[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Patching openldap?
Am 11.10.2011 22:12, schrieb NetNinja:
> I tryed your command today. I still can't get it to work. I listed all
> the files I have edited. Can you look over it and tell if I'm missing
> anything. Thanks for your help.
Please keep your replies on the list. Others might run into similar
problems and find this helpful.
> I ran this:
> ldapclient manual -v
> -a defaultSearchBase="dc=test,dc=net"
> -a domainName="test.net"
> -a authenticationMethod="simple"
> -a defaultServerList="10.0.0.2"
> -a preferredServerList="10.0.0.2"
> -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net"
> -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net"
> 10.0.0.2
>
> I don't have TLS, automount or netgroups setup yet.
>
> bash-3.00# ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 10.0.0.2
> NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
> NS_LDAP_CACHETTL= 0
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
> NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net
>
> I tried to add more lines but I was getting a lot of errors.
What kind of errors?
> /etc/nsswitch.conf
> passwd: files ldap
> group: files ldap
> host: files ldap
Are you sure you want to resolve hostnames via LDAP and not DNS?
> what i have running on RHEL
> ldapsearch -x
<snip>
> ---------------- I have added a proxy entry before I have not done so
> yet. Do I still need one if I'm useing manual and not init?
If your data can be accessed anonymously, you don't need proxy credentials.
> My PAM file
>
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> login auth required pam_ldap.so.1
My "auth" blocks look like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_ldap.so.1 use_first_pass
ignore_unknown_user
login auth required pam_unix_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth sufficient pam_unix_auth.so.1
> rlogin auth required pam_ldap.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth sufficient pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> ppp auth required pam_ldap.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_unix_auth.so.1
> other auth required pam_dial_auth.so.1
> other auth required pam_ldap.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth sufficient pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account sufficient pam_ldap.so.1
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
You can omit pam_ldap here. It only produces error messages in the logs
for me.
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> #
>
>
> On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal
> <moenoel@informatik.uni-bremen.de> wrote:
>> Am 09.10.2011 14:33, schrieb NetNinja:
>>> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal
>>> <moenoel@informatik.uni-bremen.de> wrote:
>>>> Am 07.10.2011 23:58, schrieb NetNinja:
>>>>> Ok that's good to know.
>>>>> I was reading in the book "Solaris 10 System Administration Essential"
>>>>> and it says on pg 365 that the openldap server needs to be patched so
>>>>> that the ldapclient init utility will configure properly.
>>>>>
>>>>> Do you happen to remeber how you setup the Solaris Native client? This
>>>>> my current issue, I installed openldap on a RHEL 5.5 server and have all
>>>>> the Linux servers working with the ldap server but the Solaris servers
>>>>> won't let me login as a ldap user. I can do a ldapsearch, id, getent and
>>>>> get info on ldap users. I am in the process of troubleshooting the issue
>>>>> and I'm not sure what I'm doing wrong? My setup is very basic, no TLS,
>>>>> uatomount or replication. I will add these later when I know what i'm doing.
>>>>>
>>>>> Anyway thanks for your help. If you have any advice on ldapclient setup
>>>>> let me know.
>>>>>
>>>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
>>>>> <moenoel@informatik.uni-bremen.de
>>>>> <mailto:moenoel@informatik.uni-bremen.de>> wrote:
>>>>>
>>>>> Am 07.10.2011 20:25, schrieb NetNinja:
>>>>> > Hello,
>>>>> > I have been reading up on OpenLDAP. I have installed it on RHEL
>>>>> 5.5 but
>>>>> > I have seen documention saying that openldap needs to be patched
>>>>> to work
>>>>> > with Solaris. Can someone tell me if this still the case and if so
>>>>> where
>>>>> > to get the patch. If not any info you can provide wold be great.
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> >
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've been running OpenLDAP on Solaris 10 for years now. It works out of
>>>>> the tarball, no patches needed.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Christian Manal
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> Here's an example of an ldapclient invocation that works for me:
>>>>
>>>> ldapclient manual \
>>>> -a authenticationMethod="tls:simple" \
>>>> -a credentialLevel="proxy" \
>>>> -a defaultSearchBase="dc=example,dc=org" \
>>>> -a defaultSearchScope="sub" \
>>>> -a defaultServerList="ldap1.example.org,ldap2.example.org" \
>>>> -a domainName="example.org" \
>>>> -a preferredServerList="ldap1.example.org,ldap2.example.org" \
>>>> -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
>>>> -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
>>>> -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
>>>> -a
>>>> serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org"
>>>> \
>>>> -a attributeMap="auto_home:automountMapName=ou" \
>>>> -a attributeMap="auto_home:automountKey=cn" \
>>>> -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
>>>> -a proxyPassword="foobar"
>>>>
>>>>
>>>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your
>>>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
>>>> to put your TLS certs into /var/ldap in NSS format (you can
>>>> generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP
>>>> authentication.
>>>>
>>>>
>>>> Regards,
>>>> Christian Manal
>>>>
>>>>
>>>> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>>>
>>>
>>> Thanks,
>>>
>>> I will try your command. Since you used ldapclient manual and not
>>> ldapclient init I don't need to add a profile of proxy ldif file to
>>> the ldap server, right?
>>
>> Right. It's possible to deposit most of those infos in a profile in the
>> DIT, but since I have a script for configuring LDAP clients it doesn't
>> make any difference for me. I have only one set of settings for Solaris
>> boxes. Though, it might be worth looking into for you, if you have
>> different setups.
>>
>>
>>> I have been using examples like the one you
>>> just gave me and I can only get the info from the server. The password
>>> seems to not work. I get the same erros on the prompt that I would get
>>> if the password or username where wrong. Though I have not tried the
>>> command with the serviceSearchDescriptor before maybe this is what I'm
>>> missing.
>>
>> You replaced the credentials with existing ones from your DIT, right? Do
>> they work with ldapsearch? Does the DN have read access to the user and
>> group data in your DIT?
>>
>> You might want to call ldapclient with '-v' to get some debugging info.
>>
>>
>>> I'm also not using TLS or automount can I leave these out, for now?
>>> Sotls:simple would be simple, right.
>>
>> Right.
>>
>>
>>> Also could Solaris 10 not want to
>>> work because I'm not using TLS?
>>
>> I don't think so. It shouldn't make any difference. Though, I'd
>> recommend adding TLS support before putting anything in production.
>>
>>
>>> Anyway thanks for your time. I will let you know if it works.
>>>
>>
>>
>> Regards,
>> Christian Manal
>>
>>
>
>
>