
Re: Re: getent passwd problems

by charlie derr


stephen mulcahy wrote:

> Hi,
>
> Some updates on this.
>
> 1. I found that you can put the following in /etc/libnss-ldap.conf to
> get some debug out
>
> debug 1
>
> (where from 1-10 for increasing detail).
>
> 2. I also noticed that the LDAP database does not contain uidNumber or
> gidNumber values for entries - is it possible this is what is causing
> "getent passwd" to fail?

Yeah, I think that's definitely going to be a show stopper.

> If so, is there any way to work around this
> (i.e. get libnss-ldap to auto-generate uidNumbers on the fly?)

I'm certainly no expert, but if you don't have those values in LDAP (or even if they're populated, but not visible to cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=ccc ) then I think you're not going to succeed. I'm curious about how you could have managed to populate these entries in your directory (because for objectClass: posixAccount they're both required attributes). Did you turn off schema checking in your OpenLDAP? (I think you must have because if you hadn't, you wouldn't have been able to add them without valid integers being set for both uidNumber and gidNumber ). If so, I imagine that you'll need to reload your entries with the correct values all populated.

        good luck,
                ~c

>
> thanks,
>
> -stephen
>
> stephen mulcahy wrote:
>> Hi,
>>
>> I'm trying to configure both an Ubuntu 8.10 system and a Debian Etch
>> 4.0 system to authenticate against an openldap server. I've done this
>> in the past against other openldap servers without problems but have
>> failed to get nss-ldap so far with this configuration. I suspect I'm
>> missing something in the LDAP search parameters but I'm having trouble
>> debugging this. Are there additional options I can give to nss-ldap to
>> see what query it is sending to the openldap server? I've tried
>> wireshark but since I'm using SSL it doesn't give me anything useful.
>>
>> An ldapsearch against the openldap server gives me the following,
>>
>> ldapsearch -xLLL -H ldaps://aaa.bbb.ie/ -b "ou=BBB
>> Users,dc=ie,dc=bbb,dc=ccc" -D "cn=aproxy,ou=Service Accounts,ou=BBB
>> Users,dc=ie,dc=bbb,dc=local" -wSecret
>> "(&(objectClass=posixAccount)(uid=*))"
>>
>> Returns an answer of the following format,
>>
>> dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB
>> Users,dc=ie,dc=bbb,dc=
>>  ccc
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: posixAccount
>> cn: Stephen Mulcahy
>> sn: Mulcahy
>> givenName: Stephen
>> shadowLastChange: 128763417020503940
>> uid: xxxxxx
>> mail: xxxxxxxx@...
>>
>>
>> So it seems to have valid data.
>>
>> If I install libnss-ldap and edit /etc/nsswitch.conf as follows
>>
>> passwd:         files ldap
>>
>> and edit /etc/libnss-ldap.conf as follows
>>
>> base ou=BBB Users,dc=ie,dc=bbb,dc=ccc
>> uri ldaps://aaa.bbb.ie/
>> ldap_version 3
>>
>> binddn cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
>> bindpw Secret
>>
>> scope sub
>>
>> pam_filter objectclass=posixAccount
>> pam_login_attribute uid
>>
>>
>> nss_schema rfc2307bis
>>
>> nss_base_passwd         ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
>>
>> tls_checkpeer no
>> ssl on
>>
>> and then try running getent passwd, I still only get my local user
>> list, not the additional entries from LDAP. There are no error
>> messages logged in /var/log/auth.log, /var/log/messages or
>> /var/log/syslog
>>
>> Any tips on how to proceed appreciated.
>>
>> Thanks,
>>
>> -stephen
>>
>

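The check charlie's reply implies (are the posixAccount entries actually carrying uidNumber and gidNumber?), written up as an added example that is not part of the thread: it parses ldapsearch -LLL output, unfolding the continuation lines visible in stephen's paste, and lists the required posixAccount attributes each entry lacks. The sample LDIF is constructed to mirror the thread's entry; the `smulcahy` and `okuser` values are placeholders.

```python
# Added example (not from the thread): parse ldapsearch -LLL output, including
# folded continuation lines, and report which posixAccount MUST attributes
# (RFC 2307) each entry lacks; entries without them cannot become passwd records.
REQUIRED = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample modelled on the thread's entry, plus one complete entry.
SAMPLE_LDIF = """\
dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=
 ccc
objectClass: posixAccount
cn: Stephen Mulcahy
uid: smulcahy

dn: uid=okuser,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
objectClass: posixAccount
cn: OK User
uid: okuser
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/okuser
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def missing_posix_attrs(text):
    """Map each posixAccount DN to the REQUIRED attributes it is missing."""
    report = {}
    for entry in parse_ldif(text):
        if "posixAccount" in entry.get("objectClass", []):
            report[entry["dn"][0]] = [a for a in REQUIRED if a not in entry]
    return report
```

Running `missing_posix_attrs` over real `ldapsearch -LLL` output bound as the nss-ldap binddn also shows whether those attributes are visible to that account, which is the other failure charlie mentions.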