[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP Config Question

To: "Todd Lyons" <todd@mrball.net>, <openldap-software@OpenLDAP.org>
Subject: RE: OpenLDAP Config Question
From: "Redman, Greg" <Greg.Redman@MSFC.NASA.GOV>
Date: Wed, 5 Mar 2003 19:18:56 -0600
Cc: "Jim C" <jcllings@tsunamicomm.net>, "Jason C. Leach" <jleach@ocis.net>, "Adam Williams" <awilliam@whitemice.org>
Content-class: urn:content-classes:message
Thread-index: AcLiscuFxfRnSQ0vR2e39QjoRpgSEgAyDS3g
Thread-topic: OpenLDAP Config Question

First, thanks to everyone for the feedback!
Based on further testing, it looks like I may have sometype of configuration problem.
When I remove one user at a time from the /etc/passwd file, LDAP authentication continues to work correctly.
Since I have hundreds of users in the file, I haven't found where it breaks yet.

I also noticed that during a user authentication, slapd (started with full debug turned on (-1)) looked like it was doing a sequential read through the entire database.

The only things I have in LDAP at this point is User-ID's, Password's & Group's.

Here are my config files:

--------------------------------------------------------------------------
/etc/ldap.conf

# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

host 127.0.0.1
base ou=People,o=TEST
binddn cn=Directory Manager,o=TEST
bindpw xxxxxxxxx
ssl no
pam_password md5

--------------------------------------------------------------------------
/etc/openldap/ldap.conf

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#

HOST 127.0.0.1
BASE ou=People,o=TEST

--------------------------------------------------------------------------
/etc/openldap/slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/authusers.schema
include         /etc/openldap/schema/ignorelist.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#######################################################################
# ldbm database definitions
#######################################################################

defaultsearchbase  "o=TEST"
database        ldbm
suffix          "o=TEST"
rootdn          "cn=Directory Manager,o=TEST"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx
directory       /usr/local/var/openldap-ldbm

# Replication information
replica         host=lxdev005.xx.xxxx.xxxx.xxx:636
                suffix="o=TEST"
                bindmethod=simple
                binddn="cn=Replication Manager,o=TEST"
                credentials=
replogfile      /etc/openldap/replica.log

# SSL Directives
TLSCertificateFile      /etc/openldap/server.pem
TLSCertificateKeyFile   /etc/openldap/serverkey.pem
TLSCACertificateFile    /etc/openldap/ca.pem

# Indices to maintain
index   cn,sn,uid pres,eq

# Include slapd.access
include /etc/openldap/slapd.access

--------------------------------------------------------------------------
/etc/openldap/slapd.access

# ldap access control definitions
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Directory Manager,dc=lxdev024,dc=xx,dc=xxxx,dc=xxxx,dc=xxx" write
        by * none
access to *
        by dn="cn=Directory Manager,dc=lxdev024,dc=xx,dc=xxxx,dc=xxxx,dc=xxx" write
        by * read

--------------------------------------------------------------------------
/etc/libnss.conf  - NOT FOUND

I did do a find of libnss* and only found shared objects "libnss*.so"



-----Original Message-----
From: Todd Lyons [mailto:todd@mrball.net]
Sent: Tuesday, March 04, 2003 6:39 PM
To: openldap-software@OpenLDAP.org
Subject: Re: OpenLDAP Config Question


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greg Redman wanted us to know:

>   Now I'd like to remove the "user level" entries in the /etc/passwd and
>   /etc/shadow files.
>   Whenever  I do that user authentication stops working.  Does this mean
>   LDAP is not working ?

That is correct.  Post some config files:
/etc/ldap.conf
/etc/openldap/ldap.conf (if you have that one)
/etc/openldap/slapd.conf

That should be a good start.
- -- 
Blue skies...	Todd 	Public key: http://www.mrball.net/todd.asc
P.S. Before I clicked 'send'  on this composition  I decided to consult
the oracle, I mean Google,  on the question of...    --Clay Claiborne
Linux kernel 2.4.19-16mdk   4 users,  load average: 0.99, 0.92, 0.48
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: http://www.mrball.net/todd.asc

iD8DBQE+ZUcSIBT1264ScBURAkq9AJ9Y8ie4ddWENxNw6Ma2GSAXcWWuvwCgyG/R
+jd4hHIV3Mm+eSdWgplnUDE=
=1urg
-----END PGP SIGNATURE-----

Follow-Ups:
- RE: OpenLDAP Config Question
  - From: "nate" <ldap@aphroland.org>
- Re: OpenLDAP Config Question
  - From: Todd Lyons <todd@mrball.net>
- RE: OpenLDAP Config Question
  - From: Adam Williams <awilliam@whitemice.org>

Prev by Date: Re: Restricting Logon permission
Next by Date: RE: OpenLDAP Config Question
Index(es):
- Chronological
- Thread