Old 12-16-2009, 06:24 PM
Peter Serwe

Problems with nss_ldap - where to start?

I've been unsuccessfully trying to get nss_ldap to work. I've chased down hundreds of google searches over the last 3 days, and I can't seem to get a centos system to authenticate against ldap.

Every daemon on the system is running into the same problem:


nss_ldap: could not search LDAP server - Server is unavailable
sshd, nscd, httpd, you name it..

slapd is clearly running, telnet localhost 389 actually connects me to it.

I've run authconfig, /etc/sysconfig/authconfig agrees.


I'm at a complete and utter loss. I've followed every how-to out there, RH, Openldap, Debian, FreeBSD. I can verify ldap is working, I can't seem to get any PAM applications to use it.

Peter
--

Peter Serwe
http://truthlightway.blogspot.com/

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-16-2009, 06:33 PM
Craig White

Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 11:24 -0800, Peter Serwe wrote:
> I've been unsuccessfully trying to get nss_ldap to work. I've chased
> down hundreds of google searches over the last 3 days, and I can't
> seem to get a centos system to authenticate against ldap.
>
> Every daemon on the system is running into the same problem:
>
> nss_ldap: could not search LDAP server - Server is unavailable
>
> sshd, nscd, httpd, you name it..
>
> slapd is clearly running, telnet localhost 389 actually connects me to
> it.
>
> I've run authconfig, /etc/sysconfig/authconfig agrees.
>
> I'm at a complete and utter loss. I've followed every how-to out
> there, RH, Openldap, Debian, FreeBSD I can verify ldap is working, I
> can't seem to get any PAM applications to use it.
----
forget 'telnet'

Can you do an ldapsearch?

ldapsearch -x -h localhost -D '$YOUR_ROOT_BIND_DN' -W '(ou=*)'

Craig


 
Old 12-16-2009, 06:33 PM

Problems with nss_ldap - where to start?

> I've been unsuccessfully trying to get nss_ldap to work. I've chased down
> hundreds of google searches over the last 3 days, and I can't seem to get
> a
> centos system to authenticate against ldap.
>
> Every daemon on the system is running into the same problem:
>
> nss_ldap: could not search LDAP server - Server is unavailable
>
> sshd, nscd, httpd, you name it..
>
> slapd is clearly running, telnet localhost 389 actually connects me to it.
>
> I've run authconfig, /etc/sysconfig/authconfig agrees.
>
> I'm at a complete and utter loss. I've followed every how-to out there,
> RH, Openldap, Debian, FreeBSD I can verify ldap is working, I can't seem
> to get any PAM applications to use it.

First question: do you have tls enabled on the client, and not the server,
or vice versa?

Second question: on the server, can you do a search?

Handy tool: webmin has a whole ldap section, and can give you a *lot* of
clues as to what's going wrong.

mark

 
Old 12-16-2009, 06:42 PM
Peter Serwe

Problems with nss_ldap - where to start?

On Wed, Dec 16, 2009 at 11:33 AM, Craig White <craigwhite@azapple.com> wrote:
> forget 'telnet'
>
> Can you do an ldapsearch?
>
> ldapsearch -x -h localhost -D '$YOUR_ROOT_BIND_DN' -W '(ou=*)'
>
> Craig

Sure I can, this is the output, slightly sanitized.


# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (ou=*)
# requesting: ALL
#

# People, mynet.net
dn: ou=People,dc=mynet,dc=net
ou: People
objectClass: organizationalUnit

# testuser, People, mynet.net
dn: cn=testuser,ou=People,dc=mynet,dc=net
uid: testuser
cn: testuser
sn: Test
givenName: Test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: People
uidNumber: 10001
gidNumber: 10001
userPassword:: dGVzdA==
homeDirectory: /tmp
mail: test@mynet.net

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Peter

 
Old 12-16-2009, 06:47 PM
"nate"

Problems with nss_ldap - where to start?

Peter Serwe wrote:
> I've been unsuccessfully trying to get nss_ldap to work. I've chased down
> hundreds of google searches over the last 3 days, and I can't seem to get a
> centos system to authenticate against ldap.
>
> Every daemon on the system is running into the same problem:

Disable all SSL/TLS functions on the server and client and try it
in the most basic mode, if it still doesn't work run tcpdump to
look at what is actually being sent and what the response is.

nate


 
Old 12-16-2009, 06:49 PM
Peter Serwe

Problems with nss_ldap - where to start?

I was going to say no TLS on either side.

Specifically because I wanted to make sure that I was doing it with basic auth prior to using tls, but I found TLS lines in the /etc/ldap.conf.

I commented those out, and guess what, no more nss_ldap messages in /var/log/messages..


Now, I'm somewhat guessing that my directory doesn't have the right information in it. Maybe I just need an ldif recipe for adding the users.

Peter

On Wed, Dec 16, 2009 at 11:33 AM, <m.roth@5-cent.us> wrote:
> First question: do you have tls enabled on the client, and not the server,
> or vice versa?
>
> Second question: on the server, can you do a search?
>
> Handy tool: webmin has a whole ldap section, and can give you a *lot* of
> clues as to what's going wrong.
>
> mark



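The mismatch mark asked about, nate suggested ruling out, and Peter then found in /etc/ldap.conf is the usual source of "could not search LDAP server - Server is unavailable": the client asks for StartTLS (or an ldaps:// URI) and slapd is not configured for it, or the reverse. The script below is an added example, not code from the thread or from nss_ldap/OpenLDAP. It classifies the TLS mode a PADL-style /etc/ldap.conf requests, audits the settings a practitioner checks before turning TLS back on (certificate verification, a CA to verify against, a bind password on disk), and wraps the two ldapsearch calls that show which mode the server actually supports. The sample configs, the ldap.mynet.net hostname and the proxy-account password in the tests are constructed. The caveat the thread does not state: commenting out the TLS lines makes the error go away, but every simple bind PAM then does through pam_ldap, password included, crosses port 389 in the clear, so it is a diagnostic step rather than a fix.

```shell
#!/bin/sh
# Added example, not code from the thread.  Classifies the TLS mode an
# nss_ldap-style /etc/ldap.conf asks for and flags settings to review before
# re-enabling TLS.  Directive names (ssl, uri, tls_checkpeer, tls_cacertfile,
# tls_cacertdir, bindpw) are the PADL nss_ldap ones shipped with CentOS 5;
# the sample configs written by write_sample_conf are constructed.

# Effective value of a directive: comments stripped, last occurrence wins,
# key matched case-insensitively.  Prints an empty line if unset.
ldap_conf_get() {                       # $1 = file, $2 = lowercase key
    sed -e 's/#.*//' "$1" | awk -v key="$2" '
        tolower($1) == key { val = $2 }
        END { print val }'
}

# Prints ldaps, starttls or plain.  A client in starttls/ldaps mode talking
# to a slapd with no TLS configured gives exactly the "Server is unavailable"
# message from the thread; a server that demands TLS from a plain client
# fails the same way.
ldap_conf_tls_mode() {                  # $1 = file
    uri=$(ldap_conf_get "$1" uri | tr 'A-Z' 'a-z')
    ssl=$(ldap_conf_get "$1" ssl | tr 'A-Z' 'a-z')
    case "$uri" in ldaps://*) echo ldaps; return 0 ;; esac
    case "$ssl" in
        start_tls) echo starttls ;;
        on|yes)    echo ldaps ;;
        *)         echo plain ;;
    esac
}

# One WARN line per finding; returns the number of findings.
#  - TLS on but tls_checkpeer not explicitly yes: the client may accept any
#    certificate, so TLS gives no protection against a spoofed server.
#  - TLS on but no CA file/dir: peer verification has no trust root.
#  - bindpw present: a cleartext credential on disk; keep the file 0600 and
#    give the proxy account read-only, minimal ACLs in slapd.
ldap_conf_audit() {                     # $1 = file
    n=0
    mode=$(ldap_conf_tls_mode "$1")
    if [ "$mode" != plain ]; then
        [ "$(ldap_conf_get "$1" tls_checkpeer | tr 'A-Z' 'a-z')" = yes ] ||
            { echo "WARN: $mode without tls_checkpeer yes"; n=$((n+1)); }
        [ -n "$(ldap_conf_get "$1" tls_cacertfile)$(ldap_conf_get "$1" tls_cacertdir)" ] ||
            { echo "WARN: $mode without tls_cacertfile/tls_cacertdir"; n=$((n+1)); }
    fi
    [ -z "$(ldap_conf_get "$1" bindpw)" ] ||
        { echo "WARN: bindpw stored in $1"; n=$((n+1)); }
    echo "mode=$mode findings=$n"
    return $n
}

# Live probes (need a reachable slapd and openldap-clients; not run here).
# -x is a simple bind; -ZZ makes ldapsearch fail unless StartTLS succeeds,
# so the pair tells you which mode the server really supports.
ldap_probe() {                          # $1 = host, $2 = base DN
    ldapsearch -x     -H "ldap://$1" -b "$2" -s base '(objectClass=*)' dn
    ldapsearch -x -ZZ -H "ldap://$1" -b "$2" -s base '(objectClass=*)' dn
}
# To watch the bytes on the wire instead (nate's suggestion), in another shell:
#   tcpdump -i lo -nn -A port 389

# Constructed sample: the shape of the client config in the thread, with the
# TLS lines present (as found) or commented out (as Peter did).
write_sample_conf() {                   # $1 = path, $2 = with_tls|no_tls
    {
        echo 'host 127.0.0.1'
        echo 'base dc=mynet,dc=net'
        echo 'ldap_version 3'
        if [ "$2" = with_tls ]; then
            echo 'ssl start_tls'
            echo 'tls_cacertdir /etc/openldap/cacerts'
        else
            echo '#ssl start_tls'
            echo '#tls_cacertdir /etc/openldap/cacerts'
        fi
    } > "$1"
}

demo_conf=$(mktemp)
write_sample_conf "$demo_conf" with_tls
echo "with TLS lines:    $(ldap_conf_audit "$demo_conf")"
write_sample_conf "$demo_conf" no_tls
echo "TLS lines removed: $(ldap_conf_audit "$demo_conf")"
rm -f "$demo_conf"
```

On the real box, `ldap_conf_audit /etc/ldap.conf` followed by `ldap_probe localhost dc=mynet,dc=net` is the order to run them: the first says what the client expects, the second shows whether slapd can deliver it, and the tcpdump line shows the actual exchange when the two disagree.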
 
Old 12-16-2009, 07:07 PM
Peter Serwe

Problems with nss_ldap - where to start?

Found an ldif user recipe for CentOS5.2..

Added the user "tactest" with the password "tactest".


Dec 16 12:05:30 ldap sshd[11705]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 12:05:30 ldap sshd[11705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldap
Dec 16 12:05:30 ldap sshd[11705]: pam_succeed_if(sshd:auth): error retrieving information about user tactest


auth still fails.

Peter

 
Old 12-16-2009, 07:08 PM
Peter Serwe

Problems with nss_ldap - where to start?

and, of course:

Dec 16 12:05:31 ldap sshd[11705]: Failed password for invalid user tactest from 127.0.0.1 port 52949 ssh2

Peter


 
Old 12-16-2009, 07:24 PM
Craig White

Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 12:07 -0800, Peter Serwe wrote:
> Found an ldif user recipe for CentOS5.2..
>
> Added the user "tactest" with the password "tactest".
>
> Dec 16 12:05:30 ldap sshd[11705]pam_unix(sshd:auth): check pass; user
> unknown
> Dec 16 12:05:30 ldap sshd[11705]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldap
> Dec 16 12:05:30 ldap sshd[11705]: pam_succeed_if(sshd:auth): error
> retrieving information about user tactest
>
> auth still fails.
----
before you get into authorizations...

does the user show? I think not...

getent passwd |grep tactest

if that's the case, and you want help from the list...

what is in files...
/etc/nsswitch.conf
/etc/pam.d/system-auth
/etc/ldap.conf

Craig


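Craig's order of checks (getent first, then nsswitch.conf, system-auth and ldap.conf) matches the log lines Peter posted: "check pass; user unknown" and pam_succeed_if failing to retrieve the user both mean NSS never produced a passwd entry, so no password was ever compared. The script below is an added example, not code from the thread or from nss_ldap. It performs two of those checks offline, on a copy of nsswitch.conf and on an LDIF entry, and keeps the live getent/id call in its own function. The nsswitch.conf sample is constructed; the LDIF entry is the testuser entry from the ldapsearch output earlier in the thread. It also decodes that entry's userPassword: dGVzdA== is base64 for "test", a cleartext password stored in the directory. slapd accepts that for simple binds, but anyone the ACLs let read the attribute recovers the password directly, so for a real account the value should be a hashed form such as {SSHA} (slappasswd generates one).

```shell
#!/bin/sh
# Added example, not code from the thread or from nss_ldap.  "check pass;
# user unknown" and pam_succeed_if "error retrieving information about user"
# both mean getpwnam() returned nothing, so the password was never compared.
# These checks cover what NSS needs: nsswitch.conf routing passwd, shadow
# and group through ldap, and an entry carrying the attributes nss_ldap maps
# onto a passwd(5) line.  The nsswitch sample below is constructed; the LDIF
# entry is the testuser entry from the ldapsearch output in the thread.

# Sources configured for one nsswitch database, e.g. "files ldap".
nss_sources() {                         # $1 = nsswitch.conf, $2 = database
    sed -e 's/#.*//' "$1" |
        awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# 0 when passwd, shadow and group all list ldap; otherwise names the
# databases that do not and returns 1.
nss_uses_ldap() {                       # $1 = nsswitch.conf
    rc=0
    for db in passwd shadow group; do
        src=$(nss_sources "$1" "$db")
        case " $src " in
            *" ldap "*) ;;
            *) echo "nsswitch: $db -> '$src' (ldap missing)"; rc=1 ;;
        esac
    done
    return $rc
}

# Reads one LDIF entry on stdin, prints each attribute nss_ldap needs for a
# passwd line that is absent (uid, uidNumber, gidNumber, homeDirectory) and
# exits with the count.  Names compare case-insensitively, as in LDAP.
# loginShell is optional for nss_ldap, but sshd still needs a usable shell.
ldif_posix_missing() {
    awk '
        /^[A-Za-z][A-Za-z0-9;-]*::? / {
            split($0, kv, /::? /); have[tolower(kv[1])] = 1
        }
        END {
            n = split("uid uidnumber gidnumber homedirectory", need, " ")
            miss = 0
            for (i = 1; i <= n; i++)
                if (!(need[i] in have)) { print need[i]; miss++ }
            exit miss
        }'
}

# How userPassword is stored: the scheme tag of a hashed value ({SSHA},
# {CRYPT}, ...), "cleartext" for an unhashed one, "none" if absent.
# "userPassword::" in LDIF means base64; the thread's dGVzdA== decodes to
# "test", i.e. a cleartext password sitting in the directory.
ldif_password_scheme() {
    line=$(grep -i '^userPassword::\{0,1\} ' | head -n 1)
    [ -n "$line" ] || { echo none; return 0; }
    case "$line" in
        *'::'*) val=$(printf '%s' "${line#*:: }" | base64 -d) ;;
        *)      val=${line#*: } ;;
    esac
    case "$val" in
        '{'*'}'*) scheme=${val%%\}*}; echo "$scheme}" ;;
        *)        echo cleartext ;;
    esac
}

# Live check on the real host (not run here): if getent prints nothing, the
# failure is in NSS and PAM never got as far as the password.
live_check() {                          # $1 = login name
    getent passwd "$1" && id "$1"
}

entry='dn: cn=testuser,ou=People,dc=mynet,dc=net
uid: testuser
cn: testuser
sn: Test
givenName: Test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: People
uidNumber: 10001
gidNumber: 10001
userPassword:: dGVzdA==
homeDirectory: /tmp
mail: test@mynet.net'

# Constructed nsswitch.conf of the kind that leaves sshd saying "user
# unknown": only group consults ldap.
nss_demo=$(mktemp)
printf 'passwd: files\nshadow: files\ngroup: files ldap\n' > "$nss_demo"
echo "missing attrs: $(printf '%s\n' "$entry" | ldif_posix_missing)"
echo "password:      $(printf '%s\n' "$entry" | ldif_password_scheme)"
echo "nsswitch:      $(nss_uses_ldap "$nss_demo")"
rm -f "$nss_demo"
```

To use it against the real system, feed `ldapsearch -x -b dc=mynet,dc=net '(uid=tactest)'` into `ldif_posix_missing` and `ldif_password_scheme`, run `nss_uses_ldap /etc/nsswitch.conf`, and only when both are clean go on to `live_check tactest`; if getent still prints nothing, the next suspect is nss_ldap's own settings in /etc/ldap.conf (base, nss_base_passwd) rather than PAM.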
 
Old 12-16-2009, 07:32 PM
Peter Serwe

Problems with nss_ldap - where to start?

On Wed, Dec 16, 2009 at 11:33 AM, <m.roth@5-cent.us> wrote:
> First question: do you have tls enabled on the client, and not the server,
> or vice versa?
>
> Second question: on the server, can you do a search?
>
> Handy tool: webmin has a whole ldap section, and can give you a *lot* of
> clues as to what's going wrong.
>
> mark



Tried webmin. Blew out my whole ldap database and used webmin to create a new tree, and an example user. Guess what? My example user fails the same way.


I'm running slapd with -d 128 as well..

Peter

 
