Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote:
> Sorry for the late reply ...
>
> On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
>> All right, here I am. nss_ldap.conf and ldap.conf are located in
>> /usr/local/etc and are identical (link). I copied all tags I use and
>> deleted commented out tags:
>
> Seems ok to me, though I don't claim to be an expert.

This method has been recommended by many sites and tutorials, so I guess
it should be approved ;-)

>> The slapd.conf is this, comments roped:
>>
>> include /usr/local/etc/openldap/schema/core.schema
>> include /usr/local/etc/openldap/schema/cosine.schema
>> include /usr/local/etc/openldap/schema/nis.schema
>> include /usr/local/etc/openldap/schema/inetorgperson.schema
>> # additional schema
>> include /usr/local/share/examples/samba/LDAP/samba.schema
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>> logfile /var/log/slapd.log
>> loglevel 512
>
> loglevel is a bitmask. If you want to have lots of debugging try 255
> and run a tail -f /var/log/debug.log

Thanks, I did so and found several useful messages in the log.

>> sizelimit unlimited
>> allow bind_v2
>> modulepath /usr/local/libexec/openldap
>> moduleload back_bdb
>> everse-lookup off
>
> typo I guess?

Sorry, yes, copy-and-paste mistake.

>> NSCD is up and running, my nsswitch.conf looks like this:
>
> Please try without nscd first, it's just another possible source of
> problems.

Due to a recommendation not to use NSCD with FreeBSD and SAMBA I switched
that off.

>> group: cache ldap [ unavail=continue notfound=continue ] files
>> passwd: cache ldap [ unavail=continue notfound=continue ] files
>> #group_compat: nis
>> hosts: compat
>> networks: files
>> #passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> And I changed some lines in /etc/pam.d/sshd,login,system,other like
>> this (* commented out because the system gets stuck forever when
>> nss_ldap/pam_ldap are enabled):
>
> I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to
> avoid this unresponsiveness.
>
> # Bind/connect timelimit
> bind_timelimit 3
>
> # Reconnect policy: hard (default) will retry connecting to
> # the software with exponential backoff, soft will fail
> # immediately.
> #bind_policy hard
> bind_policy soft
>
> Also, make NSS work first, then turn to configuring PAM (at least,
> that's what I would do)

Great!! That did the trick and it is very helpful in saving a lot of time
and prevented me from losing more hairs.

>> Some errors from console: (At boot time)
>>
>> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable
>
> Expected. slapd wants to change its user to ldap:ldap, which it needs
> to look up the UID for. Chicken Egg. That's why I need to use soft
> bind+timeout on my (disconnected) laptop here.
>
>> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
>> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable
>
> That seems broken then. Is slapd running? Can you ldapsearch -Lx -h
> localhost? What's /var/log/debug.log telling you? Can you id(1) some
> ldap users? Does the output of 'getent group' and 'getent passwd' look
> reasonable?

Too many switches switched at the same time, so I guess I messed up
things and couldn't get a clear sight anymore. The point is, without any
TLS the user authentication works fine for SSHD/LOGIN and SU, even
password changes via a patched 'passwd' work fine, but when trying to use
TLS/OpenSSL everything gets messed up again; I'll report this at the end.

The main reason for blocking access was the ACL misbehaviour. I took the
example slapd.conf and especially the line describing access to
everything:

access to * ...

The line 'by anonymous auth' needs to be changed into 'by anonymous
read', otherwise LDAP won't even let you access it for authentication. I
found this by watching exhaustive logs ...

>> One point: what about compile time options of OpenLDAP?
>> Does LDAP force itself to use SSL although not configured explicitly
>> in slapd.conf?
>
> No. It is purely optional. You would need certificates before it can
> even possibly start working anyways.

Yes, but OpenLDAP openldap-server-2.3.38 seems to reject connections via
TLS when used with self-signed certificates.

>> nss_ldap-1.257
>> ===
>> openldap-client-2.3.38
>> openldap-server-2.3.38
>> pam_ldap-1.8.2
>
> My other computer is running with nss_ldap-1.257 and showing no
> problems either.
>
> Cheers,
> Ulrich Spoerlein

Well, thanks a lot for helping. At this moment OpenLDAP seems to work
with the OpenLDAP clients (only) and for authentication via ssh/login. I
tried to install the famous and often mentioned 'smbldap-tools' as
recommended in many tutorials and I followed the setup
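The ACL change described in the message above (`by anonymous auth` to `by anonymous read` on `access to *`) makes every attribute, including userPassword hashes, readable by unauthenticated binds. The following slapd.conf fragment is an added example, not taken from the thread or from the OpenLDAP distribution; it assumes the thread's suffix dc=office,dc=de and shows the weak rule beside a form that keeps nss_ldap's anonymous lookups working while protecting credentials.

```conf
# Added example (not from the thread): slapd.conf ACLs for an
# nss_ldap/pam_ldap client, suffix dc=office,dc=de as in the thread.
# slapd evaluates "access to" directives in order and applies the first
# one whose target matches, so the credential rule must precede the
# catch-all.

# Weak form (the change the thread settles on): every attribute,
# including userPassword, is readable without a bind.
#access to *
#        by self write
#        by users read
#        by anonymous read

# Hardened form: the password attribute may be written by its owner and
# used only for binding ("auth") by everyone else; nobody can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The posixAccount/posixGroup data that nss_ldap needs for getpwnam(3),
# getgrnam(3) and id(1) stays readable without a bind, so the
# "unavail=continue" entries in nsswitch.conf keep working.
# If the tree should not be readable anonymously at all, keep
# "by anonymous auth" here instead and set binddn/bindpw in ldap.conf so
# nss_ldap binds as a dedicated read-only account.
access to *
        by self write
        by users read
        by anonymous read
```

Verify with an anonymous search such as `ldapsearch -x -b dc=office,dc=de '(objectClass=posixAccount)' userPassword`: entries should be returned without a userPassword attribute, while `id <user>` still resolves.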
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
> All right, here I am. nss_ldap.conf and ldap.conf are located in
> /usr/local/etc and are identical (link). I copied all tags I use and
> deleted commented out tags:

Seems ok to me, though I don't claim to be an expert.

> The slapd.conf is this, comments roped:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include /usr/local/share/examples/samba/LDAP/samba.schema
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> logfile /var/log/slapd.log
> loglevel 512

loglevel is a bitmask. If you want to have lots of debugging try 255 and
run a tail -f /var/log/debug.log

> sizelimit unlimited
> allow bind_v2
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> everse-lookup off

typo I guess?

> NSCD is up and running, my nsswitch.conf looks like this:

Please try without nscd first, it's just another possible source of
problems.

> group: cache ldap [ unavail=continue notfound=continue ] files
> passwd: cache ldap [ unavail=continue notfound=continue ] files
> #group_compat: nis
> hosts: compat
> networks: files
> #passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> And I changed some lines in /etc/pam.d/sshd,login,system,other like
> this (* commented out because the system gets stuck forever when
> nss_ldap/pam_ldap are enabled):

I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to
avoid this unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least, that's
what I would do)

> Some errors from console: (At boot time)
>
> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable

Expected. slapd wants to change its user to ldap:ldap, which it needs to
look up the UID for. Chicken Egg. That's why I need to use soft
bind+timeout on my (disconnected) laptop here.

> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable

That seems broken then. Is slapd running? Can you ldapsearch -Lx -h
localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap
users? Does the output of 'getent group' and 'getent passwd' look
reasonable?

> One point: what about compile time options of OpenLDAP?
> Does LDAP force itself to use SSL although not configured explicitly in
> slapd.conf?

No. It is purely optional. You would need certificates before it can even
possibly start working anyways.

> nss_ldap-1.257
> ===
> openldap-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2

My other computer is running with nss_ldap-1.257 and showing no problems
either.

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and
remove all doubt.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
>> playing with ldapsearch gets results as expected. Doing ldapsearch
>> with -D and dn of the admin results in the whole DIT as expected,
>> accessing the DIT with uid=user,ou=users,dc=... the same. Accessing
>> LDAP server from client via LUMA (tool) is also ok.
>
> Try to change the nss_base_passwd line from:
>
> nss_base_passwd ou=users,dc=office,dc=de?one
>
> to
>
> nss_base_passwd ou=users,dc=office,dc=de?sub

Well, on a test machine, I set up a test environment equal or nearly
equal to that which is not working on a potentially production box.

First of all, I think there is a misunderstanding in how to set up
/etc/nsswitch.conf, because most trouble seems to be sourced there. When
setting

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

restarting OpenLDAP results in this, but after two minutes or so it
starts up (the time is unacceptable and it does not change anything
reverting the order from 'files ldap' to 'ldap files' for passwd and
group). The great question is: Do I need to have these entries? Neither
in the nsswitch.conf manpage nor in the nss_ldap manpage is it mentioned
to set 'ldap' as an option; I took this from one of the many tutorials
out there.

Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote:
> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
>> At this point it seems senseless to try out what's going wrong and I
>> need some hints or tips. I read about others successfully running
>> OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP
>> based services on FBSD 7.
>
> I do. It's working just fine ...

Good to hear, but it doesn't on mine ... :-(

>> P.S. If someone wants me to offer config details and/or log excerpts,
>> please contact me.
>
> Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link
> to ldap.conf) and slapd.conf, as well as pam.d stuff and
> nsswitch.conf. Some actual error messages would be fine too.

All right, here I am. nss_ldap.conf and ldap.conf are located in
/usr/local/etc and are identical (link). I copied all tags I use and
deleted commented out tags:

host 192.168.2.210 (or 127.0.0.1 alternatively)
base dc=office,dc=de
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# Specify a minimum or maximum UID number allowed
pam_min_uid 1000
pam_max_uid 3
pam_password ssha
nss_base_passwd ou=users,dc=office,dc=de?one
nss_base_shadow ou=users,dc=office,dc=de?one
nss_base_group ou=group,dc=office,dc=de?one
pam_filter objectClass=posixAccount

The slapd.conf is this, comments roped:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# additional schema
include /usr/local/share/examples/samba/LDAP/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
loglevel 512
sizelimit unlimited
allow bind_v2
modulepath /usr/local/libexec/openldap
moduleload back_bdb
everse-lookup off

access to *
        by self write
        by users read
        by anonymous auth

database bdb
suffix dc=office,dc=de
rootdn cn=admin,dc=office,dc=de
rootpw
directory /data/openldap-data/nuggad/
index objectClass eq,pres
index uid,memberUid pres,eq,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index nisMapName,nisMapEntry eq,pres,sub

NSCD is up and running, my nsswitch.conf looks like this:

group: cache ldap [ unavail=continue notfound=continue ] files
passwd: cache ldap [ unavail=continue notfound=continue ] files
#group_compat: nis
hosts: compat
networks: files
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

And I changed some lines in /etc/pam.d/sshd,login,system,other like this
(* commented out because the system gets stuck forever when
nss_ldap/pam_ldap are enabled):

system:

#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            sufficient      pam_ssh.so                      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
#account        sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so                  no_fail

# password
#password       sufficient      pam_krb5.so                     no_warn try_first_pass
#password       sufficient      /usr/local/lib/pam_ldap.so      no_warn use_authtok
password        required        pam_unix.so                     no_warn try_first_pass

sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth           sufficient      pam_opie.so                     no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so               no_warn allow_local
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            sufficient      pam_ssh.so                      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
> Ulrich Spoerlein wrote:
>> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
>>> At this point it seems senseless to try out what's going wrong and
>>> I need some hints or tips. I read about others successfully running
>>> OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP
>>> based services on FBSD 7.

I've had this running since 6.x and have just installed this yesterday
on a 7-BETA machine.

This is what you can try:

- Do not use nscd (the samba documentation recommends this)
- Do the changes in steps, testing between each change

What does ldapsearch say???

Att,
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
>> Ulrich Spoerlein wrote:
>>> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
>>>> At this point it seems senseless to try out what's going wrong and
>>>> I need some hints or tips. I read about others successfully
>>>> running OpenLDAP on FBSD 6 and 5, but no one seems to be running
>>>> OpenLDAP based services on FBSD 7.
>
> I've had this running since 6.x and have just installed this yesterday
> on a 7-BETA machine.
>
> This is what you can try:
>
> - Do not use nscd (the samba documentation recommends this)
> - Do the changes in steps, testing between each change
>
> What does ldapsearch say???
>
> Att,

playing with ldapsearch gets results as expected. Doing ldapsearch with
-D and dn of the admin results in the whole DIT as expected, accessing
the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
from client via LUMA (tool) is also ok.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
> playing with ldapsearch gets results as expected. Doing ldapsearch with
> -D and dn of the admin results in the whole DIT as expected, accessing
> the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
> from client via LUMA (tool) is also ok.

Try to change the nss_base_passwd line from:

nss_base_passwd ou=users,dc=office,dc=de?one

to

nss_base_passwd ou=users,dc=office,dc=de?sub
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
>> playing with ldapsearch gets results as expected. Doing ldapsearch
>> with -D and dn of the admin results in the whole DIT as expected,
>> accessing the DIT with uid=user,ou=users,dc=... the same. Accessing
>> LDAP server from client via LUMA (tool) is also ok.
>
> Try to change the nss_base_passwd line from:
>
> nss_base_passwd ou=users,dc=office,dc=de?one
>
> to
>
> nss_base_passwd ou=users,dc=office,dc=de?sub

... no difference ... slapd won't start when ldap is the first entry in
nsswitch.conf and does not get searched when it is the last. Maybe there
is a problem with the nss_ldap library?
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
> At this point it seems senseless to try out what's going wrong and I
> need some hints or tips. I read about others successfully running
> OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based
> services on FBSD 7.

I do. It's working just fine ...

> P.S. If someone wants me to offer config details and/or log excerpts,
> please contact me.

Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf.
Some actual error messages would be fine too.

You should run tcpdump in some window to actually see what's going on.
It also helps to turn on massive debugging in slapd.conf and tail(1)ing
/var/log/debug.log

I'm running the following versions on 7-CURRENT from 30 September:

nss_ldap-1.256
openldap-sasl-client-2.3.38
openldap-server-2.3.38
pam_ldap-1.8.2

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and
remove all doubt.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
O. Hartmann wrote:
> For weeks now I have tried to get an OpenLDAP server on a local FreeBSD
> 7.0-PRE box running, but with no success. Within the last 8 weeks I
> tried nearly EVERY tutorial and the setups explained there, but
> whenever I try to authenticate or find an ID for an existing user in
> the DIT, I receive errors that the client (pam/nss, ssh, id etc.) can
> not connect to the slapd running on the same machine.

snip

We have had this config running on 7 for months. I suggest you provide
the list with more information + log excerpts, then someone might help
you out.

--per
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Per olof Ljungmark wrote:
> O. Hartmann wrote:
>> For weeks now I have tried to get an OpenLDAP server on a local
>> FreeBSD 7.0-PRE box running, but with no success. Within the last 8
>> weeks I tried nearly EVERY tutorial and the setups explained there,
>> but whenever I try to authenticate or find an ID for an existing user
>> in the DIT, I receive errors that the client (pam/nss, ssh, id etc.)
>> can not connect to the slapd running on the same machine.
>
> snip
>
> We have had this config running on 7 for months. I suggest you provide
> the list with more information + log excerpts, then someone might help
> you out.
>
> --per

Well, great, I appreciate your help and by the way, you're the first one
telling me he's running FBSD 7 AND OpenLDAP/nss_ldap/pam_ldap.

OpenLDAP is running well on the server, I can access the DIT via some
tools like LUMA and the OpenLDAP clients from remote machines. A major
problem seems to be the pam_ldap/nss_ldap configuration. Can you please
tell me how you edited the /etc/pam.d/ files and /etc/nsswitch.conf
properly?

At this very moment it seems that I shot myself in the foot: the box
running the LDAP service does not start the OpenLDAP service slapd after
rebooting; the console is stuck at the message shown when 'additional
ABI's' get started. So, I'm sorry to have no logs handy at this very
moment; I will offer them as soon as possible, together with my config
files, if this will not bother you.

Thanks in advance,
Oliver
--
Planetology and Remote Sensing
FU Berlin
OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
For weeks now I have tried to get an OpenLDAP server on a local FreeBSD
7.0-PRE box running, but with no success. Within the last 8 weeks I tried
nearly EVERY tutorial and the setups explained there, but whenever I try
to authenticate or find an ID for an existing user in the DIT, I receive
errors that the client (pam/nss, ssh, id etc.) can not connect to the
slapd running on the same machine. Calling ldapsearch from both the
localhost running the slapd and from a client in the network works well;
I receive a dump of every object created in the LDAP tree.

At this point it seems senseless to try out what's going wrong and I need
some hints or tips. I read about others successfully running OpenLDAP on
FBSD 6 and 5, but no one seems to be running OpenLDAP based services on
FBSD 7.

In most cases when changing /etc/nsswitch.conf (renaming password/group:
compat to password/group: files ldap as suggested in most of the
tutorials) the box becomes unusable while running the request (either
looking for a user id, starting an xterm, or logging in as root via
console). Everything which seems to look for a user ID takes more than a
minute to start up or dumps errors. Even if I try to log in as a user
that exists only on the local machine (root and a special user) it seems
that the fallback to 'files' doesn't work properly or the timeout takes
that long.

I'm not a professional in OpenLDAP, but I tried several configs found in
LinuxWiki on Gentoo or Debian boxes without problems. Even the simplest
config seems not to work on FreeBSD 7! In many cases ACLs seem to be the
culprit, but even setting 'access to * by * write' or configuring binddn
and binddnpw in /usr/local/etc/ldap.conf and nss_ldap.conf the same as
the rootdn in slapd.conf doesn't work and results in the same problem.

If anyone willing to help is running ldap services on a FreeBSD 7.0-PRE
box, he or she is welcome!

Thanks in advance,
Oliver

P.S. If someone wants me to offer config details and/or log excerpts,
please contact me.