getent passwd problems

Hi,

I'm trying to configure both an Ubuntu 8.10 system and a Debian Etch 4.0 system to authenticate against an openldap server. I've done this in the past against other openldap servers without problems but have failed to get nss-ldap working so far with this configuration. I suspect I'm missing something in the LDAP search parameters but I'm having trouble debugging this. Are there additional options I can give to nss-ldap to see what query it is sending to the openldap server? I've tried wireshark but since I'm using SSL it doesn't give me anything useful.

An ldapsearch against the openldap server gives me the following,

    ldapsearch -xLLL -H ldaps://aaa.bbb.ie/ -b "ou=BBB Users,dc=ie,dc=bbb,dc=ccc" -D "cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=local" -wSecret "(&(objectClass=posixAccount)(uid=*))"

Returns an answer of the following format,

    dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    cn: Stephen Mulcahy
    sn: Mulcahy
    givenName: Stephen
    shadowLastChange: 128763417020503940
    uid: xxxxxx
    mail: xxxxxxxx@...

So it seems to have valid data.

If I install libnss-ldap and edit /etc/nsswitch.conf as follows

    passwd: files ldap

and edit /etc/libnss-ldap.conf as follows

    base ou=BBB Users,dc=ie,dc=bbb,dc=ccc
    uri ldaps://aaa.bbb.ie/
    ldap_version 3

    binddn cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
    bindpw Secret

    scope sub

    pam_filter objectclass=posixAccount
    pam_login_attribute uid

    nss_schema rfc2307bis

    nss_base_passwd ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc

    tls_checkpeer no
    ssl on

and then try running getent passwd, I still only get my local user list, not the additional entries from LDAP. There are no error messages logged in /var/log/auth.log, /var/log/messages or /var/log/syslog.

Any tips on how to proceed appreciated.

Thanks,

-stephen
Re: getent passwd problems

Hi,

Some updates on this.

1. I found that you can put the following in /etc/libnss-ldap.conf to get some debug out

    debug 1

(where from 1-10 for increasing detail).

2. I also noticed that the LDAP database does not contain uidNumber or gidNumber values for entries - is it possible this is what is causing "getent passwd" to fail? If so, is there any way to work around this (i.e. get libnss-ldap to auto-generate uidNumbers on the fly?)

thanks,

-stephen

stephen mulcahy wrote:
> Hi,
>
> I'm trying to configure both an Ubuntu 8.10 system and a Debian Etch
> 4.0 system to authenticate against an openldap server. I've done this in
> the past against other openldap servers without problems but have failed
> to get nss-ldap so far with this configuration. I suspect I'm missing
> something in the LDAP search parameters but I'm having trouble debugging
> this. Are there additional options I can give to nss-ldap to see what
> query it is sending to the openldap server? I've tried wireshark but
> since I'm using SSL it doesn't give me anything useful.
>
> An ldapsearch against the openldap server gives me the following,
>
> ldapsearch -xLLL -H ldaps://aaa.bbb.ie/ -b "ou=BBB
> Users,dc=ie,dc=bbb,dc=ccc" -D "cn=aproxy,ou=Service Accounts,ou=BBB
> Users,dc=ie,dc=bbb,dc=local" -wSecret
> "(&(objectClass=posixAccount)(uid=*))"
>
> Returns an answer of the following format,
>
> dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB
> Users,dc=ie,dc=bbb,dc=
>  ccc
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: posixAccount
> cn: Stephen Mulcahy
> sn: Mulcahy
> givenName: Stephen
> shadowLastChange: 128763417020503940
> uid: xxxxxx
> mail: xxxxxxxx@...
>
> So it seems to have valid data.
>
> If I install libnss-ldap and edit /etc/nsswitch.conf as follows
>
> passwd: files ldap
>
> and edit /etc/libnss-ldap.conf as follows
>
> base ou=BBB Users,dc=ie,dc=bbb,dc=ccc
> uri ldaps://aaa.bbb.ie/
> ldap_version 3
>
> binddn cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
> bindpw Secret
>
> scope sub
>
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
> nss_schema rfc2307bis
>
> nss_base_passwd ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
>
> tls_checkpeer no
> ssl on
>
> and then try running getent passwd, I still only get my local user list,
> not the additional entries from LDAP. There are no error messages logged
> in /var/log/auth.log, /var/log/messages or /var/log/syslog
>
> Any tips on how to proceed appreciated.
>
> Thanks,
>
> -stephen
Re: Re: getent passwd problems

charlie derr wrote:
> stephen mulcahy wrote:
>> Hi,
>>
>> Some updates on this.
>>
>> 1. I found that you can put the following in /etc/libnss-ldap.conf to
>> get some debug out
>>
>> debug 1
>>
>> (where from 1-10 for increasing detail).
>>
>> 2. I also noticed that the LDAP database does not contain uidNumber or
>> gidNumber values for entries - is it possible this is what is causing
>> "getent passwd" to fail?

If you do a slapcat on your ldap directory, do you see uidNumber or gidNumber attributes? If so you may have neglected to rerun slapindex after adding them as indexes (having made this mistake myself).

If you need to run slapindex, shutdown openldap first, run slapindex, start back up after verifying permissions...

--
Josh Miller, RHCE/VCP
Seattle, WA
Re: Re: getent passwd problems

On Wednesday 11 February 2009 01:02:58 Josh Miller wrote:
> charlie derr wrote:
> > stephen mulcahy wrote:
> >> Hi,
> >>
> >> Some updates on this.
> >>
> >> 1. I found that you can put the following in /etc/libnss-ldap.conf to
> >> get some debug out
> >>
> >> debug 1
> >>
> >> (where from 1-10 for increasing detail).
> >>
> >> 2. I also noticed that the LDAP database does not contain uidNumber or
> >> gidNumber values for entries - is it possible this is what is causing
> >> "getent passwd" to fail?
>
> If you do a slapcat on your ldap directory, do you see uidNumber or
> gidNumber attributes? If so you may have neglected to rerun slapindex
> after adding them as indexes (having made this mistake myself).
>
> If you need to run slapindex, shutdown openldap first, run slapindex,
> start back up after verifying permissions...

Missing indexes for attributes you have told slapd are indexed would mean that searches on these attributes would not work (i.e., searching using the affected attribute in a filter). However, the attributes are still missing even though the entry is found. So, the most likely cause here is ACLs preventing reading of the uidNumber attribute (the uidNumber attribute *must* be present according to the schema definition for the posixAccount objectclass, which is on the example).

Regards,
Buchan
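To tell the two explanations apart (attribute never set, or set but hidden by slapd ACLs from the cn=aproxy bind DN), run the same ldapsearch with the -D binddn from /etc/libnss-ldap.conf and check every posixAccount entry in the result for the attributes nss_ldap needs to build a passwd line; either way, an entry lacking them is silently dropped from getent passwd. The Python below is an added example, not from the thread: it parses ldapsearch's LDIF output (including folded continuation lines), and the embedded sample LDIF is constructed, modelled on the entry posted earlier.

```python
# RFC 2307 posixAccount MUST attributes used by nss_ldap, plus uid (the login name).
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample: first entry has no number attributes; its dn is folded as ldapsearch wraps it.
SAMPLE_LDIF = """\
dn: cn=Stephen Mulcahy,ou=Researchers,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=
 ccc
objectClass: posixAccount
uid: smulcahy

dn: uid=jdoe,ou=Users,ou=BBB Users,dc=ie,dc=bbb,dc=ccc
objectClass: posixAccount
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})], joining LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                    # LDIF fold: leading space joins lines
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                       # sentinel flushes the last entry
        if line:
            name, _, value = line.partition(":")
            name, value = name.lower(), value.strip()   # base64 ("::") values not decoded
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        elif dn is not None:                        # blank line ends an entry
            entries.append((dn, attrs))
            dn, attrs = None, {}
    return entries

def missing_posix_attrs(ldif_text):
    """Map dn -> REQUIRED attributes absent from each posixAccount entry."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        is_account = "posixaccount" in map(str.lower, attrs.get("objectclass", []))
        missing = [a for a in REQUIRED if a.lower() not in attrs]
        if is_account and missing:
            report[dn] = missing
    return report
```

Pipe real output in (ldapsearch -xLLL ... -D "<binddn>" -w "<bindpw>" "(objectClass=posixAccount)") and anything the report lists is an entry nss_ldap cannot return, whether the attribute is absent or merely unreadable by that bind DN.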
Re: Re: getent passwd problems

charlie derr wrote:
>> 2. I also noticed that the LDAP database does not contain uidNumber or
>> gidNumber values for entries - is it possible this is what is causing
>> "getent passwd" to fail?
>
> Yeah, I think that's definitely going to be a show stopper.

Thanks for the quick reply - and the confirmation that this is the problem.

> I'm certainly no expert, but if you don't have those values in LDAP (or
> even if they're populated, but not visible to
> cn=aproxy,ou=Service Accounts,ou=BBB Users,dc=ie,dc=bbb,dc=ccc ) then I
> think you're not going to succeed. I'm curious about how you could have
> managed to populate these entries in your directory (because for
> objectClass: posixAccount they're both required attributes). Did you
> turn off schema checking in your OpenLDAP? (I think you must have
> because if you hadn't, you wouldn't have been able to add them without
> valid integers being set for both uidNumber and gidNumber). If so, I
> imagine that you'll need to reload your entries with the correct values
> all populated.

I don't have access to the openldap server I'm working against but afaik it is a proxy for an AD server and is mapping some fields on the fly - so it may not be doing any schema validation. I've passed a request back up the chain to get uidNumber, gidNumber and other posixAccount fields added in but it may take some time to get that sorted out.

Thanks,

-stephen