I miss the LDAP_BASE the most, because it is required to make queries. I see that the wiki page was created a few days ago. Why do I see different environment variables?
root@colla-21091438:/# ldapsearch -D $LDAP_HOSTDN -y /etc/machine.secret -H ldap://$LDAP_MASTER:$LDAP_MASTER_PORT
Warning: Password file /etc/machine.secret is publicly readable/writeable
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
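The "publicly readable/writeable" line above is ldapsearch warning about the mode of the file passed to -y. As an added example that is not part of this thread, a small POSIX shell check that reproduces that test for any password file (the file path is an argument; it assumes GNU stat, as on UCS/Debian):

```shell
#!/bin/sh
# Added example (not from the thread): report whether a password file such as
# /etc/machine.secret is readable or writable by group or other, which is the
# condition that makes "ldapsearch -y" print its warning.
# Exit status: 0 = owner-only permissions, 1 = group/other has access, 2 = missing.
secret_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 2
    # Octal mode, e.g. 600 or 644 (or 4 digits when setuid/sticky bits are set).
    mode=$(stat -c '%a' "$f")
    # Keep only the user/group/other digits.
    mode=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    # Any read/write/execute bit for group or other means "publicly" accessible.
    if [ "$group" -ne 0 ] || [ "$other" -ne 0 ]; then
        return 1
    fi
    return 0
}

# Stand-alone usage: sh check_secret.sh /etc/machine.secret
if [ "$#" -gt 0 ]; then
    secret_perms_ok "$1"
    rc=$?
    case "$rc" in
        0) echo "$1: owner-only permissions, OK" ;;
        1) echo "$1: readable/writable by group or other (mode $(stat -c '%a' "$1")); use chmod 600" ;;
        *) echo "$1: not a regular file" ;;
    esac
    exit "$rc"
fi
```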
The wiki page was indeed created a few days ago. In fact, it was written with https://forge.univention.org/bugzilla/show_bug.cgi?id=46779 in mind without waiting until it is actually fixed. Sorry for the inconvenience. This should work - in a few days.
Please use $LDAP_SERVER, not $LDAP_MASTER, as soon as this works. Some systems do not have access to the LDAP on the DC Master, but only to one on a DC Slave.
Thanks for your answer. On my test system, I can still experiment, using the actual values. I can bind to the host’s LDAP from the container with ldapsearch. Next I tried to configure pam_ldap.so, but it did not work; it failed silently.
uri ldap://ucs-4067.collabora.intranet:7389
binddn cn=colla-21091438,cn=memberserver,cn=computers,dc=collabora,dc=intranet
bindpw 35b983003025e037d1f7dde377a7a74a1737b68cadfbea360c62000fc767ee1a
base dc=collabora,dc=intranet
ldap_version 3
scope sub
pam_password crypt
ssl start_tls
So far, I expected that LDAP users can be authenticated this way, but it did not happen; I get a PAM authentication failure. Any ideas what’s missing, please?
/etc/ldap.conf does not really accept BINDDN nor BINDPW. The former is a user-only option (goes into ~/.ldaprc), the latter does not exist for OpenLDAP.