Re: Trouble with nss|pam|openldap
On Wed, 24 May 2006 07:40:37 -0700 "Atom Powers" <[EMAIL PROTECTED]> wrote:

> On 5/24/06, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> > On 23-May-06, at 8:48 PM, Atom Powers wrote:
> >
> > I have no all.log currently. The only thing showing up in
> > messages though is:
>
> You have to enable all.log in syslog.conf, and then "touch
> /var/log/all.log". I always turn this on because it can catch
> messages that are not configured to go to another log file, and
> sometimes it's nice to have all your logs in one place. But if you
> have a noisy service it can fill your file system.
>
> > May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP
> > server - Server is unavailable
> >
> > That error seems to creep up only when I restart slapd though.
> >
> > >> I searched through the bugs and it seems there is a bug in
> > >> nss_ldap with regards to getpwuid, but that seems to be more
> > >> of an indicator about why finger doesn't work, not why ssh
> > >> doesn't work
> > >>
> > >> # id testuser seems to work, finger doesn't. Curious.
> > >> Anyway, it still appears as though at least some portions of
> > >> the system are using LDAP, which is good.
> > >> $ id testuser
> > >> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > >> $ finger testuser
> > >> finger: testuser: no such user
> > >> $
> > >
> > > id works because it's using the name service to look up the
> > > user (you added ldap to your nsswitch.conf, right?)
> > >
> > > finger doesn't work because you don't have a /etc/pam.d/finger
> > > file. Either create one or add pam_ldap to
> > > your /etc/pam.d/system file. (I always create a new conf file
> > > for my ldap enabled apps)
>
> On reflection I may be way off base with this. finger doesn't run
> *as* another user, and you don't log into finger. So it shouldn't
> need a pam.d file.
>
> Finger doesn't work for ldap accounts on my systems.
>
> > Interesting. Finger *did* work during some of my first attempts
> > at getting this working. I changed something (I don't recall
> > what) and then finger stopped working.
> >
> > This seems to all work now with built-in ssh. How strange.
> >
> > Now, I seem to have hit another snag and a bug (Both of which I
> > remember reading about this in my travels:)
> >
> > $id testuser
> > id: testuser: no such user
> > # sudo su
> > Password:
> > # id testuser
> > uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > # cd ~testuser
> > # pwd
> > /usr/home/testuser
> > #ssh [EMAIL PROTECTED]
> > %id testuser
> > id: testuser: no such user
> > %pwd
> > /usr/home/testuser
> > %ls -al
> > Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] !=
> > NULL), function do_init, file ldap-nss.c, line 1193.
> > Abort (core dumped)
> > %
>
> I don't seem to have this problem:
>
> [EMAIL PROTECTED]:~$finger apowers
> finger: apowers: no such user
> [EMAIL PROTECTED]:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> [EMAIL PROTECTED]:~$ssh localhost
> Password:
>
> FreeBSD 6.1-RELEASE (SMP) #0: Sun May 7 04:42:56 UTC 2006
> [EMAIL PROTECTED]:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> [EMAIL PROTECTED]:~$pwd
> /home/apowers
> [EMAIL PROTECTED]:~$ls -al
> total 53216
>
> What does your nsswitch.conf look like?
> I have:
> #nsswitch.conf
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
> shells: files

On this note you may want to do something like this. I found this helps
things along nicer at startup.

group: files [success=return notfound=continue unavail=continue tryagain=continue] ldap
passwd: files [success=return notfound=continue unavail=continue tryagain=continue] ldap

I thought that was the default, but startup goes a bit quicker with it
like that.
___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
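The nsswitch.conf lines above, and the question of whether the explicit [status=action] bracket changes anything, can be checked by walking the lookup the way nsswitch.conf(5) describes it. The following is an added example (not code from this thread or from FreeBSD's libc): a small parser for nsswitch.conf source lists and their action brackets, plus a resolver that reports which sources a query touches. Module results are supplied by the caller, so it runs offline; the two configurations embedded in it are the ones posted in the thread, and the "LDAP server down" case is modelled as the ldap source returning unavail.

```python
"""Simulate nsswitch.conf source ordering and [status=action] brackets.

Added example; it is not code from the thread or from FreeBSD's libc.
It models the nsswitch.conf(5) semantics: sources are tried left to
right, each returns one of success / notfound / unavail / tryagain,
and the bracket after a source says whether that status ends the
lookup ('return') or moves on to the next source ('continue').
Without a bracket the defaults are success=return and continue for
everything else, which is why the explicit bracket from the thread
behaves exactly like the bare 'files ldap' line.
"""
import re

DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Both variants posted in the thread.
NSSWITCH_BARE = """
#nsswitch.conf
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
"""

NSSWITCH_EXPLICIT = """
group: files [success=return notfound=continue unavail=continue tryagain=continue] ldap
passwd: files [success=return notfound=continue unavail=continue tryagain=continue] ldap
"""


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        entries = []
        # A token is either a source name or a [status=action ...] bracket
        # that modifies the source immediately before it.
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                if not entries:
                    raise ValueError(f"{name}: action bracket before any source")
                for pair in tok[1:-1].split():
                    status, _, action = pair.partition("=")
                    entries[-1][1][status.lower()] = action.lower()
            else:
                entries.append((tok, dict(DEFAULT_ACTIONS)))
        db[name.strip()] = entries
    return db


def resolve(entries, status_of):
    """Walk the sources for one database.

    status_of maps a source name to the status it would return for this
    query; a source missing from the map is treated as 'unavail' (the
    LDAP-server-down case from the thread). Returns (final status,
    sources actually consulted).
    """
    consulted, last = [], "notfound"
    for source, actions in entries:
        consulted.append(source)
        last = status_of.get(source, "unavail")
        if actions.get(last, "continue") == "return":
            break
    return last, consulted


def lookup(conf_text, database, status_of):
    """Convenience wrapper: parse the config and resolve one query."""
    return resolve(parse_nsswitch(conf_text)[database], status_of)


if __name__ == "__main__":
    # root at boot, before slapd is up: files answers, ldap is never asked
    print(lookup(NSSWITCH_BARE, "passwd", {"files": "success"}))
    # a directory-only user, with and without the explicit bracket
    print(lookup(NSSWITCH_BARE, "passwd", {"files": "notfound", "ldap": "success"}))
    print(lookup(NSSWITCH_EXPLICIT, "passwd", {"files": "notfound", "ldap": "success"}))
    # same user while the server is unreachable
    print(lookup(NSSWITCH_BARE, "passwd", {"files": "notfound"}))
```

Running it shows the two configurations resolve identically, which matches the poster's suspicion that the bracket spells out the defaults. The practical check for startup ordering is the first case: every account that rc scripts need before slapd is running must come back from files, or the lookup falls through to an unavailable ldap source and the caller waits on its timeout. The resolver also takes brackets that differ from the defaults (for instance [notfound=return] after files to stop unknown local names reaching the directory), so the same code can be used to reason about a changed line before it is deployed.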
Re: Trouble with nss|pam|openldap
In the last episode (May 24), Jason Lixfeld said:
> On 24-May-06, at 6:15 PM, Ansar Mohammed wrote:
>
> > Have you tried nss_ldap without pam?
>
> How is that even possible?

It's possible, but not too useful. If you always force people to ssh in
via keys, for example, you don't need pam_ldap. PAM's only job is
authentication; NSS handles everything after that.

-- 
Dan Nelson
[EMAIL PROTECTED]
Re: Trouble with nss|pam|openldap
On 24-May-06, at 6:15 PM, Ansar Mohammed wrote:

> Have you tried nss_ldap without pam?

How is that even possible?
RE: Trouble with nss|pam|openldap
Have you tried nss_ldap without pam?

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED] On Behalf Of Atom Powers
> Sent: May 24, 2006 3:23 PM
> To: Jason Lixfeld
> Cc: FreeBSD Questions Mailing List
> Subject: Re: Trouble with nss|pam|openldap
>
> On 5/24/06, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> > On 23-May-06, at 8:48 PM, Atom Powers wrote:
> >
> > %ls -al
> > Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL),
> > function do_init, file ldap-nss.c, line 1193.
> > Abort (core dumped)
> > %
>
> I was able to reproduce this problem when I removed my
> /usr/local/etc/nss_ldap.conf file.
> It seems that some applications look for the *ldap.conf in
> /usr/local/etc and some in /usr/local/etc/openldap.
>
> I create links to /usr/local/etc/openldap/ldap.conf for all the other
> ldap.conf and nss_ldap.conf files.
>
> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
Re: Trouble with nss|pam|openldap
On 5/24/06, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> On 23-May-06, at 8:48 PM, Atom Powers wrote:
>
> %ls -al
> Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL),
> function do_init, file ldap-nss.c, line 1193.
> Abort (core dumped)
> %

I was able to reproduce this problem when I removed my
/usr/local/etc/nss_ldap.conf file.
It seems that some applications look for the *ldap.conf in
/usr/local/etc and some in /usr/local/etc/openldap.

I create links to /usr/local/etc/openldap/ldap.conf for all the other
ldap.conf and nss_ldap.conf files.

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
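The reproduction above (nss_ldap dumping core once /usr/local/etc/nss_ldap.conf is gone, and the symlink workaround) is the kind of state drift worth checking for on every host that authenticates against the directory, since a missing or diverged copy silently changes which server a library talks to. The following is an added example, not code from this thread or from the nss_ldap/pam_ldap ports: it audits the three paths the thread names (taken relative to a prefix such as /usr/local), reports whether each is a regular file, a link or missing, and flags copies that disagree on the server URI. demo() exercises it against a constructed temporary tree so it runs offline; the hostnames in that tree are made up.

```python
"""Audit the LDAP client configuration files nss_ldap and pam_ldap may read.

Added example, not code from the thread. The thread reports that some
consumers read /usr/local/etc/ldap.conf or /usr/local/etc/nss_ldap.conf
while others read /usr/local/etc/openldap/ldap.conf, and that removing
nss_ldap.conf made nss_ldap abort on an assertion in ldap-nss.c. This
script reports which copies exist, whether they are links or diverged
copies, and whether they agree on the server. To audit a real host call
audit_ldap_conf('/usr/local'); demo() uses a constructed tree instead.
"""
import os
import tempfile

# Relative to the prefix so the same check can run on a constructed tree.
CANDIDATES = ("etc/openldap/ldap.conf", "etc/ldap.conf", "etc/nss_ldap.conf")


def read_settings(path):
    """Parse 'KEY value' lines of an ldap.conf-style file into a dict."""
    settings = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(prefix):
    """Return (report, problems).

    report maps each candidate path to its state; problems lists the
    findings to fix before relying on the host: missing files, dangling
    links, and copies that name different servers.
    """
    report, problems, servers = {}, [], {}
    for rel in CANDIDATES:
        path = os.path.join(prefix, rel)
        if not os.path.lexists(path):
            report[rel] = "missing"
            problems.append(f"{rel}: missing")
            continue
        if os.path.islink(path) and not os.path.exists(path):
            report[rel] = "dangling link"
            problems.append(f"{rel}: dangling symlink")
            continue
        if os.path.islink(path):
            kind = "link -> " + os.path.relpath(os.path.realpath(path), prefix)
        else:
            kind = "regular file"
        settings = read_settings(path)
        # nss_ldap accepted either 'uri' or the older 'host' keyword
        servers[rel] = settings.get("uri") or settings.get("host")
        report[rel] = f"{kind}, server={servers[rel]}"
    if len(set(servers.values())) > 1:
        problems.append("server setting differs between copies: "
                        + ", ".join(f"{k}={v}" for k, v in servers.items()))
    return report, problems


def demo():
    """Constructed scenario: only the openldap copy exists (the state that
    produced the core dump), then the links the thread suggests are made,
    then one copy is replaced by a stale file naming another server."""
    with tempfile.TemporaryDirectory() as prefix:
        master = os.path.join(prefix, "etc/openldap/ldap.conf")
        os.makedirs(os.path.dirname(master))
        with open(master, "w") as fh:
            fh.write("# constructed sample\nURI ldap://ldap.example.test\n"
                     "BASE dc=example,dc=test\n")
        before = audit_ldap_conf(prefix)[1]
        for rel in CANDIDATES[1:]:
            os.symlink(master, os.path.join(prefix, rel))
        after = audit_ldap_conf(prefix)[1]
        stale = os.path.join(prefix, "etc/nss_ldap.conf")
        os.unlink(stale)
        with open(stale, "w") as fh:
            fh.write("host old-server.example.test\n")
        diverged = audit_ldap_conf(prefix)[1]
    return before, after, diverged


if __name__ == "__main__":
    for label, problems in zip(("before", "linked", "diverged"), demo()):
        print(label, problems or "clean")
```

The link approach from the thread makes all three names resolve to one file, which is what the second run reports as clean; the third run shows why the check also compares contents, because a later package upgrade or hand edit that turns one link back into a file is easy to miss and leaves one consumer pointing at a different server.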
Re: Trouble with nss|pam|openldap
> I don't seem to have this problem:
>
> [EMAIL PROTECTED]:~$finger apowers
> finger: apowers: no such user
> [EMAIL PROTECTED]:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> [EMAIL PROTECTED]:~$ssh localhost
> Password:
>
> FreeBSD 6.1-RELEASE (SMP) #0: Sun May 7 04:42:56 UTC 2006
> [EMAIL PROTECTED]:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> [EMAIL PROTECTED]:~$pwd
> /home/apowers
> [EMAIL PROTECTED]:~$ls -al
> total 53216

What version of OpenLDAP/pam_ldap/nss_ldap are you running? I believe it's
either a bug in OpenLDAP or NSS, can't remember which, but I do remember
reading about something extremely similar to my issue out there. Need to
refresh.

> What does your nsswitch.conf look like?
> I have:
> #nsswitch.conf
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
> shells: files

Mine is the same.

On another note, I just tested pam_mkhomedir... sweeet!

> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
Re: Trouble with nss|pam|openldap
On 5/24/06, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> On 23-May-06, at 8:48 PM, Atom Powers wrote:
>
> I have no all.log currently. The only thing showing up in messages
> though is:

You have to enable all.log in syslog.conf, and then "touch
/var/log/all.log". I always turn this on because it can catch messages
that are not configured to go to another log file, and sometimes it's
nice to have all your logs in one place. But if you have a noisy service
it can fill your file system.

> May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP
> server - Server is unavailable
>
> That error seems to creep up only when I restart slapd though.
>
> >> I searched through the bugs and it seems there is a bug in nss_ldap
> >> with regards to getpwuid, but that seems to be more of an indicator
> >> about why finger doesn't work, not why ssh doesn't work
> >>
> >> # id testuser seems to work, finger doesn't. Curious. Anyway, it
> >> still appears as though at least some portions of the system are
> >> using LDAP, which is good.
> >> $ id testuser
> >> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> >> $ finger testuser
> >> finger: testuser: no such user
> >> $
> >
> > id works because it's using the name service to look up the user (you
> > added ldap to your nsswitch.conf, right?)
> >
> > finger doesn't work because you don't have a /etc/pam.d/finger file.
> > Either create one or add pam_ldap to your /etc/pam.d/system file. (I
> > always create a new conf file for my ldap enabled apps)

On reflection I may be way off base with this. finger doesn't run *as*
another user, and you don't log into finger. So it shouldn't need a
pam.d file.

Finger doesn't work for ldap accounts on my systems.

> Interesting. Finger *did* work during some of my first attempts at
> getting this working. I changed something (I don't recall what) and
> then finger stopped working.
>
> This seems to all work now with built-in ssh. How strange.
>
> Now, I seem to have hit another snag and a bug (Both of which I
> remember reading about this in my travels:)
>
> $id testuser
> id: testuser: no such user
> # sudo su
> Password:
> # id testuser
> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> # cd ~testuser
> # pwd
> /usr/home/testuser
> #ssh [EMAIL PROTECTED]
> %id testuser
> id: testuser: no such user
> %pwd
> /usr/home/testuser
> %ls -al
> Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL),
> function do_init, file ldap-nss.c, line 1193.
> Abort (core dumped)
> %

I don't seem to have this problem:

[EMAIL PROTECTED]:~$finger apowers
finger: apowers: no such user
[EMAIL PROTECTED]:~$id apowers
uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
[EMAIL PROTECTED]:~$ssh localhost
Password:

FreeBSD 6.1-RELEASE (SMP) #0: Sun May 7 04:42:56 UTC 2006
[EMAIL PROTECTED]:~$id apowers
uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
[EMAIL PROTECTED]:~$pwd
/home/apowers
[EMAIL PROTECTED]:~$ls -al
total 53216

What does your nsswitch.conf look like?
I have:
#nsswitch.conf
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Re: Trouble with nss|pam|openldap
On 23-May-06, at 8:48 PM, Atom Powers wrote:

> On 5/23/06, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> > I'm using openssh-portable and the latest versions of openldap,
> > pam_ldap and nss_ldap. It appears as though the system is using
> ...
> I'm not using ssh-portable, but I have it working with the built-in ssh.

built-in works? Interesting. Reason I'm using -portable was because I
read that the built-in ssh didn't support PAM. I will try the built-in
and see what happens.

> ...
> > user password, even after I enter it in. I tried putting the pam_ldap
> > lib in the password section of the /etc/pam.d/sshd file, but that was
> > useless too. Local users can ssh in fine.
>
> The pam.d config would be my first guess. What gets logged to all.log?

I have no all.log currently. The only thing showing up in messages
though is:

May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP
server - Server is unavailable

That error seems to creep up only when I restart slapd though.

> > I searched through the bugs and it seems there is a bug in nss_ldap
> > with regards to getpwuid, but that seems to be more of an indicator
> > about why finger doesn't work, not why ssh doesn't work
> >
> > # id testuser seems to work, finger doesn't. Curious. Anyway, it
> > still appears as though at least some portions of the system are
> > using LDAP, which is good.
> > $ id testuser
> > uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > $ finger testuser
> > finger: testuser: no such user
> > $
>
> id works because it's using the name service to look up the user (you
> added ldap to your nsswitch.conf, right?)
>
> finger doesn't work because you don't have a /etc/pam.d/finger file.
> Either create one or add pam_ldap to your /etc/pam.d/system file. (I
> always create a new conf file for my ldap enabled apps)

Interesting. Finger *did* work during some of my first attempts at
getting this working. I changed something (I don't recall what) and then
finger stopped working.

> Here is my /etc/pam.d/sshd file, I use the exact same file for all my
> ldap enabled apps.: (if somebody sees a bug in there, or can suggest
> any improvement, by all means let me know.)
>
> --
> # auth
> auth     sufficient  /usr/local/lib/pam_ldap.so
> auth     required    pam_nologin.so      no_warn
> auth     sufficient  pam_opie.so         no_warn no_fake_prompts
> auth     requisite   pam_opieaccess.so   no_warn allow_local
> #auth    sufficient  pam_krb5.so         no_warn try_first_pass
> #auth    sufficient  pam_ssh.so          no_warn try_first_pass
> auth     required    pam_unix.so         no_warn try_first_pass
> # account
> account  sufficient  /usr/local/lib/pam_ldap.so
> #account required    pam_krb5.so
> account  required    pam_login_access.so
> account  required    pam_unix.so
> # session
> #session optional    pam_ssh.so
> session  required    pam_permit.so
> # password
> #password sufficient pam_krb5.so        no_warn try_first_pass
> password required    pam_unix.so        no_warn try_first_pass

This seems to all work now with built-in ssh. How strange.

Now, I seem to have hit another snag and a bug (Both of which I remember
reading about this in my travels:)

$id testuser
id: testuser: no such user
# sudo su
Password:
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# cd ~testuser
# pwd
/usr/home/testuser
#ssh [EMAIL PROTECTED]
%id testuser
id: testuser: no such user
%pwd
/usr/home/testuser
%ls -al
Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL),
function do_init, file ldap-nss.c, line 1193.
Abort (core dumped)
%

> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
Re: Trouble with nss|pam|openldap
On 5/23/06, Jason Lixfeld <[EMAIL PROTECTED]> wrote:
> I'm using openssh-portable and the latest versions of openldap,
> pam_ldap and nss_ldap. It appears as though the system is using
...
I'm not using ssh-portable, but I have it working with the built-in ssh.
...
> user password, even after I enter it in. I tried putting the pam_ldap
> lib in the password section of the /etc/pam.d/sshd file, but that was
> useless too. Local users can ssh in fine.

The pam.d config would be my first guess. What gets logged to all.log?

> I searched through the bugs and it seems there is a bug in nss_ldap
> with regards to getpwuid, but that seems to be more of an indicator
> about why finger doesn't work, not why ssh doesn't work
>
> # id testuser seems to work, finger doesn't. Curious. Anyway, it still
> appears as though at least some portions of the system are using LDAP,
> which is good.
> $ id testuser
> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> $ finger testuser
> finger: testuser: no such user
> $

id works because it's using the name service to look up the user (you
added ldap to your nsswitch.conf, right?)

finger doesn't work because you don't have a /etc/pam.d/finger file.
Either create one or add pam_ldap to your /etc/pam.d/system file. (I
always create a new conf file for my ldap enabled apps)

Here is my /etc/pam.d/sshd file, I use the exact same file for all my
ldap enabled apps.: (if somebody sees a bug in there, or can suggest any
improvement, by all means let me know.)

--
# auth
auth     sufficient  /usr/local/lib/pam_ldap.so
auth     required    pam_nologin.so      no_warn
auth     sufficient  pam_opie.so         no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so   no_warn allow_local
#auth    sufficient  pam_krb5.so         no_warn try_first_pass
#auth    sufficient  pam_ssh.so          no_warn try_first_pass
auth     required    pam_unix.so         no_warn try_first_pass
# account
account  sufficient  /usr/local/lib/pam_ldap.so
#account required    pam_krb5.so
account  required    pam_login_access.so
account  required    pam_unix.so
# session
#session optional    pam_ssh.so
session  required    pam_permit.so
# password
#password sufficient pam_krb5.so        no_warn try_first_pass
password required    pam_unix.so        no_warn try_first_pass

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
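The sshd file above asks for review, and Dan Nelson's reply earlier in the thread (nss_ldap without pam_ldap is workable for key-only logins) turns on the same question: which modules in this stack actually run for a given login. The following is an added example, not code from this thread and not OpenPAM: it parses the posted /etc/pam.d/sshd (commented-out lines dropped) and walks each chain under the control-flag rules from pam.conf(5), with module outcomes supplied as a dict so nothing real is loaded. The scenarios are constructed; the module names and ordering are the poster's.

```python
"""Walk the /etc/pam.d/sshd stack posted in this thread under OpenPAM's
control-flag rules.

Added example, not code from the thread and not OpenPAM itself. Module
outcomes are supplied by the caller, so no real module is loaded; the
point is to see which modules in the posted file are consulted for a
given kind of login. Rules modelled, as documented in pam.conf(5):
  requisite  - failure ends the chain with failure at once
  required   - failure is remembered, but the rest of the chain still runs
  sufficient - success ends the chain with success unless a required
               module already failed; failure is ignored
  optional   - result ignored
"""

# The posted /etc/pam.d/sshd with its commented-out lines dropped.
PAM_SSHD = """
auth     sufficient  /usr/local/lib/pam_ldap.so
auth     required    pam_nologin.so      no_warn
auth     sufficient  pam_opie.so         no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so   no_warn allow_local
auth     required    pam_unix.so         no_warn try_first_pass
account  sufficient  /usr/local/lib/pam_ldap.so
account  required    pam_login_access.so
account  required    pam_unix.so
session  required    pam_permit.so
password required    pam_unix.so         no_warn try_first_pass
"""


def parse_pam(text):
    """Return {facility: [(control, module), ...]} using module basenames."""
    stack = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        facility, control, module = line.split()[:3]
        stack.setdefault(facility, []).append((control, module.rsplit("/", 1)[-1]))
    return stack


def run_chain(chain, outcome):
    """outcome maps module -> 'ok' or 'fail' (a missing module counts as
    'fail'). Returns (chain result, modules consulted in order)."""
    consulted, required_failed = [], False
    for control, module in chain:
        consulted.append(module)
        ok = outcome.get(module, "fail") == "ok"
        if control == "requisite" and not ok:
            return "fail", consulted
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return "ok", consulted
        # optional: result ignored
    return ("fail" if required_failed else "ok"), consulted


STACK = parse_pam(PAM_SSHD)


def ldap_user_with_nologin():
    """Directory user, correct password, while /var/run/nologin exists and
    login.access would deny this source. Constructed outcomes."""
    outcome = {"pam_ldap.so": "ok", "pam_nologin.so": "fail",
               "pam_login_access.so": "fail", "pam_unix.so": "fail"}
    return run_chain(STACK["auth"], outcome), run_chain(STACK["account"], outcome)


def local_user_good_password():
    """Local user unknown to the directory; pam_unix accepts the password."""
    outcome = {"pam_ldap.so": "fail", "pam_nologin.so": "ok", "pam_opie.so": "fail",
               "pam_opieaccess.so": "ok", "pam_unix.so": "ok", "pam_login_access.so": "ok"}
    return run_chain(STACK["auth"], outcome), run_chain(STACK["account"], outcome)


def ldap_user_bad_password():
    """Directory user with a wrong password: every authenticator rejects it."""
    outcome = {"pam_ldap.so": "fail", "pam_nologin.so": "ok", "pam_opie.so": "fail",
               "pam_opieaccess.so": "ok", "pam_unix.so": "fail"}
    return run_chain(STACK["auth"], outcome)


if __name__ == "__main__":
    print("ldap user, nologin present:", ldap_user_with_nologin())
    print("local user:", local_user_good_password())
    print("ldap user, bad password:", ldap_user_bad_password())
```

The first scenario is the finding a reviewer would raise about this file: because pam_ldap is listed as sufficient ahead of pam_nologin in auth and ahead of pam_login_access in account, a directory user who satisfies pam_ldap never reaches either control, so /var/run/nologin and /etc/login.access only restrict local accounts. If those controls are meant to apply to everyone, they belong before the sufficient entry (pam_nologin and pam_login_access as required or requisite at the top of their chains), which the simulator shows by reordering PAM_SSHD. On Dan Nelson's point: with public-key logins sshd does not run the auth chain at all, so nss_ldap alone supplies the account data, but sshd built with PAM still runs the account and session chains, so the account ordering above matters even then.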