nss_ldap on FreeBSD 5.3

2005-11-21 Thread Robert Fitzpatrick
I find several docs on setting this up, but none pertaining to linux
compat. Can anyone point me to some instructions for setting this up
properly?

--
Robert

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: nss_ldap on FreeBSD 5.3

2005-11-21 Thread Nathan Vidican

Robert Fitzpatrick wrote:

> I find several docs on setting this up, but none pertaining to linux
> compat. Can anyone point me to some instructions for setting this up
> properly?
>
> --
> Robert



Um... actually VERY easy...

Step 1:   install nss_ldap & pam_ldap
2:        edit /usr/local/etc/nss_ldap.conf
          edit /usr/local/etc/ldap.conf
          edit /usr/local/etc/ldap.secret
3:        edit /etc/nsswitch.conf, change from 'files' to 'files ldap' for 'group',
          and 'passwd' (optionally) 'hosts' too.
4:        do a quick 'ldapsearch -x' to make sure you are connecting/searching the
          correct ldap tree...
5:        edit /etc/pam.d/service file(s) for which types of accounts you want to
          authenticate. ie: system, login, ftp, ssh, other, etc... should have to add a
          line like:

auth    sufficient  /usr/local/lib/pam_ldap.so  try_first_pass

That should be it. Assuming your libraries are up to date, you have a valid
db/tree in ldap you can connect and search... then you should be able to login
right away.



--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/


Re: nss_ldap on FreeBSD 5.3

2005-11-21 Thread Robert Fitzpatrick
On Mon, 2005-11-21 at 10:49 -0500, Nathan Vidican wrote:
> Robert Fitzpatrick wrote:
> > I find several docs on setting this up, but none pertaining to linux
> > compat. Can anyone point me to some instructions for setting this up
> > properly?
> Um... actually VERY easy...
>
> Step 1:   install nss_ldap & pam_ldap
> 2:        edit /usr/local/etc/nss_ldap.conf
>           edit /usr/local/etc/ldap.conf
>           edit /usr/local/etc/ldap.secret
> 3:        edit /etc/nsswitch.conf, change from 'files' to 'files ldap' for
>           'group', and 'passwd' (optionally) 'hosts' too.
> 4:        do a quick 'ldapsearch -x' to make sure you are connecting/searching
>           the correct ldap tree...
> 5:        edit /etc/pam.d/service file(s) for which types of accounts you
>           want to authenticate. ie: system, login, ftp, ssh, other, etc...
>           should have to add a line like:
>
> auth    sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
>

Thanks, that was easy, I was just missing the part about nss_ldap.conf,
I didn't realize there was a separate file for nss. I have the logins
working with gnome well, but I noticed once I login as an LDAP user, I
cannot su to root in terminal session...

[EMAIL PROTECTED] su
Password:
su: Sorry
[EMAIL PROTECTED]

Can someone point out why this happens?

--
Robert



Re: nss_ldap on FreeBSD 5.3

2005-11-21 Thread Nathan Vidican
Two things to check, first off, user must be in group 'wheel' (gid 0), in order
to su, and also check settings in /etc/pam.d/su, (su has separate settings).


--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/

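The checks behind Nathan's two answers (the 'files ldap' entries in nsswitch.conf, the pam_ldap auth line in a pam.d service file, wheel membership for su, and a private ldap.secret) as an added offline example, not code from the thread or from the nss_ldap/pam_ldap ports; the config snippets it reads are constructed, and the pam.d/su text is only modelled on FreeBSD's stock file.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for an nss_ldap /
# pam_ldap setup. On a real host feed the functions the contents of
# /etc/nsswitch.conf, /etc/pam.d/su and the wheel line from 'pw groupshow wheel'.

# 0 if database $2 in nsswitch.conf text $1 reads 'files ldap': local files
# first, so root and wheel still resolve while the LDAP server is unreachable.
nss_uses_ldap() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        { sub(/#.*/, "") }                                   # strip comments
        $1 == key { seen = 1; if ($2 == "files" && $3 == "ldap") ok = 1 }
        END { exit (seen && ok) ? 0 : 1 }'
}

# 0 if pam.d service text $1 has an 'auth' line whose module is pam_ldap.so.
pam_has_ldap_auth() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        $1 == "auth" && $3 ~ /pam_ldap\.so$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# 0 if user $2 appears in the member field of a group(5)-style wheel line $1;
# an LDAP user missing here gets "su: Sorry" from pam_group's group=wheel rule.
in_wheel() {
    members=$(printf '%s' "$1" | cut -d: -f4)
    case ",$members," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# 0 if ldap.secret at path $1 is unreadable by group and others (it holds the
# bind password, so anything wider than 0600 leaks directory credentials).
secret_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Constructed inputs, not copied from any real host.
NSS_GOOD='passwd: files ldap
group:  files ldap   # hosts stays on dns
hosts:  files dns'
NSS_LOCAL_ONLY='passwd: files
group:  files'
PAM_SU='auth  sufficient  pam_rootok.so  no_warn
auth  requisite   pam_group.so   no_warn group=wheel root_only fail_safe
auth  sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
auth  include     system'
WHEEL_LINE='wheel:*:0:root,alice'

nss_uses_ldap "$NSS_GOOD" passwd && echo "passwd: files ldap ok"
nss_uses_ldap "$NSS_LOCAL_ONLY" group || echo "group: ldap not consulted"
pam_has_ldap_auth "$PAM_SU" && echo "pam.d/su: pam_ldap present"
in_wheel "$WHEEL_LINE" bob || echo "bob is not in wheel: su will refuse"
```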


Re: nss_ldap on FreeBSD 5.3

2005-11-21 Thread Robert Fitzpatrick
On Mon, 2005-11-21 at 13:05 -0500, Nathan Vidican wrote:
> Two things to check, first off, user must be in group 'wheel' (gid 0), in
> order to su, and also check settings in /etc/pam.d/su, (su has separate
> settings).
>

wheel, duh! sorry for asking such stupid questions. I hope this one is
not so stupid - how can I get the users to show up on the user list in
the gdm when using a template that shows a list of all users? I
have /etc/pam.d/gdm all setup and can login no problem with LDAP users.
Actually, this list does not even populate with the system users.

BTW, after several years working with FreeBSD as a server, this is the
first time using FreeBSD as a workstation with GUI, very nice. I think
better than my Linux workstation as far as the number of bugs (haven't
found any yet). But I'll have to admit, the setup for things like LDAP
much easier in SuSE Linux, all integrated into GUI. But I choose
stability over ease of use.



Problem with nss_ldap in FreeBSD 5.3-RELEASE/AMD64

2005-01-24 Thread Nathan Vidican
Hey All,

Not entirely sure which list this should be sent to, so I figured sending to
the general list would be a good start. If there's a more appropriate list,
could someone kindly reply and direct me as to who else may be better able
to help solve or at least point me in the right direction to solve this
problem myself. - Thanks.

That said, here goes; I am apparently encountering an overflow of sorts with
nss_ldap on FreeBSD:

-
Currently running OpenLDAP server, to store all local
usernames/passwords/groups/shells/homedirs info. The accounts are shared
between the system on the FreeBSD side using posixAccount attributes, and on
the Windows side using sambaSamAccount attributes. We are using the FreeBSD
port of LAM to create/modify/manage users and groups internally through a
web-based interface running on Apache/php. Further details, including
version specifics, etc will follow, just prefer to give you an idea of the
problem we're having before wasting your time reading all the really
specific stuff.

Here's the problem, only a few selected usernames (4 out of about 190 or
so), root cannot do a 'cd ~username'. This seems to cause issues with samba,
and the list just goes on from there. What happens when one logged in as
root types in the command 'cd ~username', is apparently an overflow of some
sort which leaves one connected to the LDAP session, a simple [CTRL]+D
releases one back to console. This same condition occurs when ANY user (not
just root) attempts to cd to one of these 4 user directories; what troubles
me most, is this happens regardless of permission issues to the filesystem,
as it is apparently during the username lookup that it happens, to what
extent the open session can allow someone access as an intruder of sorts I
do not know - but nonetheless fear as an administrator, that this could be a
security risk as well. I have attached a UNICODE txt file of a session which
shows what one gets on the console when one attempts to 'cd ~USERNAME',
where 'USERNAME' was edited removing the original username.


Here's what I've tried to resolve the issue:

First tried re-creating the user objects in the LDAP tree, failing that, I
removed them, and re-created them with different UID numbers; essentially
making them different objects with different distinctive names (DN's) in the
database - nothing, same problem.

Removed and re-created the physical directory entries on the disk as well,
including proper ownership and permissions each time I changed the
associated entry in the LDAP tree as well - even tried changing where/which
disk the homedir was physically stored on.

Lastly, I tried removing the entire LDAP database, and restoring FIRST the
troublesome users only - same problem still. Added in the rest of the users
via an LDIF export (backup of db before I toasted it) - still same problem.
I figure spelling can't really be an issue; all usernames here follow the
same convention (first letter of first name, followed by first 7 characters
of last name, no numeric nor punctual characters of any sort). All four
usernames are phonetically distinct and do not share any alphabetic pattern
whatsoever either (I'd prefer not to send them out to the general list, as
this machine is currently in production, and given the nature of what these
accounts are causing I'd prefer not opening up a whole new security risk
here).

More Detailed Information Follows:
--
FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 03:50:01 UTC 2004
amd64
OpenLDAP, nss_ldap & pam_ldap installed from ports-tree, using versions as
follows
  (pkg_info -a reports: openldap-client-2.2.15, openldap-server-2.2.15,
  pam_ldap-1.7.1_1, nss_ldap-1.204_5)
Samba Version Samba-3.0.8, compiled with LDAP SAM support, acting as PDC for
Win2K/WinXP Clients

Still running GENERIC kernel (intent upon eventually getting around to
making a new one, removing a lot of debugging and what-not once all is up
and running well for a boost in performance).

The machine is an AMD Opteron 146-based system, with 2GB ECC registered
memory, (dual capable board, eventually going to go with dual 246 Opterons
when we can take them from a workstation and upgrade the workstation to
faster cpus). Using WDC RAID Edition S-ATA 250GB Drives, the on-board
Broadcom GigE controllers (2), and on-board ATI video controller. The drives
are configured in a RAID 5 array, attached each to an independent channel on
a 3Ware Escalade 9500 series S-ATA controller, for a total of 705GB and
change storage across 4 partitions (2GB /, 10GB /usr, 40GB /var, rest as
/server).

Attached is a copy of an (edited for username) session which details what
happens when this error occurs. There are no errors reported in the OpenLDAP
nor the system/auth logs to give you, but if anything else is needed please
don't hesitate to ask.

Problem with nss_ldap in FreeBSD 5.3-RELEASE/AMD64 (2nd edition)

2005-01-24 Thread Nathan Vidican
Hey All, - Sorry, forgot the attachment, same msg as earlier follows: