ldapsearch is fine but from authentication purpose its not doing anything
In another mail I told you: use authconfig, authconfig-tui or system-config-authentication to set up the system for LDAP authentication. For example, authconfig-tui has a simple text-based interface, authconfig is CLI-based and requires arguments. Finally, system-config-authentication has a GUI.
28-07-2012 16:50, "Fosiul Alam" <fosiul@gmail.com> wrote:
Hi
I have set up the LDAP server and from the client it's returning, for example:
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
07-28-2012, 04:58 PM
Fosiul Alam
ldapsearch is fine but from authentication purpose its not doing anything
Hi, yes. I am not using the IP; I am using the full host name.
This is my nsswitch:
cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
On Sat, Jul 28, 2012 at 7:13 PM, Grzegorz Dwornicki <gd1100@gmail.com> wrote:
> Do you have nss_ldap installed?
>
> 28-07-2012 18:58, "Fosiul Alam" <fosiul@gmail.com> wrote:
>
>> Hi, yes. I am not using the IP; I am using the full host name.
>>
>> This is my nsswitch:
>>
>> cat /etc/nsswitch.conf
>> #
>> # /etc/nsswitch.conf
>> #
>> # An example Name Service Switch config file. This file should be
>> # sorted with the most-used services at the beginning.
>> #
>> # The entry '[NOTFOUND=return]' means that the search for an
>> # entry should stop if the search in the previous entry turned
>> # up nothing. Note that if the search failed due to some other reason
>> # (like no NIS server responding) then the search continues with the
>> # next entry.
>> #
>> # Legal entries are:
>> #
>> # nisplus or nis+ Use NIS+ (NIS version 3)
>> # nis or yp Use NIS (NIS version 2), also called YP
>> # dns Use DNS (Domain Name Service)
>> # files Use the local files
>> # db Use the local database (.db) files
>> # compat Use NIS on compat mode
>> # hesiod Use Hesiod for user lookups
>> # [NOTFOUND=return] Stop searching if not found so far
>> #
>>
>> # To use db, put the "db" in front of "files" for entries you want to be
>> # looked up first in the databases
>> #
>> # Example:
>> #passwd: db files nisplus nis
>> #shadow: db files nisplus nis
>> #group: db files nisplus nis
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>> #hosts: db files nisplus nis dns
>> hosts: files dns
>>
>> # Example - obey only what nisplus tells us...
>> #services: nisplus [NOTFOUND=return] files
>> #networks: nisplus [NOTFOUND=return] files
>> #protocols: nisplus [NOTFOUND=return] files
>> #rpc: nisplus [NOTFOUND=return] files
>> #ethers: nisplus [NOTFOUND=return] files
>> #netmasks: nisplus [NOTFOUND=return] files
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files
>> rpc: files
>> services: files
>>
>> netgroup: files ldap
>>
>> publickey: nisplus
>>
>> automount: files ldap
>> aliases: files nisplus
>>
>> sudoers: files ldap
>>
>>
>> and /etc/ldap
>>
>> [root@home cacerts]# grep -v "^#" /etc/ldap.conf | sed -e '/^$/d'
>> base dc=fosiul,dc=lan
>>
>> timelimit 120
>> bind_timelimit 120
>> idle_timelimit 3600
>> #nss_base_passwd ou=users,l=uk,dc=fosiul,dc=lan,?one
>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
>> uri ldap://ldap-2.fosiul.lan/
>> ssl start_tls
>> tls_cacertfile /etc/openldap/cacerts/ds-ca.crt
>> pam_password clear
>>
>>
>> On Sat, Jul 28, 2012 at 5:23 PM, Grzegorz Dwornicki <gd1100@gmail.com> wrote:
>> > I assume you are using TLS. You need to use the FQDN, not the IP, of the CentOS directory server, and configure the firewall for port 389 or 636.
>> >
>> > Please send the contents of /etc/nsswitch.conf and /etc/ldap.conf
>> >
>> > 28-07-2012 18:13, "Fosiul Alam" <fosiul@gmail.com> wrote:
>> >
>> >> Hi,
>> >> I configured another PC with authconfig-tui, but there is no luck; it's the same thing.
>> >>
>> >> Fosiul
>> >>
>> >> On Sat, Jul 28, 2012 at 4:04 PM, Grzegorz Dwornicki <gd1100@gmail.com> wrote:
>> >> > In another mail I told you: use authconfig, authconfig-tui or system-config-authentication to set up the system for LDAP authentication.
>> >> > For example, authconfig-tui has a simple text-based interface, authconfig is CLI-based and requires arguments. Finally, system-config-authentication has a GUI.
>> >> >
>> >> > 28-07-2012 16:50, "Fosiul Alam" <fosiul@gmail.com> wrote:
>> >> >>
>> >> >> Hi
>> >> >> I have set up the LDAP server and from the client it's returning, for example:
>> >> >>
>> >> >> [root@home ~]# ldapsearch -x -ZZ -D "cn=Directory manager" -w xxx -h ldap-2.fosiul.lan -b "dc=fosiul,dc=lan" "(cn=Fosiul Alam)"
>> >> >> # extended LDIF
>> >> >> #
>> >> >> # LDAPv3
>> >> >> # base <dc=fosiul,dc=lan> with scope subtree
>> >> >> # filter: (cn=Fosiul Alam)
>> >> >> # requesting: ALL
>> >> >> #
>> >> >>
>> >> >> # falam, users, uk, fosiul.lan
>> >> >> dn: uid=falam,ou=users,l=uk,dc=fosiul,dc=lan
>> >> >> givenName: Fosiul
>> >> >> sn: Alam
>> >> >> loginShell: /bin/bash/bash
>> >> >> uidNumber: 1000
>> >> >> gidNumber: 3000
>> >> >> objectClass: top
>> >> >> objectClass: person
>> >> >> objectClass: organizationalPerson
>> >> >> objectClass: inetorgperson
>> >> >> objectClass: posixAccount
>> >> >> uid: falam
>> >> >> cn: Fosiul Alam
>> >> >> homeDirectory: /home/falam
>> >> >> userPassword:: e1NTSEF9UGtqNjhvSU1pSR0RrSWNYYkVvYVU2V2c9PQ==
>> >> >>
>> >> >> # search result
>> >> >> search: 3
>> >> >> result: 0 Success
>> >> >>
>> >> >> # numResponses: 2
>> >> >> # numEntries: 1
>> >> >>
>> >> >> and in the access log:
>> >> >>
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 fd=70 slot=70 connection from 192.0.0.4 to 192.0.0.9
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 SSL 256-bit AES
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=1 BIND dn="cn=Directory manager" method=128 version=3
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(cn=Fosiul Alam)" attrs=ALL
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=3 UNBIND
>> >> >> [28/Jul/2012:15:42:57 +0100] conn=229 op=3 fd=70 closed - U1
>> >> >>
>> >> >>
>> >> >> But from the command line, when I do
>> >> >> [root@home ~]# id falam
>> >> >> id: falam: No such user
>> >> >>
>> >> >>
>> >> >>
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 fd=70 slot=70 connection from 192.0.0.4 to 192.0.0.9
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 SSL 256-bit AES
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=1 BIND dn="" method=128 version=3
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=falam))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>> >> >> [28/Jul/2012:15:44:26 +0100] conn=230 op=-1 fd=70 closed - B1
>> >> >>
>> >> >>
>> >> >> So basically, ldapsearch is working but authentication is not working.
>> >> >>
>> >> >> Can anyone please help me with this? I am using CentOS 5.8.
>> >> >>
>> >> >> Fosiul.
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Regards
>> >> Fosiul Alam
>> >> 07877100621
>> >> http://www.fosiul.co.uk
>> >
>> >
>>
>>
>>
>
>
--
Regards
Fosiul Alam
07877100621
http://www.fosiul.co.uk
07-28-2012, 07:31 PM
yersinia
ldapsearch is fine but from authentication purpose its not doing anything
Sorry for the top posting.
But your test is not sufficient. Can you do an LDAP simple bind with the user you want to authenticate, not with the directory admin?
This is the first question to answer, so you can be sure there is no LDAP ACL problem, no password mismatch and the like.
Regards
--
Sent from my mobile device
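The bind test yersinia asks for, as an added example that is not part of the thread: a small POSIX sh script that binds to the directory as the end user instead of as cn=Directory Manager, reads the LDAP result code ldapsearch exits with, and then repeats the anonymous lookup nss_ldap performs for `id` (the /etc/ldap.conf quoted above sets no binddn, which matches the dn="" bind in the access log). It assumes the DN layout and server name shown in the ldapsearch output earlier in the thread (uid=<user>,ou=users,l=uk,dc=fosiul,dc=lan on ldap-2.fosiul.lan) and that the OpenLDAP client already trusts the server's CA, which the successful -ZZ search shows it does; the function names and the LDAP_BIND_PW variable are my own.

```shell
#!/bin/sh
# Added example, not from the thread: simple bind as the user, then the
# anonymous lookup nss_ldap makes for `id`. Run as:
#   LDAP_BIND_PW='the user password' sh bindtest.sh falam

LDAP_HOST="${LDAP_HOST:-ldap-2.fosiul.lan}"   # assumption: server from the thread
BASE_DN="${BASE_DN:-dc=fosiul,dc=lan}"        # assumption: suffix from the thread

# Build the user's DN from the uid, following the layout in the ldapsearch output.
user_dn() {
    printf 'uid=%s,ou=users,l=uk,%s\n' "$1" "$BASE_DN"
}

# ldapsearch exits with the LDAP result code of the operation that failed;
# translate the ones this test can produce.
describe_rc() {
    case "$1" in
        0)  echo "success: bind accepted and the user can read its own entry" ;;
        1)  echo "connection or StartTLS failed (rerun without the redirect to see why)" ;;
        32) echo "noSuchObject: that bind DN does not exist, check the DN layout" ;;
        49) echo "invalidCredentials: the DN exists but the password did not match" ;;
        *)  echo "ldapsearch exited $1 (look it up in the server's errors log)" ;;
    esac
}

# Bind as the user and read back its own entry. Base scope and the "1.1"
# attribute list (no attributes) mean only the bind and read access are tested.
bind_as_user() {
    uid="$1"; pw="$2"
    dn="$(user_dn "$uid")"
    ldapsearch -x -ZZ -H "ldap://$LDAP_HOST/" -D "$dn" -w "$pw" \
        -b "$dn" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
    rc=$?
    echo "bind as $dn -> $(describe_rc "$rc")"
    return "$rc"
}

# The search nss_ldap issued on conn=230 in the thread, done anonymously the
# same way, so the entry count can be compared with the Directory Manager run.
anon_lookup() {
    uid="$1"
    n="$(ldapsearch -x -ZZ -LLL -H "ldap://$LDAP_HOST/" -b "$BASE_DN" \
        "(&(objectClass=posixAccount)(uid=$uid))" dn 2>/dev/null | grep -c '^dn:')"
    echo "anonymous search for uid=$uid under $BASE_DN -> $n entries"
    [ "$n" -gt 0 ]
}

# Only touch the network when a password was supplied, so the file can be
# sourced for its functions without contacting the server.
if [ -n "${LDAP_BIND_PW:-}" ]; then
    bind_as_user "${1:-falam}" "$LDAP_BIND_PW"
    anon_lookup "${1:-falam}"
fi
```

A bind that returns 49 with the password you believe is right separates a password problem from an ACL one before any nss_ldap setting is touched; a bind that returns 0 while the anonymous search reports 0 entries says the entry is there but is not readable by the identity the client actually uses.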
07-28-2012, 07:39 PM
Fosiul Alam
ldapsearch is fine but from authentication purpose its not doing anything
Now, if I give a wrong password it will say "authentication failed", but with the correct password it does not return anything, and I get this in the log:
http://fpaste.org/SA47/
--
Regards
Fosiul Alam
07877100621
http://www.fosiul.co.uk
07-30-2012, 12:36 PM
Grzegorz Dwornicki
ldapsearch is fine but from authentication purpose its not doing anything
Hi again.
All the information you provided looks OK. At times like this, when the error was hard to find, I looked at the /var/log/dirsrv/slapd-instance_name/access log for debug info. Run tail -f on the access log and try to use the id command again. The logs will provide some tracing info combined with the information you provided already.
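As an added example, not code from the thread or from 389 DS, here is a small Python script that does mechanically what Grzegorz suggests: it reads the access log and correlates the BIND, SRCH and RESULT records of each connection, then reports who bound and how many entries each search returned. Its input is the two connections quoted in the original post (conn=229, the ldapsearch as Directory Manager, and conn=230, the lookup made for `id falam`), embedded verbatim; the function names are my own and it handles any number of connections, not just those two. The one thing it flags, an anonymous bind (dn="") whose search returned nentries=0 under a base where an authenticated bind found the entry, is a pointer to the server's ACIs or to the absence of a binddn in the client's /etc/ldap.conf, not a diagnosis the thread itself states.

```python
"""Correlate 389 Directory Server access-log records per connection.

Added example, not from the thread or from 389 DS. Parses the access log and
reports, per connection, the bind DN and the outcome of each search.
"""
import re

# Sample input: the access-log lines quoted in the thread, one record per line.
# A real run would read /var/log/dirsrv/slapd-<instance>/access instead.
ACCESS_LOG = """\
[28/Jul/2012:15:42:57 +0100] conn=229 fd=70 slot=70 connection from 192.0.0.4 to 192.0.0.9
[28/Jul/2012:15:42:57 +0100] conn=229 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[28/Jul/2012:15:42:57 +0100] conn=229 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/Jul/2012:15:42:57 +0100] conn=229 SSL 256-bit AES
[28/Jul/2012:15:42:57 +0100] conn=229 op=1 BIND dn="cn=Directory manager" method=128 version=3
[28/Jul/2012:15:42:57 +0100] conn=229 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[28/Jul/2012:15:42:57 +0100] conn=229 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(cn=Fosiul Alam)" attrs=ALL
[28/Jul/2012:15:42:57 +0100] conn=229 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2012:15:42:57 +0100] conn=229 op=3 UNBIND
[28/Jul/2012:15:42:57 +0100] conn=229 op=3 fd=70 closed - U1
[28/Jul/2012:15:44:26 +0100] conn=230 fd=70 slot=70 connection from 192.0.0.4 to 192.0.0.9
[28/Jul/2012:15:44:26 +0100] conn=230 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[28/Jul/2012:15:44:26 +0100] conn=230 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/Jul/2012:15:44:26 +0100] conn=230 SSL 256-bit AES
[28/Jul/2012:15:44:26 +0100] conn=230 op=1 BIND dn="" method=128 version=3
[28/Jul/2012:15:44:26 +0100] conn=230 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[28/Jul/2012:15:44:26 +0100] conn=230 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=falam))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[28/Jul/2012:15:44:26 +0100] conn=230 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[28/Jul/2012:15:44:26 +0100] conn=230 op=-1 fd=70 closed - B1
"""

# The leading "[" is optional because the first line in the thread lost it.
RE_PREFIX = re.compile(r'^\[?(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
RE_BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RE_SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*?)" attrs=')
RE_RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')
RE_CLOSED = re.compile(r'closed - (?P<code>[A-Z]\d+)')


def parse_access_log(text):
    """Return {conn: {...}} with the bind DN, each search's outcome and the
    closure code (U1 = client sent UNBIND; B1 = bad BER tag, typically a client
    that dropped the socket without unbinding, as nss_ldap did on conn=230)."""
    conns = {}
    for raw in text.splitlines():
        m = RE_PREFIX.match(raw.strip())
        if not m:
            continue
        conn, op, rest = int(m['conn']), m['op'], m['rest']
        c = conns.setdefault(conn, {'bind_dn': None, 'bind_err': None,
                                    'searches': [], 'closed': None,
                                    'tls': False, '_ops': {}})
        b, s, r = RE_BIND.match(rest), RE_SRCH.match(rest), RE_RESULT.match(rest)
        if rest.startswith('SSL '):
            c['tls'] = True
        elif b:                      # remember the pending BIND by op number
            c['_ops'][op] = ('BIND', b['dn'])
        elif s:                      # remember the pending SRCH by op number
            c['_ops'][op] = ('SRCH', {'base': s['base'], 'scope': int(s['scope']),
                                      'filter': s['filter']})
        elif r:                      # RESULT closes whichever op it belongs to
            kind, data = c['_ops'].get(op, (None, None))
            if kind == 'BIND':
                c['bind_err'] = int(r['err'])
                c['bind_dn'] = data if c['bind_err'] == 0 else None
            elif kind == 'SRCH':
                c['searches'].append(dict(data, err=int(r['err']), nentries=int(r['n'])))
        elif RE_CLOSED.search(rest):
            c['closed'] = RE_CLOSED.search(rest)['code']
    for c in conns.values():
        del c['_ops']
    return conns


def find_anonymous_misses(conns):
    """(conn, base, filter) for anonymous binds whose search found nothing under
    a base where an authenticated bind did find entries. TLS and the bind
    itself succeeded on such connections, so the difference is what the bound
    identity is allowed to read: check the ACIs, or give the client a binddn."""
    seen_by_auth = {s['base'] for c in conns.values() if c['bind_dn']
                    for s in c['searches'] if s['nentries'] > 0}
    return sorted((conn, s['base'], s['filter'])
                  for conn, c in conns.items() if c['bind_dn'] == ''
                  for s in c['searches']
                  if s['nentries'] == 0 and s['base'] in seen_by_auth)


def summarize(conns):
    """One line per search, in connection order."""
    out = []
    for conn, c in sorted(conns.items()):
        who = 'anonymous' if c['bind_dn'] == '' else (c['bind_dn'] or 'unbound')
        for s in c['searches']:
            out.append(f"conn={conn} bound as {who}: {s['filter']} under {s['base']} "
                       f"-> {s['nentries']} entries, closed {c['closed']}")
    return out


if __name__ == '__main__':
    parsed = parse_access_log(ACCESS_LOG)
    print('\n'.join(summarize(parsed)))
    for conn, base, flt in find_anonymous_misses(parsed):
        print(f'check ACIs / client binddn: anonymous conn={conn} got 0 entries for {flt} under {base}')
```

Pointed at a live file while `id falam` runs in another terminal (`tail -n 200 /var/log/dirsrv/slapd-<instance>/access | python3 this.py` with ACCESS_LOG replaced by stdin), it turns the tail -f suggestion into one line per lookup, which is easier to compare against the Directory Manager search than reading the raw records.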