Re: [gentoo-user] LDAP authentification and management

2005-09-15 Thread Andrew MacKenzie
> Uh...why was the "management" in the subject line? Because I forgot yet
> another question:
> What do you guys use for LDAP data management?
Check out phpldapadmin:

# eix phpldapadmin
* net-nds/phpldapadmin 
Available versions:  ~0.9.7_alpha6 ~0.9.7_rc1 
Installed:   no
Homepage:http://phpldapadmin.sourceforge.net
Description: phpLDAPadmin is a web-based tool
for managing all aspects of your LDAP server.


-- 
// Andrew MacKenzie  |  http://www.edespot.com
// GPG public key: http://www.edespot.com/~amackenz/public.key
// As Will Rogers would have said, "There is no such thing as a free
// variable."
// - Alan Perlis




Re: [gentoo-user] LDAP authentification and management

2005-09-15 Thread Eric Crossman
On Thu, 2005-09-15 at 13:59 +0200, Matthias Bethke wrote:
> Uh...why was the "management" in the subject line? Because I forgot yet
> another question:
> What do you guys use for LDAP data management?
> I've tried quite a few tools now. app-admin/diradm seems the only usable
> one so far. net-nds/directoryadministrator segfaults on startup;
> net-nds/gq works until you actually create a connection to the server,
> then segfaults; net-nds/luma hangs while receiving data. net-nds/led I
> haven't tried yet...
> 
> TIA!
>   Matthias

When I first migrated to OpenLDAP in the 1.x days, I created a bunch of
home grown perl utilities to make suitable replacements for things like
useradd, groupadd, passwd, etc. For new accounts we had to use our own
template so that an account would be valid for both unix and smb logins.
For management of existing accounts, we tried gq but found it only to be
stable for reading/browsing. We installed phpldapadmin on a web server
and that has worked really nicely. I know the current sysadmin continues
to use that on the OpenLDAP 2.x/Samba 3.0 combination.

Eric


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] LDAP authentification and management

2005-09-15 Thread Matthias Bethke
Uh...why was the "management" in the subject line? Because I forgot yet
another question:
What do you guys use for LDAP data management?
I've tried quite a few tools now. app-admin/diradm seems the only usable
one so far. net-nds/directoryadministrator segfaults on startup;
net-nds/gq works until you actually create a connection to the server,
then segfaults; net-nds/luma hangs while receiving data. net-nds/led I
haven't tried yet...

TIA!
Matthias
-- 
I prefer encrypted and signed messages.   KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46  B9 8A B9 E2 09 9F 3B 91




[gentoo-user] LDAP authentification and management

2005-09-14 Thread Matthias Bethke
I'm still trying to set up OpenLDAP here. For some reason, SASL doesn't
work, but from the error message I guess it has to do with a missing
entry in the LDAP database itself:

Sep 14 15:42:34 clue slapd[24202]: slapd starting
Sep 14 15:42:40 clue slapd[13526]: conn=0 fd=13 ACCEPT from 
IP=XXX.XXX.XXX.XXX:49623 (IP=0.0.0.0:636)
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SRCH base="" scope=0 deref=0 
filter="(objectClass=*)"
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Sep 14 15:42:40 clue slapd[4930]: conn=0 op=0 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Sep 14 15:42:40 clue ldapadd: GSSAPI Error: Miscellaneous failure (No 
credentials cache found)
Sep 14 15:42:40 clue slapd[13526]: conn=0 fd=13 closed

I *can* use ldap{search,add} with the -x parameter though, so I suppose
if I add "sasl off" to /etc/ldap.conf (which I did for now), I should be
fine as I'll be using SSL with mutual authentication anyway.

Migrating the old server's data seems to have worked after I found that
you cannot just copy another machine's passwd file and migrate that
as the migrationtools will get the password hash from getpwuid(3) which
will fail if the account isn't on your machine. Maybe this should be
added to the guide -- a careful look would have told me, as there is no
mention of the shadow file, but who looks carefully when following a
guide? :)

So, pam_ldap and nss_ldap are in place and PAM seems to be OK. I still
cannot log in due to some nsswitch problem apparently:

[snipped a lot of output---I guess "slapd -s0" will shut that up once it
works?]
Sep 14 16:58:34 clue slapd[15571]: conn=3 op=1 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Sep 14 16:58:34 clue slapd[26321]: conn=3 fd=15 closed
Sep 14 16:58:34 clue sshd[5422]: Accepted keyboard-interactive/pam for msbethke 
from :::131.188.185.45 port 51711 ssh2
Sep 14 16:58:34 clue slapd[26321]: conn=2 fd=13 closed
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd(pam_unix)[8048]: session opened for user msbethke by 
(uid=0)
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: nss_ldap: could not search LDAP server - Can't 
contact LDAP server
Sep 14 16:58:34 clue sshd[8048]: fatal: PAM: pam_open_session(): Cannot 
make/remove an entry for the specified session

Hm. Shouldn't nss_ldap use the URI specified in /etc/ldap.conf to talk
to the server? I'm at a loss here.

Oh, and BTW: is there a way to allow high-ASCII characters in LDIF
files? We happen to have a few users with umlauts in their names and
not being able to retain them would be even more backwards than NIS...

regards
Matthias

-- 
I prefer encrypted and signed messages.   KeyID: 90CF8389
Fingerprint: 8E 1F 10 81 A4 66 29 46  B9 8A B9 E2 09 9F 3B 91


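Two of the practical points in this message, that migrationtools fetches the password hash through getpwuid(3) rather than reading the shadow file, and that LDIF cannot carry umlauts verbatim, can be shown together in one small script. This is an added example, not the migrationtools code or anything posted in the thread: it reads passwd and shadow lines directly (constructed samples, not real accounts) and emits LDIF, base64-encoding every value that RFC 2849 does not permit in plain form (the `attr:: <base64>` syntax, with the value taken as UTF-8). The base DN, the ou=People container and the objectClass set are assumptions.

```python
"""Build LDIF for posixAccount/shadowAccount entries straight from passwd and
shadow files, base64-encoding any value RFC 2849 does not allow in plain form.
Added example, not the migrationtools scripts; base DN and ou=People are assumed."""
import base64
import unicodedata

# Constructed sample input (not real accounts); the shadow hash is a placeholder.
PASSWD_LINES = [
    "alice:x:1001:100:Alice Example:/home/alice:/bin/bash",
    "joerg:x:1002:100:Jörg Müller,Room 12:/home/joerg:/bin/bash",
]
SHADOW_LINES = [
    "alice:$1$placeholder$PLACEHOLDERHASHNOTREAL0000:13040:0:99999:7:::",
    "joerg:!:13040:0:99999:7:::",  # locked account: no hash to migrate
]


def needs_base64(value: str) -> bool:
    """RFC 2849: a value must be base64-encoded if it starts with space, ':' or '<',
    or contains NUL, CR, LF or any byte outside 7-bit ASCII (umlauts included)."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def ldif_attr(name: str, value: str) -> str:
    """One 'name: value' line, or 'name:: base64(utf-8 bytes)' when required."""
    if needs_base64(value):
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value


def fold(line: str, width: int = 76) -> list:
    """Wrap long lines the LDIF way: continuation lines start with one space."""
    if len(line) <= width:
        return [line]
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return chunks


def parse_passwd(lines):
    users = {}
    for line in lines:
        name, _, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
        users[name] = {"uid": uid, "gid": gid, "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(lines):
    """Read hashes from the shadow file itself instead of via getpwuid(3),
    so accounts that do not exist on the migrating host still get their hash."""
    entries = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        entries[fields[0]] = {"hash": fields[1], "lastchange": fields[2]}
    return entries


def user_entry(name, pw, sp, base_dn):
    full_name = pw["gecos"].split(",")[0] or name
    # RFC 2307 defines gecos as IA5String (ASCII only): the UTF-8 name goes into cn,
    # gecos gets an ASCII transliteration (NFKD, accents stripped).
    ascii_gecos = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode("ascii")
    attrs = [
        ("dn", "uid=%s,ou=People,%s" % (name, base_dn)),  # assumed container
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", name),
        ("cn", full_name),
        ("uidNumber", pw["uid"]),
        ("gidNumber", pw["gid"]),
        ("homeDirectory", pw["home"]),
        ("loginShell", pw["shell"]),
        ("gecos", ascii_gecos),
    ]
    # Locked or passwordless accounts ("!", "*", "!!", empty) get no userPassword.
    if sp is not None and sp["hash"] not in ("", "!", "*", "!!"):
        attrs.append(("userPassword", "{CRYPT}" + sp["hash"]))
        if sp["lastchange"]:
            attrs.append(("shadowLastChange", sp["lastchange"]))
    out = []
    for attr_name, value in attrs:
        out.extend(fold(ldif_attr(attr_name, value)))
    return "\n".join(out)


def build_ldif(passwd_lines, shadow_lines, base_dn):
    users = parse_passwd(passwd_lines)
    shadow = parse_shadow(shadow_lines)
    return "\n\n".join(user_entry(n, users[n], shadow.get(n), base_dn) for n in users) + "\n"


if __name__ == "__main__":
    print(build_ldif(PASSWD_LINES, SHADOW_LINES, "dc=example,dc=com"))
```

The `::` form is the answer to the umlaut question: the value is stored as UTF-8 and carried in base64, so nothing is lost on the way in. The one trap is schema-side, since the RFC 2307 `gecos` attribute is IA5String and the server will reject non-ASCII there; the full name belongs in `cn`. Running the script prints the entries, which can be loaded with the simple-bind `ldapadd -x` form the message already uses.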