[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cannot ID LDAP User On LDAP Client

Here's the latest as to why I cannot ID my ldap user.  I set up hostObject attribute in my ldap server to enable host based authentication.  I then added the following in /etc/ldap.conf

On the client side, simply modify /etc/pam_ldap.conf to include these lines:

pam_check_host_attr yes
pam_filter |(host=client_hostname)(host=*)

I've added the host attribute to all my ldap users to login certain hosts.  That's when I cannot id my ldap users.

Somehow pam is not allowing caching when this host based authentication is turned on.  



On Thu, Dec 2, 2010 at 2:26 PM, Anton Chu <anton.chu@telecommand.com> wrote:
NSCD daemon is the culprit. Here's the error when I do id tony:

[CODE] nscd -d
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248:     GETFDPW
Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248:     GETPWBYNAME (tony)
Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258[/CODE]Here's my nscd.conf file:

[CODE]
cat /etc/nscd.conf | grep -v ^# | grep -v ^$
    debug-level        0
    paranoia        no
    enable-cache        passwd        yes
    positive-time-to-live    passwd        600
    negative-time-to-live    passwd        20
    suggested-size        passwd        211
    check-files        passwd        yes
    persistent        passwd        yes
    shared            passwd        yes
    max-db-size        passwd        33554432
    auto-propagate        passwd        yes
    enable-cache        group        yes
    positive-time-to-live    group        3600
    negative-time-to-live    group        60
    suggested-size        group        211
    check-files        group        yes
    persistent        group        yes
    shared            group        yes
    max-db-size        group        33554432
    auto-propagate        group        yes
    enable-cache        hosts        no
    positive-time-to-live    hosts        3600
    negative-time-to-live    hosts        20
    suggested-size        hosts        211
    check-files        hosts        yes
    persistent        hosts        yes
    shared            hosts        yes
    max-db-size        hosts        33554432
    enable-cache        services    yes
    positive-time-to-live    services    28800
    negative-time-to-live    services    20
    suggested-size        services    211
    check-files        services    yes
    persistent        services    yes
    shared            services    yes
    max-db-size        services    33554432

[/CODE]


On Thu, Dec 2, 2010 at 1:15 PM, Anton Chu <anton.chu@telecommand.com> wrote:
On another machine, tried this howto after purging the above above packages.

http://www.opinsys.fi/en/setting-up-...u-10-04-alpha2

sudo apt-get install libnss-ldapd libpam-ldapd

Still the same outcome. I can ldapsearch, getent, etc. but id cannot show the ldap users.

here's my /etc/ldap.conf
cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=example,dc=com
uri ldap://10.112.18.2
ldap_version 3
bindpw secret
rootbinddn cn=admin,dc=example,dc=com


bind_policy soft 

pam_check_host_attr yes
pam_password md5
nss_base_passwd        ou=People,dc=example,dc=com
nss_base_shadow        ou=People,dc=example,dc=com?one
nss_base_group        ou=Groups,dc=example,dc=com?one



On Thu, Dec 2, 2010 at 9:00 AM, Anton Chu <anton.chu@telecommand.com> wrote:
Ok here's what you suggested:

root@webtest111:/etc/pam.d# id tony

id: tony: No such user 
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d# getent passwd | grep tony
tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# /etc/init.d/nscd stop
 * Stopping Name Service Cache Daemon nscd                               [ OK ]
root@webtest111:/etc/pam.d# getent passwd | grep tony
tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d#

I'll start a reinstall of the other packages instead of libnss-ldap and libpam-ldap. 

Thanks for the tips. 

Regards


On Wed, Dec 1, 2010 at 11:48 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
> I've setup an Ubuntu 10.10 LDAP Client to authenticate off my LDAP server.
> I've install the following:
>
> sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db
> nscd ldap-utils pam_ccreds
>
> Here's my /etc/nsswitch.conf:
>
> passwd: files ldap [NOTFOUND=return] db
>
> > group: files ldap [NOTFOUND=return] db
> >
> > shadow: files ldap
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
>
> I can nss_updatedb ldap succssfully:
> # nss_updatedb ldap
> passwd... done.
> group... done.
>
> I can getent passwd, getent passwd shadow, getent group just fine and
> they all show all my ldap users.

Please compare these two:

$ getent passwd |grep tony
$ getent passwd tony

If the first succeeds (returns a line looking like /etc/passwd), and the
second fails (returns nothing), then you probably have a negative cache from
nscd. Stop nscd, and test again.

> However, I cannot do an id ldapuser
>
> ex:
> $ id tony
> id: tony: No such user

[...]

> ID works just fine with my local users on my local machine so somehow
> it's not able to read the ldap users.
>
> Any insights appreciated.

In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but one of
the newer options (e.g. sssd) may be a better option.

Regards,
Buchan