
Re: Patching openldap?



On 13.10.2011 12:49, NetNinja wrote:
> This is an example of the error I was talking about.
> 
> bash-3.00# ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" \
> 
> Invalid use of option
> Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]
> 
>        ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]

You have to put '-v' before the 'manual' keyword, I believe.


> Also I noticed on many of the websites with how-tos on this, their
> user accounts have a lot more stuff in them. What about your stuff?
> Can you post an example user, profile and proxy entry in LDAP?

See RFC 2307 for example: <http://www.faqs.org/rfcs/rfc2307.html>

That's for basic UNIX accounts and what you already had in your example
ldapsearch output.


> I will make the changes you suggested when I get into work today.
> I have not been able to work on this much because I have been working
> with contractors on a thin client solution.
> 
> Thanks for your help. After I get this working I will write up a
> document explaining how to do this. I have run into at least 2 other
> people on the forums with the same problem I have.
> 
> On Wed, Oct 12, 2011 at 3:18 AM, Christian Manal
> <moenoel@informatik.uni-bremen.de> wrote:
>> On 11.10.2011 22:12, NetNinja wrote:
>>> I tried your command today. I still can't get it to work. I listed all
>>> the files I have edited. Can you look over them and tell me if I'm missing
>>> anything? Thanks for your help.
>>
>> Please keep your replies on the list. Others might run into similar
>> problems and find this helpful.
>>
>>
>>> I ran this:
>>> ldapclient manual -v
>>> -a defaultSearchBase="dc=test,dc=net"
>>> -a domainName="test.net"
>>> -a authenticationMethod="simple"
>>> -a defaultServerList="10.0.0.2"
>>> -a preferredServerList="10.0.0.2"
>>> -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net"
>>> -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net"
>>> 10.0.0.2
>>>
>>> I don't have TLS, automount or netgroups setup yet.
>>>
>>> bash-3.00# ldapclient  list
>>> NS_LDAP_FILE_VERSION= 2.0
>>> NS_LDAP_SERVERS= 10.0.0.2
>>> NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
>>> NS_LDAP_CACHETTL= 0
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
>>> NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net
>>>
>>> I tried to add more lines but I was getting a lot of errors.
>>
>> What kind of errors?
>>
>>
>>> /etc/nsswitch.conf
>>> passwd:     files ldap
>>> group:      files ldap
>>> hosts:      files ldap
>>
>> Are you sure you want to resolve hostnames via LDAP and not DNS?
>>
>>
>>> What I have running on RHEL:
>>> ldapsearch -x
>>
>> <snip>
>>
>>> I have added a proxy entry before, but I have not done so yet. Do I
>>> still need one if I'm using manual and not init?
>>
>> If your data can be accessed anonymously, you don't need proxy credentials.
>>
>>
>>> My PAM file
>>>
>>> # login service (explicit because of pam_dial_auth)
>>> #
>>> login   auth requisite          pam_authtok_get.so.1
>>> login   auth required           pam_dhkeys.so.1
>>> login   auth required           pam_unix_cred.so.1
>>> login   auth sufficient         pam_unix_auth.so.1
>>> login   auth required           pam_dial_auth.so.1
>>> login   auth required           pam_ldap.so.1
>>
>> My "auth" blocks look like this:
>>
>> login   auth requisite          pam_authtok_get.so.1
>> login   auth required           pam_dhkeys.so.1
>> login   auth required           pam_unix_cred.so.1
>> login   auth required           pam_dial_auth.so.1
>> login   auth sufficient         pam_ldap.so.1 use_first_pass ignore_unknown_user
>> login   auth required           pam_unix_auth.so.1
>>
>>
>>> #
>>> # rlogin service (explicit because of pam_rhost_auth)
>>> #
>>> rlogin  auth sufficient         pam_rhosts_auth.so.1
>>> rlogin  auth requisite          pam_authtok_get.so.1
>>> rlogin  auth required           pam_dhkeys.so.1
>>> rlogin  auth required           pam_unix_cred.so.1
>>> rlogin  auth sufficient         pam_unix_auth.so.1
>>> rlogin  auth required           pam_ldap.so.1
>>> #
>>> # Kerberized rlogin service
>>> #
>>> krlogin auth required           pam_unix_cred.so.1
>>> krlogin auth required           pam_krb5.so.1
>>> #
>>> # rsh service (explicit because of pam_rhost_auth,
>>> # and pam_unix_auth for meaningful pam_setcred)
>>> #
>>> rsh     auth sufficient         pam_rhosts_auth.so.1
>>> rsh     auth required           pam_unix_cred.so.1
>>> #
>>> # Kerberized rsh service
>>> #
>>> krsh    auth required           pam_unix_cred.so.1
>>> krsh    auth required           pam_krb5.so.1
>>> #
>>> # Kerberized telnet service
>>> #
>>> ktelnet auth required           pam_unix_cred.so.1
>>> ktelnet auth required           pam_krb5.so.1
>>> #
>>> # PPP service (explicit because of pam_dial_auth)
>>> #
>>> ppp     auth requisite          pam_authtok_get.so.1
>>> ppp     auth required           pam_dhkeys.so.1
>>> ppp     auth required           pam_unix_cred.so.1
>>> ppp     auth sufficient         pam_unix_auth.so.1
>>> ppp     auth required           pam_dial_auth.so.1
>>> ppp     auth required           pam_ldap.so.1
>>> #
>>> # Default definitions for Authentication management
>>> # Used when service name is not explicitly mentioned for authentication
>>> #
>>> other   auth requisite          pam_authtok_get.so.1
>>> other   auth required           pam_dhkeys.so.1
>>> other   auth required           pam_unix_cred.so.1
>>> other   auth sufficient         pam_unix_auth.so.1
>>> other   auth required           pam_dial_auth.so.1
>>> other   auth required           pam_ldap.so.1
>>> #
>>> # passwd command (explicit because of a different authentication module)
>>> #
>>> passwd  auth sufficient         pam_passwd_auth.so.1
>>> passwd  auth required           pam_ldap.so.1
>>> #
>>> # cron service (explicit because of non-usage of pam_roles.so.1)
>>> #
>>> cron    account required        pam_unix_account.so.1
>>> #
>>> # Default definition for Account management
>>> # Used when service name is not explicitly mentioned for account management
>>> #
>>> other   account sufficient      pam_ldap.so.1
>>> other   account requisite       pam_roles.so.1
>>> other   account required        pam_unix_account.so.1
>>
>> You can omit pam_ldap here. It only produces error messages in the logs
>> for me.
>>
>>
>>> #
>>> # Default definition for Session management
>>> # Used when service name is not explicitly mentioned for session management
>>> #
>>> other   session required        pam_unix_session.so.1
>>> #
>>> # Default definition for Password management
>>> # Used when service name is not explicitly mentioned for password management
>>> #
>>> other   password required       pam_dhkeys.so.1
>>> other   password requisite      pam_authtok_get.so.1
>>> other   password requisite      pam_authtok_check.so.1
>>> other   password required       pam_authtok_store.so.1
>>> #
>>>
>>>
>>> On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal
>>> <moenoel@informatik.uni-bremen.de> wrote:
>>>> On 09.10.2011 14:33, NetNinja wrote:
>>>>> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal
>>>>> <moenoel@informatik.uni-bremen.de> wrote:
>>>>>> On 07.10.2011 23:58, NetNinja wrote:
>>>>>>> Ok that's good to know.
>>>>>>> I was reading in the book "Solaris 10 System Administration Essentials"
>>>>>>> and it says on pg 365 that the openldap server needs to be patched so
>>>>>>> that the ldapclient init utility will configure properly.
>>>>>>>
>>>>>>> Do you happen to remember how you set up the Solaris Native client? This is
>>>>>>> my current issue: I installed openldap on a RHEL 5.5 server and have all
>>>>>>> the Linux servers working with the ldap server, but the Solaris servers
>>>>>>> won't let me log in as an ldap user. I can do an ldapsearch, id, getent and
>>>>>>> get info on ldap users. I am in the process of troubleshooting the issue
>>>>>>> and I'm not sure what I'm doing wrong. My setup is very basic, no TLS,
>>>>>>> automount or replication. I will add these later when I know what I'm doing.
>>>>>>>
>>>>>>> Anyway thanks for your help. If you have any advice on ldapclient setup
>>>>>>> let me know.
>>>>>>>
>>>>>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
>>>>>>> <moenoel@informatik.uni-bremen.de
>>>>>>> <mailto:moenoel@informatik.uni-bremen.de>> wrote:
>>>>>>>
>>>>>>>     On 07.10.2011 20:25, NetNinja wrote:
>>>>>>>     > Hello,
>>>>>>>     > I have been reading up on OpenLDAP. I have installed it on RHEL 5.5 but
>>>>>>>     > I have seen documentation saying that openldap needs to be patched to work
>>>>>>>     > with Solaris. Can someone tell me if this is still the case and if so where
>>>>>>>     > to get the patch. If not any info you can provide would be great.
>>>>>>>     >
>>>>>>>     > Thanks
>>>>>>>     >
>>>>>>>     >
>>>>>>>
>>>>>>>     Hi,
>>>>>>>
>>>>>>>     I've been running OpenLDAP on Solaris 10 for years now. It works out of
>>>>>>>     the tarball, no patches needed.
>>>>>>>
>>>>>>>
>>>>>>>     Regards,
>>>>>>>     Christian Manal
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Here's an example of an ldapclient invocation that works for me:
>>>>>>
>>>>>> ldapclient manual \
>>>>>>  -a authenticationMethod="tls:simple" \
>>>>>>  -a credentialLevel="proxy" \
>>>>>>  -a defaultSearchBase="dc=example,dc=org" \
>>>>>>  -a defaultSearchScope="sub" \
>>>>>>  -a defaultServerList="ldap1.example.org,ldap2.example.org" \
>>>>>>  -a domainName="example.org" \
>>>>>>  -a preferredServerList="ldap1.example.org,ldap2.example.org" \
>>>>>>  -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
>>>>>>  -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
>>>>>>  -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
>>>>>>  -a serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" \
>>>>>>  -a attributeMap="auto_home:automountMapName=ou" \
>>>>>>  -a attributeMap="auto_home:automountKey=cn" \
>>>>>>  -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
>>>>>>  -a proxyPassword="foobar"
>>>>>>
>>>>>>
>>>>>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your
>>>>>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
>>>>>> to put your TLS certs into /var/ldap in NSS format (you can
>>>>>> generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP
>>>>>> authentication.
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Christian Manal
>>>>>>
>>>>>>
>>>>>> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> I will try your command. Since you used ldapclient manual and not
>>>>> ldapclient init, I don't need to add a profile or proxy ldif file to
>>>>> the ldap server, right?
>>>>
>>>> Right. It's possible to deposit most of that info in a profile in the
>>>> DIT, but since I have a script for configuring LDAP clients it doesn't
>>>> make any difference for me. I have only one set of settings for Solaris
>>>> boxes. Though, it might be worth looking into for you, if you have
>>>> different setups.
>>>>
>>>>
>>>>> I have been using examples like the one you
>>>>> just gave me and I can only get the info from the server. The password
>>>>> seems to not work. I get the same errors on the prompt that I would get
>>>>> if the password or username were wrong. Though I have not tried the
>>>>> command with the serviceSearchDescriptor before; maybe this is what I'm
>>>>> missing.
>>>>
>>>> You replaced the credentials with existing ones from your DIT, right? Do
>>>> they work with ldapsearch? Does the DN have read access to the user and
>>>> group data in your DIT?
>>>>
>>>> You might want to call ldapclient with '-v' to get some debugging info.
>>>>
>>>>
>>>>>  I'm also not using TLS or automount; can I leave these out for now?
>>>>> So tls:simple would be simple, right?
>>>>
>>>> Right.
>>>>
>>>>
>>>>> Also could Solaris 10 not want to
>>>>> work because I'm not using TLS?
>>>>
>>>> I don't think so. It shouldn't make any difference. Though, I'd
>>>> recommend adding TLS support before putting anything in production.
>>>>
>>>>
>>>>> Anyway thanks for your time. I will let you know if it works.
>>>>>
>>>>
>>>>
>>>> Regards,
>>>> Christian Manal
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
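As an added example, not code from this thread or from either poster: a small Python evaluator for the control-flag rules of Solaris pam.conf, run over the posted `login auth` stack and over the posted and suggested `other account` stacks quoted above. Module outcomes are constructed assumptions supplied to the evaluator (the `optional` and `binding` flags are not modeled), and the account scenario shows that a leading `sufficient pam_ldap.so.1` returns success before `pam_roles.so.1` and `pam_unix_account.so.1` ever run for an LDAP user.

```python
# Added example, not code from the thread: a small evaluator for Solaris pam.conf
# stacks that applies the control-flag rules of pam.conf(4) to constructed outcomes.
def parse_pam_conf(text):
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()           # strip comments and split fields
        if len(f) >= 4:                            # service type flag module [opts]
            yield f[0], f[1], f[2], f[3], f[4:]

def evaluate(entries, service, mtype, outcomes):
    """Run one stack; outcomes maps module -> 'success' | 'fail' | 'ignore'."""
    required_failed = required_ok = False
    for svc, typ, flag, module, _opts in entries:
        if (svc, typ) != (service, mtype):
            continue
        out = outcomes.get(module, "success")      # helper modules succeed
        if out == "ignore":                        # e.g. ignore_unknown_user
            continue
        if flag == "requisite" and out == "fail":  # requisite: stop at once
            return "fail"
        if flag in ("required", "requisite"):      # required: remember, keep going
            required_failed |= out == "fail"
            required_ok |= out == "success"
        elif flag == "sufficient" and out == "success" and not required_failed:
            return "success"                       # sufficient: later modules never run
    return "success" if required_ok and not required_failed else "fail"

# Stacks quoted in the thread; SUGGESTED_ACCOUNT omits pam_ldap as the reply advises.
POSTED = """\
login auth    requisite  pam_authtok_get.so.1
login auth    required   pam_dhkeys.so.1
login auth    required   pam_unix_cred.so.1
login auth    sufficient pam_unix_auth.so.1
login auth    required   pam_dial_auth.so.1
login auth    required   pam_ldap.so.1
other account sufficient pam_ldap.so.1
other account requisite  pam_roles.so.1
other account required   pam_unix_account.so.1
"""
SUGGESTED_ACCOUNT = """\
other account requisite  pam_roles.so.1
other account required   pam_unix_account.so.1
"""
# Constructed scenario: LDAP-only user, right password, but pam_unix_account
# would reject the account (say, expired as seen through NSS).
LDAP_USER = {"pam_unix_auth.so.1": "fail", "pam_ldap.so.1": "success",
             "pam_unix_account.so.1": "fail"}

def login_auth(conf, who=LDAP_USER):
    return evaluate(parse_pam_conf(conf), "login", "auth", who)
def account_mgmt(conf, who=LDAP_USER):
    return evaluate(parse_pam_conf(conf), "other", "account", who)
```

Pass a different outcome dictionary as `who` to trace other cases, such as a local user for whom `pam_unix_auth.so.1` succeeds and `pam_ldap.so.1` is ignored.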