On 03/05/2010, at 9:16 PM, Daniel Troeder wrote:
> I haven't set this up on gentoo, only on debian-server with
> ubuntu-clients...
>
> Does NSS work already? Do you see the LDAP users/group after the
> passwd-users when you run
> $ getent passwd
> $ getent group
>
Both show the correct user and group as defined in the LDAP attributes:
passwd
william:*:10000:10000:William Brown,,,,:/home/william:/bin/bash
and group
login:*:20000:william
> Assuming you have configured /etc/nsswitch.conf:
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> ("files ldap" is OK too.)
>
> As long as that does not work, it doesn't make sense to continue to PAM.
>
> Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see
> if the password for cn=Manager,dc=chocolate,dc=lan in there does have
> possibly problematic characters.
The password is in there, and it does bind successfully (I accidentally posted
the wrong output from slapd; I have been documenting my successes / failures to
try and piece this together):
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory
loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 ACCEPT from IP=127.0.0.1:23394 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory
loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory
loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 closed (connection lost)
conn=2 fd=13 ACCEPT from IP=127.0.0.1:38351 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory
loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory
loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> I need to use nscd on the clients.
>
> BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for
> User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.
I'll take a look at it, thank you for the hint.
>
> The trickiest part of setting up LDAP-clients is always PAM :(
> Fortunately for debian/ubuntu there are good guides. If you find out how
> to do it with gentoo, that info would be appreciated (gentoo-wiki?).
I agree, and I most likely will do a write-up if I get it to work happily.
>
> Good luck,
> Daniel
>
> --
> PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
> # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
>
William
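To read a slapd log like the one quoted above the way Daniel's checklist asks (did the Manager bind succeed, did the posixAccount lookup return an entry), here is an added Python example, not from the thread: it groups the log by connection and also flags a cleartext simple bind (mech=SIMPLE ssf=0) arriving from anywhere other than loopback. The embedded log is constructed from the quoted lines plus an invented conn=1 contrast case; 192.0.2.10 is a placeholder address.

```python
import re
from collections import defaultdict
# Constructed sample: conn=0 is from the slapd output quoted above (wrapped lines rejoined); conn=1 is an invented non-loopback client whose lookup matches nothing.
SAMPLE_LOG = """\
conn=0 fd=10 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=13 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(uid=nobody)"
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""
ACCEPT = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
OP = re.compile(r'^conn=(\d+) op=(\d+) (.*)$')

def parse_slapd_log(text):
    """Group BIND and SRCH operations per connection, each joined with its RESULT line."""
    conns = defaultdict(lambda: {"ip": None, "binds": [], "searches": []})
    pending = {}  # (conn, op) -> record still waiting for its RESULT line
    for line in text.splitlines():
        if m := ACCEPT.match(line):
            conns[m[1]]["ip"] = m[2]
        elif m := OP.match(line):  # 'deferring', 'closed' and attr-list lines are skipped
            key, rest = (m[1], m[2]), m[3]
            if b := re.match(r'BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)', rest):
                pending[key] = {"kind": "binds", "dn": b[1], "mech": b[2], "ssf": int(b[3])}
            elif s := re.match(r'SRCH base="([^"]*)" .*filter="([^"]*)"', rest):
                pending[key] = {"kind": "searches", "base": s[1], "filter": s[2]}
            elif (r := re.search(r'RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?', rest)) and key in pending:
                rec = dict(pending.pop(key), err=int(r[1]), nentries=int(r[2] or 0))
                conns[key[0]][rec["kind"]].append(rec)
    return dict(conns)

def review(conns, trusted_ips=("127.0.0.1",)):
    """Did each bind succeed, did each lookup find an entry, did the rootdn password cross an untrusted link in clear?"""
    findings = []
    for c, info in sorted(conns.items(), key=lambda kv: int(kv[0])):
        for b in info["binds"]:
            if b["err"] != 0:
                findings.append(f"conn={c}: bind as {b['dn']} failed, err={b['err']}")
            elif b["mech"] == "SIMPLE" and b["ssf"] == 0 and info["ip"] not in trusted_ips:
                findings.append(f"conn={c}: cleartext simple bind as {b['dn']} from {info['ip']}")
        for s in info["searches"]:
            if s["err"] == 0 and s["nentries"] == 0:
                findings.append(f"conn={c}: {s['filter']} under {s['base']} matched no entry")
    return findings
```

On the quoted log, conn=0 produces no findings (bind err=0, nentries=1, loopback client), which is the result the thread's checklist expects before moving on to PAM.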