I've set up ldap-auth-config and libpam-ldap correctly, I think, so
that it queries the LDAP server when I ask for a user (it takes long
enough that I think it's contacting the server), but it can't find the
user.
sysadmin@server3:~$ id testuser
id: testuser: No such user
I suspect my ACLs are wrong, but I think anonymous users should be
able to authenticate users. Here's the ACL stuff:
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=dupontmanual,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=dupontmanual,dc=org" write by * read
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Can anyone see what's going wrong? Or does anyone know what command
PAM is running to try to id/auth the user so that I could run that
command myself and see what's going wrong?
Todd
--
edubuntu-users mailing list
edubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
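As an added example, not part of the original post: a simplified Python model of how slapd evaluates the three olcAccess rules quoted above (first matching `to`, then first matching `by`), to check what an anonymous bind is granted. The entry DN under `ou=people` is a constructed placeholder, and only the `<what>`/`<who>` forms that appear in these rules are supported.

```python
import re

# olcAccess values copied from the post above (folded line rejoined).
ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=dupontmanual,dc=org" '
    'write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=admin,dc=dupontmanual,dc=org" write by * read',
]
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
USER = "uid=testuser,ou=people,dc=dupontmanual,dc=org"  # constructed DN (assumption)

def parse(value):
    # Split one olcAccess value into (index, what, [(who, level), ...]).
    m = re.match(r'\{(\d+)\}to\s+(\S+)\s+(.*)', value)
    return int(m.group(1)), m.group(2), re.findall(r'by\s+(\S+)\s+(\S+)', m.group(3))

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[8:].strip('"').lower()
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported <who>: " + who)

def access(bind_dn, entry_dn, attr, acls=ACLS):
    # First matching <what> wins, then first matching <who>; otherwise none.
    for _, what, clauses in sorted(parse(a) for a in acls):
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"  # implicit trailing "by * none"
    return "none"  # directives exist but none matched

def allowed(bind_dn, entry_dn, attr, needed):
    return LEVELS.index(access(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

Under these rules an anonymous bind (`bind_dn=None`) gets `read` on every attribute except `userPassword` and `shadowLastChange`, where it gets `auth` only.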
10-29-2009, 12:52 PM
Asmo Koskinen
OpenLDAP authentication
Todd O'Bryan wrote:
> I'm trying to set up LDAP authentication and I think I'm almost there.
> Can anyone see what's going wrong? Or does anyone know what command
> PAM is running to try to id/auth the user so that I could run that
> command myself and see what's going wrong?
I do not use this setup in any real server in production, but I know
this howto works. Hope you find something useful.
Best Regards Asmo Koskinen.
10-29-2009, 01:28 PM
"Todd O'Bryan"
OpenLDAP authentication
I looked through this, but it had some problems:
1. It doesn't use the cn=config style configuration within the LDAP
database itself that they're pushing with OpenLDAP 2.4.
2. It says to use openssl to create the certificates, which I have
been unable to get working with the latest version of openldap. I had
to use GnuTLS's certtool instead.
3. It depends on webmin, which I'd prefer to avoid, if I can.
I will happily write all this up when I get it working and can
replicate it. (I need to use it on three servers, so I'll have to have
instructions that work.)
Todd
On Thu, Oct 29, 2009 at 9:52 AM, Asmo Koskinen <asmo.koskinen@arkki.info> wrote:
> Todd O'Bryan wrote:
>
>> I'm trying to set up LDAP authentication and I think I'm almost there.
>
>> Can anyone see what's going wrong? Or does anyone know what command
>> PAM is running to try to id/auth the user so that I could run that
>> command myself and see what's going wrong?
>
> Have you seen this one?
>
> https://help.ubuntu.com/community/UbuntuLTSP/OpenLDAP_NFS_SSL
>
> I do not use this setup in any real server in production, but I know this
> howto works. Hope you find something useful.
>
> Best Regards Asmo Koskinen.
>
10-29-2009, 01:44 PM
Asmo Koskinen
OpenLDAP authentication
Todd O'Bryan wrote:
> I will happily write all this up when I get it working and can
> replicate it. (I need to use it on three servers, so I'll have to have
> instructions that work.)
I'll try my own howto tonight with my own howto for LTSP-Cluster on KVM-server.
10-29-2009, 10:57 PM
"Todd O'Bryan"
OpenLDAP authentication
Finally, today, I was able to id and su to a user in the LDAP database
who wasn't on the local machine. I'll write up my long, painful saga
and post it somewhere.
Apparently, 9.10 doesn't bother to install any kind of basic LDAP
database when you install the packages, so someone will have to add
new code to get what I did on 9.04 to work on 9.10.
Todd
On Thu, Oct 29, 2009 at 4:16 PM, Asmo Koskinen <asmo.koskinen@arkki.info> wrote:
> Todd O'Bryan wrote:
>
>> 1. It doesn't use the cn=config style configuration within the LDAP
>> database itself that they're pushing with OpenLDAP 2.4.
>
> Yes, this is really changed from 8.04 to 9.10.
>
> http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html
>
> I'll try to figure out this new way.
>
> "The old style slapd.conf(5) file is still supported, but must be converted
> to the new slapd-config(5) format to allow runtime changes to be saved."
>
> http://www.openldap.org/doc/admin24/slapdconf2.html
>
> Best Regards Asmo Koskinen.
>
>
10-30-2009, 06:57 AM
Asmo Koskinen
OpenLDAP authentication
Todd O'Bryan wrote:
> Finally, today, I was able to id and su to a user in the LDAP database
> who wasn't on the local machine. I'll write up my long, painful saga
> and post it somewhere.
>
> Apparently, 9.10 doesn't bother to install any kind of basic LDAP
> database when you install the packages, so someone will have to add
> new code to get what I did on 9.04 to work on 9.10.
Well, I'll try fresh/latest/greatest stable one source package tonight.
Official guide is for same version (20091028).
10-30-2009, 12:13 PM
"Todd O'Bryan"
OpenLDAP authentication
On Fri, Oct 30, 2009 at 3:57 AM, Asmo Koskinen <asmo.koskinen@arkki.info> wrote:
> Todd O'Bryan wrote:
>
>> Finally, today, I was able to id and su to a user in the LDAP database
>> who wasn't on the local machine. I'll write up my long, painful saga
>> and post it somewhere.
>>
>> Apparently, 9.10 doesn't bother to install any kind of basic LDAP
>> database when you install the packages, so someone will have to add
>> new code to get what I did on 9.04 to work on 9.10.
>
> Well, I'll try fresh/latest/greatest stable one source package tonight.
> Official guide is for same version (20091028).
>
> ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20091028.tgz
>
> OpenLDAP Software 2.4 Administrator's Guide
> The OpenLDAP Project <http://www.openldap.org/>
> 28 October 2009
>
> http://www.openldap.org/doc/admin24/
>
> There are too many problems with Ubuntu's own package - an example:
>
> https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/364531/comments/12
>
> Best Regards Asmo Koskinen.
>
I agree. It seems whoever is maintaining the slapd package has dropped
the ball pretty spectacularly, both with documentation and install
configuration. I tried last summer to learn enough about packaging
that I could be helpful in situations like this, but I didn't get very
far. And with school in session and me teaching six classes, I won't
have time to learn something new until winter break.
Todd