On Fri, 2004-12-10 at 20:54 -1000, Chris Stark wrote:
> Hi everyone,
>
> I've got an issue that I've been wrestling with for a couple of days,
> and I have still had no luck. I searched google, the archives, and all
> of my books. Nothing. I suppose it could be a bug, but I'd like some
> feedback before I submit a report.
>
> I have just installed FC3 on a machine that previously had FC1. I am
> trying to use OpenLDAP server to manage the user accounts, as I had done
> previously with FC1. It worked perfectly before the upgrade.
>
> To make a long story a bit shorter, I transferred the LDAP directory's
> contents using an LDIF dump file, so as to avoid any database version issues.
>
> This seems to have worked because one of my PHP web applications can
> authenticate against the server using TLS without a glitch. Also desktop
> apps like thunderbird's addressbook return all of the entries using
> LDAPS. Both TLS and SSL work without issue, and I can even execute
> successful ldapsearch queries from the server's command-line.
>
> However, the server itself does not recognize the LDAP server as a
> source for accounts; getent passwd or group only returns /etc/passwd and
> /etc/group values. All of the previous home directories have numeric
> values for their user and group owner permissions.
>
> Sorry if this is long. Here are the appropriate snippets from my config
> files. Please let me know if you see anything obviously wrong. Also, any
> troubleshooting tips would be much appreciated.
>
> Aloha,
> Chris Stark
>
> (example.com is for illustrative purposes)
>
> -----------------------
> # /etc/openldap/ldap.conf
>
> URI ldap://example.com
> BASE dc=example,dc=com
> TLS_CACERT /etc/ssl/certs/cacert/cacert.pem
> TLS_REQCERT allow
>
> ------------------------
> # /etc/openldap/slapd.conf
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> disallow bind_anon
> security ssf=1 update_ssf=112 simple_bind=112
>
> password-hash {MD5}
> pidfile /var/run/slapd.pid
>
> TLSCACertificateFile /etc/ssl/certs/cacert/cacert.pem
> TLSCertificateFile /etc/ssl/certs/ldap/ldap-cert.pem
> TLSCertificateKeyFile /etc/ssl/certs/ldap/ldap-key.pem
>
> access to attr=userPassword
>     by self write
>     by anonymous auth
>     by dn="cn=Manager,dc=example,dc=com" write
>     by * none
>
> access to attrs=sambaLmPassword,sambaNtPassword
>     by dn="cn=Manager,dc=example,dc=com" write
>     by * none
>
> access to dn=cn=Manager,dc=example,dc=com attr=entry
>     by self write
>     by dn="cn=Manager,dc=example,dc=com" write
>     by * none
>
> access to *
>     by users read
>     by self write
>     by dn="cn=Manager,dc=example,dc=com" write
>     by * none
>
> database ldbm
> suffix "dc=example,dc=com"
> rootdn "cn=Manager,dc=example,dc=com"
> rootpw secret
> directory /var/lib/ldap
> mode 0700
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
>
> cachesize 2000
> loglevel 296
>
> ------------------------
> # /etc/ldap.conf
>
> base dc=example,dc=com
> uri ldap://example.com/
> ldap_version 3
>
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_password md5
>
> nss_base_passwd ou=users,dc=example,dc=com?one
> nss_base_shadow ou=users,dc=example,dc=com?one
> nss_base_group ou=groups,dc=example,dc=com?one
>
> ssl start_tls
> tls_checkpeer no

---

wow - you got this all working on FC-1 without understanding all these things?

Make life easy on yourself at first. Comment out the complexities and then add them back in after you get things working so you can gauge the effect of each change...

comment out disallow anon_bind & security statements
comment all the acl's out and simply 'access to * by * write'
comment out ssl start_tls

you don't have a binddn/rootbinddn in /etc/ldap.conf (does FC-3 use /etc/openldap/ldap.conf?) /etc/ldap.secret?

Did you actually generate the certs? using certs and plaintext 'secret' for cn=Manager,dc=example,dc=com

Logging is your friend

logging from slapd.conf
    loglevel 256 (or whatever you feel is appropriate/man slapd.conf)

add to /etc/syslog.conf
    local4.* /var/log/slapd.log
(restart syslogd)

FC-3 uses a much newer version of openldap and things have changed greatly from 2.0.7 to 2.2.13 and it's doubtful that you can simply migrate without modification - in fact, I am surprised that you can even get ldap service started - see the docs about converting from 2.0.x to 2.1.x to 2.2.x.

Also, with 2.2.13, you probably want to use dbd instead of ldbm but that is a subject for another day.

Craig
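The checks Craig's reply points at (no binddn/rootbinddn in /etc/ldap.conf while slapd has "disallow bind_anon", start_tls with tls_checkpeer no) can be turned into a read-only config audit. The script below is an added example and not code from the thread; it parses files passed as arguments, so the constructed samples at the bottom (modelled on Chris's /etc/ldap.conf) let it run offline. The nsswitch.conf check is an addition: getent only consults LDAP for a map that lists "ldap" there.

```sh
#!/bin/sh
# Added example: read-only audit of nss_ldap client configuration.
# Nothing here touches a live system; all files are passed in explicitly.

# Strip comments and blank lines so a commented-out directive does not count.
cfg_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Audit an nss_ldap/pam_ldap /etc/ldap.conf. Prints one finding per line.
audit_ldap_conf() {
    cfg=$(cfg_lines "$1")
    # Without binddn/rootbinddn nss_ldap binds anonymously; slapd.conf's
    # "disallow bind_anon" rejects that, and getent silently falls back to files.
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*(root)?binddn[[:space:]]' ||
        echo "no binddn/rootbinddn: anonymous bind, rejected by disallow bind_anon"
    # start_tls with tls_checkpeer no encrypts but never verifies the server cert.
    if printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*ssl[[:space:]]+start_tls' &&
       printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no'; then
        echo "tls_checkpeer no: server certificate is not verified"
    fi
}

# Print each of the passwd/group/shadow maps whose nsswitch.conf line lacks "ldap".
nss_maps_missing_ldap() {
    for map in passwd group shadow; do
        cfg_lines "$1" | grep -Eq '^'"$map"':.*[[:space:]]ldap([[:space:]]|$)' ||
            echo "$map"
    done
}

# Constructed sample files for illustration (not real system files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
base dc=example,dc=com
uri ldap://example.com/
ldap_version 3
# binddn cn=proxy,dc=example,dc=com   (commented out, must not count)
nss_base_passwd ou=users,dc=example,dc=com?one
ssl start_tls
tls_checkpeer no
EOF
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd: files
group:  files ldap
shadow: files
EOF

audit_ldap_conf "$SAMPLE_DIR/ldap.conf"
nss_maps_missing_ldap "$SAMPLE_DIR/nsswitch.conf"
```

Run it against the real files with `audit_ldap_conf /etc/ldap.conf` and `nss_maps_missing_ldap /etc/nsswitch.conf` once the functions are sourced.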