
Re: Perplexed

On 9 Aug 2002, Tony Earnshaw wrote:

> Assertion: Openldap is still magic, but now it's black magic.
> Any comments?
> Red Hat 7.2, much modified, kernel.org 2.4.18 ACPI and iptables.
> I'm perfectly happy with 2.1.3 and Berkeley 4.0, openssl 0.9.6b, PADL's
> "do-it-yourself" pam-ldap/nss_ldap kit, Exim 4.10 smtp mail server, the
> pop3 and IMAP packets that I have (think they're the latest WU versions
> without SASL, but I haven't got any further than local SSL/TLS). No
> problems.
> However, having learned to use GQ, slapd debugging at 5 and 256 levels,
> ethereal and strace to resolve behavior, day after day, until I've
> become blue in the face, I'm perplexed.
> Apart from the Berkeley database, and after having worked hours on
> /etc/ldap.conf and the /etc/pam.d configs, *nothing* about PAM/NSS that
> people here find necessary seems to be necessary for or apply to my
> configuration(s). Much that I've read from the Admin guide, golden rules
> ("*never, never, never*") just isn't true. That's why I'm asking for
> comments.
> Why should I find that things that others seem to accept as gospel,
> don't apply to my configurations?
> "Never use IP numbers for hostnames, always use FQDNs". Well, for me
> TLS/SSL only works with my IP number (, not localhost or
> 'uname -n' - the FQDN "billy.demon.nl". "Use pam_ldap for /etc/pam.d
> configs, use this, use that", etc. Well, I'm using my old Red Hat
> standard configs, and everything works - login, gdm and su. Obviously I
> need libnss*. Exclusively for the 'passwd' config do I need pam_ldap. No
> trouble in distinguishing between /etc/passwd&shadow and ldap, password
> changing with just one "type=billy" password.
> This is what I've done to date, since June:
> I only have my own test machine. However, if ldap breaks now I'm in deep
> trouble :-) I've had a couple of nasty examples that left me gasping.
> Like when I'd stopped slapd while Exim was receiving an Internet
> mailkick and wanted ldap for all user authentication. Ever seen a mail
> server wanting to send 80+ emails back (BSMTP), because it couldn't
> verify the recipients? Arrrrgh ...
> All local /etc/passwd console and ldap logins and transactions under
> (encrypted, of course) TLS.
> Posix account "Virtual" users, most with mailboxes in other Internet
> domains. Almost complete integration with Ximian's Evolution for partial
> local user administration and centrally based contact database, with
> partial delegated user administration.
> Exim 4.10 smtp server admin with ldap-based user accounts and all mail
> aliases (/etc/aliases doesn't even exist any more) and virtual
> mailboxes. All imap and pop3 under TLS.
> Complete "virtual"=ldap user administration with GQ, with a
> mind-boggling wealth of info on each user (eat your heart out NIS+).
> Admin user/group (partial) administration of users and services.
> Automatic BDB 4 transactional log backups (thanks to Peter A. Savitch).
> To recap:
> I can do *so* much on a standard Linux machine that I'd never dreamed of
> being possible in May, that it still seems like magic. Reading, reading,
> more reading and practicing is why. But why should so much that others
> accept as gospel, be different for me?
> Best,
> Tony
> --
> Tony Earnshaw
> The usefulness of RTFM is vastly overrated.
> e-post:		tonni@billy.demon.nl
> www:		http://www.billy.demon.nl
> gpg public key:	http://www.billy.demon.nl/tonni.armor
> Telefoon:	(+31) (0)172 530428
> Mobiel:		(+31) (0)6 51153356
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
> 3BE7B981

Hey, Tony.

	Sun from Brazil, for everybody.
You are a very lucky man, and I suppose you worked a lot for it!
Me, I'm in deep trouble trying to make things work well around here.
Being frank, the first time I started to work with ldap, I was wondering
whether it could be at least better than 'Active Directory' from MS. Let's say,
a port from iPlanet to the OpenSource community. I have nearly 6 years of
exp. in Linux, but all my brain power was not enough yet to make openldap
work for us as expected. I just can't make it work with TLS. So, I look
and browse all data through gq and 'directory_administrator' but no chance
to insert or modify any content inside it. The reason is simple: I cannot
log in as manager in ldap to make things happen.
	The last version of 'migration-tools' simply didn't work for me,
forcing us to downgrade to the previous openldap version. I'm in trouble
now. Any change I could think about in the config of slapd, ldap.conf and
pam.d was done, without any success, just the old adage: 'ldap_bind:
Invalid credentials'.
	What black magic did you find to make things happen? There are
already 2 weeks of work, for nothing! I'm at the point of giving up on
all this shift (without the 'f').
	Thank you so much. I'm new on the list, and I appreciate your
strong skill with openldap; maybe you could help us to make things come a
little bit painless for us.
	But not least: what is the address of the previously sent messages to
our list? I can't find it! Is it faq-o-matic?

--


I wish you have a good day,
                   and a nice work done with GNU-Linux.

Have a good day and a great job with linux

====================<<<<<< * >>>>>>>====================
===========  Renato Q. Salles UIN 143517540  ===========
===========  Linux Registered User nº 217696 ===========
====================<<<<<< * >>>>>>>====================
 \ /  Campanha da fita ASCII - Contra mail HTML
  X   ASCII ribbon campaign  - Against HTML mail
 / \
