Hi,
could you please also provide the appropriate log entries that show the
query to the slapd from the client?

thanks

On Thu, Mar 25, 2010 at 13:52, Lynn York <[email protected]> wrote:

> I attempted to use "setup" to set up ldap auth.   That did not work.  When
> I run "getent passwd" it prints all the local users, then hangs for about
> 5 seconds and doesn't print the ldap users.  However, it does query the
> ldap server, I can see the queries in the ldap logs.  I have added copies
> of my configs with hopes someone can help me more :)
>
> /etc/ldap.conf
> ----------------
> base cn=users,dc=ldaptest,dc=com
> uri ldap://ldaphost/
> binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
> bindpw password
> scope sub
> timelimit 120
> bind_policy soft
> bind_timelimit 120
> idle_timelimit 3600
> ssl no
> pam_password ad
> # nss_ldap configurations
> nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
> nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
> nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
> nss_map_attribute user SAMACCOUNTNAME
> sasl_secprops maxssf=0
> #tls_cacertdir /etc/openldap/cacerts
>
> Slapd.conf
> ----------------
> ######################################################
> # database definitions
> ######################################################
> database ldap
> suffix  "cn=users,dc=ldaptest,dc=com"
> uri  "ldap://ads.ldaptest.com"
> overlay rwm
> rebind-as-user
> chase-referrals no
>
> acl-bind
>        bindmethod=simple
>        binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com"
>        credentials=password
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /var/lib/ldap
>
> # Indices to maintain for this database
> #index objectClass                       eq
> #index ou,cn,mail,surname,givenname      eq,pres,sub
> #index uidNumber,gidNumber,loginShell    eq,pres
> #index uid,memberUid                     eq,pres,sub
> #index nisMapName,nisMapEntry            eq,pres,sub
>
> rwm-map objectclass posixAccount organizationalPerson
> rwm-map attribute uid sAMAccountname
> rwm-map attribute uidNumber uidNumber
> rwm-map attribute gidNumber gidNumber
> rwm-map attribute givenName cn
> rwm-map attribute unixHomeDirectory homeDirectory
> rwm-map attribute unixUserPassword UserPassword
>
>
>
> Any help is greatly appreciated...
> -----Original Message-----
> From: Tyler Gates [mailto:[email protected]]
> Sent: Wednesday, March 24, 2010 9:31 PM
> To: Lynn York; [email protected]
> Subject: Re: Problem with getent passwd
>
> Actually I misspoke earlier - I meant run the command 'setup' from the
> terminal and select authentication. From there you should see "User
> Information" and "Authentication" columns. Just check LDAP in "User
> Information" and you should see getent populate the passwords.
> That normally does the trick.. pretty simple but if that doesn't work
> I'd check your /etc/ldap.conf is set up correctly (I mostly have to just
> add the host information and base dn). Otherwise your LDAP server
> doesn't have the attributes it's expecting from its queries to generate
> user account information.
>
> On 03/24/2010 08:09 AM, Lynn York wrote:
> > Here is my /etc/pam.d/system-auth file
> >
> >
> >
> > cat /etc/pam.d/system-auth
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_ldap.so use_first_pass
> > auth        required      pam_deny.so
> >
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account     required      pam_permit.so
> >
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password    sufficient    pam_ldap.so use_authtok
> > password    required      pam_deny.so
> >
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_ldap.so
> >
> >
> >
> >
> >
> > Also, when I ran authconfig, that didn't help.  The server still queries the
> > ldap server, but the users don't actually show when I run getent passwd...
> > could it be something with the rwm mappings?
> >
> >
> >
> > *From:* Tyler Gates [mailto:[email protected]]
> > *Sent:* Tuesday, March 23, 2010 8:26 PM
> > *To:* Lynn York
> > *Subject:* Re: Problem with getent passwd
> >
> >
> >
> > Sounds like it's a problem with your client side pam_ldap authentication.
> > There's a whole bunch of steps to get that working, just google it. If you
> > have a redhat variant authconfig or setup will step you through it. It would
> > help if you could post your system_auth file.
> >
> > On Mar 23, 2010, at 11:40 AM, Lynn York <[email protected]> wrote:
> >
> >  Hello,
> >
> >
> >
> > When I issue "getent passwd" I can see it query the ldap
> > server for all the information and the server is returning the correct
> > information.  However, "getent passwd" doesn't actually show the users that
> > are in ldap.  I am not sure where my problem might be.  Can anyone offer any
> > suggestions on where to look?
> >
> >
> >
> > Lynn York II
> >
> > MavenWire Hosting Admin
> >
> > www.mavenwire.com
> >
> > (866) 343-4870 x717
> >
> >
> >
> > MavenWire - We DELIVER
> >
> > http://www.mavenwire.com
> >
> >
> >
> > This e-mail and any attached files may contain confidential and/or
> > privileged material for the sole use of the intended recipient.  Any
> review,
> > use, distribution or disclosure by others is strictly prohibited. If you
> are
> > not the intended recipient (or authorized to receive this e-mail for the
> > recipient), you may not review, copy or distribute this message.  Please
> > contact the sender by reply e-mail and delete all copies of this
> message.
> >
>


-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is
to do -- Sartre | Do be do be do -- Sinatra
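The thread above never gets as far as the check that decides whether getent shows an entry: does the record that comes back through the back-ldap/rwm proxy carry the attribute names nss_ldap expects for a passwd line? The following is an added example, not code posted in the thread, that models that check offline. It takes the nss_base_* values and rwm-map lines from the posted configs, validates the search filter against RFC 4515's "one parenthesised component" rule, rewrites a constructed Active Directory entry the way the proxy would (assuming slapo-rwm's documented argument order, local name first and foreign name second, applied in reverse on responses, and assuming attributes with no map pass through unchanged), and reports which passwd fields are missing. The AD entry and the account name in it are constructed; the required/optional split of attributes is this example's own rule of thumb.

```python
"""Model of the nss_ldap client side of the posted setup (added example).

Assumptions: rwm-map pairs are (local, foreign) and responses are renamed
foreign -> local; unmapped attributes pass through; the AD entry is made up.
"""

# Without these nss_ldap cannot build a passwd line; the rest degrade to "".
REQUIRED = ("uid", "uidnumber", "gidnumber")
OPTIONAL = ("homedirectory", "loginshell", "gecos")

# rwm-map attribute lines from the posted slapd.conf, as (local, foreign).
RWM_ATTRIBUTE_MAP = [
    ("uid", "sAMAccountname"),
    ("uidNumber", "uidNumber"),
    ("gidNumber", "gidNumber"),
    ("givenName", "cn"),
    ("unixHomeDirectory", "homeDirectory"),
    ("unixUserPassword", "UserPassword"),
]

def parse_nss_base(value):
    """Split an nss_base_* value 'base?scope?filter'; scope defaults to sub."""
    parts = value.split("?", 2)
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return {"base": parts[0], "scope": scope,
            "filter": parts[2] if len(parts) > 2 else None}

def filter_well_formed(filt):
    """RFC 4515: a filter is exactly one parenthesised, balanced component."""
    if not (filt.startswith("(") and filt.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(filt) - 1:
                return False  # a second top-level component, e.g. "(a)(b)"
    return depth == 0

def rewrite_response(entry, attr_map):
    """Rename foreign attribute names to local ones; LDAP names are case-insensitive."""
    foreign_to_local = {f.lower(): l.lower() for l, f in attr_map}
    return {foreign_to_local.get(name.lower(), name.lower()): values
            for name, values in entry.items()}

def passwd_fields(entry):
    """Return (fields, problems); fields is None when the entry is unusable."""
    e = {k.lower(): v for k, v in entry.items()}
    problems = [f"missing {a}" for a in REQUIRED if not e.get(a)]
    for a in ("uidnumber", "gidnumber"):
        if e.get(a) and not e[a][0].isdigit():
            problems.append(f"{a} not numeric: {e[a][0]!r}")
    if problems:
        return None, problems
    problems += [f"{a} empty" for a in OPTIONAL if not e.get(a)]
    fields = (e["uid"][0], "x", int(e["uidnumber"][0]), int(e["gidnumber"][0]),
              (e.get("gecos") or e.get("cn") or [""])[0],
              (e.get("homedirectory") or [""])[0],
              (e.get("loginshell") or [""])[0])
    return fields, problems

# Constructed AD entry with SFU/IdMU-style POSIX attributes, as the proxy fetches it.
AD_ENTRY = {
    "sAMAccountName": ["lyork"], "cn": ["Lynn York"],
    "objectClass": ["top", "person", "user"],
    "uidNumber": ["10001"], "gidNumber": ["10000"],
    "unixHomeDirectory": ["/home/lyork"], "loginShell": ["/bin/bash"],
}

def demo():
    """Run the posted nss_base_shadow spec and the AD entry through the checks."""
    spec = parse_nss_base(
        "cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)")
    print("filter well-formed:", filter_well_formed(spec["filter"]))
    seen = rewrite_response(AD_ENTRY, RWM_ATTRIBUTE_MAP)
    fields, problems = passwd_fields(seen)
    print("client sees:", sorted(seen))
    print("passwd:", fields, "problems:", problems)
    return fields, problems

if __name__ == "__main__":
    demo()
```

Under the stated assumptions the run shows two things worth checking against real slapd logs: the posted filter fails the RFC 4515 shape check because it has no outer parentheses, and the map `rwm-map attribute unixHomeDirectory homeDirectory` renames in the wrong direction for an AD entry that stores `unixHomeDirectory`, so the client sees no `homeDirectory` and gets an empty home field. Pointing the same checks at attributes captured from a slapd debug log replaces the constructed entry with the real response.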
