Re: [FC3] LDAP Authentication

On Fri, 2004-12-10 at 20:54 -1000, Chris Stark wrote:
> Hi everyone,
> 
> I've got an issue that I've been wrestling with for a couple of days, 
> and I have still had no luck. I searched google, the archives, and all 
> of my books. Nothing. I suppose it could be a bug, but I'd like some 
> feedback before I submit a report.
> 
> I have just installed FC3 on a machine that previously had FC1. I am 
> trying to use OpenLDAP server to manage the user accounts, as I had done 
> previously with FC1. It worked perfectly before the upgrade.
> 
> To make a long story a bit shorter, I transferred the LDAP directory's 
> contents using an LDIF dump file, so as to avoid any database version issues.
> 
> This seems to have worked because one of my PHP web applications can 
> authenticate against the server using TLS without a glitch. Also desktop 
> apps like thunderbird's addressbook return all of the entries using 
> LDAPS. Both TLS and SSL work without issue, and I can even execute 
> successful ldapsearch queries from the server's command-line.
> 
> However, the server itself does not recognize the LDAP server as a 
> source for accounts; getent passwd or group only returns /etc/passwd and 
> /etc/group values. All of the previous home directories have numeric 
> values for their user and group owner permissions.
> 
> Sorry if this is long. Here's the appropriate snippets from my config 
> files. Please let me know if you see anything obviously wrong. Also, any 
> troubleshooting tips would be much appreciated.
> 
> Aloha,
> Chris Stark
> 
> (example.com is for illustrative purposes)
> 
> -----------------------
> # /etc/openldap/ldap.conf
> 
> URI             ldap://example.com
> BASE            dc=example,dc=com
> TLS_CACERT      /etc/ssl/certs/cacert/cacert.pem
> TLS_REQCERT     allow
> 
> ------------------------
> # /etc/openldap/slapd.conf
> 
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
> 
> disallow bind_anon
> security ssf=1 update_ssf=112 simple_bind=112
> 
> password-hash   {MD5}
> pidfile /var/run/slapd.pid
> 
> TLSCACertificateFile    /etc/ssl/certs/cacert/cacert.pem
> TLSCertificateFile      /etc/ssl/certs/ldap/ldap-cert.pem
> TLSCertificateKeyFile   /etc/ssl/certs/ldap/ldap-key.pem
> 
> access to attr=userPassword
>          by self write
>          by anonymous auth
>          by dn="cn=Manager,dc=example,dc=com" write
>          by * none
> 
> access to attrs=sambaLmPassword,sambaNtPassword
>          by dn="cn=Manager,dc=example,dc=com" write
>          by * none
> 
> access to dn=cn=Manager,dc=example,dc=com attr=entry
>          by self write
>          by dn="cn=Manager,dc=example,dc=com" write
>          by * none
> 
> access to *
>          by users read
>          by self write
>          by dn="cn=Manager,dc=example,dc=com" write
>          by * none
> 
> database        ldbm
> suffix          "dc=example,dc=com"
> rootdn          "cn=Manager,dc=example,dc=com"
> rootpw          secret
> directory       /var/lib/ldap
> mode            0700
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> 
> cachesize       2000
> loglevel        296
> 
> ------------------------
> # /etc/ldap.conf
> 
> base dc=example,dc=com
> uri ldap://example.com/
> ldap_version 3
> 
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_password md5
> 
> nss_base_passwd         ou=users,dc=example,dc=com?one
> nss_base_shadow         ou=users,dc=example,dc=com?one
> nss_base_group          ou=groups,dc=example,dc=com?one
> 
> ssl start_tls
> tls_checkpeer no
---
wow - you got this all working on FC-1 without understanding all these
things?

Make life easy on yourself at first. Comment out the complexities and
then add them back in after you get things working so you can gauge the
effect of each change...

comment out disallow anon_bind & security statements
comment all the acl's out and simply 'access to * by * write'
comment out ssl start_tls
you don't have a binddn/rootbinddn in /etc/ldap.conf (does FC-3
use /etc/openldap/ldap.conf?)
/etc/ldap.secret?
Did you actually generate the certs? 
using certs and plaintext 'secret' for cn=Manager,dc=example,dc=com

Logging is your friend
logging from slapd.conf
loglevel 256 (or whatever you feel is appropriate/man slapd.conf)

add to /etc/syslog.conf
local4.*                                                /var/log/slapd.log
(restart syslogd)

FC-3 uses a much newer version of openldap and things have changed
greatly from 2.0.7 to 2.2.13 and it's doubtful that you can simply
migrate without modification - in fact, I am surprised that you can even
get ldap service started - see the docs about converting from 2.0.x to
2.1.x to 2.2.x. Also, with 2.2.13, you probably want to use bdb instead
of ldbm but that is a subject for another day.

Craig
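An added example (not from either poster) that models slapd's ACL evaluation, first matching "access to" directive and then first matching "by" clause, over the access directives in Chris's posted slapd.conf. It shows what those rules grant to a client that binds anonymously, which is how nss_ldap connects when /etc/ldap.conf has no binddn/rootbinddn, versus a bound user or the rootdn. The level ordering and the rootdn exemption are OpenLDAP behaviour; the sample entry DN and the deny-on-fallthrough default are assumptions for the model.

```python
# OpenLDAP access levels, weakest to strongest; a request for level X is
# granted when the matching clause yields X or anything stronger.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MANAGER = "cn=manager,dc=example,dc=com"  # rootdn from the posted slapd.conf

# The posted "access to" directives, in file order: (attrs or None for "*",
# [(who, level), ...]). The "dn=cn=Manager ... attr=entry" rule is omitted:
# it only governs the Manager entry itself, not user accounts.
ACLS = [
    ({"userpassword"},
     [("self", "write"), ("anonymous", "auth"), ("dn:" + MANAGER, "write"), ("*", "none")]),
    ({"sambalmpassword", "sambantpassword"},
     [("dn:" + MANAGER, "write"), ("*", "none")]),
    (None,
     [("users", "read"), ("self", "write"), ("dn:" + MANAGER, "write"), ("*", "none")]),
]

def who_matches(who, bind_dn, entry_dn):
    """Match one <who> clause. bind_dn is None for an anonymous client."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        return bind_dn is not None and bind_dn.lower() == who[3:]
    raise ValueError("unsupported who clause: " + who)

def granted_level(bind_dn, entry_dn, attr):
    """slapd semantics: first matching 'access to', then first matching 'by'."""
    if bind_dn is not None and bind_dn.lower() == MANAGER:
        return "write"  # the rootdn is exempt from access control
    for attrs, by_clauses in ACLS:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # target matched but no <who> clause did: deny
    return "none"  # assumption: no directive matched -> deny (never hit here)

def allows(bind_dn, entry_dn, attr, requested):
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr)) >= LEVELS.index(requested)

if __name__ == "__main__":
    chris = "uid=chris,ou=users,dc=example,dc=com"  # constructed sample entry
    # nss_ldap with no binddn/rootbinddn is anonymous: getent cannot read uidNumber
    print("anonymous read uidNumber:", allows(None, chris, "uidNumber", "read"))
    # a bound user reads accounts, but "by users read" shadows "by self write"
    print("chris on own loginShell:", granted_level(chris, chris, "loginShell"))
```

Note that in the "access to *" rule "by users read" is listed before "by self write", so a bound user only ever gets read on their own non-password attributes; the Manager still gets write only because the rootdn bypasses the ACLs entirely.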

