
OPENLDAP ACL problems..




Hi All,

I am sorry if this topic is off target for this august group. I am posting
it here because I could not find the answers in the archives and I did
not get any help in the pam_ldap group either.

What I am after:

	I am trying to replace NIS with LDAP.

Environment:

	RedHat 7.2, openldap-2.0.11

Problem:

	I have setup PAM entries correctly so that I am able to log into
	the system via ssh. Changing passwd (I saw many postings related
	to this but it was not an issue for me) also works fine.

	The problem I face is that the system cannot map my uid and gid
	to proper string values. Just after I login I get the message

		id: cannot find name for user ID 50000

	The value 50000 happens to be my userid defined in the LDAP
	database.

Some Observations:

	When I execute "getent passwd" as a normal user I don't succeed,
	but when root does the same, the LDAP users are shown properly.

	My guess is that this is a problem in access control definitions.
	I am enclosing /etc/openldap/slapd.conf and /etc/ldap.conf files
	below.

I hope I will get some useful answers.

Regards.

--ajit

----------------------------slapd.conf--------------------------------------

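# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/qmail.schema
include		/etc/openldap/schema/redhat/rfc822-MailMember.schema
include		/etc/openldap/schema/redhat/autofs.schema
include		/etc/openldap/schema/redhat/kerberosobject.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

#pidfile	//var/run/slapd.pid
#argsfile	//var/run/slapd.args

# Create a replication log for use by slurpd.
# NOTE(review): every change propagated to the replica (including
# userPassword modifications) is written here, so this file should be
# protected as strictly as the database directory below.
replogfile	/usr/home/ldap/master-slapd.replog

# Load dynamic backend modules:
#modulepath	/usr/sbin/openldap
#moduleload	back_ldap.la
moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Access control (see slapd.conf(5)). Clauses are consulted in order: the
# first "access to" whose target matches is the one used for that
# attribute, and within it the first matching "by" line decides.
#
# userPassword: the owner may change it and the two mail services may
# read it for their own authentication. Everybody else, anonymous clients
# included, gets "auth" only -- enough to perform a simple bind, but the
# stored hash is never returned in a search. The previous version of this
# clause also had "by anonymous read", which handed every user's password
# hash to any unauthenticated client able to reach the server; nothing in
# the NSS/PAM setup needs that, so it has been removed.
access to attr=userPassword
        by dn="cn=manager,dc=iitb,dc=ac,dc=in" write
        by dn="cn=courier,dc=iitb,dc=ac,dc=in" read
        by dn="cn=qmail,dc=iitb,dc=ac,dc=in" read
        by self write
        by * auth

# Everything else (uid, uidNumber, gidNumber, memberUid, ...) is readable
# anonymously. nss_ldap binds anonymously for non-root processes (see
# the ldap.conf comments on binddn/rootbinddn), so this is the clause
# that a normal user's "getent passwd" relies on.
access to *
        by dn="cn=courier,dc=iitb,dc=ac,dc=in" read
        by dn="cn=qmail,dc=iitb,dc=ac,dc=in" read
        by dn="cn=manager,dc=iitb,dc=ac,dc=in" write
        by anonymous read
        by self read

#######################################################################
# ldbm database definitions
#######################################################################

database	ldbm
suffix		"dc=iitb,dc=ac,dc=in"
rootdn		"cn=manager,dc=iitb,dc=ac,dc=in"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# (Value redacted by the poster. A hash produced by slappasswd(8)
# belongs here rather than the cleartext password.)

rootpw		xxxxxxxxxxx

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.

directory	/usr/home/ldap/dbfiles

# Indices to maintain
#index	objectClass,uid,uidNumber,gidNumber,memberUid	eq
#index	cn,mail,surname,givenname			eq,subinitial

# uidNumber/gidNumber/memberUid back the numeric-id-to-name and group
# membership lookups nss_ldap performs; uid/cn serve login and name
# lookups.
index   uidNumber,gidNumber,memberUid   eq
index   givenname                       eq,subinitial
index   cn,sn,uid pres,eq
index   mail,mailAlternateAddress eq
index   objectClass eq

# Replicas to which we should propagate changes
#replica ldap-1.example.com:389 tls=yes
#	bindmethod=sasl saslmech=GSSAPI
#	authcId=host/ldap-master.example.com@EXAMPLE.COM

# NOTE(review): this replication bind uses the rootdn with a simple
# (cleartext) password, and with TLS commented out above that password
# crosses the network unencrypted on every replicated change. The
# commented example shows the tls=yes option to use once a certificate
# is in place.
replica host=postbox.iitb.ac.in
	binddn="cn=manager,dc=iitb,dc=ac,dc=in"
	bindmethod=simple credentials=xxxxxxxxx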

----------------------------end slapd.conf--------------------------------------

----------------------------/etc/ldap.conf--------------------------------------
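# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# NOTE(review): the nameservice library runs inside every process that
# resolves names, including ordinary users' processes, so this file is
# presumably read as the unprivileged user as well. Do not restrict its
# permissions to protect the rootbinddn password -- that password lives
# in /etc/ldap.secret (mode 600), see below, and this file holds no
# secret. Lookups that succeed as root but fail as a normal user are
# consistent with this file being readable only by root; confirm with
# ls -l /etc/ldap.conf.

# Your LDAP server. Must be resolvable without using LDAP.
host posten.iitb.ac.in

# The distinguished name of the search base.
base dc=iitb,dc=ac,dc=in

# NOTE(review): "index" is a slapd.conf(5) server directive (these same
# three lines appear in slapd.conf); it is not an nss_ldap/pam_ldap
# option and has no effect here. Disabled rather than deleted so the
# intent stays visible; remove once confirmed.
#index cn,sn,uid pres,eq
#index mail,mailAlternateAddress eq
#index objectClass eq

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#BINDDN cn=manager,dc=iitb,dc=ac,dc=in
#bindpw xxxxxxxxx

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)

rootbinddn cn=manager,dc=iitb,dc=ac,dc=in

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberuid

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password md5

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.

# Use the OpenLDAP password change
# extended operation to update the password.

#pam_password exop

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=example,dc=com?one
#nss_base_passwd	dc=iitb,dc=ac,dc=in?one
#nss_base_shadow	ou=People,dc=example,dc=com?one
#nss_base_group		ou=Group,dc=example,dc=com?one
#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
#nss_base_services	ou=Services,dc=example,dc=com?one
#nss_base_networks	ou=Networks,dc=example,dc=com?one
#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks	ou=Networks,dc=example,dc=com?one
#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# NOTE(review): with ssl off, every simple bind -- users' passwords sent
# by the PAM module at login and the rootbinddn password read from
# /etc/ldap.secret -- travels to posten.iitb.ac.in in cleartext. The
# server side has its TLS directives commented out (see slapd.conf);
# once a certificate is installed there, "ssl start_tls" together with
# "tls_checkpeer yes" and a CA file above is the fix on this side.
ssl no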

----------------------------end /etc/ldap.conf----------------------------------

|-----------------------------------------------------------------|
| Ajit K. Jena              Phone : (Office) +91-22-5767751       |
| Computer Centre                            +91-22-5722545 x8750 |
| Indian Institute of Technology    (Home)   +91-22-5722545 x8068 |
| POWAI, Bombay                     Fax   :  +91-22-5723894       |
| PIN 400076, India                 Email :  ajit@cc.iitb.ac.in   |
|-----------------------------------------------------------------|