[389-users] LDAP authentication is not getting correct information (SSL/TLS) (all files, logs included- please give me light on this)

2013-12-29 Thread fosiul alam
Hi,
I need some help urgently, as I have no idea why it is acting funny.

As far as I believe, I have set up the LDAP server properly in a test
environment, but it is acting weird, no idea why...

Example:

[root@test ~]# id tuser
id: tuser: No such user




The command below shows the correct info:

 [root@test ~]# /usr/bin/ldapsearch -xZZ -D 'cn=Directory Manager' -w
'x' -b 'dc=fosiul,dc=lan'
# extended LDIF
#
# LDAPv3
# base dc=fosiul,dc=lan with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# fosiul.lan
dn: dc=fosiul,dc=lan
dc: fosiul
objectClass: domain
objectClass: top

# uk, fosiul.lan
dn: l=uk,dc=fosiul,dc=lan
l: uk
objectClass: locality
objectClass: top

# groups, uk, fosiul.lan
dn: ou=groups,l=uk,dc=fosiul,dc=lan
ou: groups
objectClass: organizationalUnit
objectClass: top

# users, uk, fosiul.lan
dn: ou=users,l=uk,dc=fosiul,dc=lan
ou: users
objectClass: organizationalUnit
objectClass: top

# IT, groups, uk, fosiul.lan
dn: cn=IT,ou=groups,l=uk,dc=fosiul,dc=lan
gidNumber: 3001
objectClass: posixGroup
objectClass: top
uniqueMember: uid=fosiula,ou=users,l=uk,dc=fosiul,dc=lan
cn: IT

# tuser, users, uk, fosiul.lan
dn: uid=tuser,ou=users,l=uk,dc=fosiul,dc=lan
givenName: Tuser
sn: User
uidNumber: 2001
gidNumber: 3001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
cn: test User
homeDirectory: /home/tuser
userPassword:: e1NTSEF9cGlZclc1NjBaOXdtSGxkdVVKcGJ3TUhHZjN4eG55a2lUQUxhSVE9PQ=
 =
uid: tuser

# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6


My /etc/ldap.conf:



[root@test ~]# cat /etc/ldap.conf
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#

# This config is managed by puppet, all changes will be reverted


base dc=fosiul,dc=lan
bind_policy soft
# Search timelimit
#timelimit 30
timelimit 1

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 1

#idle_timelimit 3600
idle_timelimit 1
bind_timeout 1
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon

uri ldap://puppet-1.fosiul.lan

ssl start_tls
tls_cacertfile /etc/openldap/cacerts/CRT.crt
pam_password md5
pam_groupdn cn=IT,ou=groups,l=uk,dc=fosiul,dc=lan
pam_member_attribute uniqueMember

tls_cacertdir /etc/openldap/cacerts




My /etc/openldap/ldap.conf:


#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never
URI ldap://puppet-1.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/CRT.crt



The log from the LDAP server for the command below:

[root@test ~]# id tuser
id: tuser: No such user
[root@test ~]#


[29/Dec/2013:14:49:14 +] conn=111 op=3 UNBIND
[29/Dec/2013:14:49:14 +] conn=111 op=3 fd=76 closed - U1
[29/Dec/2013:14:49:14 +] conn=115 fd=76 slot=76 connection from
192.168.0.40 to 192.168.0.35
[29/Dec/2013:14:49:14 +] conn=115 op=0 EXT
oid=1.3.6.1.4.1.1466.20037 name=startTLS
[29/Dec/2013:14:49:14 +] conn=115 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[29/Dec/2013:14:49:14 +] conn=115 SSL 256-bit AES
[29/Dec/2013:14:49:14 +] conn=115 op=1 BIND dn= method=128 version=3
[29/Dec/2013:14:49:14 +] conn=115 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn=
[29/Dec/2013:14:49:14 +] conn=115 op=2 SRCH
base=dc=fosiul,dc=lan scope=2
filter=(&(objectClass=posixAccount)(uid=tuser)) attrs=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
[29/Dec/2013:14:49:14 +] conn=115 op=2 RESULT err=0 tag=101
nentries=0 etime=0
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] LDAP authentication is not getting correct information (SSL/TLS) (all files, logs included- please give me light on this)

2013-12-29 Thread Christopher Wood
-D 'cn=Directory Manager'

It looks like your ldapsearch is using Directory Manager (the 389 equivalent to 
the root user). However I do not see where you have specified a bind DN in an 
ldap.conf file so possibly PAM is binding anonymously and an ACL is prohibiting 
the search?

If this is a testing system you could specify Directory Manager as your bind DN 
for PAM just to test this assumption. Of course for production you'd want some 
non-DM DN to bind with.

On Sun, Dec 29, 2013 at 02:54:13PM +, fosiul alam wrote:
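A way to read the access log in the original post mechanically, added here as an example and not code from this thread or from 389 DS: the script correlates each connection's BIND with its later SRCH RESULT and flags the combination the post shows, an anonymous simple bind (empty dn, method=128) followed by a search that finishes with err=0 and nentries=0. The server evaluates ACIs per entry and silently drops what the binder may not read, so from the client side an ACL problem is indistinguishable from a missing entry, which is why `id` reports "No such user". The sample log is constructed from the conn=115 lines in the post (quotes restored, one record per line, a +0000 offset assumed) plus a made-up control connection conn=200 bound as cn=Directory Manager that gets one entry back.

```shell
#!/bin/sh
# Added example (not from the thread): flag anonymous binds whose search on
# the same connection completed with err=0 but returned no entries.

# Constructed sample, modelled on the post's conn=115 lines plus a control
# connection bound as a DN. Real 389 DS access logs quote dn/base/filter/attrs.
SAMPLE_LOG='[29/Dec/2013:14:49:14 +0000] conn=115 fd=76 slot=76 connection from 192.168.0.40 to 192.168.0.35
[29/Dec/2013:14:49:14 +0000] conn=115 op=0 EXT oid=1.3.6.1.4.1.1466.20037 name=startTLS
[29/Dec/2013:14:49:14 +0000] conn=115 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[29/Dec/2013:14:49:14 +0000] conn=115 SSL 256-bit AES
[29/Dec/2013:14:49:14 +0000] conn=115 op=1 BIND dn="" method=128 version=3
[29/Dec/2013:14:49:14 +0000] conn=115 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[29/Dec/2013:14:49:14 +0000] conn=115 op=2 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[29/Dec/2013:14:49:14 +0000] conn=115 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[29/Dec/2013:14:50:02 +0000] conn=200 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Dec/2013:14:50:02 +0000] conn=200 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Dec/2013:14:50:02 +0000] conn=200 op=1 SRCH base="dc=fosiul,dc=lan" scope=2 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs="uid uidNumber"
[29/Dec/2013:14:50:02 +0000] conn=200 op=1 RESULT err=0 tag=101 nentries=1 etime=0'

# Reads access-log lines on stdin, prints one line per suspicious search.
anon_empty_searches() {
  awk '
    # value of " name=..." on the current line, quotes stripped; "" if absent
    # (handles both the quoted server format and the unquoted form in the post)
    function field(name,    s) {
      s = ""
      if (match($0, " " name "=\"[^\"]*\""))
        s = substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
      else if (match($0, " " name "=[^ ]*"))
        s = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
      return s
    }
    { conn = field("conn"); key = conn ":" field("op") }
    / BIND dn=/ {
      # empty dn with method=128 (simple) is an anonymous bind; a SASL bind
      # also logs an empty dn on its first step, so it is deliberately skipped
      if (field("dn") == "" && field("method") == "128") anon[conn] = 1; else delete anon[conn]
    }
    / SRCH / { filter[key] = field("filter") }
    / RESULT / && (key in filter) {
      if ((conn in anon) && field("nentries") == "0")
        printf "conn=%s anonymous search %s: err=%s but 0 entries; the binder cannot read them (check ACIs)\n",
               conn, filter[key], field("err")
      delete filter[key]
    }
  '
}

printf '%s\n' "$SAMPLE_LOG" | anon_empty_searches
```

Against a live instance, feed it the real file (typically /var/log/dirsrv/slapd-INSTANCE/access): `anon_empty_searches < /var/log/dirsrv/slapd-INSTANCE/access`. A hit for the same filter that works when bound as cn=Directory Manager is the ACL signature Christopher describes; a hit that also fails as Directory Manager means the entry really is absent or outside the search base.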

Re: [389-users] LDAP authentication is not getting correct information (SSL/TLS) (all files, logs included- please give me light on this)

2013-12-29 Thread fosiul alam
Hi,
Thanks for the quick reply. I was thinking the same, that somewhere
it is missing the bind DN,

and I can confirm that it is working with

binddn and bindpw defined in ldap.conf.

But
I configured this before and I never had to define binddn and bindpw
anywhere in ldap.conf, and as you said, for production it is not
appropriate.

Which means something I have missed while configuring Directory Server.

I guess I will have to tell Directory Server to bind anonymous
search with cn=Directory Manager or something like this.

But currently it is not clicking in my head.

Any further help will be really appreciated.

Kind Regards

Re: [389-users] LDAP authentication is not getting correct information (SSL/TLS) (all files, logs included- please give me light on this)

2013-12-29 Thread Christopher Wood
On Sun, Dec 29, 2013 at 05:33:09PM +, fosiul alam wrote:
 Hi,
 Thanks for the quick reply. I was thinking the same, that somewhere
 it is missing the bind DN,
 
 and I can confirm that it is working with
 
 binddn and bindpw defined in ldap.conf.
 
 But
 I configured this before and I never had to define binddn and bindpw
 anywhere in ldap.conf, and as you said, for production it is not
 appropriate.

Sounds like your previous setup either permitted anonymous binds to search for 
this information (had the ACLs permitting this) or had people bind as 
themselves and permitted them (via ACLs) to search for their own entries.

Unfortunately it has been a bit of a while since I set this up with 389 and I 
don't recall specifically how.

But in your place I would see if I could get PAM/LDAP to bind with 
authenticating users' credentials for logins, and bind anonymously for generic 
stuff like group info.

 Which means something I have missed while configuring Directory Server.
 
 I guess I will have to tell Directory Server to bind anonymous
 search with cn=Directory Manager or something like this.
 
 But currently it is not clicking in my head.
 
 Any further help will be really appreciated.
 
 Kind Regards
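One way to act on the two options Christopher lays out (anonymous read for the generic lookups, users binding as themselves for login), added here as an example and not code from this thread or from 389 DS: an LDIF that adds an ACI on the suffix granting anonymous read/search/compare on exactly the attributes the nss_ldap search in the access log requested, minus userPassword (pam_ldap verifies a password by binding as the user, so no client ever needs to read the hash), a check that refuses any ACI which would expose userPassword to anonymous binders, and the anonymous ldapsearch plus getent that reproduce the lookup nss_ldap performs. The suffix, URI, DNs and attribute list are the ones in the post; the ACI name, the hypothetical nss-reader DN and the RUN_LIVE switch are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from 389 DS): open anonymous read of
# the POSIX attributes nss_ldap needs and nothing else, refuse an ACI that
# would expose userPassword, then verify the lookup the way nss_ldap does it.

SUFFIX='dc=fosiul,dc=lan'                 # from the post
LDAP_URI='ldap://puppet-1.fosiul.lan'     # from the post; StartTLS via -ZZ

# Attributes the failing search in the post's access log asked for, minus
# userPassword (the hash never needs to be readable by a client).
NSS_ATTRS='uid || uidNumber || gidNumber || cn || homeDirectory || loginShell || gecos || description || objectClass'

# LDIF adding one ACI on the suffix (ACI name made up). For a dedicated
# read-only account instead of anonymous, replace ldap:///anyone with that
# account's DN (hypothetical: cn=nss-reader,ou=users,l=uk,dc=fosiul,dc=lan)
# and point nss_ldap at it with "rootbinddn <DN>" plus the password in
# /etc/ldap.secret (mode 0600), not bindpw in the world-readable,
# puppet-managed /etc/ldap.conf.
anon_posix_read_ldif() {
  cat <<EOF
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr="$NSS_ATTRS")(version 3.0; acl "nss anonymous posix read"; allow (read, search, compare) userdn="ldap:///anyone";)
EOF
}

# Reads ACI/LDIF text on stdin; exits 0 (true) if an "anyone" ACI could let
# anonymous binders read userPassword: a wildcard targetattr, userPassword
# listed explicitly, or a targetattr!= exclusion list that does not exclude it.
aci_leaks_password() {
  awk '
    tolower($0) ~ /userdn="ldap:\/\/\/anyone"/ {
      l = tolower($0)
      if (l ~ /targetattr="\*"/) leak = 1
      if (l ~ /targetattr="[^"]*userpassword/) leak = 1
      if (l ~ /targetattr!=/ && l !~ /targetattr!="[^"]*userpassword/) leak = 1
    }
    END { exit !leak }'
}

# Needs the live server: RUN_LIVE=1 sh this-file.sh
apply_and_verify() {
  anon_posix_read_ldif | ldapmodify -xZZ -H "$LDAP_URI" -D 'cn=Directory Manager' -W
  # Same filter nss_ldap sent, but bound anonymously (no -D), so this returns
  # the entry only if the ACI works; -ZZ fails closed if StartTLS fails.
  ldapsearch -xZZ -LLL -H "$LDAP_URI" -b "$SUFFIX" \
    '(&(objectClass=posixAccount)(uid=tuser))' uid uidNumber gidNumber homeDirectory
  getent passwd tuser
}

if anon_posix_read_ldif | aci_leaks_password; then
  echo "refusing: this ACI would expose userPassword to anonymous binders" >&2
  exit 1
fi
anon_posix_read_ldif
if [ "${RUN_LIVE:-0}" = 1 ]; then
  apply_and_verify
fi
```

Two caveats from the post's own configuration. rootbinddn only applies to processes running as root; a non-root `id tuser` still binds anonymously (or with binddn), so the read-only account alone does not remove the need for some readable ACI. And /etc/ldap.conf sets pam_groupdn cn=IT,ou=groups,l=uk,dc=fosiul,dc=lan with pam_member_attribute uniqueMember, while the IT entry's only uniqueMember is uid=fosiula; once the lookup works, pam_ldap will still refuse tuser at login until that DN is added as a uniqueMember (or pam_groupdn is dropped), and `id` will not show this because it does not go through PAM.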