
Re: Patching openldap?



This is an example of the error I was talking about.

bash-3.00# ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" \
> -a domainName="test.net" -a authenticationMethod="simple" \
> -a defaultServerList="10.0.0.2" -a preferredServerList="10.0.0.2" \
> -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net" \
> -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net" \
> 10.0.0.2
Parsing defaultSearchBase=dc=test,dc=net
Parsing domainName=test.net
Parsing authenticationMethod=simple
Parsing defaultServerList=10.0.0.2
Parsing preferredServerList=10.0.0.2
Parsing serviceSearchDescriptor=passwd:ou=People,dc=test,dc=net
Parsing serviceSearchDescriptor=group:ou=Group,dc=test,dc=net
Invalid use of option
Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]

       ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]

Set up a server or workstation as a client of an LDAP namespace.
<args> take the form of '-a attrName=attrVal' as described in the
man page: ldapclient(1M)
Error (1) setting serverList param.
Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]

       ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]

Set up a server or workstation as a client of an LDAP namespace.
<args> take the form of '-a attrName=attrVal' as described in the

Also, I noticed on many of the websites with how-tos on this, their
user accounts have a lot more stuff in them. What about your stuff?
Can you post an example user, profile and proxy entry in LDAP?

I will make the changes you suggested when I get into work today.
I have not been able to work on this much because I have been working
with contractors on a thin client solution.

Thanks for your help. After I get this working I will write up a
document explaining how to do this. I have run into at least 2 other
people on the forums with the same problem I have.

On Wed, Oct 12, 2011 at 3:18 AM, Christian Manal
<moenoel@informatik.uni-bremen.de> wrote:
> Am 11.10.2011 22:12, schrieb NetNinja:
>> I tried your command today. I still can't get it to work. I listed all
>> the files I have edited. Can you look over it and tell me if I'm missing
>> anything? Thanks for your help.
>
> Please keep your replies on the list. Others might run into similar
> problems and find this helpful.
>
>
>> I ran this:
>> ldapclient manual -v
>> -a defaultSearchBase="dc=test,dc=net"
>> -a domainName="test.net"
>> -a authenticationMethod="simple"
>> -a defaultServerList="10.0.0.2"
>> -a preferredServerList="10.0.0.2"
>> -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net"
>> -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net"
>> 10.0.0.2
>>
>> I don't have TLS, automount or netgroups setup yet.
>>
>> bash-3.00# ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= 10.0.0.2
>> NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
>> NS_LDAP_CACHETTL= 0
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
>> NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net
>>
>> I tried to add more lines but I was getting a lot of errors.
>
> What kind of errors?
>
>
>> /etc/nsswitch.conf
>> passwd:    files ldap
>> group:     files ldap
>> host:      files ldap
>
> Are you sure you want to resolve hostnames via LDAP and not DNS?
>
>
>> what i have running on RHEL
>> ldapsearch -x
>
> <snip>
>
>> ---------------- I have added a proxy entry before. I have not done so
>> yet. Do I still need one if I'm using manual and not init?
>
> If your data can be accessed anonymously, you don't need proxy credentials.
>
>
>> My PAM file
>>
>> # login service (explicit because of pam_dial_auth)
>> #
>> login  auth requisite      pam_authtok_get.so.1
>> login  auth required      pam_dhkeys.so.1
>> login  auth required      pam_unix_cred.so.1
>> login  auth sufficient     pam_unix_auth.so.1
>> login  auth required      pam_dial_auth.so.1
>> login  auth required      pam_ldap.so.1
>
> My "auth" blocks look like this:
>
> login  auth requisite      pam_authtok_get.so.1
> login  auth required      pam_dhkeys.so.1
> login  auth required      pam_unix_cred.so.1
> login  auth required      pam_dial_auth.so.1
> login  auth sufficient     pam_ldap.so.1 use_first_pass
> ignore_unknown_user
> login  auth required      pam_unix_auth.so.1
>
>
>> #
>> # rlogin service (explicit because of pam_rhost_auth)
>> #
>> rlogin  auth sufficient     pam_rhosts_auth.so.1
>> rlogin  auth requisite      pam_authtok_get.so.1
>> rlogin  auth required       pam_dhkeys.so.1
>> rlogin  auth required       pam_unix_cred.so.1
>> rlogin  auth sufficient     pam_unix_auth.so.1
>> rlogin  auth required       pam_ldap.so.1
>> #
>> # Kerberized rlogin service
>> #
>> krlogin auth required      pam_unix_cred.so.1
>> krlogin auth required      pam_krb5.so.1
>> #
>> # rsh service (explicit because of pam_rhost_auth,
>> # and pam_unix_auth for meaningful pam_setcred)
>> #
>> rsh   auth sufficient     pam_rhosts_auth.so.1
>> rsh   auth required      pam_unix_cred.so.1
>> #
>> # Kerberized rsh service
>> #
>> krsh    auth required      pam_unix_cred.so.1
>> krsh    auth required      pam_krb5.so.1
>> #
>> # Kerberized telnet service
>> #
>> ktelnet auth required      pam_unix_cred.so.1
>> ktelnet auth required      pam_krb5.so.1
>> #
>> # PPP service (explicit because of pam_dial_auth)
>> #
>> ppp   auth requisite      pam_authtok_get.so.1
>> ppp   auth required      pam_dhkeys.so.1
>> ppp   auth required      pam_unix_cred.so.1
>> ppp   auth sufficient     pam_unix_auth.so.1
>> ppp   auth required      pam_dial_auth.so.1
>> ppp   auth required      pam_ldap.so.1
>> #
>> # Default definitions for Authentication management
>> # Used when service name is not explicitly mentioned for authentication
>> #
>> other  auth requisite      pam_authtok_get.so.1
>> other  auth required      pam_dhkeys.so.1
>> other  auth required      pam_unix_cred.so.1
>> other  auth sufficient     pam_unix_auth.so.1
>> other  auth required      pam_dial_auth.so.1
>> other  auth required      pam_ldap.so.1
>> #
>> # passwd command (explicit because of a different authentication module)
>> #
>> passwd  auth sufficient     pam_passwd_auth.so.1
>> passwd Âauth required      pam_ldap.so.1
>> #
>> # cron service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cron    account required     pam_unix_account.so.1
>> #
>> # Default definition for Account management
>> # Used when service name is not explicitly mentioned for account management
>> #
>> other  account sufficient    pam_ldap.so.1
>> other  account requisite     pam_roles.so.1
>> other  account required      pam_unix_account.so.1
>
> You can omit pam_ldap here. It only produces error messages in the logs
> for me.
>
>
>> #
>> # Default definition for Session management
>> # Used when service name is not explicitly mentioned for session management
>> #
>> other  session required     pam_unix_session.so.1
>> #
>> # Default definition for Password management
>> # Used when service name is not explicitly mentioned for password management
>> #
>> other  password required    pam_dhkeys.so.1
>> other  password requisite    pam_authtok_get.so.1
>> other  password requisite    pam_authtok_check.so.1
>> other  password required    pam_authtok_store.so.1
>> #
>>
>>
>> On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal
>> <moenoel@informatik.uni-bremen.de> wrote:
>>> Am 09.10.2011 14:33, schrieb NetNinja:
>>>> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal
>>>> <moenoel@informatik.uni-bremen.de> wrote:
>>>>> Am 07.10.2011 23:58, schrieb NetNinja:
>>>>>> Ok that's good to know.
>>>>>> I was reading in the book "Solaris 10 System Administration Essential"
>>>>>> and it says on pg 365 that the openldap server needs to be patched so
>>>>>> that the ldapclient init utility will configure properly.
>>>>>>
>>>>>> Do you happen to remember how you set up the Solaris Native client? This is
>>>>>> my current issue: I installed openldap on a RHEL 5.5 server and have all
>>>>>> the Linux servers working with the ldap server, but the Solaris servers
>>>>>> won't let me login as a ldap user. I can do a ldapsearch, id, getent and
>>>>>> get info on ldap users. I am in the process of troubleshooting the issue
>>>>>> and I'm not sure what I'm doing wrong. My setup is very basic, no TLS,
>>>>>> automount or replication. I will add these later when I know what I'm doing.
>>>>>>
>>>>>> Anyway thanks for your help. If you have any advice on ldapclient setup
>>>>>> let me know.
>>>>>>
>>>>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
>>>>>> <moenoel@informatik.uni-bremen.de
>>>>>> <mailto:moenoel@informatik.uni-bremen.de>> wrote:
>>>>>>
>>>>>>     Am 07.10.2011 20:25, schrieb NetNinja:
>>>>>>     > Hello,
>>>>>>     > I have been reading up on OpenLDAP. I have installed it on RHEL
>>>>>>     5.5 but
>>>>>>     > I have seen documentation saying that openldap needs to be patched
>>>>>>     to work
>>>>>>     > with Solaris. Can someone tell me if this is still the case and if so
>>>>>>     where
>>>>>>     > to get the patch. If not, any info you can provide would be great.
>>>>>>     >
>>>>>>     > Thanks
>>>>>>     >
>>>>>>     >
>>>>>>
>>>>>>     Hi,
>>>>>>
>>>>>>     I've been running OpenLDAP on Solaris 10 for years now. It works out of
>>>>>>     the tarball, no patches needed.
>>>>>>
>>>>>>
>>>>>>     Regards,
>>>>>>     Christian Manal
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> Here's an example of an ldapclient invocation that works for me:
>>>>>
>>>>> ldapclient manual \
>>>>>  -a authenticationMethod="tls:simple" \
>>>>>  -a credentialLevel="proxy" \
>>>>>  -a defaultSearchBase="dc=example,dc=org" \
>>>>>  -a defaultSearchScope="sub" \
>>>>>  -a defaultServerList="ldap1.example.org,ldap2.example.org" \
>>>>>  -a domainName="example.org" \
>>>>>  -a preferredServerList="ldap1.example.org,ldap2.example.org" \
>>>>>  -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
>>>>>  -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
>>>>>  -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
>>>>>  -a serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" \
>>>>>  -a attributeMap="auto_home:automountMapName=ou" \
>>>>>  -a attributeMap="auto_home:automountKey=cn" \
>>>>>  -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
>>>>>  -a proxyPassword="foobar"
>>>>>
>>>>>
>>>>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your
>>>>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
>>>>> to put your TLS certs into /var/ldap in NSS format (you can
>>>>> generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP
>>>>> authentication.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Christian Manal
>>>>>
>>>>>
>>>>> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>>>>
>>>>
>>>> Thanks,
>>>>
>>>> I will try your command. Since you used ldapclient manual and not
>>>> ldapclient init, I don't need to add a profile or proxy ldif file to
>>>> the ldap server, right?
>>>
>>> Right. It's possible to deposit most of those infos in a profile in the
>>> DIT, but since I have a script for configuring LDAP clients it doesn't
>>> make any difference for me. I have only one set of settings for Solaris
>>> boxes. Though, it might be worth looking into for you, if you have
>>> different setups.
>>>
>>>
>>>> I have been using examples like the one you
>>>> just gave me and I can only get the info from the server. The password
>>>> seems to not work. I get the same errors on the prompt that I would get
>>>> if the password or username were wrong. Though I have not tried the
>>>> command with the serviceSearchDescriptor before; maybe this is what I'm
>>>> missing.
>>>
>>> You replaced the credentials with existing ones from your DIT, right? Do
>>> they work with ldapsearch? Does the DN have read access to the user and
>>> group data in your DIT?
>>>
>>> You might want to call ldapclient with '-v' to get some debugging info.
>>>
>>>
>>>> I'm also not using TLS or automount. Can I leave these out, for now?
>>>> So tls:simple would be simple, right?
>>>
>>> Right.
>>>
>>>
>>>> Also could Solaris 10 not want to
>>>> work because I'm not using TLS?
>>>
>>> I don't think so. It shouldn't make any difference. Though, I'd
>>> recommend adding TLS support before putting anything in production.
>>>
>>>
>>>> Anyway thanks for your time. I will let you know if it works.
>>>>
>>>
>>>
>>> Regards,
>>> Christian Manal
>>>
>>>
>>
>>
>>
>
>
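A small checker for the pam.conf difference discussed in this thread (an added example, not code from the thread or from Solaris): it parses Solaris pam.conf entries and reports where a service's "auth" stack departs from the one Christian posted. The sample entries are constructed from the two "login" stacks quoted above, abridged to the lines that differ.

```python
import re

# Solaris pam.conf entry: service  module_type  control_flag  module_path [options]
PAM_LINE = re.compile(r"^(\S+)\s+(auth|account|session|password)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_pam_conf(text):
    """Return (service, type, flag, module, [options]) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            svc, mtype, flag, module, opts = m.groups()
            entries.append((svc, mtype, flag, module, opts.split()))
    return entries

def check_auth_stack(entries, service="login"):
    """List where the service's auth stack differs from the working one in the thread."""
    stack = [e for e in entries if e[0] == service and e[1] == "auth"]
    modules = [e[3] for e in stack]
    if "pam_ldap.so.1" not in modules:
        return ["pam_ldap.so.1 is not in the %s auth stack" % service]
    ldap = stack[modules.index("pam_ldap.so.1")]
    findings = []
    # Working stack: pam_ldap sufficient first, pam_unix_auth required last.
    if "pam_unix_auth.so.1" in modules[: modules.index("pam_ldap.so.1")]:
        findings.append("pam_unix_auth.so.1 runs before pam_ldap.so.1 (working stack runs it last)")
    if ldap[2] != "sufficient":
        findings.append("pam_ldap.so.1 is '%s' (working stack marks it sufficient)" % ldap[2])
    if "use_first_pass" not in ldap[4]:
        findings.append("pam_ldap.so.1 lacks use_first_pass")
    return findings

# Constructed samples, abridged from the poster's and Christian's login auth blocks.
POSTER_CONF = """
login  auth required      pam_unix_cred.so.1
login  auth sufficient    pam_unix_auth.so.1
login  auth required      pam_dial_auth.so.1
login  auth required      pam_ldap.so.1
"""
WORKING_CONF = """
login  auth required      pam_unix_cred.so.1
login  auth required      pam_dial_auth.so.1
login  auth sufficient    pam_ldap.so.1 use_first_pass ignore_unknown_user
login  auth required      pam_unix_auth.so.1
"""
```

Run `check_auth_stack(parse_pam_conf(POSTER_CONF))` to see the three findings; the working block yields an empty list.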