Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote:
> Sorry for the late reply ...
>
> On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
> > All right, here I am. nss_ldap.conf and ldap.conf are located in
> > /usr/local/etc and are identical (link). I copied all tags I use and deleted
> > commented out tags:
>
> Seems ok to me, though I don't claim to be an expert.

This method has been recommended by many sites and tutorials, so I guess it should be approved ;-)

> > The slapd.conf is this, comments roped:
> >
> > include /usr/local/etc/openldap/schema/core.schema
> > include /usr/local/etc/openldap/schema/cosine.schema
> > include /usr/local/etc/openldap/schema/nis.schema
> > include /usr/local/etc/openldap/schema/inetorgperson.schema
> > # additional schema
> > include /usr/local/share/examples/samba/LDAP/samba.schema
> > pidfile /var/run/openldap/slapd.pid
> > argsfile /var/run/openldap/slapd.args
> > logfile /var/log/slapd.log
> > loglevel 512
>
> loglevel is a bitmask. If you want to have lots of debugging try 255 and run a
> tail -f /var/log/debug.log

Thanks, I did so and found several useful messages in the log.

> > sizelimit unlimited
> > allow bind_v2
> > modulepath /usr/local/libexec/openldap
> > moduleload back_bdb
> > everse-lookup off
>
> typo I guess?

Sorry, yes, copy-and-paste mistake.

> > NSCD is up and running, my nsswitch.conf looks like this:
>
> Please try without nscd first, it's just another possible source of problems.

Due to a recommendation not to use NSCD with FreeBSD and SAMBA I switched that off.

> > group: cache ldap [ unavail=continue notfound=continue ] files
> > passwd: cache ldap [ unavail=continue notfound=continue ] files
> > #group_compat: nis
> > hosts: compat
> > networks: files
> > #passwd_compat: nis
> > shells: files
> > services: compat
> > services_compat: nis
> > protocols: files
> > rpc: files
> >
> > And I changed some lines in /etc/pam.d/sshd,login,system,other like this
> > (*commented out due to system gets stuck forever when enabled
> > nss_ldap/pam_ldap):
>
> I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to avoid this
> unresponsiveness.
>
> # Bind/connect timelimit
> bind_timelimit 3
> # Reconnect policy: hard (default) will retry connecting to
> # the software with exponential backoff, soft will fail
> # immediately.
> #bind_policy hard
> bind_policy soft
>
> Also, make NSS work first, then turn to configuring PAM (at least, that's what
> I would do)

Great!! That did the trick and it is very helpful in saving a lot of time and prevented me from losing more hairs.

> > Some errors from console:
> >
> > (At boot time)
> > Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap:
> > could not search LDAP server - Server is unavailable
>
> Expected. slapd wants to change its user to ldap:ldap, which it needs to look
> up the UID for. Chicken & Egg. That's why I need to use soft bind+timeout on my
> (disconnected) laptop here.
>
> > Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap:
> > could not search LDAP server - Server is unavailable
> > Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could
> > not search LDAP server - Server is unavailable
>
> That seems broken then. Is slapd running? Can you ldapsearch -Lx -h localhost?
> What's /var/log/debug.log telling you? Can you id(1) some ldap users? Does the
> output of 'getent group' and 'getent passwd' look reasonable?

Too many switches switched at the same time, so I guess I messed up things and couldn't get a clear sight anymore. The point is, without any TLS the user authentication works fine for SSHD/LOGIN and SU, even password changes via a patched 'passwd' work fine, but when trying to use TLS/OpenSSL everything gets messed up again, I'll report this at the end.

The main reason for blocking access was the ACL misbehaviour. I took the example slapd.conf and especially the line describing access to everything

access to * ...

The line 'by anonymous auth' needs to be changed into 'by anonymous read' otherwise LDAP won't let you even access for authentication. I found this by watching exhaustive logs ...

> > One point: what is about compile time options of OpenLDAP? Does LDAP force
> > itself using SSL although not configured explicitly in slapd.conf?
>
> No. It is purely optional. You would need certificates before it can even
> possibly start working anyways.

Yes, but OpenLDAP openldap-server-2.3.38 seems to reject connections via TLS when used with self-signed certificates.

> > nss_ldap-1.257 <<===
> > openldap-client-2.3.38
> > openldap-server-2.3.38
> > pam_ldap-1.8.2
>
> My other computer is running with nss_ldap-1.257 and showing no problems either.
>
> Cheers,
> Ulrich Spoerlein

Well, thanks a lot for helping. At this moment OpenLDAP seems to work with the OpenLDAP-Clients (only) and for authentication via ssh/login. I tried to install the famous and often mentioned 'smbldap-tools' as recommended in many tutorials and I followed the setup instruc
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
> All right, here I am. nss_ldap.conf and ldap.conf are located in
> /usr/local/etc and are identical (link). I copied all tags I use and deleted
> commented out tags:

Seems ok to me, though I don't claim to be an expert.

> The slapd.conf is this, comments roped:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include /usr/local/share/examples/samba/LDAP/samba.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> logfile /var/log/slapd.log
> loglevel 512

loglevel is a bitmask. If you want to have lots of debugging try 255 and run a
tail -f /var/log/debug.log

> sizelimit unlimited
> allow bind_v2
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> everse-lookup off

typo I guess?

> NSCD is up and running, my nsswitch.conf looks like this:

Please try without nscd first, it's just another possible source of problems.

> group: cache ldap [ unavail=continue notfound=continue ] files
> passwd: cache ldap [ unavail=continue notfound=continue ] files
> #group_compat: nis
> hosts: compat
> networks: files
> #passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> And I changed some lines in /etc/pam.d/sshd,login,system,other like this
> (*commented out due to system gets stuck forever when enabled
> nss_ldap/pam_ldap):

I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to avoid this
unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least, that's what
I would do)

> Some errors from console:
>
> (At boot time)
> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap:
> could not search LDAP server - Server is unavailable

Expected. slapd wants to change its user to ldap:ldap, which it needs to look
up the UID for. Chicken & Egg. That's why I need to use soft bind+timeout on my
(disconnected) laptop here.

> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap:
> could not search LDAP server - Server is unavailable
> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could
> not search LDAP server - Server is unavailable

That seems broken then. Is slapd running? Can you ldapsearch -Lx -h localhost?
What's /var/log/debug.log telling you? Can you id(1) some ldap users? Does the
output of 'getent group' and 'getent passwd' look reasonable?

> One point: what is about compile time options of OpenLDAP? Does LDAP force
> itself using SSL although not configured explicitly in slapd.conf?

No. It is purely optional. You would need certificates before it can even
possibly start working anyways.

> nss_ldap-1.257 <<===
> openldap-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2

My other computer is running with nss_ldap-1.257 and showing no problems either.

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann <[EMAIL PROTECTED]> wrote:
> > playing with ldapsearch gets results as expected. Doing ldapsearch with
> > -D and dn of the admin results in the whole DIT as expected, accessing
> > the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
> > from client via LUMA (tool) is also ok.
>
> Try to change the nss_base_passwd line from:
>
> nss_base_passwd ou=users,dc=office,dc=de?one
>
> to
>
> nss_base_passwd ou=users,dc=office,dc=de?sub

Well, on a test machine, I set up a test environment equal or nearly equal to that which is not working on a potentially production box. First of all, I think there is a misunderstanding in how to set up /etc/nsswitch.conf, because most trouble seems to be sourced there. When setting

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

restarting OpenLDAP results in this, but after two minutes or so it starts up (the time is unacceptable and it does not change anything reverting the order from 'files ldap' to 'ldap files' for passwd and group). The great question is: Do I need to have these entries? Neither in the nsswitch.conf manpage nor in the nss_ldap manpage is it mentioned to set 'ldap' as an option, I took this from one of the many tutorials out there.

Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:31 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:31 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:31 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:39 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:39 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:39 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:55 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:55 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:55 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:56:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:56:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:56:27 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
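The log above is nss_ldap's hard bind policy backing off (4, 8, 16, 32, 64 seconds, 124 seconds in total, which is where the "two minutes or so" comes from), and the process doing the failing lookups is slapd itself: the chicken-and-egg case Ulrich describes earlier in the thread, where slapd resolves its own ldap:ldap user through nss_ldap before it is listening. The following script is an added example for this thread, not code from the list posters or from nss_ldap. It parses such syslog lines, recovers the backoff schedule and the time a caller was blocked, and prints the findings a defender would act on. The "thor" lines are the excerpt above (abridged to one round of failed binds), the "gauss" lines are the ones quoted earlier in the thread with the console's doubled "kernel:" prefix stripped, and the regular expression and the 60-second threshold are this example's own choices.

```python
"""Summarise an nss_ldap reconnect storm from syslog lines (added example)."""
import re
from collections import Counter

# Sample input: slapd lines from the thread (abridged), gauss lines as quoted
# earlier in the thread with the doubled console prefix removed.
SAMPLE_LOG = """\
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 <20.6> thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable
"""

# syslog timestamp, optional "<facility.level>" tag, host, process[pid], message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:<[\d.]+> )?"
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"nss_ldap: (?P<msg>.*)$"
)
SLEEP_RE = re.compile(r"sleeping (\d+) seconds")
BIND_FAIL_RE = re.compile(r"failed to bind to LDAP server (\S+?): ")


def parse_nss_ldap_lines(text):
    """One dict (ts, host, proc, pid, msg) per line carrying an nss_ldap message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def backoff_schedule(events):
    """Seconds nss_ldap announced it would sleep, in log order."""
    sleeps = []
    for e in events:
        m = SLEEP_RE.search(e["msg"])
        if m:
            sleeps.append(int(m.group(1)))
    return sleeps


def blocked_seconds(events):
    """Total time the calling process spent waiting on reconnects."""
    return sum(backoff_schedule(events))


def failed_bind_uris(events):
    """How many bind attempts failed against each server URI."""
    uris = Counter()
    for e in events:
        m = BIND_FAIL_RE.search(e["msg"])
        if m:
            uris[m.group(1)] += 1
    return uris


def diagnose(events):
    """Findings a defender would act on, as short strings."""
    findings = []
    procs = {e["proc"] for e in events}
    total = blocked_seconds(events)
    if "slapd" in procs:
        findings.append(
            "slapd is itself an nss_ldap client (it resolves its own runtime user "
            "before it listens): chicken and egg, so lookups for that user must "
            "fail fast or be answered from files")
    if total >= 60:  # threshold chosen for this example
        findings.append(
            f"hard bind policy kept the caller waiting {total}s across "
            f"{len(backoff_schedule(events))} reconnect rounds; set bind_policy "
            "soft and a short bind_timelimit, or accept that every passwd/group "
            "lookup stalls that long while the server is down")
    others = sorted(procs - {"slapd"})
    if others:
        findings.append(
            "other services also block on nss_ldap while slapd is down: "
            + ", ".join(others))
    return findings


if __name__ == "__main__":
    evs = parse_nss_ldap_lines(SAMPLE_LOG)
    print("failed binds per URI:", dict(failed_bind_uris(evs)))
    print("backoff schedule:", backoff_schedule(evs), "=", blocked_seconds(evs), "s")
    for f in diagnose(evs):
        print("-", f)
```

Run it against a real /var/log/debug.log or messages excerpt by replacing SAMPLE_LOG; lines that do not carry an nss_ldap message are ignored, so the whole file can be fed in. The backoff sum is the number to compare against your bind_timelimit and the nsswitch.conf ordering: with ldap before files and a hard policy, every lookup on the box waits that long.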
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann <[EMAIL PROTECTED]> wrote:
> > playing with ldapsearch gets results as expected. Doing ldapsearch with
> > -D and dn of the admin results in the whole DIT as expected, accessing
> > the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
> > from client via LUMA (tool) is also ok.
>
> Try to change the nss_base_passwd line from:
>
> nss_base_passwd ou=users,dc=office,dc=de?one
>
> to
>
> nss_base_passwd ou=users,dc=office,dc=de?sub

... no difference ... slapd won't start when ldap is the first entry in nsswitch.conf and doesn't get searched when last. Maybe there is a problem with the nss_ldap library?
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann <[EMAIL PROTECTED]> wrote:
> playing with ldapsearch gets results as expected. Doing ldapsearch with
> -D and dn of the admin results in the whole DIT as expected, accessing
> the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
> from client via LUMA (tool) is also ok.

Try to change the nss_base_passwd line from:

nss_base_passwd ou=users,dc=office,dc=de?one

to

nss_base_passwd ou=users,dc=office,dc=de?sub
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann <[EMAIL PROTECTED]> wrote:
> > Ulrich Spoerlein wrote:
> > > On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
> > > > At this point it seems senseless to try out what's going wrong and I need
> > > > some hints or tips. I read about others successfully running OpenLDAP on
> > > > FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.
>
> I've had this running since 6.x and have just installed this yesterday in a
> 7-BETA machine
>
> This is what you can try:
>
> - Do not use nscd (the samba documentation recommends this)
> - Do the changes in steps, testing between each change
>
> What does ldapsearch say???
>
> Att,

playing with ldapsearch gets results as expected. Doing ldapsearch with -D and dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server from client via LUMA (tool) is also ok.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann <[EMAIL PROTECTED]> wrote:
> Ulrich Spoerlein wrote:
> > On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
> > > At this point it seems senseless to try out what's going wrong and I need
> > > some hints or tips. I read about others successfully running OpenLDAP on
> > > FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

I've had this running since 6.x and have just installed this yesterday in a
7-BETA machine

This is what you can try:

- Do not use nscd (the samba documentation recommends this)
- Do the changes in steps, testing between each change

What does ldapsearch say???

Att,
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote:
> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
> > At this point it seems senseless to try out what's going wrong and I need
> > some hints or tips. I read about others successfully running OpenLDAP on
> > FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.
>
> I do. It's working just fine ...

Good to hear, but it doesn't on mine ... :-(

> > P.S. If someone wants me to offer config details and/or log excerpts, please
> > contact me.
>
> Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
> ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf. Some
> actual error messages would be fine too.

All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags:

host 192.168.2.210 (or 127.0.0.1 alternatively)
base dc=office,dc=de
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# Specify a minimum or maximum UID number allowed
pam_min_uid 1000
pam_max_uid 3
pam_password ssha
nss_base_passwd ou=users,dc=office,dc=de?one
nss_base_shadow ou=users,dc=office,dc=de?one
nss_base_group ou=group,dc=office,dc=de?one
pam_filter objectClass=posixAccount

The slapd.conf is this, comments roped:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# additional schema
include /usr/local/share/examples/samba/LDAP/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
loglevel 512
sizelimit unlimited
allow bind_v2
modulepath /usr/local/libexec/openldap
moduleload back_bdb
everse-lookup off

access to *
        by self write
        by users read
        by anonymous auth

database bdb
suffix dc=office,dc=de
rootdn cn=admin,dc=office,dc=de
rootpw
directory /data/openldap-data/nuggad/
index objectClass eq,pres
index uid,memberUid pres,eq,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index nisMapName,nisMapEntry eq,pres,sub

NSCD is up and running, my nsswitch.conf looks like this:

group: cache ldap [ unavail=continue notfound=continue ] files
passwd: cache ldap [ unavail=continue notfound=continue ] files
#group_compat: nis
hosts: compat
networks: files
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

And I changed some lines in /etc/pam.d/sshd,login,system,other like this (*commented out due to system gets stuck forever when enabled nss_ldap/pam_ldap):

system:

#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
#account        sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
#password       sufficient      /usr/local/lib/pam_ldap.so no_warn use_authtok
password        required        pam_unix.so             no_warn try_first_pass

sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
> At this point it seems senseless to try out what's going wrong and I need
> some hints or tips. I read about others successfully running OpenLDAP on
> FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

I do. It's working just fine ...

> P.S. If someone wants me to offer config details and/or log excerpts, please
> contact me.

Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf. Some
actual error messages would be fine too.

You should run tcpdump in some window to actually see what's going on. It also
helps to turn on massive debugging in slapd.conf and tail(1)ing
/var/log/debug.log

I'm running the following versions on 7-CURRENT from 30. September

nss_ldap-1.256
openldap-sasl-client-2.3.38
openldap-server-2.3.38
pam_ldap-1.8.2

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Per olof Ljungmark wrote:
> O. Hartmann wrote:
> > For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE
> > box running, but with no success. Within the last 8 weeks I tried nearly
> > EVERY tutorial and the setups explained there, but whenever I try to
> > authenticate or find an ID for an existing user in the DIT, I receive
> > either errors that the client (pam/nss, ssh, id etc.) can not connect to
> > the slapd running on the same machine.
>
> We have this config running on 7 since months. I suggest you provide the list
> with more information + log excerpts, then someone might help you out.
>
> --per

Well, great, I appreciate your help and by the way, you're the first one telling me he's running FBSD 7 AND OpenLDAP/nss_ldap/pam_ldap.

OpenLDAP is running well on the server, I can access the DIT via some tools like LUMA and the OpenLDAP clients from remote machines. A major problem seems to be the pam_ldap/nss_ldap configuration. Can you please tell me how you edited /etc/pam.d/ files and /etc/nsswitch.conf properly?

At this very moment it seems that I shot myself in the foot - the box running the LDAP service does not start the OpenLDAP service slapd after rebooting, the console is stuck at the message shown when 'additional ABI's' get started. So, I'm sorry having no logs handy at this very moment, I will offer them as soon as possible together with my config files, if this will not bother you.

Thanks in advance,
Oliver
--
Planetology and Remote Sensing
FU Berlin
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
O. Hartmann wrote:
> For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE
> box running, but with no success. Within the last 8 weeks I tried nearly
> EVERY tutorial and the setups explained there, but whenever I try to
> authenticate or find an ID for an existing user in the DIT, I receive
> either errors that the client (pam/nss, ssh, id etc.) can not connect to
> the slapd running on the same machine.

We have this config running on 7 since months. I suggest you provide the list with more information + log excerpts, then someone might help you out.

--per
OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and the setups explained there, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive either errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine. Calling ldapsearch from both the localhost running the slapd and from a client in the network runs well, I receive a dump of every object created in the LDAP tree.

At this point it seems senseless to try out what's going wrong and I need some hints or tips. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

In most cases when changing /etc/nsswitch.conf (renaming password/group: compat to password/group: files ldap as suggested in most of the tutorials) the box gets unusable running the request (either looking for a user id, starting an xterm, logging in as root via console). Everything which seems to look for a user ID takes more than a minute to start up or dumps errors. Even if I try to log in as a user that is only on the local machine (root and a special user) it seems that the fallback to 'files' doesn't work properly or the timeout takes that long.

I'm not a professional in OpenLDAP, but I tried several configs found in LinuxWiki on Gentoo or Debian boxes without problems. Even the simplest config seems not to work on FreeBSD 7! In many cases ACLs seem to be the culprit, but even setting 'access to * by * write' or configuring binddn and binddnpw in /usr/local/etc/ldap.conf and nss_ldap.conf the same as the rootdn in slapd.conf doesn't work and results in the same problem.

If anyone willing to help is running ldap services on a FreeBSD 7.0-PRE box, he or she is welcome!

Thanks in advance,
Oliver

P.S. If someone wants me to offer config details and/or log excerpts, please contact me.
pam_ldap nss_ldap
pam_ldap, nss_ldap not found.
account management pam_ldap+nss_ldap
Hello all,

I would greatly appreciate it if someone could help me or point me to the right place to find a solution to the following problem.

I have a system (5.3-release) configured to do user authentication through pam and ldap using pam_ldap.so and nss_ldap.so. Everything is fine with that configuration, I am able to login, ssh and ftp to the system using users configured only in ldap with no problem.

What I'm looking for is a way to manage these accounts, I mean to temporarily disable (lock) an account or a group of accounts, like "pw lock username", set account expiration dates and so on. I spent the last 2 days searching but found nothing, or maybe I was looking in the wrong places? Please, if someone did things like described above, help me. Actually, I'm most interested in disabling/enabling an ldap account/group without deleting it.

I was trying to find a solution myself and have thought of the following. To create an ldap schema file which will have an objectclass with the accountEnabled attribute (and maybe some others too). To include this objectclass for DNs containing users and somehow to create a filter in the nss_ldap config file which will do the filtering taking into account the accountEnabled flag.

What do you think of this approach? I would appreciate any suggestions.

Thanks,
Cezar Fistik
Re: Setting up pam_ldap & nss_ldap
On Thu, 2 Sep 2004, Curtis Vaughan wrote:
> On 5.3-Beta I have installed pam_ldap and nss_ldap. Then I edited the
> following files:
>
> /usr/local/etc/ldap.conf
> /etc/nsswitch.conf
> files within /etc/pam.d particularly /etc/pam.d/ldap and ./sshd and ./su
> /usr/local/etc/nss_ldap.conf
>
> I think that's it. I can provide each of those files if necessary.
> Nonetheless authentication for users not local to this system is not
> occurring (which would normally occur for me under Linux). I have tried
> authenticating the following ways: 1) through ssh; 2) through su.
>
> I have noticed, however, that the way I do this under Linux is not the same
> as for FreeBSD. So, it's quite possible that I have left something out.
> Anyhow, I would appreciate any input into what needs to be configured to get
> this to work.

i have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP accounts via nss_ldap and pam_ldap. it works perfectly.

/etc/nsswitch.conf
---
passwd: files [NOTFOUND=continue] ldap
group: files [NOTFOUND=continue] ldap
shells: files
hosts: files dns
---

/etc/pam.d/sshd
---
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so use_authtok
password        required        pam_unix.so             no_warn try_first_pass
---

/usr/local/etc/nss_ldap.conf (without TLS stuff)
---
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
# debug testing
#logdir /var/log
#debug 9
---

i use the same configuration for pam_ldap and nss_ldap, so create a symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or make an exact copy. all other entries in nss_ldap are commented out for me. Don't forget to change "dc=example,dc=com" and "ldap1.example.com ldap2.example.com" to your values.

there is no need for a .secret file for pam_ldap or nss_ldap. to be clear, if you set a rootbinddn or binddn which has the right to read the userPassword attribute, a getpwent(3) call would return all password hashes which is surely not what you want. the better way is to let nss_ldap only return the account information without the password and let pam_ldap try to bind as the user's dn with the submitted password.

another point is, that the whole pam_ldap stuff can be skipped if you use a binddn or rootbinddn with nss_ldap and this dn is allowed to read the userPassword attribute as the password is available to pam_unix and makes authentication possible. but remember the risk that someone is able to use getpwent(3) to get all password hashes that are stored in LDAP.

if it's still not working for you, uncomment the "logdir" and "debug" line in nss_ldap.conf and, if not symlinked, in ldap.conf too. after trying a new login you will find a file "ldap." in the directory specified as "logdir". the whole LDAP lookup and LDAP bind phase is written to this file so one can analyze what's working or not.

feel free to ask again if you still have problems.

regards
Joerg
--
The beginning is the most important part of the work.
-Plato
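Joerg's warning above (a binddn that may read userPassword turns getpwent(3) into a hash dump) and the ACL change reported earlier in the thread (turning `by anonymous auth` on `access to *` into `by anonymous read`) are two sides of the same slapd.conf decision. The toy evaluator below is an added example for this thread, not code from the list posters or from OpenLDAP. It models the first-match rule of slapd.access(5): the first `access to` directive whose target covers the attribute wins, within it the first `by` clause whose subject matches the requester wins, and the operation succeeds if the granted level reaches the level it needs (a simple bind needs `auth` on userPassword, an nss_ldap lookup needs `read` on uidNumber and friends). It compares the ACL as posted, the anonymous-read variant, and a constructed split that protects userPassword first and opens the rest. Only the target and subject forms those three ACLs use are understood, and the behaviour when no directive matches is this example's own assumption (deny), not a statement about slapd.

```python
"""Toy evaluator for slapd.conf access directives (added example)."""

# Access levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The ACL as originally posted in this thread.
ACL_POSTED = """
access to *
        by self write
        by users read
        by anonymous auth
"""

# The change reported later in the thread: anonymous may read everything.
ACL_ANON_READ = """
access to *
        by self write
        by users read
        by anonymous read
"""

# Constructed alternative: the hash directive comes first, then the rest.
ACL_SPLIT = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
"""


def _logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def parse_acl(text):
    """Return [(attrs_or_None, [(who, level), ...]), ...] in directive order."""
    acls = []
    for line in _logical_lines(text):
        if not line.startswith("access to "):
            raise ValueError("unsupported directive: " + line)
        target, *clauses = line[len("access to "):].split(" by ")
        target = target.strip()
        if target == "*":
            attrs = None                      # covers every attribute
        elif target.startswith("attrs="):
            attrs = set(target[len("attrs="):].split(","))
        else:
            raise ValueError("unsupported target: " + target)
        bys = []
        for clause in clauses:
            who, level = clause.split()
            if level not in LEVELS:
                raise ValueError("unknown level: " + level)
            bys.append((who, level))
        acls.append((attrs, bys))
    return acls


def granted(acls, attr, requester, is_self=False):
    """Level the first matching directive grants requester on attr.

    requester is "anonymous" or "user" (any bound DN); is_self says whether
    the entry being accessed is the requester's own.
    """
    for attrs, bys in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in bys:
            if who == "*":
                return level
            if who == "self" and requester != "anonymous" and is_self:
                return level
            if who == "users" and requester != "anonymous":
                return level
            if who == "anonymous" and requester == "anonymous":
                return level
        return "none"   # directive matched but no by clause did: denied
    return "none"       # assumption for this toy: no directive matched, deny


def allows(acls, attr, requester, needed, is_self=False):
    """True if the granted level reaches the level the operation needs."""
    return LEVELS.index(granted(acls, attr, requester, is_self)) >= LEVELS.index(needed)


def audit(acl_text):
    """The four questions this thread turns on, answered for one ACL text."""
    acls = parse_acl(acl_text)
    return {
        # simple bind checks the supplied password against userPassword: needs auth
        "anonymous_can_bind": allows(acls, "userPassword", "anonymous", "auth"),
        # nss_ldap without a binddn searches anonymously and reads uidNumber etc.
        "anonymous_can_lookup_uid": allows(acls, "uidNumber", "anonymous", "read"),
        # hash disclosure to anyone who can reach the port
        "anonymous_reads_hashes": allows(acls, "userPassword", "anonymous", "read"),
        # hash disclosure to any bound user, an nss_ldap binddn included
        "users_read_hashes": allows(acls, "userPassword", "user", "read"),
    }


if __name__ == "__main__":
    for name, text in (("posted", ACL_POSTED), ("anonymous read", ACL_ANON_READ), ("split", ACL_SPLIT)):
        print(name, audit(text))
```

With the posted ACL the bind works but anonymous nss_ldap lookups cannot read uidNumber, which is the symptom reported in the thread; the anonymous-read variant fixes the lookups by handing every hash to anyone on the network, and `by users read` in both variants already gives them to every bound DN. The split ACL gives anonymous exactly `auth` on userPassword and `read` elsewhere, so both lookups and simple binds work without a binddn and nobody but the entry owner can read the hash.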
Setting up pam_ldap & nss_ldap
On 5.3-Beta I have installed pam_ldap and nss_ldap. Then I edited the following files:

/usr/local/etc/ldap.conf
/etc/nsswitch.conf
files within /etc/pam.d particularly /etc/pam.d/ldap and ./sshd and ./su
/usr/local/etc/nss_ldap.conf

I think that's it. I can provide each of those files if necessary. Nonetheless authentication for users not local to this system is not occurring (which would normally occur for me under Linux). I have tried authenticating the following ways: 1) through ssh; 2) through su.

I have noticed, however, that the way I do this under Linux is not the same as for FreeBSD. So, it's quite possible that I have left something out. Anyhow, I would appreciate any input into what needs to be configured to get this to work.

Thanks!