Old 06-22-2011, 03:18 AM
Clint Dilks

Help getting an Ubuntu Client to work with 389 Directory Server - specifically Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

Hi,

Can anyone point me to some good documentation that shows how
to get Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64) working as a
client with 389 Directory Server?

I have tried following https://help.ubuntu.com/community/FedoraDirectoryServerClientHowto but it seems to be old. /etc/pam_ldap.conf being replaced by /etc/ldap.conf.

From my experience setting up CentOS clients I expected there to also be a config file similar to /etc/openldap/ldap.conf. It appears this is /etc/ldap/ldap.conf.

I have also looked at https://help.ubuntu.com/community/LDAPClientAuthentication

I then came across https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html#openldap-auth-config

And did

sudo dpkg-reconfigure ldap-auth-config
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update

Currently a getent passwd or getent group is not returning any results from ldap. We can see the client making connections but it doesn't seem to be asking for any information.




ldapsearch -vv -x -b 'ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz ' '(objectclass=*)' appears to work correctly.

Below are the two main config files

cat /etc/ldap.conf | grep -v '^#' | grep -v '^$'

base ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz
ldap_version 3
pam_member_attribute uniquemember
pam_password clear
uri ldap://inf2.cms.waikato.ac.nz/
tls_cacertdir /etc/ssl/certs
pam_password_prohibit_message Please visit https://secure.scms.waikato.ac.nz/password/ to change your password.
ssl start_tls
nss_base_passwd     ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz? sub
nss_base_shadow     ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz? sub
nss_base_group      ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz? sub
nss_base_netgroup   ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz? sub
nss_map_attribute uniqueMember memberUid
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,nagios,news,ntp,postfix,proxy,root,sshd,sync,sys,syslog,uucp,www-data
nss_reconnect_tries 5         # no. of times to double the sleep time
nss_reconnect_sleeptime 4     # initial sleep value
nss_reconnect_maxsleeptime 64 # max sleep value to cap at
nss_reconnect_maxconntries 2

cat /etc/ldap/ldap.conf | grep -v '^#' | grep -v '^$'

URI ldap://inf2.cms.waikato.ac.nz/
BASE ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz
TLS_CACERTDIR /etc/ssl/certs

From /var/log/auth we see

Jun 22 13:52:28 wdm2 getent: nss_ldap: reconnecting to LDAP server...
Jun 22 13:52:28 wdm2 getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Jun 22 13:52:32 wdm2 getent: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Jun 22 13:56:50 wdm2 getent: nss_ldap: reconnecting to LDAP server...
Jun 22 13:56:50 wdm2 getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Jun 22 13:56:54 wdm2 getent: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Jun 22 13:57:02 wdm2 getent: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

To see all config files go to http://www.scms.waikato.ac.nz/~clintd/ubuntu-ldap/etc/

Thank you for any insight you can offer relating to this issue.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 06-22-2011, 07:35 AM
Angel Bosch Mora
 
Default Help getting an Ubuntu Client to work with 389 Directory Server - specifically Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

----- Original message -----
> Hi,
>
> Can anyone point me to some good documentation that shows how to get
> Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64) working as a client
> with 389 Directory Server?
>

you need getent passwd to return results before getting into pam.

you can start with a very simple /etc/ldap.conf configuration:

base dc=waikato,dc=ac,dc=nz
uri ldap://inf2.cms.waikato.ac.nz/
ldap_version 3
pam_password md5

try to stay as high on the tree as you can and be sure you configure /etc/nsswitch.conf with ldap.

does that give any result?

abosch


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 06-23-2011, 12:13 AM
Clint Dilks
 
Default Help getting an Ubuntu Client to work with 389 Directory Server - specifically Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

Hi,

Thanks for your suggestion

Stripping our config back as you suggested showed that we could get an unsecured connection to the server but that any time we tried using a secure connection no result would be returned.

We had specified tls_cacertdir and thought that the system would find the required cert. But it turns out that we need to specify tls_cacertfile and point it at the correct cert.

Have a nice day


On Wed, Jun 22, 2011 at 7:35 PM, Angel Bosch Mora <angbosch@conselldemallorca.net> wrote:

> ----- Original message -----
> > Hi,
> >
> > Can anyone point me to some good documentation that shows how to get
> > Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64) working as a client
> > with 389 Directory Server?
> >
>
> you need getent passwd to return results before getting into pam.
>
> you can start with a very simple /etc/ldap.conf configuration:
>
>     base dc=waikato,dc=ac,dc=nz
>     uri ldap://inf2.cms.waikato.ac.nz/
>     ldap_version 3
>     pam_password md5
>
> try to stay as high on the tree as you can and be sure you configure /etc/nsswitch.conf with ldap.
>
> does that give any result?
>
> abosch
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
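As an added example (not code from this thread or from 389/nss_ldap), a small Python lint for an nss_ldap-style /etc/ldap.conf that flags the trust-store problem Clint hit: tls_cacertdir only works when the directory holds OpenSSL hash-named CA links, so a config that relies on it without them, or that names no CA at all, is reported, while tls_cacertfile passes. The sample config is constructed from the one quoted above, and the hash-link naming check is the example's own assumption.

```python
import os
import re

# Constructed sample: the client's ldap.conf from the thread, reduced to the
# keys that matter for the TLS trust problem it hit.
SAMPLE_CONF = """\
base ou=Active,ou=People,dc=cms,dc=waikato,dc=ac,dc=nz
ldap_version 3
uri ldap://inf2.cms.waikato.ac.nz/
ssl start_tls
tls_cacertdir /etc/ssl/certs
"""

# OpenSSL's CApath lookup wants links named <8 hex digits>.<n> (what c_rehash makes).
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")

def parse_ldap_conf(text):
    """Parse nss_ldap syntax: 'key<whitespace>value', '#' comments, keys case-folded."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def dir_has_hash_links(path):
    """True if `path` holds at least one hash-named CA entry, so CApath lookup works."""
    try:
        return any(HASH_LINK.match(name) for name in os.listdir(path))
    except OSError:
        return False

def check_tls(conf, cacertdir_ok=None):
    """Return findings about transport security and CA trust; cacertdir_ok
    overrides the on-disk directory check so the logic can run offline."""
    findings = []
    uri = conf.get("uri", "")
    start_tls = conf.get("ssl", "").lower() == "start_tls"
    if not (uri.startswith("ldaps://") or start_tls):
        findings.append("cleartext: no ldaps:// URI and no 'ssl start_tls'")
    if "tls_cacertfile" in conf:
        return findings  # one CA file: no hashed directory needed
    cadir = conf.get("tls_cacertdir")
    if cadir is None:
        findings.append("no tls_cacertfile or tls_cacertdir: server cert unverified")
    elif not (dir_has_hash_links(cadir) if cacertdir_ok is None else cacertdir_ok):
        findings.append("tls_cacertdir has no hash-named CA links; set tls_cacertfile")
    return findings
```

Run `check_tls(parse_ldap_conf(open("/etc/ldap.conf").read()))` on a client host to use the real directory check.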