm not sure if this is right; I don't want to make both modules required and fail out users because they're not in both locations. Do you have this working?

Thanks.
Dave.

-----Original Message-----
From: blind-sysadmins-bounces@lists.hodgsonfamily.org [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G. Heim
Sent: Sunday, June 14, 2009 9:52 PM
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] unix machine and ldap authentication

We do LDAP authentication at the University of Wisconsin Department of Mathematics. If you have specific questions let me know. But I can give you some tips on troubleshooting:

First thing you need to do is make sure you can search the LDAP directory from the client machine. What you want to do is an ldapsearch with debug on and with encryption, so you can tell if your client can talk to the LDAP server. On my systems I'd do something like this:

    $ ldapsearch -d1 -x -ZZ uid=jheim

You will be able to tell if the client knows which server to talk to and if it can find a certificate, etc.

If that works, the next thing to try is finger:

    $ finger jheim

That will tell you if the client machine is configured correctly to identify logins from the LDAP database. I can point you to some howtos if you get stuck at this point. If you get past this point and logins still don't work, then you have to look in the system log on the server to see what queries are being sent from the client. And you have to check /var/log/auth.log on the client machine.

_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins
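Dave's worry about marking both modules `required` in /etc/pam.d/passwd comes down to how Linux-PAM control flags combine. The toy evaluator below is an added illustration, not part of either message and not Linux-PAM code; it assumes the module paths pam_unix.so (local passwords) and /usr/local/lib/pam_ldap.so (LDAP) from the thread and constructs two accounts, one known only to LDAP and one known only locally, to show which stacks lock which users out.

```python
# Toy evaluator of Linux-PAM control-flag semantics (required, requisite,
# sufficient, optional) for a "password" stack such as /etc/pam.d/passwd.
# Added illustration only: it is not Linux-PAM code and runs no real modules.

def parse_stack(text, stack_type="password"):
    """Parse pam.d-style lines into a list of (control, module) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == stack_type:
            stack.append((fields[1], fields[2]))  # ignore module arguments
    return stack

def run_stack(stack, outcomes):
    """outcomes maps a module path to True/False (what that module would return).
    Returns whether the stack as a whole succeeds. Rules (simple keywords only):
      required   - failure marks the stack failed, but later modules still run
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack immediately unless an earlier
                   required module already failed; its failure is ignored
      optional   - ignored unless it is the only module in the stack"""
    required_failed = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not required_failed:
            return True
        elif control == "optional" and len(stack) == 1:
            return ok
    return not required_failed

# Constructed stacks (module paths assumed, as named in the thread).
BOTH_REQUIRED = parse_stack("""
password required   pam_unix.so
password required   /usr/local/lib/pam_ldap.so
""")
LDAP_SUFFICIENT = parse_stack("""
password sufficient /usr/local/lib/pam_ldap.so
password required   pam_unix.so
""")

# Constructed accounts: which backend can change each user's password.
LDAP_ONLY  = {"pam_unix.so": False, "/usr/local/lib/pam_ldap.so": True}
LOCAL_ONLY = {"pam_unix.so": True,  "/usr/local/lib/pam_ldap.so": False}
```

With both modules `required`, a user missing from either backend fails; with pam_ldap `sufficient` ahead of a `required` pam_unix, each account is handled by the backend that knows it, though a successful `sufficient` module ends the stack so modules after it do not run.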