Hi,
Some updates on this.
1. I found that you can put the following in /etc/libnss-ldap.conf to
get some debug out:

  debug 1

(where the value ranges from 1 to 10 for increasing detail).
2. I also noticed that the LDAP database does not contain uidNumber or
gidNumber values for entries - is it possible this is what is causing
"getent passwd" to fail? If so, is there any way to work around this
(i.e. get libnss-ldap to auto-generate uidNumbers on the fly?)
thanks,
-stephen
stephen mulcahy wrote:
> Hi,
>
> I'm trying to configure both an Ubuntu 8.10 system and a Debian Etch
> 4.0 system to authenticate against an openldap server. I've done this in
> the past against other openldap servers without problems but have failed
> to get nss-ldap so far with this configuration. I suspect I'm missing
> something in the LDAP search parameters but I'm having trouble debugging
> this. Are there additional options I can give to nss-ldap to see what
> query it is sending to the openldap server? I've tried wireshark but
> since I'm using SSL it doesn't give me anything useful.
>
> An ldapsearch against the openldap server gives me the following,
>
> ldapsearch -xLLL -H ldaps://aaa.bbb.ie/ -b "ou=BBB Users,dc=ie,dc=bbb,dc=ccc" -D "cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=local" -wSecret "(&(objectClass=posixAccount)(uid=*))"
>
> Returns an answer of the following format,
>
> dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: posixAccount
> cn: Stephen Mulcahy
> sn: Mulcahy
> givenName: Stephen
> shadowLastChange: 128763417020503940
> uid: xxxxxx
> mail: xxxxxxxx@...
>
>
> So it seems to have valid data.
>
> If I install libnss-ldap and edit /etc/nsswitch.conf as follows
>
> passwd: files ldap
>
> and edit /etc/libnss-ldap.conf as follows
>
> base ou=BBB Users,dc=ie,dc=bbb,dc=ccc
> uri ldaps://aaa.bbb.ie/
> ldap_version 3
>
> binddn cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
> bindpw Secret
>
> scope sub
>
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
>
> nss_schema rfc2307bis
>
> nss_base_passwd ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
>
> tls_checkpeer no
> ssl on
>
> and then try running getent passwd, I still only get my local user list,
> not the additional entries from LDAP. There are no error messages logged
> in /var/log/auth.log, /var/log/messages or /var/log/syslog.
>
> Any tips on how to proceed appreciated.
>
> Thanks,
>
> -stephen
>
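A quick way to test the hypothesis in point 2 above is to check each entry the search returns for the attributes nss_ldap needs before it can emit a passwd line at all. The following is an added example, not code from the thread or from libnss-ldap: it parses a constructed LDIF sample (names and values are made up, shaped like the redacted result above) and reports which of the RFC 2307 posixAccount attributes each entry lacks, and what the passwd line would look like for a complete entry.

```python
# Attributes nss_ldap maps into a passwd(5) line. RFC 2307 lists these as
# MUST for posixAccount (cn as well, used below only as the gecos fallback).
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample, not real directory data. The first entry mirrors the
# redacted result in the thread (folded dn, no uidNumber/gidNumber); the
# second is complete.
SAMPLE_LDIF = """\
dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=c
 cc
objectClass: posixAccount
cn: Stephen Mulcahy
uid: smulcahy

dn: uid=alice,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
"""

def parse_ldif(text):
    """Minimal LDIF reader: a line starting with a space continues the previous
    line (folding); a blank line ends an entry. Base64 ('::') values are not handled."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def missing_for_passwd(entry):
    """Attributes without which nss_ldap cannot build a passwd line."""
    return [a for a in REQUIRED if a not in entry]

def passwd_line(entry):
    """passwd(5) line for a complete entry, None when attributes are missing."""
    if missing_for_passwd(entry):
        return None
    gecos = entry.get("gecos", entry.get("cn", [""]))[0]
    shell = entry.get("loginShell", [""])[0]  # left empty here when absent
    return ":".join([entry["uid"][0], "x", entry["uidNumber"][0],
                     entry["gidNumber"][0], gecos, entry["homeDirectory"][0], shell])
```

Feeding it the real `ldapsearch -LLL` output instead of the sample shows immediately which entries getent can never list, independent of the search parameters.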