LDAP

in order to use the LDAP client auth on oncoweb2, these steps must be followed:

install openldap (server_client)
install nss_ldap
install pam_ldap

on Mandriva 2010, it seems that pam_ccreds needs to be install manually.

cp working config + certs in /etc/ldap.conf, /etc/openldap/ldap.conf.

Add ldap before files in /etc/nsswitch.com
passwd:         ldap files
shadow:         ldap files
group:          ldap files


configure /etc/pam.d/system_auth (use a working config, but pay attention to the transition from pam_unix to pam_tcb. Example:

auth        required      pam_env.so
auth        sufficient    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
auth        [authinfo_unavail=ignore user_unknown=ignore success=1 default=2] pam
_ldap.so use_first_pass
auth        [default=done] pam_ccreds.so action=validate use_first_pass
auth        [default=done] pam_ccreds.so action=store
auth        [default=bad] pam_ccreds.so action=update
auth        required      pam_deny.so

account     sufficient    pam_tcb.so shadow fork
account     [authinfo_unavail=ignore default=done] pam_ldap.so use_first_pass
account     required      pam_permit.so

password    required      pam_cracklib.so try_first_pass retry=3 minlen=4  dcredit=
0  ucredit=0
password    sufficient    pam_tcb.so use_authtok shadow write_to=shadow fork nullok
 prefix=$2a$ count=8
password    sufficient    pam_ldap.so debug
password    required      pam_deny.so

session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use
_uid
session     required      pam_tcb.so