hi,
installed openldap and configured nslcd.conf and nsswitch.conf on debian
squeeze server.
At the moment getent passwd doesn't show ldap user.
I created a user nslcd_proc for nslcd lookups.
This user belongs to the System organizationalUnit.
You can see some checks.
FIRST SHELL
nslcd -d
nslcd: DEBUG: add_uri(ldap://localhost:389)
nslcd: version 0.7.15 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No
such file or directory
Opening /var/run/nslcd/socket it shows:
Error reading /var/run/nslcd/socket: No such device or address
Follow nslcd.conf and slapd.conf.
__________________________________________________ ________________
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost:389
# The search base that will be used for all queries.
base dc=amahoro,dc=bi
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi
bindpw *****
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
__________________________________________________ _________________
slapd.conf
#Basics
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
You need libnss-ldapd for the "ldap" rule in the lines above.
> At the moment getent passwd doesn't show ldap user.
> I created a user nslcd_proc for nslcd lookups.
> This user belongs to the System organizationalUnit.
This is unnecessary, nslcd functions fine without a DN.
> nslcd: [8b4567] DEBUG:
> ldap_simple_bind_s("uid=nslcd_proc,ou=System,dc=amahoro,dc=bi","***")
> (uri="ldap://localhost:389")
> nslcd: [8b4567] ldap_result() failed: No such object
Looks like LDAP can't find the DN in the repository. Can you log in
manually as this user?
AFAIK the openldap server (binary package is called slapd in Debian)
as packaged no longer uses that file. Instead the config is stored in an
LDAP repository (/etc/ldap/slapd.d) and modified by using LDIF-files.
--
Pelle
"D’ä e å, vett ja”, skrek ja, för ja ble rasen,
”å i åa ä e ö, hörer han lite, d’ä e å, å i åa ä e ö"
- Gustav Fröding, 1895
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAOURYnDjhQpbrZFYd4urzp5ux8hHXHbaGB1XmCucNCw=JYcTF w@mail.gmail.com
04-23-2012, 01:29 PM
stefano malini
getent passwd doesn't show ldap user
Hi Per,
thanks for reply.
> Did you install nslcd by itself or in companion with libnss-ldapd and
> libpam-ldapd?
nslcd was installed automatically when installing libnss-ldapd.
> What does your /etc/nsswitch.conf look like? Here are the relevant
> lines from mine:
This is my /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
> AFAIK the openldap server (binary package is called slapd in Debian)
> as packaged no longer uses that file. Instead the config is stored in an
> LDAP repository (/etc/ldap/slapd.d) and modified by using LDIF-files.
>> Did you install nslcd by itself or in companion with libnss-ldapd and
>> libpam-ldapd?
>
> nslcd was installed automatically when installing libnss-ldapd.
Ok.
> This is my /etc/nsswitch.conf:
>
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
That's fine.
>> This is unnecessary, nslcd functions fine without a DN.
>
> ok, i removed it
Try stopping the caching daemon ("sudo service nscd stop") and try
again. getent still doesn't resolve?
I'm not 100% sure, but LDAP might be needed in pam as well.
Installing libpam-ldapd should do that automatically. Look for
"pam_ldap.so" in /etc/pam.d/common-{auth,password,session}
>> Looks like LDAP can't find the DN in the repository. Can you log in
>> manually as this user?
>
> Trying your command:
> root@amahoro:~# ldapsearch -xW -D
> "uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" -H ldapi:///
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
That explains why nslcd didn't succeed binding.
> I don't know why but trying with this:
>
> root@amahoro:~# ldapsearch -xW -D "cn=Manager,dc=amahoro,dc=bi"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=amahoro,dc=bi> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> I don't understand where is wrong.
Are you sure you have a working LDAP-database? Make sure you can
resolve things manually first. When that is working you can continue
working on nslcd.
>> Do you have a slapd.conf? Have you compiled it from source or
>> installed as a Debian package?
>
> I installed it as a Debian package:
>
> root@amahoro:~# apt-cache policy slapd
>
> slapd:
>   Installed: 2.4.23-7.2
>   Candidate: 2.4.23-7.2
>   Version table:
>  *** 2.4.23-7.2 0
>         500 http://ftp.us.debian.org/debian/ squeeze/main i386 Packages
>         100 /var/lib/dpkg/status
In that case the configuration isn't done by slapd.conf. Check out the
documentation: "zless /usr/share/doc/slapd/README.Debian.gz"
> What do you think?
This command should give you the suffix and ACL's and some more info
(assuming a HDB database):
"D’ä e å, vett ja”, skrek ja, för ja ble rasen,
”å i åa ä e ö, hörer han lite, d’ä e å, å i åa ä e ö"
- Gustav Fröding, 1895
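
A small triage helper for the failures discussed in this thread, added here as an example (it is not code from the thread or from the nslcd or OpenLDAP projects). It reads base and binddn from an nslcd.conf, checks that the bind DN sits under the search base, flags a config file readable by "other" (it holds bindpw), and maps the two error lines quoted above to a likely cause. All function names and output keywords are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# conf_get KEY FILE: value of the first uncommented "KEY value" line in nslcd.conf.
conf_get() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# norm_dn DN: lower-case a DN and drop spaces after commas for comparison.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# dn_under_base DN BASE: succeed when DN equals BASE or ends with ",BASE".
# A bind DN that lies outside the configured search base deserves a second look.
dn_under_base() {
    dn=$(norm_dn "$1"); base=$(norm_dn "$2")
    case "$dn" in
        "$base"|*,"$base") return 0 ;;
        *) return 1 ;;
    esac
}

# conf_mode_ok FILE: nslcd.conf holds bindpw in clear text, so succeed only
# when the "other" permission bits are all off (e.g. mode 640, not 644).
conf_mode_ok() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# triage_ldap: read ldapsearch or "nslcd -d" output on stdin and print one
# keyword per recognised failure line, in input order.
triage_ldap() {
    while IFS= read -r line; do
        case "$line" in
            *"Invalid credentials (49)"*)
                # slapd answers 49 for a wrong password and also for a bind
                # DN that does not exist, so check that the entry was loaded.
                echo "bind-rejected" ;;
            *"result: 32 No such object"*|*"failed: No such object"*)
                # The search base (or the entry asked for) is not in the
                # directory, e.g. the suffix entry was never added from LDIF.
                echo "entry-or-base-missing" ;;
        esac
    done
}
```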
04-23-2012, 03:24 PM
stefano malini
getent passwd doesn't show ldap user
Hi Per,
> Try stopping the caching daemon ("sudo service nscd stop") and try
> again. getent still doesn't resolve?
i tried without success
> I'm not 100% sure, but LDAP might be needed in pam as well.
> Installing libpam-ldapd should do that automatically. Look for
> "pam_ldap.so" in /etc/pam.d/common-{auth,password,session}
i installed it and common-* files are updated automatically but it
didn't resolve it.
> Are you sure you have a working LDAP-database? Make sure you can
> resolve things manually first. When that is working you can continue
> working on nslcd.
something is improved! now i can log manually, there was an error, a big
error, i didn't insert the root as ldif in the directory. Very big error!
Anyway, the problem with getent passwd is still there:
This is the output of nslcd -d when typing getent passwd from another shell:
nslcd: DEBUG: add_uri(ldap://localhost:389)
nslcd: version 0.7.15 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No
such file or directory