Old 12-16-2009, 07:58 PM
Craig White
 
{Disarmed} Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 13:44 -0700, Craig White wrote:
> On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> > I think not as well. The tactest user has been blown back out. I can
> > re-add it from ldif again.
> >
> > [root@ldap home]# getent passwd | grep example
> > [root@ldap home]#
> >
> > [root@ldap home]# cat /etc/nsswitch.conf | grep -v #
> >
> >
> > passwd: files ldap
> > shadow: files ldap
> > group: files ldap
> >
> > hosts: files dns
> >
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files
> >
> > netgroup: nisplus
> >
> > publickey: nisplus
> >
> > automount: files nisplus
> > aliases: files nisplus
> >
> > [root@ldap home]# cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session optional pam_mkhomedir.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_ldap.so
> >
> > [root@ldap home]# cat /etc/ldap.conf | grep -v #
> >
> >
> > BASE dc=tncionline, dc=net
> > URI ldap://127.0.0.1
> > port 389
> >
> > SIZELIMIT 12
> > TIMELIMIT 15
> > DEREF never
> > timelimit 600
> > bind_timelimit 600
> > bind_policy soft
> > idle_timelimit 3600
> >
> > nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> > base dc=tncionline, dc=net
> > pam_password md5
> ----
> here's a big problem... /etc/ldap.conf
>
> you need to add...(assuming this is where you have People/Groups)
>
> nss_base_passwd ou=People,dc=tncionline,dc=net?one
> nss_base_shadow ou=People,dc=tncionline,dc=net?one
> nss_base_group ou=Groups,dc=tncionline,dc=net?one
>
> take the space out of base...
> base dc=tncionline,dc=net
>
> I'd also add (until you can deal)...
> ssl no
----
oh...

nss_initgroups_ignoreusers pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus

you can remove pserwe,dgates from the list unless you have daemon services running as those users prior to LDAP start (highly unlikely)

and if the above doesn't work, it is because your slapd.conf ACL's are blocking anonymous binds at the indicated dn's

So you might want to either simplify your ACL's, permit anonymous binds to the 'people/groups' or let us see what you've got for ACL's

these are some rules that I've found good to have in /etc/openldap/slapd.conf - YMMV

allow bind_anon_dn

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none

access to dn.regex="^uid=([^,]+),ou=People,dc=azapple,dc=com$$"
    by self read
    by anonymous auth
    by * none

# a bottom catchall rule...
access to *
    by anonymous read
    by * read

access to dn.base="cn=Subschema" by * read

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
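A small checker for the /etc/ldap.conf points raised in this message: the three nss_base_* lines and their `base?scope?filter` syntax, a base DN written with spaces after the commas, and what `ssl no` means once the server is not on loopback. This is an added example, not code from the thread or from nss_ldap; its parser is a simplification (keywords compared case-insensitively, last line wins) and the two configs are constructed from the output posted in the thread.

```python
import re

RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")  # one attr=value RDN; "tncionline" alone fails
SCOPES = {"base", "one", "sub"}
NSS_BASES = ("nss_base_passwd", "nss_base_shadow", "nss_base_group")

def parse_ldap_conf(text):
    """'keyword value' lines; keywords case-insensitive, last one wins (simplified parser)."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, value = (line.split(None, 1) + [""])[:2]
            conf[key.lower()] = value.strip()
    return conf

def check_dn(dn):
    """Return a problem description, or None if dn is a clean attr=value,attr=value DN."""
    if ", " in dn:
        return "has a space after a comma; write the DN without spaces"
    bad = [rdn for rdn in dn.split(",") if not RDN_RE.match(rdn)]
    return "malformed RDN %s (expected attr=value)" % ", ".join(bad) if bad else None

def check_nss_base(value):
    """Validate the nss_base_<map> value syntax 'base?scope?filter' (scope, filter optional)."""
    parts = value.split("?")
    problem = check_dn(parts[0])
    if problem is None and len(parts) > 1 and parts[1] and parts[1] not in SCOPES:
        problem = "unknown scope %r (expected base, one or sub)" % parts[1]
    return problem

def lint(text):
    """Return the list of findings for an nss_ldap-style /etc/ldap.conf."""
    conf, findings = parse_ldap_conf(text), []
    problem = check_dn(conf["base"]) if "base" in conf else "missing"
    if problem:
        findings.append("base: " + problem)
    for key in NSS_BASES:  # each map wants its own search base and scope
        problem = check_nss_base(conf[key]) if key in conf else "missing; searched from base with the default scope"
        if problem:
            findings.append(key + ": " + problem)
    server = conf.get("uri") or conf.get("host", "")
    if conf.get("ssl", "no").lower() == "no" and not re.search(r"127\.0\.0\.1|localhost", server):
        findings.append("ssl no with a non-loopback server: binds and lookups cross the network in clear text")
    return findings

# Constructed inputs: the thread's /etc/ldap.conf as posted, then with its advice applied.
PETERS_CONF = """\
BASE dc=tncionline, dc=net
URI ldap://127.0.0.1
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
base dc=tncionline, dc=net
"""
FIXED_CONF = """\
uri ldap://127.0.0.1
base dc=tncionline,dc=net
nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group ou=Groups,dc=tncionline,dc=net?one
ssl no
"""
```

`lint(PETERS_CONF)` reports the spaced base DN and the three missing nss_base_* lines; `lint(FIXED_CONF)` returns an empty list.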
 
Old 12-16-2009, 08:02 PM
Peter Serwe
 
{Disarmed} Problems with nss_ldap - where to start?

getent still fails, now I'm getting can't connect messages again.

Dec 16 12:59:58 ldap nscd: nss_ldap: could not search LDAP server - Server is unavailable

Also, the People container was removed and not re-added when I re-created the tree with webmin,

hence, I modified the lines in /etc/ldap.conf to reflect:

nss_base_passwd dc=tncionline,dc=net
nss_base_shadow dc=tncionline,dc=net
nss_base_group dc=tncionline,dc=net

Peter


On Wed, Dec 16, 2009 at 12:47 PM, Craig White <craigwhite@azapple.com> wrote:

> On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> > I think not as well. The tactest user has been blown back out. I can
> > re-add it from ldif again.
> ----
> and by the way... don't waste time trying to authenticate users/groups
> that don't exist.
>
> If they don't show up when you give commands like...
>
> getent passwd
> getent group
>
> you aren't going to be able to authenticate... the system doesn't see
> them. You can't authenticate users that don't exist. Likewise, groups
> that don't exist or memberships to groups that don't exist are a
> problem.
>
> Craig



--
Peter Serwe
http://truthlightway.blogspot.com/

 
Old 12-16-2009, 08:10 PM
Peter Serwe
 
{Disarmed} Problems with nss_ldap - where to start?

I just had those users in there because I didn't want to attempt to hit ldap for known local users.

Peter

--
Peter Serwe
http://truthlightway.blogspot.com/

 
Old 12-16-2009, 08:16 PM
Peter Serwe
 
{Disarmed} Problems with nss_ldap - where to start?

On Wed, Dec 16, 2009 at 12:58 PM, Craig White <craigwhite@azapple.com> wrote:

> allow bind_anon_dn
>
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
>     by self write
>     by anonymous auth
>     by * none
>
> access to dn.regex="^uid=([^,]+),ou=People,dc=azapple,dc=com$$"
>     by self read
>     by anonymous auth
>     by * none
>
> # a bottom catchall rule...
> access to *
>     by anonymous read
>     by * read
>
> access to dn.base="cn=Subschema" by * read

Have all that now..

Had to take out the samba stuff, openldap complained on restart.

[root@ldap home]# getent passwd | grep example
[root@ldap home]#

Still nothing good from getent.

Peter

--
Peter Serwe
http://truthlightway.blogspot.com/

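The slapd.conf rules Peter applied above, run through a simplified first-match model of how slapd evaluates access directives; this is an added example, not code from the thread or from OpenLDAP. It shows that with the rules in this order an anonymous requester (which is how nss_ldap binds when no binddn is configured) is granted only `auth` on entries under ou=People, so an anonymous getent against that subtree cannot read account attributes, while putting the catch-all rule first would let anonymous read userPassword. Assumed: uid=example,ou=People,dc=azapple,dc=com and cn=admins,ou=Groups,dc=azapple,dc=com are constructed test DNs, and slapd features the thread does not use (dnattr, sets, the entry/children pseudo-attributes) are ignored.

```python
import re

# Privilege levels as slapd.access(5) ranks them; a grant implies every lower
# level (so "read" includes "search", "compare" and "auth").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

class AccessRule:
    """One 'access to <what> by <who> <level> ...' directive (simplified model)."""
    def __init__(self, by, dn_regex=None, attrs=None):
        self.dn_regex = re.compile(dn_regex) if dn_regex else None  # None: any entry
        self.attrs = {a.lower() for a in attrs} if attrs else None  # None: any attribute
        self.by = list(by)  # [(who, level), ...] in the order written in slapd.conf

    def covers(self, target_dn, attr):
        if self.dn_regex and not self.dn_regex.search(target_dn):
            return False
        return self.attrs is None or attr.lower() in self.attrs

def who_matches(who, requester_dn, target_dn):
    """The common <who> selectors; requester_dn None means an anonymous bind."""
    return (who == "*" or (who == "anonymous" and requester_dn is None)
            or (who == "users" and requester_dn is not None)
            or (who == "self" and requester_dn == target_dn))

def granted(rules, requester_dn, target_dn, attr):
    """First match wins: the first rule whose <what> covers the target decides, and
    inside it the first <who> that matches; no match at either level means 'none'."""
    for rule in rules:
        if rule.covers(target_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"
    return "none"

def allows(rules, requester_dn, target_dn, attr, needed):
    return LEVELS.index(granted(rules, requester_dn, target_dn, attr)) >= LEVELS.index(needed)

# Craig's three rules in the order he posted them.  The DN pattern carries the comma
# a real DN has after the uid value; the end anchor is a single $ in Python syntax.
PASSWORD_ATTRS = AccessRule([("self", "write"), ("anonymous", "auth"), ("*", "none")],
                            attrs=["userPassword", "sambaNTPassword", "sambaLMPassword"])
PEOPLE = AccessRule([("self", "read"), ("anonymous", "auth"), ("*", "none")],
                    dn_regex=r"^uid=([^,]+),ou=People,dc=azapple,dc=com$")
CATCHALL = AccessRule([("anonymous", "read"), ("*", "read")])
AS_POSTED = [PASSWORD_ATTRS, PEOPLE, CATCHALL]
CATCHALL_FIRST = [CATCHALL, PASSWORD_ATTRS, PEOPLE]  # the ordering mistake to avoid

USER = "uid=example,ou=People,dc=azapple,dc=com"  # constructed test DNs
GROUP = "cn=admins,ou=Groups,dc=azapple,dc=com"

if __name__ == "__main__":
    print("anonymous, uid of a People entry:", granted(AS_POSTED, None, USER, "uid"))
    print("anonymous, userPassword:", granted(AS_POSTED, None, USER, "userPassword"))
    print("catch-all first, anonymous userPassword:", granted(CATCHALL_FIRST, None, USER, "userPassword"))
```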
 
Old 12-16-2009, 08:35 PM
Craig White
 
{Disarmed} Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 13:02 -0800, Peter Serwe wrote:
> getent still fails, now I'm getting can't connect messages again.
>
> Dec 16 12:59:58 ldap nscd: nss_ldap: could not search LDAP server -
> Server is unavailable
>
> Also, the People container was removed and not re-added when I
> re-created the tree with webmin,
> hence, I modified the lines in /etc/ldap.conf to reflect:
>
> nss_base_passwd dc=tncionline,dc=net
> nss_base_shadow dc=tncionline,dc=net
> nss_base_group dc=tncionline,dc=net
----
I think I give up.

If you are going to ask for help and then discard - there's little
reason to try.

Craig


 
Old 12-16-2009, 08:38 PM
Peter Serwe
 
{Disarmed} Problems with nss_ldap - where to start?

Which part did I discard that was relevant?

I don't have a People container at the moment.

There was something that looked like ?one on the end of the string, I couldn't make sense of it.

Which part are you offended by the discard of?


Peter


--
Peter Serwe
http://truthlightway.blogspot.com/

 
Old 12-16-2009, 08:40 PM
Peter Serwe
 
{Disarmed} Problems with nss_ldap - where to start?

OMG.

My bad.

I thought ?one was an artifact of your copy of MailScanner.

I added it and logged in.

The People container is not present and I didn't put that back in.

I can now log in as "example@$host".


Peter

--
Peter Serwe
http://truthlightway.blogspot.com/

 
Old 12-16-2009, 08:42 PM
Peter Serwe
 
{Disarmed} Problems with nss_ldap - where to start?

And since I forgot. Thanks!

Silly question, is any of this documented anywhere?

Peter

--
Peter Serwe
http://truthlightway.blogspot.com/

 
Old 12-16-2009, 08:45 PM
Craig White
 
{Disarmed} Problems with nss_ldap - where to start?

On Wed, 2009-12-16 at 13:38 -0800, Peter Serwe wrote:
> Which part did I discard that was relevant?
>
> I don't have a People container at the moment.
>
> There was something that looked like ?one on the end of the string, I
> couldn't make sense of it.
>
> Which part are you offended by the discard of?
----
After we fix the nss-ldap stuff, you change the DSA. I have to laugh.

You are flailing and changing things and configurations far beyond where
you were an hour ago and so there is no way to know where you are at.

Suggestion... LDAP System Administration by Gerald Carter

It will teach you what you need to know. The book is pure spoon feeding
and makes it simple. I am sure that you will waste a ton of time if you
don't read this book.

Craig


 
