Looks like you are only logging conn and acl. Try config and stats for more useful information about what exactly is being queried and returned.
On 03/25/2010 01:29 PM, Lynn York wrote:
> Below is part of the log from slapd…
>
> Mar 25 13:25:16 hltraindb01 slapd[28836]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
> Mar 25 13:25:16 hltraindb01 slapd[28836]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
> Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr entry
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
> Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr objectClass
> Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (objectClass)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
> Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uid
> Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uid)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uid" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
> Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uidNumber
> Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uidNumber)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
> Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr gidNumber
> Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (gidNumber)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
> Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr loginShell
> Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (loginShell)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
> Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: conn=3 op=1 p=3
> Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: err=0 matched="" text=""
> Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_response: msgid=2 tag=101 err=0
> Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
> Mar 25 13:25:16 hltraindb01 slapd[28836]: 14r
> Mar 25 13:25:16 hltraindb01 slapd[28836]:
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: read active on 14
> Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14): got connid=3
> Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): checking for input on id=3
> Mar 25 13:25:16 hltraindb01 slapd[28836]: ber_get_next on fd 14 failed errno=0 (Success)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): input error=-2 id=3, closing.
> Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_closing: readying conn=3 sd=14 for close
> Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_close: conn=3 sd=-1
> Mar 25 13:25:16 hltraindb01 slapd[28836]: =>ldap_back_conn_destroy: fetching conn 3
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: removing 14
> Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 fd=14 closed (connection lost)
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
> Mar 25 13:25:16 hltraindb01 slapd[28836]:
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
> Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
>
> *From:* Benjamin Griese [mailto:[email protected]]
> *Sent:* Thursday, March 25, 2010 11:56 AM
> *To:* Lynn York
> *Cc:* Tyler Gates; [email protected]
> *Subject:* Re: Problem with getent passwd
>
> Hi,
> could you please also provide the appropriate log entries that show the query to the slapd from the client?
>
> thanks
>
> On Thu, Mar 25, 2010 at 13:52, Lynn York <[email protected]> wrote:
>
> I attempted to use "setup" to set up ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server, I can see the queries in the ldap logs.
> I have added copies of my configs with hopes someone can help me more :)
>
> /etc/ldap.conf
> ----------------
> base cn=users,dc=ldaptest,dc=com
> uri ldap://ldaphost/
> binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
> bindpw password
> scope sub
> timelimit 120
> bind_policy soft
> bind_timelimit 120
> idle_timelimit 3600
> ssl no
> pam_password ad
> # nss_ldap configurations
> nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
> nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
> nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
> nss_map_attribute user SAMACCOUNTNAME
> sasl_secprops maxssf=0
> #tls_cacertdir /etc/openldap/cacerts
>
> Slapd.conf
> ----------------
> ######################################################
> # database definitions
> ######################################################
> database ldap
> suffix "cn=users,dc=ldaptest,dc=com"
> uri "ldap://ads.ldaptest.com"
> overlay rwm
> rebind-as-user
> chase-referrals no
>
> acl-bind
> bindmethod=simple
> binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com"
> credentials=password
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap
>
> # Indices to maintain for this database
> #index objectClass eq
> #index ou,cn,mail,surname,givenname eq,pres,sub
> #index uidNumber,gidNumber,loginShell eq,pres
> #index uid,memberUid eq,pres,sub
> #index nisMapName,nisMapEntry eq,pres,sub
>
> rwm-map objectclass posixAccount organizationalPerson
> rwm-map attribute uid sAMAccountname
> rwm-map attribute uidNumber uidNumber
> rwm-map attribute gidNumber gidNumber
> rwm-map attribute givenName cn
> rwm-map attribute unixHomeDirectory homeDirectory
> rwm-map attribute unixUserPassword UserPassword
>
> Any help is greatly appreciated...
>
> -----Original Message-----
> From: Tyler Gates [mailto:[email protected]]
> Sent: Wednesday, March 24, 2010 9:31 PM
> To: Lynn York; [email protected]
> Subject: Re: Problem with getent passwd
>
> Actually I misspoke earlier - I meant run the command 'setup' from the terminal and select authentication. From there you should see "User Information" and "Authentication" columns. Just check LDAP in "User Information" and you should see getent populate the passwords.
> That normally does the trick.. pretty simple but if that doesn't work I'd check your /etc/ldap.conf is set up correctly (I mostly have to just add the host information and base dn). Otherwise your LDAP server doesn't have the attributes it's expecting from its queries to generate user account information.
>
> On 03/24/2010 08:09 AM, Lynn York wrote:
>> Here is my /etc/pam.d/system-auth file
>>
>> cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>>
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>>
>> Also, when I ran authconfig, that didn't help. The server still queries the ldap server, but the users don't actually show when I run getent passwd... could it be something with the rwm mappings?
>>
>> *From:* Tyler Gates [mailto:[email protected]]
>> *Sent:* Tuesday, March 23, 2010 8:26 PM
>> *To:* Lynn York
>> *Subject:* Re: Problem with getent passwd
>>
>> Sounds like it's a problem with your client side pam_ldap authentication. There's a whole bunch of steps to get that working, just google it. If you have a redhat variant authconfig or setup will step you through it. It would help if you could post your system_auth file.
>>
>> On Mar 23, 2010, at 11:40 AM, Lynn York <[email protected]> wrote:
>>
>> Hello,
>>
>> When I issue "getent passwd" I can see it query the ldap server for all the information and the server is returning the correct information. However, "getent passwd" doesn't actually show the users that are in ldap.
>> I am not sure where my problem might be. Can anyone offer any suggestions on where to look?
>>
>> Lynn York II
>> MavenWire Hosting Admin
>> www.mavenwire.com
>> (866) 343-4870 x717
>>
>> MavenWire - We DELIVER
>> http://www.mavenwire.com
>>
>> This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
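As an added illustration, not part of the thread, of what the acl-level output quoted above can and cannot tell you: a small Python parser that groups the access_allowed decisions per entry slapd sends, records which attributes were read-checked and whether the read was granted, and lists the posixAccount attributes an entry went out without, alongside the nentries count from the SEARCH RESULT line. The sample lines are constructed in the quoted format (the "denied" line is invented to exercise that path); POSIX_PASSWD_ATTRS is my assumption of what nss_ldap needs for a passwd line.

```python
import re

# Constructed sample lines in the format of the slapd "acl"-level debug output quoted in
# the thread (conn/DN values copied from it; the "denied" line is invented to exercise
# the failure path).
SAMPLE_LOG = """\
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access denied by auth(=xd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
"""

SEND_ENTRY = re.compile(r'=> send_search_entry: conn (\d+) dn="([^"]+)"')
ENTRY_EXIT = re.compile(r'<= send_search_entry: conn \d+ exit')
REQUESTED = re.compile(r'=> access_allowed: (\w+) access to "[^"]+" "([^"]+)" requested')
DECIDED = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)')

# Assumption: what nss_ldap needs from a posixAccount entry to build a passwd(5) line.
POSIX_PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_acl_log(text):
    """Return (entries, results): entries = [{"conn", "dn", "decisions": {attr: verdict}}],
    results = [{"conn", "op", "err", "nentries"}] taken from SEARCH RESULT lines."""
    entries, results, current, pending = [], [], None, {}
    for line in text.splitlines():
        if m := SEND_ENTRY.search(line):
            current, pending = {"conn": int(m.group(1)), "dn": m.group(2), "decisions": {}}, {}
        elif (m := REQUESTED.search(line)) and current is not None:
            # Nested checks (the "search access" test for an ACL filter) are keyed by
            # access type so they do not clobber the outer "read access" request.
            pending[m.group(1)] = m.group(2)
        elif (m := DECIDED.search(line)) and current is not None and m.group(1) in pending:
            current["decisions"][pending.pop(m.group(1))] = m.group(2)
        elif ENTRY_EXIT.search(line) and current is not None:
            entries.append(current)
            current = None
        elif m := RESULT.search(line):
            results.append({"conn": int(m.group(1)), "op": int(m.group(2)),
                            "err": int(m.group(3)), "nentries": int(m.group(4))})
    return entries, results


def passwd_attr_gaps(entry):
    """posixAccount attributes the entry was sent without: never read-checked, or denied."""
    return [a for a in POSIX_PASSWD_ATTRS if entry["decisions"].get(a) != "granted"]


if __name__ == "__main__":
    ents, res = parse_acl_log(SAMPLE_LOG)
    for e in ents:
        print(e["dn"], e["decisions"], "missing:", passwd_attr_gaps(e))
    print(res)
```

Run it against the full log with the same loglevel and a clean entry shows every attribute in POSIX_PASSWD_ATTRS granted; an attribute that never appears was not requested or not mapped, and that is the case the acl level alone cannot distinguish, which is where the config and stats levels help.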
