Re: An LDAP authentication howto for Debian?
On Tue, May 22, 2001 at 03:17:17PM +0200, Russell Coker wrote:
| On Tuesday 22 May 2001 11:58, Fredrik Steen wrote:
| > Hi I'm trying to get a 12-node cluster to use LDAP as authentication.
| > But I have run into trouble. Importing of the users worked fine, now
| > I'm trying to import the groups using the migration tools from
| > padl.com. Here is what I get.
| >
| > $ ldapadd -v -x -D cn=admin,dc=carambole,dc=com -W -f group.ldif
| > ldap_initialize( DEFAULT )
| > Enter LDAP Password:
| > add objectClass:
| >         posixGroup
| >         top
| > add cn:
| >         root
| > add userPassword:
| >         {crypt}x
| > add gidNumber:
| >         0
| > adding new entry cn=root,ou=Group,dc=carambole,dc=com
| > ldap_add: No such object
| >         matched DN: dc=carambole, dc=com
|
| I just tried it using the data you supplied and it worked fine for me.
|
| Are you sure that the entry ou=Group,dc=carambole,dc=com exists and is OK?
|
| Currently I suspect that I may have found a bug in OpenLDAP 2.0.7 (the
| version in Debian) because I found it to start doing some strange things when
| I was doing modrdn operations which resulted in some of my data becoming
| invisible to the ldap browser (but slapcat could still find it). I had to
| run a slapcat then remove the database files and recreate them with slapadd
| to get it going again!
|
| When I get some time I'll play with it some more and try to track it down.
| If all else fails I suggest a slapcat/slapadd just in case...
|
[...]

Florian Friesdorf pointed out that I may have forgotten to run the
migrate_base.pl script from the MigrationTools supplied by www.padl.com.
And indeed he was right.

--
.Fredrik Steen - http://www.stone.nu -
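The failure resolved in the message above (group entries added before their ou=Group container exists) can be caught before running ldapadd. The following is an added example, not code from the thread or from MigrationTools: it reads an LDIF file in order and reports every entry whose immediate parent is neither in the directory nor created earlier in the file, together with the deepest ancestor that does exist, which is what the server prints as "matched DN". The ou=People entry, the second group and the case-insensitive DN comparison are assumptions made for the illustration.

```python
import base64


def unfold(text):
    """Undo RFC 2849 folding: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_dns(text):
    """Return the DNs of all records in file order ('dn::' values are base64)."""
    dns = []
    for line in unfold(text):
        head = line[:4].lower()
        if head == "dn::":
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif head.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def split_dn(dn):
    """Split a DN on unescaped commas and normalise each RDN.

    Lower-casing is an approximation (assumption): it is right for the
    case-insensitive naming attributes used here (cn, ou, dc).
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return tuple(p.strip().lower() for p in parts if p.strip())


def check_import(suffix, existing_dns, ldif_text):
    """Simulate the add order and return (dn, missing_parent, matched_dn) tuples."""
    suffix_t = split_dn(suffix)
    present = {split_dn(d) for d in existing_dns}
    problems = []
    for dn in ldif_dns(ldif_text):
        rdns = split_dn(dn)
        parent = rdns[1:]
        if rdns == suffix_t or not parent or parent in present:
            present.add(rdns)
            continue
        # Walk up until an existing ancestor is found: the server's "matched DN".
        matched = parent
        while matched and matched not in present:
            matched = matched[1:]
        problems.append((dn, ",".join(parent), ",".join(matched)))
    return problems


SUFFIX = "dc=carambole,dc=com"
# Constructed directory state: the suffix plus a users container (assumed name).
EXISTING = ["dc=carambole,dc=com", "ou=People,dc=carambole,dc=com"]

# First record is the one shown in the thread; the second is constructed and
# uses a folded dn line to exercise unfold().
GROUP_LDIF = """dn: cn=root,ou=Group,dc=carambole,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=daemon,ou=Group,
 dc=carambole,dc=com
objectClass: posixGroup
objectClass: top
cn: daemon
gidNumber: 1
"""

# Constructed container entry of the kind the base LDIF is expected to supply.
BASE_LDIF = """dn: ou=Group,dc=carambole,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Group

"""

if __name__ == "__main__":
    for dn, parent, matched in check_import(SUFFIX, EXISTING, GROUP_LDIF):
        print("would fail: %s (missing parent %s, matched DN %s)" % (dn, parent, matched))
    print("after base import:", check_import(SUFFIX, EXISTING, BASE_LDIF + GROUP_LDIF))
```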
Re: An LDAP authentication howto for Debian?
On Sun, May 20, 2001 at 05:19:27PM +0200, Florian Friesdorf wrote:
| On Sun, Apr 29, 2001 at 04:52:54AM -0700, Simon Tennant wrote:
| > I wrote a howto about 6 months back. It was tricky setting up but I think
| > I cover most of the potential disaster areas in my howto.
| >
| > http://www.imaginator.com/~simon/ldap/
|
[...]

Hi I'm trying to get a 12-node cluster to use LDAP as authentication.
But I have run into trouble. Importing of the users worked fine, now
I'm trying to import the groups using the migration tools from
padl.com. Here is what I get.

$ ldapadd -v -x -D cn=admin,dc=carambole,dc=com -W -f group.ldif
ldap_initialize( DEFAULT )
Enter LDAP Password:
add objectClass:
        posixGroup
        top
add cn:
        root
add userPassword:
        {crypt}x
add gidNumber:
        0
adding new entry cn=root,ou=Group,dc=carambole,dc=com
ldap_add: No such object
        matched DN: dc=carambole, dc=com

ldif_record() = 32

$ ldapsearch -x -L -b dc=carambole, dc=com (objectClass=posixGroup)
version: 1

#
# filter: (objectClass=posixGroup)
# requesting: ALL
#

# search result

# numResponses: 1

$ cat group.ldif | head -n 7
dn: cn=root,ou=Group,dc=carambole,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

$ grep include /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/inetorgperson.schema

How do I add the groups?

--
.Fredrik Steen - http://www.stone.nu -
Re: An LDAP authentication howto for Debian?
On Tuesday 22 May 2001 11:58, Fredrik Steen wrote:
> Hi I'm trying to get a 12-node cluster to use LDAP as authentication.
> But I have run into trouble. Importing of the users worked fine, now
> I'm trying to import the groups using the migration tools from
> padl.com. Here is what I get.
>
> $ ldapadd -v -x -D cn=admin,dc=carambole,dc=com -W -f group.ldif
> ldap_initialize( DEFAULT )
> Enter LDAP Password:
> add objectClass:
>         posixGroup
>         top
> add cn:
>         root
> add userPassword:
>         {crypt}x
> add gidNumber:
>         0
> adding new entry cn=root,ou=Group,dc=carambole,dc=com
> ldap_add: No such object
>         matched DN: dc=carambole, dc=com

I just tried it using the data you supplied and it worked fine for me.

Are you sure that the entry ou=Group,dc=carambole,dc=com exists and is OK?

Currently I suspect that I may have found a bug in OpenLDAP 2.0.7 (the
version in Debian) because I found it to start doing some strange things when
I was doing modrdn operations which resulted in some of my data becoming
invisible to the ldap browser (but slapcat could still find it). I had to
run a slapcat then remove the database files and recreate them with slapadd
to get it going again!

When I get some time I'll play with it some more and try to track it down.
If all else fails I suggest a slapcat/slapadd just in case...

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 04:52:54AM -0700, Simon Tennant wrote:
> I wrote a howto about 6 months back. It was tricky setting up but I think
> I cover most of the potential disaster areas in my howto.
>
> http://www.imaginator.com/~simon/ldap/

After successfully setting up ldap authentication according to your howto, I
recommend you add a section about schemas.
In order to get it running with a woody server and sid client, I needed to
add more includes to the interactively generated /etc/ldap/slapd.conf.

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/inetorgperson.schema

Otherwise, the migration tools will fail, as they use attributetypes not
defined in core.schema.

I also had problems finding documentation for PAM. Which modules are
available? What arguments do those take?
Perhaps you can point me to a good source of information, or add some links
to the HOWTO.

tia
florian

--
Florian Friesdorf [EMAIL PROTECTED]
OpenPGP key available on public key servers

-- Save the future of Open Source --
- Online-Petition against Software Patents -
-- http://petition.eurolinux.org ---
Re: An LDAP authentication howto for Debian?
On Saturday 05 May 2001 06:48, [EMAIL PROTECTED] wrote:
> Since we're on the subject of LDAP, one thing I hate about LDAP, and it
> may be just my ignorance, is this: I'm used to using PH for mail routing.
> Within PH, for the user record, you can add many aliases for them, which
> sendmail happily uses. I can't figure out how to do this with LDAP!
> Does anyone have an eyedeer?

When using LDAP for email aliases you have multi-valued attributes for both
the incoming address and the delivery address. This allows you to have one
user with multiple email addresses, an alias expansion to multiple users, or
a multi-user alias with multiple addresses.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
Re: An LDAP authentication howto for Debian?
On Sun, May 06, 2001 at 11:22:09AM +0200, Russell Coker wrote:
> On Saturday 05 May 2001 06:48, [EMAIL PROTECTED] wrote:
> > Since we're on the subject of LDAP, one thing I hate about LDAP, and it
> > may be just my ignorance, is this: I'm used to using PH for mail routing.
> > Within PH, for the user record, you can add many aliases for them, which
> > sendmail happily uses. I can't figure out how to do this with LDAP!
> > Does anyone have an eyedeer?
>
> When using LDAP for email aliases you have multi-valued attributes for both
> the incoming address and the delivery address. This allows you to have one
> user with multiple email addresses, an alias expansion to multiple users, or
> a multi-user alias with multiple addresses.

I think I tried all that. What attributes? All the ones I tried are being
limited to a single value.

Tim

--
Tim Sailer (at home)
Coastal Internet, Inc.
Network and Systems Operations
PO Box 671
http://www.buoy.com
Ridge, NY 11961
[EMAIL PROTECTED][EMAIL PROTECTED]
(631) 924-3728
Re: An LDAP authentication howto for Debian?
On Sunday 06 May 2001 16:10, [EMAIL PROTECTED] wrote:
> > When using LDAP for email aliases you have multi-valued attributes for
> > both the incoming address and the delivery address. This allows you to
> > have one user with multiple email addresses, an alias expansion to
> > multiple users, or a multi-user alias with multiple addresses.
>
> I think I tried all that. What attributes? All the ones I tried are being
> limited to a single value.

mailLocalAddress for the address that mail is to be sent on to (the target of
the alias).
mail AKA rfc822Mailbox for the address that people will send mail to.

This should be in the documentation of your mail server.

--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
Re: An LDAP authentication howto for Debian?
[EMAIL PROTECTED] wrote:
> On Sun, May 06, 2001 at 11:22:09AM +0200, Russell Coker wrote:
> > On Saturday 05 May 2001 06:48, [EMAIL PROTECTED] wrote:
> > > Since we're on the subject of LDAP, one thing I hate about LDAP, and it
> > > may be just my ignorance, is this: I'm used to using PH for mail routing.
> > > Within PH, for the user record, you can add many aliases for them, which
> > > sendmail happily uses. I can't figure out how to do this with LDAP!
> > > Does anyone have an eyedeer?
> >
> > When using LDAP for email aliases you have multi-valued attributes for
> > both the incoming address and the delivery address. This allows you to
> > have one user with multiple email addresses, an alias expansion to
> > multiple users, or a multi-user alias with multiple addresses.
>
> I think I tried all that. What attributes? All the ones I tried are being
> limited to a single value.
>
> Tim

Well, you may try MailAlternateAddress, this attribute is multi-valued.
For example, here's the ldapsource I use for a postfix configuration:

ldapsource_server_host = $myhostname
ldapsource_server_port = 389
ldapsource_search_base = dc=test,dc=org
ldapsource_timeout = 5
ldapsource_query_filter = (&(objectclass=mailrecipient)(mailalternateaddress=%s))
ldapsource_result_attribute = mail

Well, you have to put it on

virtual_maps = ldap:ldapsource
alias_maps = ldap:ldapsource

It was pretty simple with postfix as usual :)
I don't know if you can set a query_filter with sendmail but this is not an
LDAP problem, that's why you don't have to hate LDAP for that!

Hugh
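How the lookup in the configuration above resolves aliases through a multi-valued attribute, as an added example that is not part of the original messages and not Postfix code: it substitutes the address into the query filter (written as an RFC 4515 AND) with the escaping RFC 4515 requires, evaluates it against a few constructed in-memory entries, and returns the values of the result attribute. The entries, the addresses and the tiny AND-of-equalities evaluator are assumptions made for the illustration.

```python
import re

# Filter and result attribute as in the configuration above.
QUERY_FILTER = "(&(objectclass=mailrecipient)(mailalternateaddress=%s))"
RESULT_ATTRIBUTE = "mail"

# Constructed sample entries; attribute values are lists because LDAP
# attributes are multi-valued unless the schema says SINGLE-VALUE.
ENTRIES = [
    {"objectClass": ["top", "mailRecipient"],
     "mail": ["alice@test.org"],
     "mailAlternateAddress": ["a.smith@test.org", "sales@test.org"]},
    {"objectClass": ["top", "mailRecipient"],
     "mail": ["bob@test.org"],
     "mailAlternateAddress": ["sales@test.org", "build*team@test.org"]},
    {"objectClass": ["top", "organizationalUnit"],
     "mailAlternateAddress": ["sales@test.org"]},  # wrong objectClass: ignored
]


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(address):
    """Substitute an address for %s, escaped so it is matched literally."""
    return QUERY_FILTER % escape_filter_value(address)


# One equality item: (attr=value) where special characters appear only as \XX.
_ITEM = re.compile(r"\(([A-Za-z][\w-]*)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)")


def parse_and_filter(flt):
    """Parse '(&(a=v)(b=w))' into [(attr, value)].

    Only an AND of equality items is supported, which is all this filter
    uses. A real server would read an unescaped '*' as a substring wildcard;
    this strict parser rejects it instead.
    """
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&...) filters are supported")
    body, items, pos = flt[2:-1], [], 0
    while pos < len(body):
        m = _ITEM.match(body, pos)
        if not m:
            raise ValueError("malformed or unsupported item at offset %d" % pos)
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda h: chr(int(h.group(1), 16)), m.group(2))
        items.append((m.group(1).lower(), value))
        pos = m.end()
    return items


def lookup(entries, address):
    """Return the result-attribute values of every entry matching the filter."""
    terms = parse_and_filter(build_filter(address))
    results = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items()}
        if all(any(v.lower() == want.lower() for v in attrs.get(name, []))
               for name, want in terms):
            results.extend(attrs.get(RESULT_ATTRIBUTE, []))
    return results


if __name__ == "__main__":
    for addr in ("a.smith@test.org", "sales@test.org", "build*team@test.org"):
        print(addr, "->", lookup(ENTRIES, addr), "via", build_filter(addr))
```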
Re: An LDAP authentication howto for Debian?
Since we're on the subject of LDAP, one thing I hate about LDAP, and it
may be just my ignorance, is this: I'm used to using PH for mail routing.
Within PH, for the user record, you can add many aliases for them, which
sendmail happily uses. I can't figure out how to do this with LDAP!
Does anyone have an eyedeer?

Tim

--
Tim Sailer (at home)
Coastal Internet, Inc.
Network and Systems Operations
PO Box 671
http://www.buoy.com
Ridge, NY 11961
[EMAIL PROTECTED]/[EMAIL PROTECTED]
(631) 924-3728
Re: An LDAP authentication howto for Debian?
"Jeremy L. Gaddis" wrote:
> Out of curiosity, has anyone come across a sort of
> "LDAP authentication howto for Debian?"

Today, I found two more HOWTOs devoted to LDAP. They're probably not
Debian specific (haven't read them yet). They can be found probably on
every sunsite mirror, but these come from the Polish one:

http://sunsite.icm.edu.pl/Linux/Documentation/HOWTO/LDAP-HOWTO.html
http://sunsite.icm.edu.pl/Linux/Documentation/HOWTO/LDAP-Implementation-HOWTO/index.html

--
Regards,
Marek L. Kozak
Re: An LDAP authentication howto for Debian?
At 4/29/01 02:53 PM, you wrote:
> I recently configured LDAP for my company and I 100% agree with the
> original poster. Documentation is thick but with a lot of holes, few
> explanations (so you can do things in a different way), and quite
> difficult to find.

[snip]

In my case, I'm quite familiar with the way PAM, LDAP, etc. work
individually. It was getting them all to play well with each other
that was the problem.

I made a half-hearted attempt at it a week or so ago, but wasn't really
into the idea then. After posting, I set about installing libpam-ldap
and libnss-ldap and happened to find the LDAP Implementation howto on
LDP. That gave me a nudge in the general direction, however, it still
took in excess of five hours to get it all to work.

So far I've just managed to get logins, etc. to work and haven't
migrated any user accounts to LDAP. Also, I've only got it working on
the one machine. I haven't tried to set it up for the other machines yet.

In the meantime, I was quite impressed that...

[jeremy@HURRICANE:pts/2:~]$ finger ldaptest
Login: ldaptest                         Name: LDAP Test User
Directory: /home/ldaptest               Shell: /bin/bash
Last login Sun Apr 29 03:11 (EST) on pts/5 from localhost
No mail.
No Plan.

...this worked, considering...

[jeremy@HURRICANE:pts/2:~]$ grep ^ldaptest /etc/passwd
[jeremy@HURRICANE:pts/2:~]$

:)

I haven't messed with anything besides login (e.g. `telnet localhost`)
and logging in as user ldaptest. I'll give that a go on my next day off
(or the next time I'm sitting around bored at work). :)

As has been stated, documentation on Debian-specific LDAP+PAM+NSS is
severely lacking (or my google skills are). I see great possibilities
for centralized authentication using LDAP, however. Sure beats creating
user accounts on several machines and trying to synch uid and gid's
(NFS, etc.)

-jg

--
Jeremy L. Gaddis [EMAIL PROTECTED]
Go away or I will replace you with a very small shell script.
Re: An LDAP authentication howto for Debian?
<quote who="Stephane Bortzmeyer">
> The most important problem, I believe, is that using LDAP means
> understanding many different things and how they fit together. These
> things are often documented properly (setting a LDAP server...) but
> separately (setting LDAP clients is in a completely different place) and
> you cannot get a global picture easily. (for instance, the LDP HOWTOs
> about PAM and LDAP do not explain why you need, in most cases, to setup
> PAM *and* NSS.)

Okay, I'm convinced. I think the best way of going about it would be to take
the LDP's two LDAP documents (LDAP HOWTO, LDAP Authentication HOWTO), add
some very practical Debian guidelines (preferably as note points so other
distribution users can add their directions) and combining them into one
great tome. :)

I'm doing some LDAP migrations in the next few weeks too, and can assign
some manpower to this task. Groovy.

- Jeff

--
Ever had a morning where you were not kissed and told I love you, when the
night before you SCREWED so wildly that you could not remember? GOOD
MORNING - Andre Hedrick, Linux ATA Dude
Re: An LDAP authentication howto for Debian?
Hi

On Tue, May 01, 2001 at 12:21:20AM +1000, Jeff Waugh wrote:
> <quote who="Stephane Bortzmeyer">

XML.. *runningaway*

> Okay, I'm convinced. I think the best way of going about it would be to
> take the LDP's two LDAP documents (LDAP HOWTO, LDAP Authentication HOWTO),
> add some very practical Debian guidelines (preferably as note points so
> other distribution users can add their directions) and combining them into
> one great tome. :)

Now let's not duplicate work. Pascal Pucci only needs to translate his
document from French to English instead of writing it. So, perhaps wait
until this is done, and then extend his documentation instead of starting
from scratch, even though you might have some manpower :-)...

MfG/Regards, Alexander

--
Alexander Reelsen   http://joker.rhwd.de
[EMAIL PROTECTED]   GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
[EMAIL PROTECTED]   7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
Re: An LDAP authentication howto for Debian?
> > Okay, I'm convinced. I think the best way of going about it would be to
> > take the LDP's two LDAP documents (LDAP HOWTO, LDAP Authentication
> > HOWTO), add some very practical Debian guidelines (preferably as note
> > points so other distribution users can add their directions) and
> > combining them into one great tome. :)
>
> Now let's not duplicate work. Pascal Pucci only needs to translate his
> document from French to English instead of writing it. So, perhaps wait
> until this is done, and then extend his documentation instead of starting
> from scratch, even though you might have some manpower :-)...

But, if you compare my pseudo-documentation with that of Simon, you can
easily find that my documentation is just like 'an add-on' to Simon's
documentation.

I needed to practice LDAP authentication to install an ISP with
cyrus/postfix/proftpd/imp on an LDAP directory. I have taken too much time
to understand this solution. So, I decided to do a French documentation.

But, it can be more judicious just to complete the great documentation of
Simon: http://www.imaginator.com/~simon/ldap/

bye.

--
Pascal Pucci : [EMAIL PROTECTED]
Recommend a site to your friends: http://www.BeeTell.com
Help promote free software: http://www.linuxpien.org
http://www.pascalou.org, on mobile: [EMAIL PROTECTED]
Re: An LDAP authentication howto for Debian?
<quote who="Alexander Reelsen">
> > <quote who="Stephane Bortzmeyer">
>
> XML.. *runningaway*

SGML as it turns out. Does that make it un-buzzwordy enough? ;)

> Now let's not duplicate work. Pascal Pucci only needs to translate his
> document from French to English instead of writing it. So, perhaps wait
> until this is done, and then extend his documentation instead of starting
> from scratch, even though you might have some manpower :-)...

Indeed - duplication bad. Perhaps my gentle nudging and offer of help will
convince him to do it soon. :D I will have to find out if we have any
French-readers here, mine tres crap. (See?) :)

- Jeff

--
What do you get when you cross a web server and a hen? Apoache.
Re: An LDAP authentication howto for Debian?
quote who=Sami Haahtinen

> the biggest case imho is understanding LDAP, LDIF and the permissions in the database.. then it's just a matter of adding the correct objectclass and filling in the blanks..

Indeed - best place to learn about this is in the book, Understanding and Deploying LDAP Directory Services by Howes, Smith and Good. Not only does it give a thorough theoretical overview, there are a number of case studies at the back. Good stuff. :)

- Jeff

--
ASCII stupid question, get a stupid ANSI.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: An LDAP authentication howto for Debian?
I wrote a howto about 6 months back. It was tricky setting up but I think I cover most of the potential disaster areas in my howto.

http://www.imaginator.com/~simon/ldap/

S.

Jeremy L. Gaddis wrote:
> Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian? I've been pondering the idea of using a central LDAP database for authentication for awhile now, but I'm sort of lost after installing the necessary PAM stuff.
>
> Thanks.
>
> -jg
>
> --
> Jeremy L. Gaddis [EMAIL PROTECTED]
> Go away or I will replace you with a very small shell script.

--
Simon D Tennant, Consultant
Linuxcare, Inc.
415.577 6719 tel, 415-701-0792 fax
[EMAIL PROTECTED], http://www.linuxcare.com/
Linuxcare. Putting open source to work.
pgp id: 6410974D
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 04:52:54AM -0700, Simon Tennant wrote:
> I wrote a howto about 6 months back. It was tricky setting up but I think I cover most of the potential disaster areas in my howto.
>
> http://www.imaginator.com/~simon/ldap/
>
> S.

i recommend you add description about Objectclass: ShadowAccount there too.. it tells nss_ldap not to pull the passwords with 'getent passwd'

Sami

--
- Sami Haahtinen -
- 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
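A check for the behaviour described in the message above, as an added example that is not part of the original thread: it scans passwd(5)-format lines, such as the output of `getent passwd` on an LDAP client, and reports accounts whose password field holds something other than a placeholder. The sample lines, the function names and the set of accepted placeholders (`x`, `*`, `!`, `!!`) are assumptions made for illustration; an empty password field is reported as well.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format lines, such as `getent passwd` output
# on an LDAP client, for password fields that are not a placeholder.

# Constructed sample data (not from the thread). alice and carol are served
# with a hash in field 2; root and bob get the "x" placeholder.
sample_getent() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:$1$Zx8kQ1aB$CONSTRUCTEDHASHVALUE00:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:abJnggxhB/yWI:1003:100:Carol:/home/carol:/bin/bash
dave::1004:100:Dave:/home/dave:/bin/bash
erin:!:1005:100:Erin:/home/erin:/bin/false
EOF
}

# Reads passwd(5) lines on stdin, prints "user:finding" for each problem.
audit_passwd_field() {
    awk -F: '
        NF != 7 { next }                                  # skip malformed lines
        $2 == "" { print $1 ":empty-password"; next }     # no password at all
        $2 == "x" || $2 == "*" || $2 == "!" || $2 == "!!" { next }  # placeholder
        { print $1 ":hash-exposed" }                      # anything else
    '
}

# Stand-alone run on the sample.
# On a real client: getent passwd | audit_passwd_field
sample_getent | audit_passwd_field
```

Run it as an unprivileged user on a client: any `hash-exposed` line means that user's hash is readable by every local account through NSS.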
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 12:34:02PM +1000, Jeff Waugh [EMAIL PROTECTED] wrote a message of 21 lines which said:

> The LDP has a perfectly good set of documents already; there's no need to duplicate the good work already done by them.

I recently configured LDAP for my company and I 100% agree with the original poster. Documentation is thick but with a lot of holes, few explanations (so you can do things in a different way), and quite difficult to find. I certainly would not say to an LDAP beginner, "read the fucking manual" because it is clearly a domain where manuals are suboptimal (I know, I should write one but it is easier to complain).

The most important problem, I believe, is that using LDAP means understanding many different things and how they fit together. These things are often documented properly (setting an LDAP server...) but separately (setting LDAP clients is in a completely different place) and you cannot get a global picture easily. (For instance, the LDP HOWTOs about PAM and LDAP do not explain why you need, in most cases, to set up PAM *and* NSS.)
Re: An LDAP authentication howto for Debian?
On Sun, Apr 29, 2001 at 12:34:02PM +1000, Jeff Waugh wrote:
> quote who=Jeremy L. Gaddis
>
> > Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian?
>
> The LDP has a perfectly good set of documents already; there's no need to duplicate the good work already done by them.

i have been thinking about collecting these into a package which would ease the installation of the first machine..

the biggest case imho is understanding LDAP, LDIF and the permissions in the database.. then it's just a matter of adding the correct objectclass and filling in the blanks..

--
- Sami Haahtinen -
- 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
Re: An LDAP authentication howto for Debian?
> Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian? I've been pondering the idea of using a central LDAP database for authentication for awhile now, but I'm sort of lost after installing the necessary PAM stuff.
>
> Thanks.

I have made an LDAP authentication howto for Debian?

http://www.pascalou.org/linux/doc/authentification-ldap.html

But it's in French. I am ready to do a translation, but I need someone to correct my poor English ;-)

bye

--
Pascal Pucci : [EMAIL PROTECTED]
Recommend a site to your friends: http://www.BeeTell.com
Take part in promoting free software: http://www.linuxpien.org
http://www.pascalou.org, on the mobile: [EMAIL PROTECTED]
Re: An LDAP authentication howto for Debian?
quote who=Jeremy L. Gaddis

> Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian?

The LDP has a perfectly good set of documents already; there's no need to duplicate the good work already done by them. A Debian-specific section may be of use, however there's nothing all that different (apart from Debian being set up sanely to begin with).

- Jeff

--
Is Murphy's Law constitutional?