
getent fails to deliver LDAP entries



Hello,

I've set up an LDAP v3 system according to Turbo Fredriksson's HOWTO. There are still some aspects to fix, but basically I should have everything in place to get

  getent passwd

running with all people from /etc/passwd and from the LDAP directory.
My test user (uid=experimental) just does not get listed with getent and I have no idea where my config error is.


getent accesses slapd (debug output shows it) and gets the experimental user, but that user is not included in the getent output. There are no errors in the slapd output.

I attached some configurations etc. and hope that Turbo or somebody else can give me a hint or ask specific questions so that I can deliver the required log output etc.


Looking forward,

Andreas


PAM CONFIG (/etc/pam.d/login)

auth       requisite  pam_nologin.so
auth       sufficient /lib/security/pam_ldap.so debug
auth       required   pam_env.so
auth       required   pam_unix.so nullok

account    sufficient /lib/security/pam_ldap.so debug
account    required   pam_unix.so

session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv

password   sufficient /lib/security/pam_ldap.so debug
password   required   pam_unix.so nullok obscure min=4 max=8 md5


TEST USER

dn: cn=Experimental User,ou=People,dc=office-b,dc=jamba,dc=net
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaAccount
objectClass: krb5Principal
objectClass: organizationalPerson
sn: Surname
cn: Experimental User
ou: People
gecos: Experimental User
krb5PrincipalName: experimental@OFFICE-B.JAMBA.NET
userPassword: {KERBEROS}experimental@OFFICE-B.JAMBA.NET
uid: experimental
uidNumber: 1100
gidNumber: 100
homeDirectory: /home/experimental
loginShell: /bin/bash
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
rid: 1100


CURRENT AUTHENTICATION/AUTHORIZATION CONFIGURATION (The config is based on Turbo Fredriksson's LDAPv3 HOWTO)

  - Kerberos V master and slave server working fine (DNS lb not activated)

  - OpenLDAP master and slave are working

      o slurpd fails with auth problems

        (DNS lb not activated so the slave is not yet in use)

      o ldapsearch -x -D "<some user>" -W -b "" -s base \
                   -LLL -H ldaps://<ldap-server>/ supportedSASLMechanisms
        fails after I reinstalled everything (Turbo has no solution to that
        problem in his HOWTO yet, any suggestions based on the fact that
        all other tests of Turbo work?)

  - /etc/nsswitch.conf
         passwd:         files ldap
         group:          files ldap
         shadow:         files ldap
         [...]

  - /etc/libnss-ldap.conf
          base ou=People,dc=office-b,dc=jamba,dc=net
          host <ldap-server>
          ldap_version 3
          port 389
          scope sub
          ssl true
          sslpath /etc/ldap
          uri ldaps://<ldap-server>/

  - /etc/pam_ldap.conf
          base ou=People,dc=office-b,dc=jamba,dc=net
          ldap_version 3
          pam_check_host_attr no
          pam_password clear
          port 389
          scope sub
          ssl yes
          sslpath /etc/ldap
          uri ldaps://<ldap-server>/

  - /etc/ldap/ldap.conf (also link /etc/ldap.conf)
          HOST            <ldap-server>
          BASE            dc=com
          PORT            389
          SASL_SECPROPS   none

  - /etc/ldap/slapd.conf
          include         /etc/ldap/schema/core.schema
          include         /etc/ldap/schema/cosine.schema
          include         /etc/ldap/schema/inetorgperson.schema
          include         /etc/ldap/schema/nis.schema
          include         /etc/ldap/schema/krb5-kdc.schema
          include         /etc/ldap/schema/trust.schema
          include         /etc/ldap/schema/samba.schema

          schemacheck     on
          pidfile         /var/run/slapd.pid
          argsfile        /var/run/slapd.args
          loglevel        0
          database        ldbm

          suffix          "dc=office-b,dc=jamba,dc=net"
          directory       "/var/lib/ldap"

          replica         host=cvs.dmz-net.office-b.jamba.net
                          tls=yes
                          bindmethod=sasl
                          saslmech=GSSAPI
          replogfile      /var/lib/ldap/replication.log

          index           default pres,eq
          index           objectClass,uid,uidnumber,gidnumber,cn
          index           mail eq

          lastmod on

          include         /etc/ldap/slapd.access (as in Turbo's HOWTO)

          sasl-realm              OFFICE-B.JAMBA.NET
          sasl-host               grobi.private-ip.office-b.jamba.net
          TLSCertificateFile      /etc/ldap/grobi_PACK.pem
          TLSCertificateKeyFile   /etc/ldap/grobi_PACK.pem
          TLSCACertificateFile    /etc/ldap/SCAfile.pem


CURRENT SYSTEM SOFTWARE/HARDWARE

  - Kerberos V 1.2.4
  - openldap-2.0.23
  - cyrus-sasl-mit-1.5.24
  - libnss-ldap-1.8.6
  - libpam-ldap-1.4.0
  - libssl-0.9.6
  - Debian 3.0, unpatched kernel 2.5.66 (necessary pkgs updated),
    libc6-2.3.1
  - Dual-Xeon, 4G memory
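The following Python script is an added example and is not part of Andreas's mail or of Turbo's HOWTO. It shows what nss_ldap has to find in a posixAccount record to turn it into a passwd(5) line (the RFC 2307 MUST attributes), parses an LDIF record the way the directory returns it, and then checks the record against a local /etc/passwd for login-name and uidNumber overlap, which matters with "passwd: files ldap" because a lookup by name or uid returns the local record first. The LDIF sample mirrors the test user from the post; the /etc/passwd sample, including the "build" account, is constructed for the demonstration, and the script does not contact slapd.

```python
# Added example, not from the original mail. All sample data is constructed.
import base64

# Attributes nss_ldap needs to build a passwd entry (RFC 2307 posixAccount MUST).
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed LDIF mirroring the test user in the post, trimmed to the classes
# that matter for NSS. "shadowLastChange:10877" (no space) is valid LDIF.
SAMPLE_LDIF = """\
dn: cn=Experimental User,ou=People,dc=office-b,dc=jamba,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: Experimental User
gecos: Experimental User
uid: experimental
uidNumber: 1100
gidNumber: 100
homeDirectory: /home/experimental
loginShell: /bin/bash
shadowLastChange:10877
"""

# Constructed local passwd file; the hypothetical "build" account deliberately
# reuses uidNumber 1100 so the collision check has something to report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
andreas:x:1000:1000:Andreas:/home/andreas:/bin/bash
build:x:1100:100:Build account:/var/build:/bin/false
"""

def parse_ldif(text):
    """Parse LDIF records into dicts {attribute_lowercased: [values]}.
    Handles folded continuation lines and base64 ('attr:: ...') values."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                          # blank line separates records
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # folded line continues previous value
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")          # LDIF allows zero or more spaces
        last_attr = attr.strip().lower()       # attribute names are case-insensitive
        current.setdefault(last_attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def problems(entry):
    """Return the reasons this record cannot become a passwd entry (empty if none)."""
    out = []
    if "posixaccount" not in [c.lower() for c in entry.get("objectclass", [])]:
        out.append("no posixAccount objectClass")
    missing = [a for a in REQUIRED if a.lower() not in entry]
    if missing:
        out.append("missing " + ", ".join(missing))
    return out

def passwd_line(entry):
    """Render the record as name:x:uid:gid:gecos:home:shell, or raise ValueError."""
    issues = problems(entry)
    if issues:
        raise ValueError("%s: %s" % (entry.get("dn", ["?"])[0], "; ".join(issues)))
    gecos = (entry.get("gecos") or entry.get("cn") or [""])[0]
    return ":".join((entry["uid"][0], "x", entry["uidnumber"][0], entry["gidnumber"][0],
                     gecos, entry["homedirectory"][0], entry["loginshell"][0]))

def collisions(entries, passwd_text):
    """With 'passwd: files ldap' a lookup by name or uid returns the local record
    first, so an LDAP account sharing a login name or uidNumber with a local one
    is shadowed by it and two principals end up with one numeric identity."""
    by_name, by_uid = {}, {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            by_name[fields[0]] = fields[2]
            by_uid[fields[2]] = fields[0]
    findings = []
    for e in entries:
        if "uid" not in e or "uidnumber" not in e:
            continue
        name, uid = e["uid"][0], e["uidnumber"][0]
        if name in by_name:
            findings.append("login name %r also in /etc/passwd" % name)
        if uid in by_uid and by_uid[uid] != name:
            findings.append("uidNumber %s also used by local account %r" % (uid, by_uid[uid]))
    return findings

if __name__ == "__main__":
    records = parse_ldif(SAMPLE_LDIF)
    for rec in records:
        print(passwd_line(rec))
    for finding in collisions(records, SAMPLE_PASSWD):
        print("WARNING:", finding)
```

Run against a real export (for example the output of an ldapsearch in LDIF form) and the real /etc/passwd, the same two functions tell you whether an entry is shaped so NSS can use it and whether it overlaps a local account; the script is offline on purpose and says nothing about ACLs, TLS or the bind used by nss_ldap, which are separate checks.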