Old 05-18-2011, 11:22 AM
"Neuhold Christian (TSA)"
 
NIS 389 Directory Server

Hello, for user authentication we use NIS on a Solaris System. Solaris 7/8/9 and Redhat 4/5 access this domain. Now I want to migrate to fedora directoryserver.

What I have done:

* Installed Redhat 5 x86_64
* Installed 389 from EPEL
* Imported NIS Data into 389 with LdapImport from Babel
* Authentication over LDAP and LDAP SSL works. (POSIX Accounts)
* Installed slapi-nis 0.24
* Configured slapi-nis with nis-getting-started.txt

Working:

* Providing NIS MAPS

[root@xxxx ~]# ypwhich -m
users sux7292v.xxx.com
passwd.byuid xxx.xx.com
passwd.byname xxx.xx.com
group.byname xxx.xx.com
group.bygid xxx.xx.com
[root@xxx ~]#

* Get passwd and groups

[root@xxx slapd-xxx]# ypcat passwd | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh

My problem:

Authentication is not working, login is not possible.

My dse.ldif (only nis entries):

dn: cn=NIS Server,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: NIS Server
nsslapd-pluginPath: nisserver-plugin.so
nsslapd-pluginInitfunc: nis_plugin_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginDescription: NIS Server Plugin
nsslapd-pluginVendor: redhat.com
nsslapd-pluginVersion: 0.24
nsslapd-pluginId: nis-plugin
nis-tcp-wrappers-name: ypserv
nsslapd-pluginarg0: 541
modifiersName: cn=directory manager
modifyTimestamp: 20110517110053Z
numSubordinates: 5

dn: nis-domain=xxx+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: group.bygid
nis-base: ou=Groups, dc=xxx, dc=com

dn: nis-domain=xxx+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: group.byname
nis-base: ou=Groups, dc=xxx, dc=com

dn: nis-domain=xxx+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: passwd.byname
nis-base: ou=People, dc=xxx, dc=com

dn: nis-domain=xxx+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: passwd.byuid
nis-base: ou=People, dc=xxx, dc=com

ypcat passwd old system:

[root@xxx slapd-xxx]# ypcat passwd | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh

ypcat passwd new system:

[root@xxx ~]# ypcat passwd | grep tst
tst:xOf6bdfgZsCsA:1346:21:Test:/user/tst:/bin/csh

Is it possible to provide the password hash with slapi-nis/389-directory server?

Thanks, br cnu80

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 05-18-2011, 03:27 PM
Nalin Dahyabhai
 
NIS 389 Directory Server

On Wed, May 18, 2011 at 01:22:21PM +0200, Neuhold Christian (TSA) wrote:
> ypcat passwd old system:
>
> [root@xxx slapd-xxx]# ypcat passwd | grep tst
>
> tst:*:1346:21:Test:/user/tst:/bin/csh
>
> ypcat passwd new system:
>
> [root@xxx ~]# ypcat passwd | grep tst
>
> tst:xOf6bdfgZsCsA:1346:21:Test:/user/tst:/bin/csh
>
> Is it possible to provide the password hash with
> slapi-nis/389-directory server?

It should be. It's certainly the intention, at least.

By default, if an entry's userPassword attribute contains a
crypt-compatible hash (i.e., if it's marked as such by starting with
"{CRYPT}"), the value will be provided to clients as part of the entry
in the two passwd maps. Just to be clear, that's what you're after,
right?

Do you have the LDIF for a sample user?

HTH,

Nalin
 
Old 05-18-2011, 08:28 PM
"Neuhold Christian (TSA)"
 
NIS 389 Directory Server

Hello, thanks for the tip with "{CRYPT}". I made some testing and played with nis-value-format:

[root@xxx ~]# ypcat users | grep tst
tst:{crypt}xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh

--> Definition from users in dse.ldif:
dn: nis-domain=amsint+nis-map=users,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: amsint
nis-map: users
nis-base: ou=People, dc=amsint, dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%{userPassword}:%{uidNumber}:%{gidNumber}:%{cn}:%{homeDirectory}:%{loginShell}

--> So I tried with this definition:
dn: nis-domain=amsint+nis-map=users2,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: amsint
nis-map: users2
nis-base: ou=People, dc=amsint, dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%regsub("%{userPassword}","^{crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}

--> {crypt} vs. {CRYPT} but still:
[root@xxx ~]# ypcat users2 | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh

--> So I tried again with:
dn: nis-domain=amsint+nis-map=users3,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: amsint
nis-map: users3
nis-base: ou=People, dc=amsint, dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%regsub("%{userPassword}","crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}

--> {crypt} vs. crypt} and now:
[root@xxx ~]# ypcat users3 | grep tst
tst:xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh

But why?

Br, cnu80


 
Old 05-18-2011, 09:25 PM
Nalin Dahyabhai
 
NIS 389 Directory Server

On Wed, May 18, 2011 at 10:28:49PM +0200, Neuhold Christian (TSA) wrote:
> Hello, thanks for tip with "{CRYPT}". I made some testing and played with nis-value-format:
>
> [root@xxx ~]# ypcat users | grep tst
> tst:{crypt}xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh
>
> --> Definition from users in dse.ldif:
> dn: nis-domain=amsint+nis-map=users,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> objectClass: top
> nis-domain: amsint
> nis-map: users
> nis-base: ou=People, dc=amsint, dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format: %{uid}:%{userPassword}:%{uidNumber}:%{gidNumber}:%{cn}:%{homeDirectory}:%{loginShell}

That's probably not a good idea -- if you have a plaintext user
password, it'll show up in this field as plaintext. If you have
passwords hashed using mechanisms other than crypt() (like {SSHA}) the
hashes will show up here even though your client machines won't know
what to do with them, but that's less of an issue.

> --> So I tried with this definition:
> dn: nis-domain=amsint+nis-map=users2,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> objectClass: top
> nis-domain: amsint
> nis-map: users2
> nis-base: ou=People, dc=amsint, dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format: %{uid}:%regsub("%{userPassword}","^{crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}
>
> --> {crypt} vs. {CRYPT} but still:
> [root@xxx ~]# ypcat users2 | grep tst
> tst:*:1346:21:Test:/user/tst:/bin/csh

Quoting gets pretty complicated rather quickly here -- the way you've
written this expression, I think you'd want to start with "^\\{" to
include a literal "\" in the regular expression. You can run
"nisserver-plugin-defs -m passwd.byname" to pull up the defaults.

> --> So I tried again with:
> dn: nis-domain=amsint+nis-map=users3,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> objectClass: top
> nis-domain: amsint
> nis-map: users3
> nis-base: ou=People, dc=amsint, dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format: %{uid}:%regsub("%{userPassword}","crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}
>
> --> {crypt} vs. crypt} and now:
> [root@xxx ~]# ypcat users3 | grep tst
> tst:xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh
>
> But why ?

The "{CRYPT}" prefix is checked for in a case-sensitive manner, so if
the values you have actually start with "{crypt}", then that'd explain
why this nis-value-format causes the desired value to show up and the
default doesn't.

HTH,

Nalin
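To make the case-sensitivity point in this reply concrete, here is an added Python emulation of the %regsub() logic (example code written for this page, not slapi-nis code), run over constructed sample userPassword values; the pattern strings are assumptions modelled on Nalin's description of a case-sensitive "{CRYPT}" check, not the plugin's verbatim defaults. It also shows what the unfiltered %{userPassword} format would publish, and which entries an administrator should audit before enabling it.

```python
import re

# Constructed sample entries (not from the thread); the hash strings are
# made-up placeholders, "tst" mirrors the thread's user with a {crypt} prefix.
SAMPLE_ENTRIES = [
    {"uid": "tst", "userPassword": "{crypt}xOf6b2C9ZsCsA", "uidNumber": "1346",
     "gidNumber": "21", "cn": "Test", "gecos": "Test",
     "homeDirectory": "/user/tst", "loginShell": "/bin/csh"},
    {"uid": "alice", "userPassword": "{CRYPT}AbCdEfGhIjKlM", "uidNumber": "1347",
     "gidNumber": "21", "cn": "Alice", "homeDirectory": "/user/alice",
     "loginShell": "/bin/bash"},
    {"uid": "bob", "userPassword": "{SSHA}c2FsdGVkLWhhc2gtcGxhY2Vob2xkZXI=",
     "uidNumber": "1348", "gidNumber": "21", "cn": "Bob",
     "homeDirectory": "/user/bob", "loginShell": "/bin/bash"},
    {"uid": "carol", "userPassword": "plaintext-secret", "uidNumber": "1349",
     "gidNumber": "21", "cn": "Carol", "homeDirectory": "/user/carol",
     "loginShell": "/bin/bash"},
]

# Assumed pattern texts modelled on Nalin's description of a case-sensitive
# "{CRYPT}" check, not the plugin's verbatim defaults. Python's re, unlike
# POSIX regcomp(), tolerates a bare "{", so the braces are escaped explicitly.
DEFAULT_PATTERN = r"^\{CRYPT\}(..*)"
LOWERCASE_PATTERN = r"^\{crypt\}(..*)"


def regsub(value, pattern, replacement, fallback):
    """Emulate slapi-nis %regsub(): expand %1..%9 from the match, else fallback."""
    m = re.search(pattern, value)
    if m is None:
        return fallback
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace("%%%d" % i, group or "")
    return out


def passwd_field(user_password, pattern=DEFAULT_PATTERN):
    """Second passwd field: the bare crypt hash, or "*" when the value is unusable."""
    return regsub(user_password, pattern, "%1", "*")


def render_passwd_line(entry, pattern=DEFAULT_PATTERN):
    """passwd-map value as the filtered nis-value-format builds it, including its
    %{gecos:-%{cn:-Some Unnamed User},,,} and %{loginShell:-/bin/bash} defaults."""
    gecos = entry.get("gecos") or entry.get("cn", "Some Unnamed User") + ",,,"
    return ":".join([entry["uid"], passwd_field(entry["userPassword"], pattern),
                     entry["uidNumber"], entry["gidNumber"], gecos,
                     entry["homeDirectory"], entry.get("loginShell", "/bin/bash")])


def render_unfiltered_line(entry):
    """The unfiltered %{userPassword} format from the thread: copies the raw attribute."""
    return ":".join([entry["uid"], entry["userPassword"], entry["uidNumber"],
                     entry["gidNumber"], entry["cn"], entry["homeDirectory"],
                     entry["loginShell"]])


def audit_unfiltered_exposure(entries):
    """uids whose raw userPassword is not a {crypt}/{CRYPT} hash and would be
    published verbatim (plaintext or a non-crypt scheme) by the unfiltered format."""
    return [e["uid"] for e in entries
            if not re.match(r"\{crypt\}", e["userPassword"], re.IGNORECASE)]
```

With the case-sensitive pattern the "{crypt}" entry renders as "*", exactly the users2 result in the thread, while the lowercase pattern yields the bare hash; the audit lists the {SSHA} and plaintext entries that the unfiltered format would hand to every NIS client.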
 
Old 05-19-2011, 07:29 AM
"Neuhold Christian (TSA)"
 
NIS 389 Directory Server

Hello, thank you.

I changed passwd.byname and passwd.byuid map from

crypt}(..*)
to
^{crypt}(..*)

It works perfectly. Thanks for help!!!

Do you know if command passwd is possible? Because I get:
xxxxx tst# passwd
Changing password for user tst.
Changing password for tst
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: Failed preliminary check by password service

Br, cnu80


 
Old 05-19-2011, 02:09 PM
Nalin Dahyabhai
 
NIS 389 Directory Server

On Thu, May 19, 2011 at 09:29:15AM +0200, Neuhold Christian (TSA) wrote:
> Hello, thank you.
>
> I changed passwd.byname and passwd.byuid map from
>
> crypt}(..*)
> to
> ^{crypt}(..*)
>
> It works perfectly. Thanks for help!!!
>
> Do you know if command passwd is possible? Because I get:
> xxxxx tst# passwd
> Changing password for user tst.
> Changing password for tst
> (current) UNIX password:
> New UNIX password:
> Retype new UNIX password:
> passwd: Failed preliminary check by password service

Sorry, but the module doesn't implement the yppasswd protocol (which is
also used for ypchfn and ypchsh). You'll need to use the web gateway or
other native LDAP tools for that.

A change request in that protocol includes the current password in
unhashed, unencrypted form, so I don't expect to add support for it in
the future.

HTH,

Nalin
 