Re: test my LDAP server ONLY using ssh?
First and foremost - thanks for the replies...
On Thu, 2003-01-23 at 11:24, Tony Earnshaw wrote:
>
> > I've edited my /etc/pam.d/sshd (it's gone through several iterations)
> > file so it looks like this (right now):
>
> Does it work?
>
Well, I can't log in via ssh, so I'd say 'no', but I don't know if it's
due to an error in the specified file, or if I screwed something else
up, which is why there was so much info in the original post.
> > Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128
>
> This is an anonymous bind. Is that what you want to find things with?
> Difficult to know without knowing what your ACLs look like.
Do you mean that SSHD is binding to the server anonymously? So *me*
and, separately, the *sshd* daemon have to bind to the ldap server? I
suppose this makes some sense when you see the log entries that show a
connection essentially coming in from the local host. What's
recommended procedure here? I added 'binddn' to my /etc/ldap.conf file,
so now 'BIND dn=""' has an actual DN to bind with, but I don't know the
proper syntax for ldap.conf to get this working. What I got after doing
this was
=================================================================
Jan 23 12:03:28 current slapd[5973]: conn=2 fd=12 ACCEPT from
IP=128.112.6.64:39105 (IP=0.0.0.0:389)
Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 BIND
dn="cn=daproot,dc=cs,dc=princeton,dc=edu" method=128
Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 RESULT tag=97 err=53
text=unwilling to allow anonymous bind with non-empty DN
Jan 23 12:03:28 current slapd[6078]: conn=2 op=1 UNBIND
Jan 23 12:03:28 current slapd[6078]: conn=2 fd=12 closed
=====================================================================
Now I googled for that 'non-empty DN' bit, and it returned NOTHING. A
search of this mailing list returned one thread, which provided a
*little* help.
"The fast solution:
Put the following line into slapd.conf:
allow bind_v2 bind_anon_dn"
But this doesn't explain why the error occurs. The error apparently
occurs because there's some sort of default set somewhere to bind
anonymously, so I put "disallow bind_anon" in my /etc/ldap.conf file.
The hope is that since it doesn't allow anon binds with a non-empty dn,
it will now be forced to use the non-empty dn to perform a
'non-anonymous' bind. Now I get only slightly different, and,
unbelievably, LESS useful log messages...
====================================================================
Jan 23 12:21:45 current slapd[6222]: conn=0 fd=12 ACCEPT from
IP=128.112.6.64:39111 (IP=0.0.0.0:389)
Jan 23 12:21:45 current slapd[6251]: conn=0 op=0 BIND
dn="cn=daproot,dc=cs,dc=princeton,dc=edu" method=128
Jan 23 12:21:45 current slapd[6251]: conn=0 op=0 RESULT tag=97 err=48
text=
Jan 23 12:21:45 current slapd[6251]: conn=0 op=1 UNBIND
Jan 23 12:21:45 current slapd[6251]: conn=0 fd=12 closed
========================================================================
I only have a single ACL in my slapd.conf file.
=================================
access to *
by * read
by anonymous auth
by users read
=================================
I feel like I'm the only person in the whole world who can't get this to
work. I must've missed something completely crucial. I just can't seem
to move forward! When's it gonna click!? ACK!
>
> Get GQ, compile it for Red Hat - jump from www.biot.com :-)
I HATE GQ. THERE'S NO DOCS and I can't even connect to my server with
it. I hate it, I hate it, I hate it. I'm tired of trying to figure out
the syntax it's looking for for the configuration fields. I'm not up
for trying to figure out the magical incantations with a GUI when the
CLI tools are already known to work well. Not that I wouldn't LOVE a
tool to make this stuff easier, but I don't think GQ is for me -
personally. My $.02
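The slapd log lines quoted in this thread are easier to read once each BIND is paired with the RESULT carrying the same conn/op and the result code is spelled out. The script below is an added example, not code from the poster or from OpenLDAP; its log lines are constructed in the same format as the ones above (the DN and IP are placeholders), and the code mapping is the standard LDAPv3 result codes (method=128 is a simple bind, tag=97 a bindResponse).

```python
import re

# Constructed slapd log lines (same format as the ones quoted above; DN and IP are placeholders).
SAMPLE_LOG = """\
Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 RESULT tag=97 err=53 text=unwilling to allow anonymous bind with non-empty DN
Jan 23 12:21:45 current slapd[6251]: conn=3 op=0 BIND dn="" method=128
Jan 23 12:21:45 current slapd[6251]: conn=3 op=0 RESULT tag=97 err=0 text=
Jan 23 12:30:00 current slapd[6251]: conn=4 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan 23 12:30:00 current slapd[6251]: conn=4 op=0 RESULT tag=97 err=48 text=
"""

# Standard LDAPv3 result codes seen in bind responses (tag=97 is bindResponse).
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$')


def classify(dn, method, err, text):
    """Explain a bind outcome. method=128 is a simple (password) bind."""
    if err == 0 and dn == "":
        return "anonymous bind accepted"
    if err == 53 and "non-empty DN" in text:
        # Simple bind with a DN but an empty password: LDAPv3 treats it as
        # anonymous, and slapd refuses it unless 'allow bind_anon_dn' is set.
        return "unauthenticated bind refused (DN sent without a password)"
    if err == 0:
        return "authenticated bind as %s" % dn
    return "bind failed: %s" % RESULT_CODES.get(err, "err=%d" % err)


def correlate_binds(log_text):
    """Pair each BIND with the RESULT carrying the same conn/op and classify it."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = (dn, int(method))
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, text = m.groups()
            dn, method = pending.pop((conn, op), ("", 0))
            findings.append((conn, dn, classify(dn, method, int(err), text)))
    return findings
```

Running `correlate_binds(SAMPLE_LOG)` returns one (conn, dn, verdict) tuple per bind, so the "non-empty DN" case from the thread shows up as a DN sent without a password rather than as an opaque err=53.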