Re: nss_ldap and the linuxulator
Hi, if you look at the message of the linux base port, you will see that this part is discussed there. FreeBSD does not come with ldap by default, so does the linux base port. So far nobody complained loudly about the lack of a nss ldap port for the linuxulator, and nobody felt the pressure to create such a port and talk about it on the emulation list. Anyone who uses ldap in the linuxulator is free to create a corresponding port, quesions in case of problems creating such a port can be asked on the emulation mailinglist. Bye, Alexander. -- Send via an Android device, please forgive brevity and typographic and spelling errors. per...@pluto.rain.com hat geschrieben:Forwarding to emulation@, which is where the linuxulator gurus hang out (AFAIK). Please keep Da Rock in the Cc: Date: Mon, 02 Jan 2012 21:59:57 +1000 From: Da Rock freebsd-questi...@herveybayaustralia.com.au To: freebsd-questions@freebsd.org Subject: nss_ldap and the linuxulator I've just run into this snag again which I've resolved back in 7.x/8.1: the linuxulator cannot handle nss lookups from ldap. I ran a search for nss_ldap fedora 10 and simply extracted from the rpm the libnss_ldap*.so* in the usr/lib into the corresponding directory under /compat/linux. One then only has to copy or setup the ldap.conf in /compat/linux/etc/ and change /compat/linux/etc/nsswitch.conf so the it will check files and ldap as in the base. It works a charm when you have issues like the missus with acroread and others not working inexplicably. Run acroread from the command line will give you the clue: getpwuid_r(): failed due to unknown user id. This solution does fix this categorically. I hope this helps others, but I do have one question: why isn't this included in the ports already? I still haven't yet figured out cups and printer selection yet, but I have made some progress... :) Cheers ___ freebsd-emulat...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-emulation To unsubscribe, send any mail to freebsd-emulation-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
nss_ldap and the linuxulator
I've just run into this snag again which I've resolved back in 7.x/8.1: the linuxulator cannot handle nss lookups from ldap. I ran a search for nss_ldap fedora 10 and simply extracted from the rpm the libnss_ldap*.so* in the usr/lib into the corresponding directory under /compat/linux. One then only has to copy or setup the ldap.conf in /compat/linux/etc/ and change /compat/linux/etc/nsswitch.conf so the it will check files and ldap as in the base. It works a charm when you have issues like the missus with acroread and others not working inexplicably. Run acroread from the command line will give you the clue: getpwuid_r(): failed due to unknown user id. This solution does fix this categorically. I hope this helps others, but I do have one question: why isn't this included in the ports already? I still haven't yet figured out cups and printer selection yet, but I have made some progress... :) Cheers ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
nss_ldap and the linuxulator
Forwarding to emulation@, which is where the linuxulator gurus hang out (AFAIK). Please keep Da Rock in the Cc: Date: Mon, 02 Jan 2012 21:59:57 +1000 From: Da Rock freebsd-questi...@herveybayaustralia.com.au To: freebsd-questions@freebsd.org Subject: nss_ldap and the linuxulator I've just run into this snag again which I've resolved back in 7.x/8.1: the linuxulator cannot handle nss lookups from ldap. I ran a search for nss_ldap fedora 10 and simply extracted from the rpm the libnss_ldap*.so* in the usr/lib into the corresponding directory under /compat/linux. One then only has to copy or setup the ldap.conf in /compat/linux/etc/ and change /compat/linux/etc/nsswitch.conf so the it will check files and ldap as in the base. It works a charm when you have issues like the missus with acroread and others not working inexplicably. Run acroread from the command line will give you the clue: getpwuid_r(): failed due to unknown user id. This solution does fix this categorically. I hope this helps others, but I do have one question: why isn't this included in the ports already? I still haven't yet figured out cups and printer selection yet, but I have made some progress... :) Cheers ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Optimizing pam_ldap and nss_ldap
Hello freebsd users! I've got Openldap 2.4.23 that used as authentication and authorization server for about 40-50 servers. OS - FreeBSD 8.1. It's not heavy loaded. openldap# top -SP last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57 99 processes: 3 running, 80 sleeping, 16 waiting CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free Swap: 4060M Total, 8K Used, 4060M Free PID USERNAME THR PRI NICE SIZERES STATE C TIME WCPU COMMAND 11 root 2 171 ki31 0K32K CPU00 3874.8 200.00% idle 4773 ldap18 440 398M 53748K ucond 1 41.1H 0.00% slapd But on my servers sometimes I see in logs something like on FTP-server: Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable Authentication works fine, no problems. But want to find out what can be wrong. To understand this problem I installed ldap-stats utility and made it run: /var/log/debug.log - it's half day openldap server usage log. openldap# ldap-stats -c 1000 /var/log/debug.log Report Generated on Tue Apr 5 15:16:47 2011 Processed /var/log/debug.log: Apr 5 00:00:00 - Apr 5 15:17:33 Operation totals Total operations : 913845 Total connections : 101226 Total authentication failures : 2 Total binds : 99700 Total unbinds : 99181 Total searches: 714964 Total compares: 7 Total modifications : 0 Total modrdns : 0 Total additions : 0 Total deletions : 0 Unindexed attribute requests : 0 Operations per connection : 9.03 # UsesFilter ----- 615504 ((objectClass=posixAccount)(uid=mailer-daemon)) 90699 ((objectClass=posixGroup)) 6833((objectClass=posixAccount)(uid=root)) 2236((objectClass=posixAccount)(uid=hiddenuser1)) 669 ((objectClass=posixGroup)(memberUid=root)) 318 ((objectClass=posixAccount)(uid=testacc)) 87 ((objectClass=posixGroup)(memberUid=postfix)) 87 ((objectClass=posixAccount)(uid=postfix)) 81 (objectClass=posixAccount) 68 ((objectClass=posixAccount)(uid=debian-exim)) 68 ((objectClass=posixGroup)(memberUid=Debian-exim)) 39 ((objectClass=posixAccount)(uid=normaluser)) 34 ((objectClass=posixAccount)(uidNumber=7333)) 30 ((objectClass=posixGroup)(memberUid=hiddenuser1)) 29 ((objectClass=posixGroup)(memberUid=chelovek)) 29 ((objectClass=posixAccount)(uid=chelovek)) 27 ((objectClass=posixAccount)(uid=user0)) 23 ((objectClass=posixAccount)(uid=nobody)) 21 ((objectClass=posixAccount)(uid=user1)) 18 ((objectClass=posixAccount)(uid=user2)) 16 ((objectClass=posixAccount)(uid=user3)) 15 ((objectClass=posixAccount)(uid=user4)) 12 ((objectClass=posixAccount)(uid=user5)) 11 ((objectClass=posixAccount)(uidNumber=7330)) 10 ((objectClass=posixAccount)(uid=user15)) 9 ((objectClass=posixAccount)(uid=user16)) 8 ((objectClass=posixAccount)(uidNumber=7333)) 6 ((objectClass=posixAccount)(uid=user6)) 5 ((objectClass=posixAccount)(uid=user7)) 5 (cn=defaults) 4 ((objectClass=posixAccount)(uidNumber=7228)) 4 ((objectClass=shadowAccount)(uid=user1)) 4 ((objectClass=posixAccount)(uid=user9)) 4 ((objectClass=posixAccount)(uid=user10)) 4 ((objectClass=posixAccount)(uid=user11)) 3 ((objectClass=posixAccount)(uid=user12)) 3 ((objectClass=posixAccount)(uid=user13)) 3 ((objectClass=posixAccount)(uid=user14)) ... and MANY others that has 1 use in this stats. I think this many queries from mail relay server. * user1 and etc - users that relayed, like us...@domain.com in rcpt to field in email at mail-relay. What can I do to tune nss? Can you point me in a right direction? There's too many not needed nss requests to ldap (when email recieved and then relayed somewhere). Do not know what to look at. If you need any additional information, logs and etc - I'll provide it. Thanks in advance! ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: Optimizing pam_ldap and nss_ldap
Don't know ... I couldn't ever get pam_ldap to work. It was caught in a permanent wait state. The ldap server NEVER replied. Computer Assistant Nvita.org 12400 Midsummer Ln, Suite 201A Woodbridge, VA 22192 Phone - (202) 455-9065 Web - http://www.nvita.org/free-shells.aspx -Original Message- From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of c0re Sent: Thursday, April 07, 2011 1:38 AM To: FreeBSD Subject: Optimizing pam_ldap and nss_ldap Hello freebsd users! I've got Openldap 2.4.23 that used as authentication and authorization server for about 40-50 servers. OS - FreeBSD 8.1. It's not heavy loaded. openldap# top -SP last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57 99 processes: 3 running, 80 sleeping, 16 waiting CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free Swap: 4060M Total, 8K Used, 4060M Free PID USERNAME THR PRI NICE SIZERES STATE C TIME WCPU COMMAND 11 root 2 171 ki31 0K32K CPU00 3874.8 200.00% idle 4773 ldap18 440 398M 53748K ucond 1 41.1H 0.00% slapd But on my servers sometimes I see in logs something like on FTP-server: Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable Authentication works fine, no problems. But want to find out what can be wrong. To understand this problem I installed ldap-stats utility and made it run: /var/log/debug.log - it's half day openldap server usage log. openldap# ldap-stats -c 1000 /var/log/debug.log Report Generated on Tue Apr 5 15:16:47 2011 Processed /var/log/debug.log: Apr 5 00:00:00 - Apr 5 15:17:33 Operation totals Total operations : 913845 Total connections : 101226 Total authentication failures : 2 Total binds : 99700 Total unbinds : 99181 Total searches: 714964 Total compares: 7 Total modifications : 0 Total modrdns : 0 Total additions : 0 Total deletions : 0 Unindexed attribute requests : 0 Operations per connection : 9.03 # UsesFilter ----- 615504 ((objectClass=posixAccount)(uid=mailer-daemon)) 90699 ((objectClass=posixGroup)) 6833((objectClass=posixAccount)(uid=root)) 2236((objectClass=posixAccount)(uid=hiddenuser1)) 669 ((objectClass=posixGroup)(memberUid=root)) 318 ((objectClass=posixAccount)(uid=testacc)) 87 ((objectClass=posixGroup)(memberUid=postfix)) 87 ((objectClass=posixAccount)(uid=postfix)) 81 (objectClass=posixAccount) 68 ((objectClass=posixAccount)(uid=debian-exim)) 68 ((objectClass=posixGroup)(memberUid=Debian-exim)) 39 ((objectClass=posixAccount)(uid=normaluser)) 34 ((objectClass=posixAccount)(uidNumber=7333)) 30 ((objectClass=posixGroup)(memberUid=hiddenuser1)) 29 ((objectClass=posixGroup)(memberUid=chelovek)) 29 ((objectClass=posixAccount)(uid=chelovek)) 27 ((objectClass=posixAccount)(uid=user0)) 23 ((objectClass=posixAccount)(uid=nobody)) 21 ((objectClass=posixAccount)(uid=user1)) 18 ((objectClass=posixAccount)(uid=user2)) 16 ((objectClass=posixAccount)(uid=user3)) 15 ((objectClass=posixAccount)(uid=user4)) 12 ((objectClass=posixAccount)(uid=user5)) 11 ((objectClass=posixAccount)(uidNumber=7330)) 10 ((objectClass=posixAccount)(uid=user15)) 9 ((objectClass=posixAccount)(uid=user16)) 8 ((objectClass=posixAccount)(uidNumber=7333)) 6 ((objectClass=posixAccount)(uid=user6)) 5 ((objectClass=posixAccount)(uid=user7)) 5 (cn=defaults) 4 ((objectClass=posixAccount)(uidNumber=7228)) 4 ((objectClass=shadowAccount)(uid=user1)) 4 ((objectClass=posixAccount)(uid=user9)) 4 ((objectClass=posixAccount)(uid=user10)) 4 ((objectClass=posixAccount)(uid=user11)) 3 ((objectClass=posixAccount)(uid=user12)) 3 ((objectClass=posixAccount)(uid=user13)) 3 ((objectClass=posixAccount)(uid=user14)) ... and MANY others that has 1 use in this stats. I think this many queries from mail relay server. * user1 and etc - users that relayed, like us...@domain.com in rcpt to field in email at mail-relay. What can I do to tune nss? Can you point me in a right direction? There's too many not needed nss requests to ldap (when email recieved and then relayed somewhere). Do not know what to look
nss_ldap for very large directory
Hello, I'm trying to set up ldap authentification and nsswitch stuff for freebsd 8. I configured pam with pam_krb5 for auth and pam_ldap for account I use nss_ldap for group and password database with sasl on, meaning that process with uid 0 bind to ldap with rootbinddn and users process bind with their GSSAPI/Kerberos credentials. Everything works fine except that I can't use nss_getgrent_skipmembers in nss_ldap.conf. If I set it to yes, users don't have their group set at all (only the gid one). This work well with Debian... We have a very large directory here (about 50 000 active users, 4000 groups, some with thousands of members...) so I definitely need freebsd not to lookup for every users in every group for each operation... Else, I haven't found usefull document for setting nscd for very large configuration. thanks in advance and sorry for my english, Pascal -- Pascal Levy Ingénieur système, réseaux, SI Université Paris 1 Panthéon-Sorbonne Centre de ressources informatiques et du réseau (CRIR) Pôle Infrastructures 90 rue de Tolbiac 75634 Paris Cedex 13 tél : 01 44 07 88 81 / 06 45 62 67 57 http://crir.univ-paris1.fr -- Ce message a ete verifie par MailScanner pour des virus ou des polluriels et rien de suspect n'a ete trouve. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Problem with sftp server, static linking, pam and nss_ldap.
Hi, problem solved. It is only FreeBSD 9 (CURRENT) issue. If anyone would have problem like this, solution is available here: http://lists.freebsd.org/pipermail/freebsd-current/2010-January/015236.html Regards -- Piotr Buliński Informatyka na Wydziale Elektrycznym Politechnika Warszawska
Problem with sftp server, static linking, pam and nss_ldap.
Hello, recently we moved our users database to LDAP server, but after that sftp stops working on our students server. We use: - OpenLDAP 2.4.21 - nss_ldap-1.265_3 - pam_ldap-1.8.5 - FreeBSD 9.0-CURRENT amd64 When I use sftp, it drops the connection: {volt}-{~}% sftp localhost Connecting to localhost... Connection closed {volt}-{~}% After short investigation, I've found that problem is in /usr/libexec/sftp-server program (which is our default subsystem in sshd): {volt}-{~}% /usr/libexec/sftp-server No user found for uid 5567 {volt}-{~}% what was quite weird, because sshd works perfectly with users from LDAP server (so I assume that PAM is configured correctly). After that, I've tried to make a simple test with program below: === #include sys/types.h #include pwd.h #include stdarg.h #include stdio.h #include unistd.h int main(int argc, char **argv) { struct passwd *user_pw; user_pw = getpwuid(getuid()); if ((user_pw = getpwuid(getuid())) == NULL) { fprintf(stderr, No user found for uid %lu\n, (u_long)getuid()); return 1; } else { fprintf(stderr, It works %s!\nYour uid is: %lu\n, user_pw-pw_name, (u_long)getuid()); } return 0; } === which is almost copy-pasted from /usr/src/crypto/openssh/sftp-server-main.c I've build it twice. Once with dynamic linking: {volt}-{~}% cc -o test test.c {volt}-{~}% ./test It works bulinskp! Your uid is: 5567 {volt}-{~}% another one with static linking: {volt}-{~}% cc -o test -static test.c {volt}-{~}% ./test No user found for uid 5567 {volt}-{~}% As you can see, it works great with dynamic linking, but if it's build with static linking it can't get user information from LDAP database. Could you be so kind and help me better understand this problem and find some solution for it (I spend some time trying to find it, but this is probably beyond my scope)? I would be really appreciate for any tip. Below are information about my PAM and NSS configuration: {volt}-{~}% cat /etc/nsswitch.conf | grep passwd passwd: files ldap {volt}-{~}% {volt}-{~}% cat /etc/pam.d/sshd | grep -v ^# | grep -v ^$ authsufficient pam_opie.so no_warn no_fake_prompts authrequisite pam_opieaccess.so no_warn allow_local authrequisite /usr/local/lib/pam_af.sodebug authsufficient /usr/local/lib/pam_ldap.so no_warn authrequiredpam_unix.so no_warn try_first_pass account requiredpam_nologin.so account requiredpam_login_access.so account required/usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user account requiredpam_unix.so session requiredpam_permit.so session sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass passwordrequiredpam_unix.so no_warn try_first_pass {volt}-{~}% regards -- Piotr Buliński Informatyka na Wydziale Elektrycznym Politechnika Warszawska
Strange behaviour of nss_ldap in 7.2
Hi, I am using nss_ldap without problem on a machine with FreeBSD 6.4 amd64. Now I wanted to make a similar configuration with a machine running FreeBSD 7.2 i386, but I have a problem: - as root, getent passwd gives me the list of users in /etc/passwd and in LDAP; - as user. getent passwd only gives me list of users in /etc/passwd. Example: samba1001: ls -l toto -rw-r--r-- 1 1001 30 0 Oct 31 13:21 toto samba1001: sudo ls -l toto Password: -rw-r--r-- 1 on staff 0 Oct 31 13:21 toto The group ID and user ID are not resolved. On the machine that is working: banyanon47: ls -l toto -rw-r--r-- 1 on csimstaff 0 Oct 31 13:46 toto banyanon48: sudo ls -l toto Password: -rw-r--r-- 1 on csimstaff 0 Oct 31 13:46 toto The user and grup ID are resolved. Note that I can authenticate against LDAP without problem (sudo with pam_ldap works and ssh work). I have copied nss_ldap.conf and nsswitch.conf from the 6.4 to the 7.2 machine (with needed name changing). Both LDAP servers are running almost the same thing, ACL are the same. I have tried to remove the ACL on LDAP server without success. I am stuck with a different behaviour between 6.4 and 7.2, any help will be greatly appreciated as I need to solve that problm urgently. TIA, Olivier ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Strange behaviour of nss_ldap in 7.2
Bad bad bad me. I am using nss_ldap without problem on a machine with FreeBSD 6.4 amd64. Now I wanted to make a similar configuration with a machine running FreeBSD 7.2 i386, but I have a problem: - as root, getent passwd gives me the list of users in /etc/passwd and in LDAP; - as user. getent passwd only gives me list of users in /etc/passwd. Sorry for the disturbance, it was a CA file that was not user readable. Shame on me. Example: samba1001: ls -l toto -rw-r--r-- 1 1001 30 0 Oct 31 13:21 toto samba1001: sudo ls -l toto Password: -rw-r--r-- 1 on staff 0 Oct 31 13:21 toto The group ID and user ID are not resolved. On the machine that is working: banyanon47: ls -l toto -rw-r--r-- 1 on csimstaff 0 Oct 31 13:46 toto banyanon48: sudo ls -l toto Password: -rw-r--r-- 1 on csimstaff 0 Oct 31 13:46 toto The user and grup ID are resolved. Note that I can authenticate against LDAP without problem (sudo with pam_ldap works and ssh work). I have copied nss_ldap.conf and nsswitch.conf from the 6.4 to the 7.2 machine (with needed name changing). Both LDAP servers are running almost the same thing, ACL are the same. I have tried to remove the ACL on LDAP server without success. I am stuck with a different behaviour between 6.4 and 7.2, any help will be greatly appreciated as I need to solve that problm urgently. TIA, Olivier ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Problem: FreeBSD 7.x ssh v2 nss_ldap
On Wed, 15.04.2009 at 12:14:48 -0700, Benjamin Lee wrote: On 04/15/2009 01:33 AM, Konrad Heuer wrote: I see a problem on two systems running FreeBSD 7.0 or 7.1 which are configured as OpenLDAP clients using the nss_ldap module. When someone logs on using ssh protocol version 2 the session will not be initialized correctly. The user will only get his primary group affiliation but no affiliation to other groups (memberUid attribute in LDAP group entries). On 7.1 the ssh login process hangs forever with open ldap queries, on 7.0 the group list is incomplete. On several 6.x systems, all works correctly. I have used the configuration for years now. There are some workarounds I found: a) use ssh protocol version 1 b) set UseLogin to yes in sshd_config c) avoid ssl encryption in communication to ldap server (ldap://... uri instead of ldaps://... in ldap.conf) Does anybody see similar problems? Does anybody have an idea what may couse the problem? I recently submitted ports/133501 regarding this issue, but I have not yet received a response. My workaround was to disable pthread_atfork support, so the problem might be related to the change from libkse to libthr in RELENG_7. I tried your patch to see if it made any change for the nss_ldap UNIX socket leak, but sadly no change. I never observed the SSH2 problems you guys mention, but then again I'm usually using key authentication. I'll run with the patch anyway and see if it makes any change to the problem where login(1) is only able to authenticate me after 30s of idling. Cheers, Ulrich Spörlein -- None are more hopelessly enslaved than those who falsely believe they are free -- Johann Wolfgang von Goethe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Problem: FreeBSD 7.x ssh v2 nss_ldap
I see a problem on two systems running FreeBSD 7.0 or 7.1 which are configured as OpenLDAP clients using the nss_ldap module. When someone logs on using ssh protocol version 2 the session will not be initialized correctly. The user will only get his primary group affiliation but no affiliation to other groups (memberUid attribute in LDAP group entries). On 7.1 the ssh login process hangs forever with open ldap queries, on 7.0 the group list is incomplete. On several 6.x systems, all works correctly. I have used the configuration for years now. There are some workarounds I found: a) use ssh protocol version 1 b) set UseLogin to yes in sshd_config c) avoid ssl encryption in communication to ldap server (ldap://... uri instead of ldaps://... in ldap.conf) Does anybody see similar problems? Does anybody have an idea what may couse the problem? Best regards Konrad Heuer GWDG, Am Fassberg, 37077 Goettingen, Germany, kheu...@gwdg.de ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Problem: FreeBSD 7.x ssh v2 nss_ldap
On 04/15/2009 01:33 AM, Konrad Heuer wrote: I see a problem on two systems running FreeBSD 7.0 or 7.1 which are configured as OpenLDAP clients using the nss_ldap module. When someone logs on using ssh protocol version 2 the session will not be initialized correctly. The user will only get his primary group affiliation but no affiliation to other groups (memberUid attribute in LDAP group entries). On 7.1 the ssh login process hangs forever with open ldap queries, on 7.0 the group list is incomplete. On several 6.x systems, all works correctly. I have used the configuration for years now. There are some workarounds I found: a) use ssh protocol version 1 b) set UseLogin to yes in sshd_config c) avoid ssl encryption in communication to ldap server (ldap://... uri instead of ldaps://... in ldap.conf) Does anybody see similar problems? Does anybody have an idea what may couse the problem? I recently submitted ports/133501 regarding this issue, but I have not yet received a response. My workaround was to disable pthread_atfork support, so the problem might be related to the change from libkse to libthr in RELENG_7. -- Benjamin Lee http://www.b1c1l1.com/ signature.asc Description: OpenPGP digital signature
nss_ldap problems with pthread_atfork on RELENG_7
On 02/11/2009 04:20 PM, Benjamin Lee wrote: On 02/10/2009 10:08 PM, Arjun Singh wrote: Thanks for the advice. I tried to see if I could get nscd to solve anything, but it seems to just hide the problem, and not completely. With nscd enabled, the first login fails. After that, it's fine.. I get the following in auth.log corresponding with the failed first login (with the correct pw): Feb 10 22:03:23 new-hkn sshd[59371]: nss_ldap: could not search LDAP server - Server is unavailable Feb 10 22:03:23 new-hkn sshd[59371]: fatal: login_get_lastlog: Cannot find account for uid 1 Feb 10 22:03:23 new-hkn sshd[59371]: syslogin_perform_logout: logout() returned an error [...] It appears to be a bug when using nss_ldap with RELENG_7, as I have been unable to reproduce the issue on machines running 6.2-RELEASE and 6.3-RELEASE, regardless of the version of OpenLDAP. In my environment, the machines use pam_krb5 for authentication, so the problem is definitely not related to pam_ldap. Have you filed a problem report? [changing the subject to be more descriptive] I was able to work around the issue by removing pthread_atfork detection from the configure script. Specifically: b...@dot /usr/ports/net/nss_ldap/work/nss_ldap-264 $ diff -u configure.in{.orig,} --- configure.in.orig 2009-02-13 01:56:31.0 -0800 +++ configure.in2009-02-13 01:56:58.0 -0800 @@ -230,7 +230,6 @@ AC_CHECK_FUNCS(gethostbyname) AC_CHECK_FUNCS(nsdispatch) AC_CHECK_LIB(pthread_nonshared, main) -AC_CHECK_FUNCS(pthread_atfork) AC_CHECK_FUNCS(pthread_once) AC_CHECK_FUNCS(ether_aton) AC_CHECK_FUNCS(ether_ntoa) I assume, then, that the defect is related to the change from libkse to libthr in RELENG_7. Does anybody have any further insight into this issue? -- Benjamin Lee http://www.b1c1l1.com/ signature.asc Description: OpenPGP digital signature
Re: nss_ldap SSL/TLS problems..
On 02/10/2009 10:08 PM, Arjun Singh wrote: Thanks for the advice. I tried to see if I could get nscd to solve anything, but it seems to just hide the problem, and not completely. With nscd enabled, the first login fails. After that, it's fine.. I get the following in auth.log corresponding with the failed first login (with the correct pw): Feb 10 22:03:23 new-hkn sshd[59371]: nss_ldap: could not search LDAP server - Server is unavailable Feb 10 22:03:23 new-hkn sshd[59371]: fatal: login_get_lastlog: Cannot find account for uid 1 Feb 10 22:03:23 new-hkn sshd[59371]: syslogin_perform_logout: logout() returned an error [...] It appears to be a bug when using nss_ldap with RELENG_7, as I have been unable to reproduce the issue on machines running 6.2-RELEASE and 6.3-RELEASE, regardless of the version of OpenLDAP. In my environment, the machines use pam_krb5 for authentication, so the problem is definitely not related to pam_ldap. Have you filed a problem report? -- Benjamin Lee http://www.b1c1l1.com/ signature.asc Description: OpenPGP digital signature
nss_ldap SSL/TLS problems..
Hi, I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE. I installed all of the latest versions of openldap24-server, openldap24-client, nss_ldap, and pam_ldap. When I do any sort of ldapsearch or 'getent passwd' or anything, everything works perfectly. The only time I have trouble is when I'm logging in via SSH..then it gets really weird. 1.) When I log in as a user in LDAP only and give the incorrect password first and then supply the correct password, everything works fine. If the user is in wheel, I can sudo. 2.) When I log in as the same user and give only the correct password the first time, it hangs for roughly 45 seconds and then lets me in. Even though this user is in wheel, it says that the user is not in the sudoers file. Here are the log messages I get in auth.log that correspond to the events above: sshd[54031]: pam_ldap: error trying to bind as user uid=user..(cut)... (Invalid credentials) # This is the incorrect pw sshd[54029]: error: PAM: authentication error for user from localhost #Incorrect pw sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable # correct pw sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2 #correct pw When I enter just the right password, the first time, I get this in the log: sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2 sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server Again, when SSL/TLS are disabled, I get normal log output and none of the weird stuff above.. I turned on debugging in nss_ldap.conf and found that each time I gave only the correct password (corresponding with the 45 second hang) I found this in the debug output: ...bunch of normal looking output... ldap_chkResponseList ld 0x801b31480 msgid 5 all 0 ldap_chkResponseList returns ld 0x801b31480 NULL ldap_int_select read1msg: ld 0x801b31480 msgid 5 all 0 ber_get_next TLS trace: SSL3 alert write:fatal:bad record mac --- what is the cause of this? ldap_free_connection 1 0 ldap_free_connection: actually freed ldap_err2string ldap_result ld 0x801b31480 msgid 5 wait4msg ld 0x801b31480 msgid 5 (timeout 3000 usec) wait4msg continue ld 0x801b31480 msgid 5 all 0 ** ld 0x801b31480 Connections: ** ld 0x801b31480 Outstanding Requests: Empty ld 0x801b31480 request count 0 (abandoned 0) ** ld 0x801b31480 Response Queue: Empty I get the above regardless of whether I'm using start_tls or ssl. If you have any insight, it'd be really useful. I've spent tons of time scouring lists for help and haven't found anything yet.. Thanks, -Arjun ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: nss_ldap SSL/TLS problems..
Arjun Singh wrote: I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE. I installed all of the latest versions of openldap24-server, openldap24-client, nss_ldap, and pam_ldap. When I do any sort of ldapsearch or 'getent passwd' or anything, everything works perfectly. The only time I have trouble is when I'm logging in via SSH..then it gets really weird. 1.) When I log in as a user in LDAP only and give the incorrect password first and then supply the correct password, everything works fine. If the user is in wheel, I can sudo. 2.) When I log in as the same user and give only the correct password the first time, it hangs for roughly 45 seconds and then lets me in. Even though this user is in wheel, it says that the user is not in the sudoers file. Here are the log messages I get in auth.log that correspond to the events above: sshd[54031]: pam_ldap: error trying to bind as user uid=user..(cut)... (Invalid credentials) # This is the incorrect pw sshd[54029]: error: PAM: authentication error for user from localhost #Incorrect pw sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable # correct pw sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2 #correct pw When I enter just the right password, the first time, I get this in the log: sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2 sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server Again, when SSL/TLS are disabled, I get normal log output and none of the weird stuff above.. I turned on debugging in nss_ldap.conf and found that each time I gave only the correct password (corresponding with the 45 second hang) I found this in the debug output: ...bunch of normal looking output... ldap_chkResponseList ld 0x801b31480 msgid 5 all 0 ldap_chkResponseList returns ld 0x801b31480 NULL ldap_int_select read1msg: ld 0x801b31480 msgid 5 all 0 ber_get_next TLS trace: SSL3 alert write:fatal:bad record mac --- what is the cause of this? ldap_free_connection 1 0 ldap_free_connection: actually freed ldap_err2string ldap_result ld 0x801b31480 msgid 5 wait4msg ld 0x801b31480 msgid 5 (timeout 3000 usec) wait4msg continue ld 0x801b31480 msgid 5 all 0 ** ld 0x801b31480 Connections: ** ld 0x801b31480 Outstanding Requests: Empty ld 0x801b31480 request count 0 (abandoned 0) ** ld 0x801b31480 Response Queue: Empty I get the above regardless of whether I'm using start_tls or ssl. If you have any insight, it'd be really useful. I've spent tons of time scouring lists for help and haven't found anything yet.. I don't have any more insight into the problem other than to say we've had some similar issues in our environment. Initial password-based logins do not have groups initialized, but SSH key logins and /bin/login logins have groups initialized successfully. We were piloting nscd on some of our 7.0 boxes. It turns out that enabling nscd was a successful workaround. We have since enabled it on the rest of our 7.0 installations. Anyone out there have ideas? -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley pgp9oeSAgHp3M.pgp Description: PGP signature
Re: nss_ldap SSL/TLS problems..
Thanks for the advice. I tried to see if I could get nscd to solve anything, but it seems to just hide the problem, and not completely. With nscd enabled, the first login fails. After that, it's fine.. I get the following in auth.log corresponding with the failed first login (with the correct pw): Feb 10 22:03:23 new-hkn sshd[59371]: nss_ldap: could not search LDAP server - Server is unavailable Feb 10 22:03:23 new-hkn sshd[59371]: fatal: login_get_lastlog: Cannot find account for uid 1 Feb 10 22:03:23 new-hkn sshd[59371]: syslogin_perform_logout: logout() returned an error On Tue, Feb 10, 2009 at 1:00 PM, Chris Cowart ccow...@rescomp.berkeley.eduwrote: Arjun Singh wrote: I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE. I installed all of the latest versions of openldap24-server, openldap24-client, nss_ldap, and pam_ldap. When I do any sort of ldapsearch or 'getent passwd' or anything, everything works perfectly. The only time I have trouble is when I'm logging in via SSH..then it gets really weird. 1.) When I log in as a user in LDAP only and give the incorrect password first and then supply the correct password, everything works fine. If the user is in wheel, I can sudo. 2.) When I log in as the same user and give only the correct password the first time, it hangs for roughly 45 seconds and then lets me in. Even though this user is in wheel, it says that the user is not in the sudoers file. Here are the log messages I get in auth.log that correspond to the events above: sshd[54031]: pam_ldap: error trying to bind as user uid=user..(cut)... (Invalid credentials) # This is the incorrect pw sshd[54029]: error: PAM: authentication error for user from localhost #Incorrect pw sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable # correct pw sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2 #correct pw When I enter just the right password, the first time, I get this in the log: sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2 sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server Again, when SSL/TLS are disabled, I get normal log output and none of the weird stuff above.. I turned on debugging in nss_ldap.conf and found that each time I gave only the correct password (corresponding with the 45 second hang) I found this in the debug output: ...bunch of normal looking output... ldap_chkResponseList ld 0x801b31480 msgid 5 all 0 ldap_chkResponseList returns ld 0x801b31480 NULL ldap_int_select read1msg: ld 0x801b31480 msgid 5 all 0 ber_get_next TLS trace: SSL3 alert write:fatal:bad record mac --- what is the cause of this? ldap_free_connection 1 0 ldap_free_connection: actually freed ldap_err2string ldap_result ld 0x801b31480 msgid 5 wait4msg ld 0x801b31480 msgid 5 (timeout 3000 usec) wait4msg continue ld 0x801b31480 msgid 5 all 0 ** ld 0x801b31480 Connections: ** ld 0x801b31480 Outstanding Requests: Empty ld 0x801b31480 request count 0 (abandoned 0) ** ld 0x801b31480 Response Queue: Empty I get the above regardless of whether I'm using start_tls or ssl. If you have any insight, it'd be really useful. I've spent tons of time scouring lists for help and haven't found anything yet.. I don't have any more insight into the problem other than to say we've had some similar issues in our environment. Initial password-based logins do not have groups initialized, but SSH key logins and /bin/login logins have groups initialized successfully. We were piloting nscd on some of our 7.0 boxes. It turns out that enabling nscd was a successful workaround. We have since enabled it on the rest of our 7.0 installations. Anyone out there have ideas? -- Chris Cowart Network Technical Lead Network Infrastructure Services, RSSP-IT UC Berkeley ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
nss_ldap leaving sockets open
I seem to have encountered a rather annoying and puzzling problem, I am running nss_ldap on 7.0-STABLE with openldap-server 2.4.11 on the same server. I have nss_ldap configured to connect over a unix socket. This works great except for the fact it seems the connections are never being closed. When I checked earlier today with (netstat -n | grep -c slapd.sock) it reported 441 instances. I have bind_policy set to soft and nss_connect_policy set to oneshot and this still seems to be occuring. Any hints or clues on what may be causing this would be greatly appreciated. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap wants openldap 2.3.41 - have 2.4.8
On Wed, Mar 5, 2008 at 9:51 AM, Eddie C [EMAIL PROTECTED] wrote: Jason, I was willing to settle for openldap 23. Im my case however the problem is nscd daemon. new to 7.0 not in 6.3 We want to role this out across hundreds of servers and fear that without caching looks to a halt. I spoke to another guy about this this morning. We might setup a wiki or find a IRC chat room or something. Are you interested? Edward Edward, I would be absolutley interested. I am usually available from 1730 CST to 2200 or 2300 CST. Just let me know the details. On Tue, Mar 4, 2008 at 9:45 PM, Jason Garrett [EMAIL PROTECTED] wrote: On Tue, Mar 4, 2008 at 8:18 PM, Jason Garrett [EMAIL PROTECTED] wrote: This is most likely a dumb question, but how do I tell ports to build nss_ldap against openldap-2.4.8? WANT_OPENLDAP_VER=24 worked in /etc/make.conf snip errors ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap wants openldap 2.3.41 - have 2.4.8
On Tue, Mar 4, 2008 at 8:18 PM, Jason Garrett [EMAIL PROTECTED] wrote: This is most likely a dumb question, but how do I tell ports to build nss_ldap against openldap-2.4.8? WANT_OPENLDAP_VER=24 worked in /etc/make.conf snip errors ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap wants openldap 2.3.41 - have 2.4.8
This is most likely a dumb question, but how do I tell ports to build nss_ldap against openldap-2.4.8? The build of nss_ldap fails with conflicts. === Installing for openldap-client-2.3.41 === openldap-client-2.3.41 conflicts with installed package(s): openldap-client-2.4.8 They install files into the same place. Please remove them first with pkg_delete(1). *** Error code 1 Stop in /usr/ports/net/openldap23-client. *** Error code 1 Stop in /usr/ports/net/nss_ldap. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
OpenLDAP 2.4.8 and FreeBSD/nss_ldap == not working?
Hello, apart from the fact that OpenLDAP 2.4.8 in conjunction with DB 4.6 ist absolutely BETA as mentioned in their docu, nevertheless I woul like asking about a problem I discovered. Bevor upgrading (I did becauso of the syncrepl-facility) I stopped slapd and dumped its DB via slapcat -l outfile.ldif into a secure dumpfile. Then I removed the old DB-files in the database directory. Then I used slapadd -l outfile.ldif for restoring the database and after I recompiled everthing dependend on the ldap-client libs (nss_ldap, pam_ldap, pam_mkhomedir, sudo, postgresql), I was able to safely restart slapd. Everything seemed to work on a glimpse, but something was wrong. I've group-objects (ou=groups, POSIX groups) in my DIT with attribute memberUID=. With OpenLDAP 2.3.41 'id' shows up a user's UID, GID and membership in additional groups, but with LDAP 2.4.8, only the UID and GID is shown: uid=2002(ohartmann) gid=2002(ohartmann) groups=2002(ohartmann) (OpenLDAP 2.4.8) but it should be uid=2002(ohartmann) gid=2002(ohartmann) groups=2002(ohartmann),512(Domain Admins),513(Domain Users),544(Administrators),2045(development) (2.3.41) Either something in the schemata has changed or something is wrong. I tried to find out via the doku at OpenLDAP.ORG, but can't find any revealing infos. Can anybody help? Regards, Oliver ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote: Sorry for the late reply ... On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote: All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags: Seems ok to me, though I don't claim to be an expert. This method has been recommended by many sites and tutorials, so I guess it should be approved ;-) The slapd.conf is this, comments roped: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # additional schema include /usr/local/share/examples/samba/LDAP/samba.schema pidfile /var/run/openldap/slapd.pid argsfile/var/run/openldap/slapd.args logfile /var/log/slapd.log loglevel512 loglevel is a bitmask. It you want to have lots of debugging try 255 and run a tail -f /var/log/debug.log Thanks, I did so and found several usefull messages in the log. sizelimit unlimited allow bind_v2 modulepath /usr/local/libexec/openldap moduleload back_bdb everse-lookup off typo I guess? Sorry, yes, copy-and-paste mistake. NSCD is up and running, my nsswitch.conf looks like this: Please try without nscd first, it's just another possible source of problems. Due to a recommendation not to use NSCD with FreeBSD and SAMBA I switched that off. group: cache ldap[ unavail=continue notfound=continue ] files passwd: cache ldap [ unavail=continue notfound=continue ] files #group_compat: nis hosts: compat networks: files #passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files And I changed some lines in /etc/pam.d/sshd,login,system,other like this *commented out due to system gets stuck forever when enab;ed nss_ldap/pam_ldap): I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to avoid this unresponsiveness. # Bind/connect timelimit bind_timelimit 3 # Reconnect policy: hard (default) will retry connecting to # the software with exponential backoff, soft will fail # immediately. #bind_policy hard bind_policy soft Also, make NSS work first, then turn to configuring PAM (at least, that's what I would do) Great!! That did the trick and it is very helpful in saving a lot of time and prevented me from loosing more hairs. Some errors from console: (At boot time) Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable Expected. slapd want to change its user to ldap:ldap, which it needs to look up the UID for. Chicken Egg. That's why I need to use soft bind+timeout on my (disconnected) laptop here. Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable That seems broken then. Is slapd running? Can you ldapsearch -Lx -h localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap users? Does the output of 'getent group' and 'getent passwd' look reasonable? Too many switches switched at the same time, so I guess I messed up things and couldn't get a clear sight anymore. The point is, without any TLS the user authetication works fine for SSHD/LOGIN and SU, even password changes via a patched 'passwd' works fine, but when trying using TLS/OpenSSL everything gets messed up again, I'll report this at the end. The main reason for blocking access was the ACL misbehaviour. I took the example slapd.conf and especially the line describing access to everything access to * ... The line 'by anonymous auth' needs to be changed into 'by anonymous read' otherwise LDAP won't let you even access for authetication. I found this by watching exhaustive logs ... One point: what is about compile time options of OpenLDAP? Does LDAP forces itself using SSL although not configured explicitely in slapd.conf? No. It is purely optional. You would need certificates before it can even possibly start working anyways. Yes, but OpenLDAP openldap-server-2.3.38 seems to reject connections via TLS when used with self-signed certificacates. nss_ldap-1.257 === openldap-client-2.3.38 openldap-server-2.3.38 pam_ldap-1.8.2 My other computer is running with nss_ldap-1.257 and showing no problems either. Cheers, Ulrich Spoerlein Well, thanks a lot for helping. At this moment OpenLDAP seems to work with the OpenLDAP-Clients (only) and for authetication via ssh/login. I tried to install the famous and often mentioned 'smbldap-tools' as recommended in many tutorials and I followed the setup
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Sorry for the late reply ... On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote: All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags: Seems ok to me, though I don't claim to be an expert. The slapd.conf is this, comments roped: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # additional schema include /usr/local/share/examples/samba/LDAP/samba.schema pidfile /var/run/openldap/slapd.pid argsfile/var/run/openldap/slapd.args logfile /var/log/slapd.log loglevel512 loglevel is a bitmask. It you want to have lots of debugging try 255 and run a tail -f /var/log/debug.log sizelimit unlimited allow bind_v2 modulepath /usr/local/libexec/openldap moduleload back_bdb everse-lookup off typo I guess? NSCD is up and running, my nsswitch.conf looks like this: Please try without nscd first, it's just another possible source of problems. group: cache ldap[ unavail=continue notfound=continue ] files passwd: cache ldap [ unavail=continue notfound=continue ] files #group_compat: nis hosts: compat networks: files #passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files And I changed some lines in /etc/pam.d/sshd,login,system,other like this *commented out due to system gets stuck forever when enab;ed nss_ldap/pam_ldap): I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to avoid this unresponsiveness. # Bind/connect timelimit bind_timelimit 3 # Reconnect policy: hard (default) will retry connecting to # the software with exponential backoff, soft will fail # immediately. #bind_policy hard bind_policy soft Also, make NSS work first, then turn to configuring PAM (at least, that's what I would do) Some errors from console: (At boot time) Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable Expected. slapd want to change its user to ldap:ldap, which it needs to look up the UID for. Chicken Egg. That's why I need to use soft bind+timeout on my (disconnected) laptop here. Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable That seems broken then. Is slapd running? Can you ldapsearch -Lx -h localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap users? Does the output of 'getent group' and 'getent passwd' look reasonable? One point: what is about compile time options of OpenLDAP? Does LDAP forces itself using SSL although not configured explicitely in slapd.conf? No. It is purely optional. You would need certificates before it can even possibly start working anyways. nss_ldap-1.257 === openldap-client-2.3.38 openldap-server-2.3.38 pam_ldap-1.8.2 My other computer is running with nss_ldap-1.257 and showing no problems either. Cheers, Ulrich Spoerlein -- It is better to remain silent and be thought a fool, than to speak, and remove all doubt. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote: On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote: playing with ldapsearch gets results as expected. Doing ldapsearch witch -D and dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server from client via LUMA (tool) is also ok. Try to change the nss_base_passwd line from: nss_base_passwd ou=users,dc=office,dc=de?one to nss_base_passwd ou=users,dc=office,dc=de?sub Well, on a test machine, I setup a testenvironment equal or nearly equal to that which is not working on a potentially production box. First of all, I think there is a misunderstanding in how to setup /etc/nsswitch.conf, because most trouble seems to be sourced there. When setting # # nsswitch.conf(5) - name service switch configuration file # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $ # group: files ldap group_compat: nis hosts: files dns networks: files passwd: files ldap passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files restarting OpenLDAP results in this, but after two minutes or so it starts up (the time is inacceptable and it does not change anything reverting the order from 'files ldap' to 'ldap files' for passwd and group). The great question is: Do I need to have these entries? Neither in the nsswitch.conf manpage nor in nss_ldap manpage it's mentioned to set 'ldap' as an option, I took this from one of the many tutorials out there. Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)... Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)... Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote: On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote: At this point it seems senseless to try out what's going wrong and I need some hints or tipps. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7. I do. It's working just fine ... Good to hear, but it doesn't on mine ... :-( P.S. If someone wants me to offer config details and/or log excerpts, please contact me. Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf. Some actual error messages would be fine too. All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags: host 192.168.2.210 (or 127.0.0.1 alternatively) base dc=office,dc=de # Filter to AND with uid=%s pam_filter objectclass=posixAccount # Specify a minium or maximum UID number allowed pam_min_uid 1000 pam_max_uid 3 pam_passwordssha nss_base_passwd ou=users,dc=office,dc=de?one nss_base_shadow ou=users,dc=office,dc=de?one nss_base_group ou=group,dc=office,dc=de?one pam_filter objectClass=posixAccount The slapd.conf is this, comments roped: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # additional schema include /usr/local/share/examples/samba/LDAP/samba.schema pidfile /var/run/openldap/slapd.pid argsfile/var/run/openldap/slapd.args logfile /var/log/slapd.log loglevel512 sizelimit unlimited allow bind_v2 modulepath /usr/local/libexec/openldap moduleload back_bdb everse-lookup off access to * by self write by users read by anonymous auth databasebdb suffix dc=office,dc=de rootdn cn=admin,dc=office,dc=de rootpw directory /data/openldap-data/nuggad/ index objectClass eq,pres index uid,memberUid pres,eq,sub index ou,cn,mail,surname,givennameeq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index nisMapName,nisMapEntry eq,pres,sub NSCD is up and running, my nsswitch.conf looks like this: group: cache ldap[ unavail=continue notfound=continue ] files passwd: cache ldap [ unavail=continue notfound=continue ] files #group_compat: nis hosts: compat networks: files #passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files And I changed some lines in /etc/pam.d/sshd,login,system,other like this *commented out due to system gets stuck forever when enab;ed nss_ldap/pam_ldap): system: # # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $ # # System-wide defaults # # auth authsufficient pam_opie.so no_warn no_fake_prompts authrequisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass authsufficient pam_ssh.so no_warn try_first_pass authrequiredpam_unix.so no_warn try_first_pass nullok # account #accountrequiredpam_krb5.so account requiredpam_login_access.so #accountsufficient /usr/local/lib/pam_ldap.so account requiredpam_unix.so # session #sessionoptionalpam_ssh.so session requiredpam_lastlog.so no_fail # password #password sufficient pam_krb5.so no_warn try_first_pass #password sufficient /usr/local/lib/pam_ldap.so no_warn use_authtok passwordrequiredpam_unix.so no_warn try_first_pass sshd: # # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $ # # PAM configuration for the sshd service # # auth #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass authsufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass authsufficient pam_ssh.so no_warn try_first_pass authrequiredpam_unix.so no_warn try_first_pass # account account requiredpam_nologin.so #accountrequiredpam_krb5.so account requiredpam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote: Ulrich Spoerlein wrote: On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote: At this point it seems senseless to try out what's going wrong and I need some hints or tipps. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7. I've this running since 6.x and have just installed this yesterday in a 7-BETA machine This that you can try: - Do not use nscd (the samba documentation recomend this) - Do not the changes in steps, testing betwing each change What's ldapsearch says ??? Att, ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote: On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote: Ulrich Spoerlein wrote: On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote: At this point it seems senseless to try out what's going wrong and I need some hints or tipps. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7. I've this running since 6.x and have just installed this yesterday in a 7-BETA machine This that you can try: - Do not use nscd (the samba documentation recomend this) - Do not the changes in steps, testing betwing each change What's ldapsearch says ??? Att, playing with ldapsearch gets results as expected. Doing ldapsearch witch -D and dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server from client via LUMA (tool) is also ok. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote: playing with ldapsearch gets results as expected. Doing ldapsearch witch -D and dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server from client via LUMA (tool) is also ok. Try to change the nss_base_passwd line from: nss_base_passwd ou=users,dc=office,dc=de?one to nss_base_passwd ou=users,dc=office,dc=de?sub ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote: On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote: playing with ldapsearch gets results as expected. Doing ldapsearch witch -D and dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server from client via LUMA (tool) is also ok. Try to change the nss_base_passwd line from: nss_base_passwd ou=users,dc=office,dc=de?one to nss_base_passwd ou=users,dc=office,dc=de?sub ... no difference ... slapd won't start when ldap is first entry in nsswitch.conf and gets not searched when last. maybe there is a problem with the nss_ldap library? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote: At this point it seems senseless to try out what's going wrong and I need some hints or tipps. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7. I do. It's working just fine ... P.S. If someone wants me to offer config details and/or log excerpts, please contact me. Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf. Some actual error messages would be fine too. Your should run tcpdump in some window to actuall see what's going on. It also helps to turn on massive debugging in slapd.conf and tail(1)ing /var/log/debug.log I'm running the following versions on 7-CURRENT from 30. September nss_ldap-1.256 openldap-sasl-client-2.3.38 openldap-server-2.3.38 pam_ldap-1.8.2 Cheers, Ulrich Spoerlein -- It is better to remain silent and be thought a fool, than to speak, and remove all doubt. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
O. Hartmann wrote: For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and there explained setups, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive either errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine. snip We have this config running on 7 since months. I suggest you provide the list with more information + log excerpts, then someone might help you out. --per ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Per olof Ljungmark wrote: O. Hartmann wrote: For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and there explained setups, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive either errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine. snip We have this config running on 7 since months. I suggest you provide the list with more information + log excerpts, then someone might help you out. --per Well, great, I appreciate your help and by teh way, you're the first one telling he's running FBSD 7 AND OpenLDAP/nss_ldap/pam_ldap. OpenLDAP is running well on the server, I can access the DIT via some tools like LUMA and the OpenLDAP clients from remote machines. A major problem seems to be the pam_ldap/nss_ldap configuration. Can you please tell me how you edited /etc/pam.d/ files and /etc/nsswitch.conf properly? At this very moment it seems that I shot myself into the foot - the box running the LDAP service does not start OpenLDAP service slapd after rebooting, the console is stuck at the message shown when 'additional ABI's' get started. So, I'm sorry having no logs handy at this very moment, I will offer them as soon as possible included with my config files, if this will not bother you. Thanks in advance, Oliver -- Planetology and Remote Sensing FU Berlin ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and there explained setups, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive either errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine. Calling ldapsearch from both the localhost running the slapd and from a client in the network runs well, I receive a dump of every object created in the LDAP tree. At this point it seems senseless to try out what's going wrong and I need some hints or tipps. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7. In most cases when changing /etc/nsswitch.conf (renaming password/group: compat to password/group: files ldap as suggested in most of the tutorials) the box gets unusable running the request (eithe looking for an user id, starting a xterm, login in as root via console). Everything which seems to look for an user ID takes more than a minute to startup or dump errors. Even if I try to log in as a user that is only on local machine (root and a special user) it seems that fallback to 'files' doesn't work properly or the timeout takes thta long. I'm not a professional in OpenLDAP, but I tried several configs found in LinuxWiki on Gentoo or Debian boxes without problems. Even the simplest config seems not to work on FreeBSD 7! In many cases ACLs seem to be the culprit, but even setting 'access to * by * write' or configuring binddn and binddnpw in /usr/local/etc/ldap.conf and nss_ldap.conf as the same as the rootdn in slapd.conf doesn't work and results in the same problem. If anyone willing to help and running ldap services on a FreeBSD 7.0-PRE box, he or she is welcome! Thanks in advance, Oliver P.S. If someone wants me to offer config details and/or log excerpts, please contact me. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote: On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, Hello, As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. man nsswitch.conf(5) Look for Status codes and Actions Doesn't work. Tried the follwing nsswitch.conf group: files [success=return] ldap hosts: files dns networks: files passwd: files [success=return] ldap shells: files This doesn't change the delay. And the nss_ldap timeout is still reported. This is not supprising because the manpage states [success=return] is default. Seams there is a bug somewhere. Bye Estartu -- Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| pgpCnHmG5AcZf.pgp Description: PGP signature
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 07:58:05AM +0900, Daniel Marsh wrote: I've run into this very same problem... but the way I got around it was putting OpenLDAP in a jail all by its lonesome and making sure that jail would start before anything on the host system would start that may need LDAP... (effectively meaning the LDAP server is a different machine) Hitting the Problem with a really big hammer. Thats cures only the symptoms not the Problem. As i see it the Problem is that the status/actions in nsswitch.conf not working. Since man nsswitch.conf stats that success=return is default an therefore ldap should never be asked for Users that are in the /etc/passwd file. I will file a Problemreport for this one. Bye Estartu -- Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| pgpZd5cyZ2vQO.pgp Description: PGP signature
Re: nss_ldap and openldap on the same server.
On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote: On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote: On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, Hello, As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. man nsswitch.conf(5) Look for Status codes and Actions Doesn't work. Tried the follwing nsswitch.conf group: files [success=return] ldap hosts: files dns networks: files passwd: files [success=return] ldap shells: files This doesn't change the delay. And the nss_ldap timeout is still reported. This is not supprising because the manpage states [success=return] is default. Seams there is a bug somewhere. It's a well-known problem rather than a bug, and it arises when looking up group information for a user. The system needs a list of all the groups the user is a member of. Since it's a list, not a single answer, you can't short-circuit the process with ``success'' after finding a single result: initgroups(3) must work through all possible sources of group information to build the list. The only ``workaround'' I've seen suggested is the parameter introduced recently in nss_ldap: nss_initgroups_ignoreusers It takes a comma-separated list of users for whom the nss_ldap initgroups routine should immediately return NSS_STATUS_NOTFOUND. If you keep group information for all the system users in /etc/group only, and add them all to this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't tested this). Jonathan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and openldap on the same server.
On 3/13/07, Jonathan McKeown [EMAIL PROTECTED] wrote: The only ``workaround'' I've seen suggested is the parameter introduced recently in nss_ldap: nss_initgroups_ignoreusers Right, now I remember that once I had this problem too... Another workaround would be to have two different nsswitch.conf files, one with and another without the ldap database entry, and then switch between them as part of ldap start / stop routines. - your system has the nsswitch.conf w/out ldap by default - when ldap starts, it substitutes it with the nsswitch.ch file w/ ldap entries - when ldap stops, it restores the original file Jonathan -- Pietro Cerutti - ASCII Ribbon Campaign - against HTML e-mail and proprietary attachments www.asciiribbon.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and openldap on the same server.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 13 Mar 2007, Gerhard Schmidt wrote: On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote: On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, Hello, As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. man nsswitch.conf(5) Look for Status codes and Actions Doesn't work. Tried the follwing nsswitch.conf group: files [success=return] ldap hosts: files dns networks: files passwd: files [success=return] ldap shells: files This doesn't change the delay. And the nss_ldap timeout is still reported. This is not supprising because the manpage states [success=return] is default. Seams there is a bug somewhere. AFAICT, there is no bug. The behavior is completely correct as a look into the openldap code turns out. When starting up slapd, it tries to switch the credentials to the user and group specified, normally ldap:ldap. Therefor it uses getpwuid(3), getpwnam(3), getgrgid(3) and getgrnam(3) functions. If lookup for the user and group specified is okay, it then calls getuid(3) and initgroups(3). Reading initgroups(3) turns out the following: The initgroups() function uses the getgrouplist(3) function to calculate the group access list for the user specified in name. Reading getgrouplist(3) turns out the following: The getgrouplist() function reads through the group file and calculates the group access list for the user specified in name. [...] The getgrouplist() function uses the routines based on getgrent(3). Reading getgrent(3) turns out the following: The getgrent() function sequentially reads the group database and is intended for programs that wish to step through the complete list of groups. [...] The getgrent() and getgrent_r() functions make no attempt to suppress duplicate information if multiple sources are specified in nsswitch.conf(5). So after following the way through all man pages, it turns out that the behavior is fully correct as a lookup is done to find out all groups to which the specified slapd user belongs to. This includes lookups using nss_ldap when ldap is configured as source for groups in nsswitch.conf. As a side note, a short look into the bind and cron source turns out that these, and probably others too, also use the initgroups(3) function. HTH, Joerg - -- The beginning is the most important part of the work. -Plato -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.3 (FreeBSD) iD8DBQFF9lwFSPOsGF+KA+MRAnI+AJ0Qu0Zr9IHHLrDL60boB3mauzMPkwCfQ3Lx Zq0odiQpNiLwC3CSDkXuepU= =S+3e -END PGP SIGNATURE- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 10:01:09AM +0200, Jonathan McKeown wrote: On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote: On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote: On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, Hello, As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. man nsswitch.conf(5) Look for Status codes and Actions Doesn't work. Tried the follwing nsswitch.conf group: files [success=return] ldap hosts: files dns networks: files passwd: files [success=return] ldap shells: files This doesn't change the delay. And the nss_ldap timeout is still reported. This is not supprising because the manpage states [success=return] is default. Seams there is a bug somewhere. It's a well-known problem rather than a bug, and it arises when looking up group information for a user. The system needs a list of all the groups the user is a member of. Since it's a list, not a single answer, you can't short-circuit the process with ``success'' after finding a single result: initgroups(3) must work through all possible sources of group information to build the list. I think its still a bug. You are right that all groups should be found so the default for groups should be success=continue to have this done. But when I explicily specify that on success the process should abort, it should be done exacly this way. The only ``workaround'' I've seen suggested is the parameter introduced recently in nss_ldap: nss_initgroups_ignoreusers It takes a comma-separated list of users for whom the nss_ldap initgroups routine should immediately return NSS_STATUS_NOTFOUND. If you keep group information for all the system users in /etc/group only, and add them all to this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't tested this). This may fix the problem with nss_ldap but its still there with other modules. Bye Estartu -- Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| pgpSRTSjZBJDk.pgp Description: PGP signature
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 09:08:34AM +0100, Joerg Pulz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 13 Mar 2007, Gerhard Schmidt wrote: On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote: On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, Hello, As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. man nsswitch.conf(5) Look for Status codes and Actions Doesn't work. Tried the follwing nsswitch.conf group: files [success=return] ldap hosts: files dns networks: files passwd: files [success=return] ldap shells: files This doesn't change the delay. And the nss_ldap timeout is still reported. This is not supprising because the manpage states [success=return] is default. Seams there is a bug somewhere. AFAICT, there is no bug. The behavior is completely correct as a look into the openldap code turns out. When starting up slapd, it tries to switch the credentials to the user and group specified, normally ldap:ldap. Therefor it uses getpwuid(3), getpwnam(3), getgrgid(3) and getgrnam(3) functions. If lookup for the user and group specified is okay, it then calls getuid(3) and initgroups(3). Reading initgroups(3) turns out the following: The initgroups() function uses the getgrouplist(3) function to calculate the group access list for the user specified in name. Reading getgrouplist(3) turns out the following: The getgrouplist() function reads through the group file and calculates the group access list for the user specified in name. [...] The getgrouplist() function uses the routines based on getgrent(3). Reading getgrent(3) turns out the following: The getgrent() function sequentially reads the group database and is intended for programs that wish to step through the complete list of groups. [...] The getgrent() and getgrent_r() functions make no attempt to suppress duplicate information if multiple sources are specified in nsswitch.conf(5). So after following the way through all man pages, it turns out that the behavior is fully correct as a lookup is done to find out all groups to which the specified slapd user belongs to. This includes lookups using nss_ldap when ldap is configured as source for groups in nsswitch.conf. As a side note, a short look into the bind and cron source turns out that these, and probably others too, also use the initgroups(3) function. yes. But still there is something missing. The Admin should have controll over this behavior. The reasonable default action for groups should be success=continue to go though all group sources. But the admin should still have the posibility to stop the process on success which is not possible right now. Bye Estartu -- Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| pgpPoqYTY6DQl.pgp Description: PGP signature
Re: nss_ldap and openldap on the same server.
On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote: It's a well-known problem rather than a bug, and it arises when looking up group information for a user. The system needs a list of all the groups the user is a member of. Since it's a list, not a single answer, you can't short-circuit the process with ``success'' after finding a single result: initgroups(3) must work through all possible sources of group information to build the list. I think its still a bug. You are right that all groups should be found so the default for groups should be success=continue to have this done. But when I explicily specify that on success the process should abort, it should be done exacly this way. You've now had responses from me and Joerg Pulz, and given us essentially the same reply. I'm not sure success means what you think it means: group information is a complete list, not ``first item found'' like a user account. You have told the system to check for group information in files and ldap. You have, therefore, not succeeded in listing all groups until you have both searched the files *and* received a response from nss_ldap, either group information or NSS_STATUS_NOTFOUND. It looks as though you can instruct nss_ldap to unconditionally return NSS_STATUS_NOTFOUND for a user, by adding nss_initgroups_ignoreusers user in nss_ldap.conf. I'd be interested to hear whether it works, having not tested it myself, but at the moment you're banging your head against the wall and shouting about how much it hurts. It will hurt less if you stop. Jonathan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and openldap on the same server.
On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote: On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote: It's a well-known problem rather than a bug, and it arises when looking up group information for a user. The system needs a list of all the groups the user is a member of. Since it's a list, not a single answer, you can't short-circuit the process with ``success'' after finding a single result: initgroups(3) must work through all possible sources of group information to build the list. I think its still a bug. You are right that all groups should be found so the default for groups should be success=continue to have this done. But when I explicily specify that on success the process should abort, it should be done exacly this way. You've now had responses from me and Joerg Pulz, and given us essentially the same reply. I'm not sure success means what you think it means: group information is a complete list, not ``first item found'' like a user account. You have told the system to check for group information in files and ldap. You have, therefore, not succeeded in listing all groups until you have both searched the files *and* received a response from nss_ldap, either group information or NSS_STATUS_NOTFOUND. It looks as though you can instruct nss_ldap to unconditionally return NSS_STATUS_NOTFOUND for a user, by adding nss_initgroups_ignoreusers user in nss_ldap.conf. I'd be interested to hear whether it works, having not tested it myself, but at the moment you're banging your head against the wall and shouting about how much it hurts. It will hurt less if you stop. It's not. added nss_initgroups_ignoreusers ldap but it still blockes for 2 Min. I have found a solution that work for me. The problem is not that nsswitch asks nss_ldap but that nss_ldap take so long to realise the ldap isn't running. I have changed the bind_policy setting of nss_ldap from hard to soft and nss_ldap fails without delay. So it's working for me for now. But still there is a problem with that. Right now there is no way we could prevent any source from adding users to any group (e.g wheel). I think thats a security problem in envoriments where you don't have control over all sources used for authentication und usermanagement. If there was a way you could tell the nss to stop wenn a group definition is found in a module we had a way to stop this. That shouldn't be the default way but it schould be possible. Bye Estartu -- Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| pgp9i8MG1LO1C.pgp Description: PGP signature
Re: nss_ldap and openldap on the same server.
On Tuesday 13 March 2007 14:21, Gerhard Schmidt wrote: On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote: On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote: [setting group: files ldap in nsswitch.conf] It looks as though you can instruct nss_ldap to unconditionally return NSS_STATUS_NOTFOUND for a user, by adding nss_initgroups_ignoreusers user in nss_ldap.conf. It's not. added nss_initgroups_ignoreusers ldap but it still blockes for 2 Min. I have found a solution that work for me. The problem is not that nsswitch asks nss_ldap but that nss_ldap take so long to realise the ldap isn't running. I have changed the bind_policy setting of nss_ldap from hard to soft and nss_ldap fails without delay. So it's working for me for now. But still there is a problem with that. Right now there is no way we could prevent any source from adding users to any group (e.g wheel). I think thats a security problem in envoriments where you don't have control over all sources used for authentication und usermanagement. If there was a way you could tell the nss to stop wenn a group definition is found in a module we had a way to stop this. That shouldn't be the default way but it schould be possible. Basically you're saying you want to take the first list of groups you find in the same way that you can take the first username you find: and with respect, you seem to be finding increasingly strident reasons why things should be the way you want them. You're still banging your head against the wall. It's easy to ``prevent any source from adding users to any group'': just don't give the whole world write access to your groups database - whether it's in the system files, NIS, LDAP, or on tablets of stone on a small hill in your server room. If you don't want to look up group information in LDAP, don't put ldap in the group line in nsswitch.conf. If you do, secure it properly and accept that it will always do an LDAP lookup, because group information is additive - unlike user information which has to be unique. Accept, too, that if you only have a single LDAP server, there will be a bootstrap problem reading the groups list for the ldap user to start up the LDAP server: but the only cost of this is an extra two minutes or so on each boot, which you seem to have solved in any case. Jonathan ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap and openldap on the same server.
Hi, I have a small problem. On my central server we run an openldap server that contains the userdata for some systems. An the server uses this ldap server for authentication and nss. The problem is that when the server is booting slapd takes a very long time to start up. I think it's trying to get an answer from ldap for the user ldap. But user ldap is in /etc/passwd and in /etc/groups My nsswitch.conf looks like this. group: files ldap hosts: files dns networks: files passwd: files ldap shells: files The system comes up but takes very long to do so (i think it's somekind of timeout) Mar 12 14:58:23 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. Bye Estartu Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| pgpmmM9wgc5jS.pgp Description: PGP signature
Re: nss_ldap and openldap on the same server.
On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, I have a small problem. On my central server we run an openldap server that contains the userdata for some systems. An the server uses this ldap server for authentication and nss. The problem is that when the server is booting slapd takes a very long time to start up. I think it's trying to get an answer from ldap for the user ldap. But user ldap is in /etc/passwd and in /etc/groups My nsswitch.conf looks like this. group: files ldap hosts: files dns networks: files passwd: files ldap shells: files The system comes up but takes very long to do so (i think it's somekind of timeout) Mar 12 14:58:23 phobos slapd[584]: nss_ldap: could not search LDAP server - Server is unavailable As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. I've run into this very same problem... but the way I got around it was putting OpenLDAP in a jail all by its lonesome and making sure that jail would start before anything on the host system would start that may need LDAP... (effectively meaning the LDAP server is a different machine) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and openldap on the same server.
On 3/12/07, Gerhard Schmidt [EMAIL PROTECTED] wrote: Hi, Hello, As I see it, nss asks all sources even if the frist one allready knows the answer. Is there a way to change this. man nsswitch.conf(5) Look for Status codes and Actions Bye Bye Estartu Gerhard Schmidt| Nick : estartu IRC : Estartu | Fischbachweg 3 || PGP Public Key 86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request Germany|| -- Pietro Cerutti - ASCII Ribbon Campaign - against HTML e-mail and proprietary attachments www.asciiribbon.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Slow Startup with nss_ldap
Hi Anyways, after setting slapd to start before in rc.d, I was able to get my machine up. Slapd would still give me the following error: nss_ldap: could not search LDAP server - Server is unavailable However slapd is up and running by the time I get a login prompt so the important issue is out of the way. Now to figure out why that message comes up. Pramod Venugopal [EMAIL PROTECTED] On Aug 12, 2006, at 9:00 AM, Atom Powers wrote: Try starting ldap first, using rc.d magic. Try putting 'bind-policy soft (sp?) in your nss_ldap.conf, ldap.conf On 8/11/06, Pramod Venugopal [EMAIL PROTECTED] wrote: Hello everyone, I have a FreeBSD 6.1-RELEASE system configured as a Samba Server with an OpenLDAP backend. I have configured nss_ldap to allow local user authentication via LDAP. However if I reboot this machine for any reason, the bootup process gets stuck on named. If I Ctrl-C out of named, it gets stuck again on slapd. However, if i put the original nsswitch.conf back, the machine boots up fine and i have to copy the old nsswitch.conf back to get local user authentication. Here is the updated nsswitch.conf file: --8-- passwd: files ldap group: files ldap --8-- From looking at the logs, it looks like these processes are trying to access the ldap server which isnt up since it has not started yet. Is there any way I can get past this (other than using the original nsswitch.conf and changing back manually)? Thanks in advance, Pramod Venugopal ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions- [EMAIL PROTECTED] -- -- Perfection is just a word I use occasionally with mustard. --Atom Powers-- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions- [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Slow Startup with nss_ldap
Try starting ldap first, using rc.d magic. Try putting 'bind-policy soft (sp?) in your nss_ldap.conf, ldap.conf On 8/11/06, Pramod Venugopal [EMAIL PROTECTED] wrote: Hello everyone, I have a FreeBSD 6.1-RELEASE system configured as a Samba Server with an OpenLDAP backend. I have configured nss_ldap to allow local user authentication via LDAP. However if I reboot this machine for any reason, the bootup process gets stuck on named. If I Ctrl-C out of named, it gets stuck again on slapd. However, if i put the original nsswitch.conf back, the machine boots up fine and i have to copy the old nsswitch.conf back to get local user authentication. Here is the updated nsswitch.conf file: --8-- passwd: files ldap group: files ldap --8-- From looking at the logs, it looks like these processes are trying to access the ldap server which isnt up since it has not started yet. Is there any way I can get past this (other than using the original nsswitch.conf and changing back manually)? Thanks in advance, Pramod Venugopal ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] -- -- Perfection is just a word I use occasionally with mustard. --Atom Powers-- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Slow Startup with nss_ldap
Hello everyone, I have a FreeBSD 6.1-RELEASE system configured as a Samba Server with an OpenLDAP backend. I have configured nss_ldap to allow local user authentication via LDAP. However if I reboot this machine for any reason, the bootup process gets stuck on named. If I Ctrl-C out of named, it gets stuck again on slapd. However, if i put the original nsswitch.conf back, the machine boots up fine and i have to copy the old nsswitch.conf back to get local user authentication. Here is the updated nsswitch.conf file: --8-- passwd: files ldap group: files ldap --8-- From looking at the logs, it looks like these processes are trying to access the ldap server which isnt up since it has not started yet. Is there any way I can get past this (other than using the original nsswitch.conf and changing back manually)? Thanks in advance, Pramod Venugopal ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap and OpenLDAP client version
Ansar Mohammed wrote: One of the more undocumented things here is to make sure that in your /usr/local/etc/nss_ldap.conf to make sure that your bind_polcy is soft. If not, you will have no end of problems if you ldap server goes down. Basically if you have in your nsswitch.conf: Passwd: files ldap Group: files ldap If your ldap server is down; nss_ldap keeps trying to reconnect and allot of apps just hang; (like top, ls -la etc) Luckily I haven't had the problem of OpenLDAP going down much so I haven't tweaked this option yet (all clients are currently on the same machine). The [fail=continue] switches (can't recall the exact terms) might alleviate that for NSS stuff? When I first read about the parameter my initial reaction was that 'soft' and 'hard' weren't all that intuitive, but maybe thats just me (fail_immediately/retry_on_fail or similar make more sense to me). One area I wasn't too sure of at first is the permissions on /usr/local/etc/ldap.conf (and nss_ldap.conf)... because of the issues I was having, I figured I needed to configure the 'binddn' and 'bindpw' settings to get a proxy user account to bind to LDAP (I was thinking of Solaris' proxy account and Directory Server). But those params require an unhashed password in the file, so I tried to set it only to be readable by root, which doesn't work - it needs to be world-readable. From what I've gleaned you can do away with these settings, if the directory is setup to allow anonymous binds and reading of the required information via an anonymous bind, or otherwise you need to setup an account with very limited read-only privileges on the required entries. One thing I'm still not clear on with the pam_ldap interaction (not so much the name service switch stuff) - a limited user to read username/group name/hostname information etc is fine for NSS, but what about authentication attempts? I'm guessing pam_ldap doesn't use the 'binddn' proxy to compare the hashed passwords, or otherwise you'd be stuck in a situation where you have to have a world readable account/password, and that account can read all password information. I'll up the debugging on slapd and try it for myself, but I think when I last checked it wasn't using the 'rootbinddn' account I'd supplied for authentication attempts (might've been trying to bind anonymously and then as the user's DN directly with the supplied credentials, can't recall, though the latter would make sense to me). Cheers Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: nss_ldap and OpenLDAP client version
One of the more undocumented things here is to make sure that in your /usr/local/etc/nss_ldap.conf to make sure that your bind_polcy is soft. If not, you will have no end of problems if you ldap server goes down. Basically if you have in your nsswitch.conf: Passwd: files ldap Group: files ldap If your ldap server is down; nss_ldap keeps trying to reconnect and allot of apps just hang; (like top, ls -la etc) -Original Message- From: [EMAIL PROTECTED] [mailto:owner-freebsd- [EMAIL PROTECTED] On Behalf Of Joe Shevland Sent: May 25, 2006 3:33 AM To: freebsd-questions@freebsd.org Subject: nss_ldap and OpenLDAP client version Hi, I'm about to setup my jails so they authenticate against the 'host' server using OpenLDAP and nss_ldap, pam_ldap and so on. I've done this before but wanted to repeat the process because last time it ended up being so much fiddling that when I finished I just left it alone - this time I'm documenting it :) I packaged up versions of the port for OpenLDAP 2.3 (well, actually 2.4 but that looks to just use 2.3 in any case) and then went to package up the nss_ldap port but its after OpenLDAP 2.2 stuff... I guess my question is whether this is intentional (i.e. security related), or just a port maintenance issue? I would've thought between 2.2-2.3 there's been a few security advisories... I only did a lazy lightning google and came across a few (http://www.frsirt.com/english/advisories/2005/0947) is perhaps one. Anyway, just thought I'd check. As punishment, if this is a stupid question or has been answered before, happy to write up a tutorial as I go as penance. Cheers Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions- [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap and OpenLDAP client version
Hi, I'm about to setup my jails so they authenticate against the 'host' server using OpenLDAP and nss_ldap, pam_ldap and so on. I've done this before but wanted to repeat the process because last time it ended up being so much fiddling that when I finished I just left it alone - this time I'm documenting it :) I packaged up versions of the port for OpenLDAP 2.3 (well, actually 2.4 but that looks to just use 2.3 in any case) and then went to package up the nss_ldap port but its after OpenLDAP 2.2 stuff... I guess my question is whether this is intentional (i.e. security related), or just a port maintenance issue? I would've thought between 2.2-2.3 there's been a few security advisories... I only did a lazy lightning google and came across a few (http://www.frsirt.com/english/advisories/2005/0947) is perhaps one. Anyway, just thought I'd check. As punishment, if this is a stupid question or has been answered before, happy to write up a tutorial as I go as penance. Cheers Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap/pam_ldap: problems binding
Hi, I've been trying to get my ldap authentication working, something I have done before with little issue, but this time around it is causing real pain. Pretty much the same problems Jan HREHO was having back in Febuary - http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112066.html I tried the suggested solution to that - moving the slapd startup script into /etc/rc.d, but that didn't help, same problem just further up in the boot process. Another possibility I came across was putting the line 'bind_policy soft' in /etc/ldap.conf (symlinked to /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf). This seemed to do the job, until I then tried to ssh onto localhost using an ldap user account. It failed with Apr 19 22:48:10 svr1 sshd[660]: nss_ldap: could not search LDAP server - Server is unavailable Apr 19 22:48:10 svr1 sshd[660]: fatal: login_get_lastlog: Cannot find account for uid 2000 Removing the bind_policy from the file then retrying, it worked fine. The second solution I tried was to change the slapd.sh file to just launch the deamon i.e. '/usr/local/libexec/slapd'. This seems to work, but it is very unelegent, and it may have knock on effects I am unaware of at this time. I'm more interested in getting the process right to set it up at this stage, rather than hacking away to get a working system (I'm working on a series of documents). I'm doing this on a virgin 6.0 installation, cvsuped with the latest ports, fresh install of openldap22, pam_ldap and nss_ldap. So the question is, is this a common problem, if not then what I am doing wrong to create it, if so then is there a more elequent solutions than hacking away at the startup script? The thread that suggests the bind_policy also mentions 'nss_reconnect_* parameters', which certainly sounds like it could be the answer, but I havn't been able to google anything about them. Cheers, Martin ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
pam_ldap nss_ldap
pam_ldap, nss_ldap not found. -- GANBARE! NIPPON! Yahoo! JAPAN JOC OFFICIAL INTERNET PORTAL SITE PARTNER http://pr.mail.yahoo.co.jp/ganbare-nippon/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Weird KDE error - nss_ldap
Running 6.1-STABLE, KDE 3.5.1, xorg 6.9.0. cvsupped and portupgraded this morning just to be sure. When in konqueror using the root file system view, if I click on /home, nothing happens. All other directories are displayed ok. In the terminal that started X I note the following cryptic message: Assertion failed: (cfg-ldc_uris[__session.ls_current_uri] != NULL), function do_init, file ldap-nss.c, line 1245. kioslave: ### CRASH ## protocol = file pid = 93413 signal = 6 The file ldap-nss.c is part of the nss_ldap port. This is my workstation at home, and it uses LDAP through PAM for authentication. If I take out the references to ldap in nsswitch.conf, the problem goes away. It may be just me who misconfigured the system but it did start after a major system/ports upgrade round about a week ago. Could someone shed some light please? Per olof -- nsswitch.conf: passwd: files [NOTFOUND=continue] ldap group: files [NOTFOUND=continue] ldap shells: files [NOTFOUND=continue] ldap hosts: files dns ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap on FreeBSD 5.3
I find several docs on setting this up, but none pertaining to linux compat. Can anyone point me to some instructions for setting this up properly? -- Robert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap on FreeBSD 5.3
Robert Fitzpatrick wrote: I find several docs on setting this up, but none pertaining to linux compat. Can anyone point me to some instructions for setting this up properly? -- Robert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] Um... actually VERY easy... Step 1: install nss_ldap pam_ldap 2:edit /usr/local/etc/nss_ldap.conf edit /usr/local/etc/ldap.conf edit /usr/local/etc/ldap.secret 3: edit /etc/nssswitch.conf, change from 'files' to 'files ldap' for 'group', and 'passwd' (optionally) 'hosts' too. 4: do a quick 'ldapsearch -x' to make sure you are connecting/searching the correct ldap tree... 5: edit /etc/pam.d/service file(s) for which types of accounts you want to authenticate. ie: system, login, ftp, ssh, other, etc... should have to add a line like: authsufficient /usr/local/lib/pam_ldap.so try_first_pass That should be it. Assuming your librairies are up to date, you have a valid db/tree in ldap you can connect and search... then you should be able to login right away. -- Nathan Vidican [EMAIL PROTECTED] Windsor Match Plate Tool Ltd. http://www.wmptl.com/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap on FreeBSD 5.3
On Mon, 2005-11-21 at 10:49 -0500, Nathan Vidican wrote: Robert Fitzpatrick wrote: I find several docs on setting this up, but none pertaining to linux compat. Can anyone point me to some instructions for setting this up properly? Um... actually VERY easy... Step 1: install nss_ldap pam_ldap 2:edit /usr/local/etc/nss_ldap.conf edit /usr/local/etc/ldap.conf edit /usr/local/etc/ldap.secret 3: edit /etc/nssswitch.conf, change from 'files' to 'files ldap' for 'group', and 'passwd' (optionally) 'hosts' too. 4: do a quick 'ldapsearch -x' to make sure you are connecting/searching the correct ldap tree... 5: edit /etc/pam.d/service file(s) for which types of accounts you want to authenticate. ie: system, login, ftp, ssh, other, etc... should have to add a line like: authsufficient /usr/local/lib/pam_ldap.so try_first_pass Thanks, that was easy, I was just missing the part about nss_ldap.conf, I didn't realize there was a separate file for nss. I have the logins working with gnome well, but I noticed once I login as an LDAP user, I cannot su to root in terminal session... [EMAIL PROTECTED] su Password: su: Sorry [EMAIL PROTECTED] Can someone point out why this happens? -- Robert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap on FreeBSD 5.3
Two things to check, first off, user must be in group 'wheel' (gid 0), in order to su, and also check settings in /etc/pam.d/su, (su has seperate settings). -- Nathan Vidican [EMAIL PROTECTED] Windsor Match Plate Tool Ltd. http://www.wmptl.com/ Robert Fitzpatrick wrote: On Mon, 2005-11-21 at 10:49 -0500, Nathan Vidican wrote: Robert Fitzpatrick wrote: I find several docs on setting this up, but none pertaining to linux compat. Can anyone point me to some instructions for setting this up properly? Um... actually VERY easy... Step 1: install nss_ldap pam_ldap 2:edit /usr/local/etc/nss_ldap.conf edit /usr/local/etc/ldap.conf edit /usr/local/etc/ldap.secret 3: edit /etc/nssswitch.conf, change from 'files' to 'files ldap' for 'group', and 'passwd' (optionally) 'hosts' too. 4: do a quick 'ldapsearch -x' to make sure you are connecting/searching the correct ldap tree... 5: edit /etc/pam.d/service file(s) for which types of accounts you want to authenticate. ie: system, login, ftp, ssh, other, etc... should have to add a line like: authsufficient /usr/local/lib/pam_ldap.so try_first_pass Thanks, that was easy, I was just missing the part about nss_ldap.conf, I didn't realize there was a separate file for nss. I have the logins working with gnome well, but I noticed once I login as an LDAP user, I cannot su to root in terminal session... [EMAIL PROTECTED] su Password: su: Sorry [EMAIL PROTECTED] Can someone point out why this happens? -- Robert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap on FreeBSD 5.3
On Mon, 2005-11-21 at 13:05 -0500, Nathan Vidican wrote: Two things to check, first off, user must be in group 'wheel' (gid 0), in order to su, and also check settings in /etc/pam.d/su, (su has seperate settings). wheel, duh! sorry for asking such stupid questions. I hope this one is not so stupid - how can I get the users to show up on the user list in the gdm when using a template that shows a list of all users? I have /etc/pam.d/gdm all setup and can login no problem with LDAP users. Actually, this list does not even populate with the system users. BTW, after several years working with FreeBSD as a server, this is the first time using FreeBSD as a workstation with GUI, very nice. I think better than my Linux workstation as far as the number of bugs (haven't found any yet). But I'll have to admit, the setup for things like LDAP much easier in SuSE Linux, all integrated into GUI. But I choose stability over ease of use. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
ldap + nss_ldap
hello, i had a nice-working ldap server (2.2) and i decided to upgraded to 2.3 (i couldn't make it work with sasl). openldap-server-23 is working great, but i want to install nss_ldap and it's complaining about this new ldap version. nss_ldap wants openldap-client-2.2.29 but now i have openldap-sasl-client-2.3.9. How do i trick nss_ldap to play with this version ? TIA cristi -- Human knowledge belongs to the world ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ldap + nss_ldap
cristi tauber [EMAIL PROTECTED] writes: hello, i had a nice-working ldap server (2.2) and i decided to upgraded to 2.3 (i couldn't make it work with sasl). openldap-server-23 is working great, but i want to install nss_ldap and it's complaining about this new ldap version. nss_ldap wants openldap-client-2.2.29 but now i have openldap-sasl-client-2.3.9. How do i trick nss_ldap to play with this version ? Install nss_ldap from ports instead of whatever package you're trying to use. [Or provide more details about *exactly* what you did.] -- Lowell Gilbert, embedded/networking software engineer, Boston area http://be-well.ilk.org/~lowell/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ldap + nss_ldap
On 03 Nov 2005 07:20:13 -0500, Lowell Gilbert [EMAIL PROTECTED] wrote: cristi tauber [EMAIL PROTECTED] writes: hello, i had a nice-working ldap server (2.2) and i decided to upgraded to 2.3(i couldn't make it work with sasl). openldap-server-23 is working great, but i want to install nss_ldap and it's complaining about this new ldap version. nss_ldap wants openldap-client-2.2.29 but now i have openldap-sasl-client-2.3.9. How do i trick nss_ldap to play with this version ? Install nss_ldap from ports instead of whatever package you're trying to use. [Or provide more details about *exactly* what you did.] -- well, i made a back-up of ldap-22. i deinstall it and then i issued a make install (chose sasl) in /usr/ports/net/openldap23-server and then the installation went well. next i went to /usr/ports/net/nss_ldap and make install and the error is : goliath# make install === nss_ldap-1.239 depends on executable: gmake - found === nss_ldap-1.239 depends on shared library: ldap-2.2.7 - not found === Verifying install for ldap-2.2.7 in /usr/ports/net/openldap22-client === Installing for openldap-client-2.2.29 === openldap-client-2.2.29 conflicts with installed package(s): openldap-sasl-client-2.3.9 They install files into the same place. Please remove them first with pkg_delete(1). *** Error code 1 Stop in /usr/ports/net/openldap22-client. *** Error code 1 Stop in /usr/ports/net/nss_ldap. that's it. cristi ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap-243 FreeBSD/amd64 ... anyone? (build/errors/info attached)
Wasn't sure which list to post to entirely, so sorry if seems off-topic. I can't seem to get nss_ldap-243 to compile at all under FreeBSD-6.0RC1/amd64, nor under 5.3-RELEASE, nor 5.4-RELEASE... all produce similar errors, however my development machine happens to be FreeBSD 6.0RC1/amd64 at the moment (dual AMD Opteron 246 box, 2gb ECC Registered, 1.25TB RAID 5). Here's a brief transcript of what I've done/where I am at, a longer version including the output from make/configure/etc. My comments start with a # to help differentiate from output: # configure (with options as specified, openldap-2.3.11 compiled with --prefix=/usr/openldap, # installed, configured, and running with DB). configure exits clean and generates a makefile: wmptwo# ./configure CPPFLAGS=-I/usr/openldap/include -I/usr/include LDFLAGS=-L/usr/openldap/lib -L/usr/lib --with-ldap=openldap --prefix=/usr --with-ldap-dir=/usr/openldap wmptwo# # now we run make, and get our first errors in ldap-nss.c, a quick inspection shows ldap-nss.c calling CONSTs defined in sys/param.h wmptwo# make begin patch (diff ldap-nss.c.old ldap-nss.c) 25a26,29 #ifndef MAXHOSTNAMELEN #include sys/param.h #endif /patch # now I run make again, aside from a whole bunch of compiler warnings about null arguments being passed/required, (see output attached) # ldap-nss.c compiles, now we get a whole new set of compiler errors in ldap-pwd.c, first error complains of UID_NOBODY not being # defined but still being called/used... closer look reveals UID_NOBODY defined in ldap-nss.h, but not being defined: wmptwo# make # so I try patching ldap-nss.h, and update #define UID_NOBODY to reflect the default UID for the user 'nobody' on a 'standard' FreeBSD installation: patch diff ldap-nss.h.old ldap-nss.h 446d445 #ifndef HAVE_NSSWITCH_H 448,449c447 #define UID_NOBODY (-2) #endif --- #define UID_NOBODY (65534) /patch # again, I run make, this time clean first, this time we're moving further into ldap-pwd.c, but still producing fatal compiler errors # complaining about `structure has no member named `pw_comment'`, this is the point where I step back and wonder where to go next... # should I systematically continue to retry make after I try to find/fix every compiler error; will this introduce new errors, will the # code even work? wmptwo# Again, output of all the above is attached in a txt file, please fee free to take a look through. Has anyone out there been able to get nss_ldap to compile on FreeBSD; other than the patched/older dist included with the ports collection? Problem with the ports version (in my case) being the old(er) release of openldap/ldap librairies it depends on. Working out some issues with samba and nss here alltogether, needed to update openldap to get past some other un-related bugs. System still has openldap-2.2.9 installed from the ports collection for the nss_ldap, and pam_ldap that is currently running. Samba source code has been modified, compiled, and been in use for a while now running the new(er) openldap librairies installed into /usr/openldap. Just not sure where to go with nss_ldap here; havn't even begun trying to compile pam_ldap to use the new(er) openldap librairies either - but suspect I may run into similar issues. Any suggestions/guidance would be greatly appreciated at this point... kinda running out of things to try and can't really audit the entire source code for something I know little about the internals of. Thanx all -- Nathan Vidican [EMAIL PROTECTED] Windsor Match Plate Tool Ltd. http://www.wmptl.com/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP/nss_ldap adduser script
Primarily, my aim is to keep it simple, do the basics, thats the itch that needs scratching for me at the moment. It could be the base of a more encompassing management system, but that would be a different project. Count me in on helping you with this. A nice command line utility for ldap is definitely needed. Something like ldapctl :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP/nss_ldap adduser script
On Wed, Jul 27, 2005 at 10:39:14AM +0100, [EMAIL PROTECTED] wrote: I've had a look at the adduser script and it should be straight forward enough to tailer to this purpose, and I can't see any difficulties in writing them - check /etc/ldap.conf for the location of the users groups, pops the details into an ldif and runs it through the ldap I'm not sure that such utilities exist, because each environment is very different. On my systems, I'm planning to write own scripts for creating, deleting users, etc. I will be much easier than adaption someone's scripts for own purpose. Each to their own, but most of the stuff is fairly generic. I've written the scripts to read the ldap settings from the relevent files (the admin user, and the user group context). client. The one thing I am not sure about is getting the next available uid number, but I'm sure the answer will become apparent. From my point of view the easiest solution is some directory with files, a name of each file is equal to UID of user. A script should find non- existent file with name from UID_min to UID_max and create it. As an optimization it possible to keep list of unused numbers (in file). Yuch! And what happens if the information gets out of sync. I've come up with a solution, which was much easier than I had thought - user_base=`awk '/nss_base_passwd/ {print $2}' /etc/ldap.conf | cut -f1 -d?` get_next_uid() { lastuid=`ldapsearch -LLL -b $user_base objectclass=posixAccount |\ awk '/uidNumber/ {print $2}' | sort | tail -n1` if [ -z $lastuid ]; then uid=$startuid else uid=`expr $lastuid + 1` fi } it pulls out all the uids already assigned, sorts them, takes the last one, and adds one on (or sets it to startuid if none found). It might fall over if huge numbers of users are in there, but should work for most. So before I get into the meat of this, I wanted to check if anyone has any suggestions or comments. How do you export user home directories? Thats another task - I'm just interested in easily adding and removing users easily. If you are interested, I can send you the full scripts - they are pretty sparse and general, so should be easy to adapt. Cheers, Martin ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP/nss_ldap adduser script
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, 2 Aug 2005, [EMAIL PROTECTED] wrote: On Wed, Jul 27, 2005 at 10:39:14AM +0100, [EMAIL PROTECTED] wrote: I've had a look at the adduser script and it should be straight forward enough to tailer to this purpose, and I can't see any difficulties in writing them - check /etc/ldap.conf for the location of the users groups, pops the details into an ldif and runs it through the ldap I'm not sure that such utilities exist, because each environment is very different. On my systems, I'm planning to write own scripts for creating, deleting users, etc. I will be much easier than adaption someone's scripts for own purpose. Each to their own, but most of the stuff is fairly generic. I've written the scripts to read the ldap settings from the relevent files (the admin user, and the user group context). client. The one thing I am not sure about is getting the next available uid number, but I'm sure the answer will become apparent. From my point of view the easiest solution is some directory with files, a name of each file is equal to UID of user. A script should find non- existent file with name from UID_min to UID_max and create it. As an optimization it possible to keep list of unused numbers (in file). Yuch! And what happens if the information gets out of sync. I've come up with a solution, which was much easier than I had thought - user_base=`awk '/nss_base_passwd/ {print $2}' /etc/ldap.conf | cut -f1 -d?` get_next_uid() { lastuid=`ldapsearch -LLL -b $user_base objectclass=posixAccount |\ awk '/uidNumber/ {print $2}' | sort | tail -n1` if [ -z $lastuid ]; then uid=$startuid else uid=`expr $lastuid + 1` fi } it pulls out all the uids already assigned, sorts them, takes the last one, and adds one on (or sets it to startuid if none found). It might fall over if huge numbers of users are in there, but should work for most. So before I get into the meat of this, I wanted to check if anyone has any suggestions or comments. How do you export user home directories? Thats another task - I'm just interested in easily adding and removing users easily. If you are interested, I can send you the full scripts - they are pretty sparse and general, so should be easy to adapt. Hi so, why all this scripting?? you could simply use the following line to get the next free uid (as long as the system is configured to use LDAP accounts) pw usernext | cut -f1 -d: the 'cut' is necessary as 'pw usernext' reports the next free uid:gid in combination (is this a bug??) pw groupnext reports only the next free gid regards Joerg - -- The beginning is the most important part of the work. -Plato -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFC72X8SPOsGF+KA+MRAquVAKCv3jjm4V8INAEuHbAEY2kGk0heYgCfSYaX yhF36rOl+da279CW6IsGAco= =czue -END PGP SIGNATURE- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP/nss_ldap adduser script
On Tue, Aug 02, 2005 at 02:24:26PM +0200, Joerg Pulz wrote: user_base=`awk '/nss_base_passwd/ {print $2}' /etc/ldap.conf | cut -f1 -d?` get_next_uid() { lastuid=`ldapsearch -LLL -b $user_base objectclass=posixAccount |\ awk '/uidNumber/ {print $2}' | sort | tail -n1` if [ -z $lastuid ]; then uid=$startuid else uid=`expr $lastuid + 1` fi } #!/bin/sh uid_min=1000 uid_max=2000 get_uid() { uid=${uid_min} sort -g list-uid | while read uid_used; do if [ ${uid} -eq ${uid_used} ]; then uid=`expr ${uid} + 1` if [ ${uid} -eq ${uid_max} ]; then echo Out of UID numbers; exit 1 fi else echo ${uid} break; fi done } uid=`get_uid` if [ $? -ne 0 ]; then echo ${uid} exit 1 fi echo Lowest unused UID: ${uid} so, why all this scripting?? you could simply use the following line to get the next free uid (as long as the system is configured to use LDAP accounts) Because everyone has own environment and not enough details about his/her environment give many solutions, sometimes not optimal for another environment. Yours idea is good (if LDAP accounts work on the system), especially that pw uses bitmap to find first unused UID (if reuseuids is 'yes'). the 'cut' is necessary as 'pw usernext' reports the next free uid:gid in combination (is this a bug??) This is documented in pw(8) manual page. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
LDAP/nss_ldap adduser script
Hi all, I've been using an ldap directory for quite a while now for my network logins, and love it. Problem is, it can be quite cumbersome to work with, any ldap clients I have looked at are either very sketchy or overly cumbersome for simple tasks (adding/removing users etc.), and ldif file format is a major pain to work with. My first question is - is anyone aware of a good light and stable ldap client that is easy to setup and use. My own research suggests no, which leads onto my proposal - I'm planning on writing a few basic scripts for working with the system - a 'ldap_adduser', 'ldap_rmuser' etc. Nothing major, not a full suite of utilities, just the basics to make life a little easier. I've had a look at the adduser script and it should be straight forward enough to tailer to this purpose, and I can't see any difficulties in writing them - check /etc/ldap.conf for the location of the users groups, pops the details into an ldif and runs it through the ldap client. The one thing I am not sure about is getting the next available uid number, but I'm sure the answer will become apparent. So before I get into the meat of this, I wanted to check if anyone has any suggestions or comments. Cheers, Martin ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP/nss_ldap adduser script
On Wed, Jul 27, 2005 at 10:39:14AM +0100, [EMAIL PROTECTED] typed: Hi all, I've been using an ldap directory for quite a while now for my network logins, and love it. Problem is, it can be quite cumbersome to work with, any ldap clients I have looked at are either very sketchy or overly cumbersome for simple tasks (adding/removing users etc.), and ldif file format is a major pain to work with. My first question is - is anyone aware of a good light and stable ldap client that is easy to setup and use. My own research suggests no, which leads onto my proposal - I'm planning on writing a few basic scripts for working with the system - a 'ldap_adduser', 'ldap_rmuser' etc. Nothing major, not a full suite of utilities, just the basics to make life a little easier. I've had a look at the adduser script and it should be straight forward enough to tailer to this purpose, and I can't see any difficulties in writing them - check /etc/ldap.conf for the location of the users groups, pops the details into an ldif and runs it through the ldap client. The one thing I am not sure about is getting the next available uid number, but I'm sure the answer will become apparent. So before I get into the meat of this, I wanted to check if anyone has any suggestions or comments. Well, how would you go about determining the default user's set of objectclasses and attributes? e.g. we have in our ldap users with different combinations of sambaSamAccount, posixAccount and courierMailAccount. If you want your script to be flexible enough to provide all possible options, you'll end up writing a very complex script. But good luck anyway ;-) Ruben ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: LDAP/nss_ldap adduser script
On Wed, Jul 27, 2005 at 10:39:14AM +0100, [EMAIL PROTECTED] typed: Hi all, I've been using an ldap directory for quite a while now for my network logins, and love it. Problem is, it can be quite cumbersome to work with, any ldap clients I have looked at are either very sketchy or overly cumbersome for simple tasks (adding/removing users etc.), and ldif file format is a major pain to work with. My first question is - is anyone aware of a good light and stable ldap client that is easy to setup and use. My own research suggests no, which leads onto my proposal - I'm planning on writing a few basic scripts for working with the system - a 'ldap_adduser', 'ldap_rmuser' etc. Nothing major, not a full suite of utilities, just the basics to make life a little easier. I've had a look at the adduser script and it should be straight forward enough to tailer to this purpose, and I can't see any difficulties in writing them - check /etc/ldap.conf for the location of the users groups, pops the details into an ldif and runs it through the ldap client. The one thing I am not sure about is getting the next available uid number, but I'm sure the answer will become apparent. So before I get into the meat of this, I wanted to check if anyone has any suggestions or comments. Well, how would you go about determining the default user's set of objectclasses and attributes? e.g. we have in our ldap users with different combinations of sambaSamAccount, posixAccount and courierMailAccount. If you want your script to be flexible enough to provide all possible options, you'll end up writing a very complex script. But good luck anyway ;-) Ruben Primarily, my aim is to keep it simple, do the basics, thats the itch that needs scratching for me at the moment. It could be the base of a more encompassing management system, but that would be a different project. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap, pam_krb5 and passwd.
Hi, I have user accounts in LDAP and authentication is done via pam_krb5. nss_ldap is installed and configured in terms of /etc/nssswitch.conf. However, when I run passwd I receive the following message: passwd: Sorry, `passwd' can only change passwords for local or NIS users. Judging by pam_krb5(8) this module supports the changing of passwords and it is just passwd that is refusing to change a non-local (i.e. not in /etc/passwd) password. /etc/nssswitch.conf passwd: files ldap So, here's the question: can I work around this? Is there any way to make passwd change passwords for user accounts stored in LDAP? Maybe this will require some hacking of passwd.c? Thanks very much, -Lewis Thompson. -- I was so much older then, I'm younger than that now. --Bob Dylan, 1964. -| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap errors
Hi, i'm trying to use pam_ldap and nss_ldap on a freebsd 5.3 box. This is my first try to use ldap for sshd logins. When the user exists in the files i can connect without problem. I created the same user in ldap with a different password and i can login with both passwords (files and ldap). If the user exists only in ldap, it doesn't work I receive the following error in debug.log Jan 25 22:19:30 vmldap sshd[608]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found Jan 25 22:19:30 vmldap sshd[608]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found Jan 25 22:19:30 vmldap sshd[608]: NSSWITCH(nss_method_lookup): ldap, group, endgrent, not found Jan 25 22:19:30 vmldap sshd[609]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found Can somebody have a look what i'm doing wrong? If you need extra info don't hesitate to contact me. Any help will be appreciated. Thanks in advance, Serge uname -a: vmldap.ecss.be 5.3-RELEASE-p2 FreeBSD 5.3-RELEASE-p2 #0: Tue Dec 21 21:45:18 CET 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ECXKERNEL i386 ##nsswitch.conf vmldap# cat /etc/nsswitch.conf passwd: files [NOTFOUND=continue] ldap group: files [NOTFOUND=continue] ldap hosts: files dns networks: files shells: files ##nss_ldap.conf and ldap.conf vmldap# cat /usr/local/etc/nss_ldap.conf host 127.0.0.1 base dc=ecss,dc=be scope sub port 389 pam_password md5 ldap_version 3 pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid nss_base_passwd ou=people,dc=ecss,dc=be?one nss_base_group ou=groups,dc=ecss,dc=be?one nss_base_shadow ou=people,dc=ecss,dc=be?one #debug testing logdir /var/log debug 9 vmldap# cat /etc/pam.d/sshd # # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ # # PAM configuration for the sshd service # authsufficient /usr/local/lib/pam_ldap.so debug try_first_pass # auth auth requiredpam_nologin.so no_warn authsufficient pam_opie.so no_warn no_fake_prompts authrequisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass authrequiredpam_unix.so no_warn try_first_pass # account #accountrequiredpam_krb5.so account requiredpam_login_access.so account sufficient pam_ldap.so debug account requiredpam_unix.so # session #sessionoptionalpam_ssh.so session requiredpam_permit.so # password #password sufficient pam_krb5.so no_warn try_first_pass passwordsufficient pam_ldap.so debug passwordrequiredpam_unix.so no_warn try_first_pass ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap errors
In the last episode (Jan 25), Serge Kestens said: i'm trying to use pam_ldap and nss_ldap on a freebsd 5.3 box. This is my first try to use ldap for sshd logins. When the user exists in the files i can connect without problem. I created the same user in ldap with a different password and i can login with both passwords (files and ldap). If the user exists only in ldap, it doesn't work I receive the following error in debug.log Jan 25 22:19:30 vmldap sshd[608]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found Jan 25 22:19:30 vmldap sshd[608]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found Jan 25 22:19:30 vmldap sshd[608]: NSSWITCH(nss_method_lookup): ldap, group, endgrent, not found Jan 25 22:19:30 vmldap sshd[609]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found Try rebooting your system or bouncing sshd. I remember seeing that on my systems, but can't quite remember what caused it. Either the ldconfig path wasn't set up right and ssh couldn't find nss_ldap.so at all, or I had just upgraded openldap and something was still looking for old ldap libraries. If a reboot doesn't work, try rebuilding openldap and nss_ldap. Running ktrace/truss on sshd might help you determing what's failling. -- Dan Nelson [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Problem with nss_ldap in FreeBSD 5.3-RELEASE/AMD64
Hey All, Not entirely sure which list this should be sent to, so I figured sending to the general list would be a good start. If there's a more appropriate list, could someone kindly reply and direct me as to who else may be better able to help solve or at least point me in the right direction to solve this problem myself. - Thanks. That said, here goes; I am apparently encountering an overflow of sorts with nss_ldap on FreeBSD: - Currently running OpenLDAP server, to store all local usernames/passwords/groups/shells/homedirs info. The accounts are shared between the system on the FreeBSD side using posixAccount attributes, and on the Windows side using sambaSamAccount attributes. We are using the FreeBSD port of LAM to create/modify/manage users and groups internally through a web-based interface running on Apache/php. Further details, including version specifics, etc will follow, just prefer to give you an idea of the problem we're having before wasting your time reading all the really specific stuff. Here's the problem, only a few selected usernames (4 out of about 190 or so), root cannot do a 'cd ~username'. This seems to cause issues with samba, and the list just goes on from there. What happens when one logged in as root types in the command 'cd ~username', is apparently an overflow of some sort which leaves one connected to the LDAP session, a simple [CRTL]+D releases one back to console. This same condition occurs when ANY user (not just root) attempts to cd to one of these 4 user directories; what troubles me most, is this happens regardless of permission issues to the filesystem, as it is apparently during the username lookup that it happens, to what extent the open session can allow someone access as an intruder of sorts I do not know - but nonetheless fear as an administrator, that this could be a security risk as well. I have attached a UNICODE txt file of a session which shows what one gets on the console when one attempts to 'cd ~USERNAME', where 'USERNAME' was edited removing the original username. Here's what I've tried to resolve the issue: First tried re-creating the user objects in the LDAP tree, failing that, I removed them, and re-created them with different UID numbers; essentially making them different objects with different distinctive names (DN's) in the database - nothing, same problem. Removed and re-created the physical directory entries on the disk as well, including proper ownership and permissions each time I changed the associated entry in the LDAP tree as well - even tried changing where/which disk the homedir was physically stored on. Lastly, I tried removing the entire LDAP database, and restoring FIRST the troublesome users only - same problem still. Added in the rest of the users via an LDIF export (backup of db before I toasted it) - still same problem. I figure spelling can't really be an issue; all usernames here follow the same convention (first letter of first name, followed by first 7 characters of last name, no numeric nor punctual characters of any sort). All four usernames are phonetically distinct and do not share any alphabetic pattern whatsoever either (I'd prefer not to send them out to the general list, as this machine is currently in production, and given the nature of what these accounts are causing I'd prefer not opening up a whole new security risk here). More Detailed Information Follows: -- FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 03:50:01 UTC 2004 amd64 OpenLDAP nss_ldap pam_ldap installed from ports-tree, using versions as follows (pkg_info -a reports: openldap-client-2.2.15, openldap-server-2.2.15, pam_ldap-1.7.1_1, nss_ldap-1.204_5) Samba Version Samba-3.0.8, compiled with LDAP SAM support, acting as PDC for Win2K/WinXP Clients Still running GENERIC kernel (intent upon eventually getting around to making a new one, removing a lot of debugging and what-not once all is up and running well for a boost in performance). The machine is an AMD Opteron 146-based system, with 2GB ECC registered memory, (dual capable board, eventually going to go with dual 246 Opterons when we can take them from a workstation and upgrade the workstation to faster cpus). Using WDC RAID Edition S-ATA 250GB Drives, the on-board Broadcom GigE controllers (2), and on-board ATI video controller. The drives are configured in a RAID 5 array, attached each to an independent channel on a 3Ware Escalade 9500 series S-ATA controller, for a total of 705GB and change storage across 4 partitions (2GB /, 10GB /usr, 40GB /var, rest as /server). Attached is a copy of an (edited for username) session which details what happens when this error occurs. There are no errors reported in the OpenLDAP nor the system/auth logs to give you, but if anything else is needed please don't hesitate to ask
Problem with nss_ldap in FreeBSD 5.3-RELEASE/AMD64 (2nd edition)
Hey All, - Sorry, forgot the attachement, same msg as earlier follows: Not entirely sure which list this should be sent to, so I figured sending to the general list would be a good start. If there's a more appropriate list, could someone kindly reply and direct me as to who else may be better able to help solve or at least point me in the right direction to solve this problem myself. - Thanks. That said, here goes; I am apparently encountering an overflow of sorts with nss_ldap on FreeBSD: - Currently running OpenLDAP server, to store all local usernames/passwords/groups/shells/homedirs info. The accounts are shared between the system on the FreeBSD side using posixAccount attributes, and on the Windows side using sambaSamAccount attributes. We are using the FreeBSD port of LAM to create/modify/manage users and groups internally through a web-based interface running on Apache/php. Further details, including version specifics, etc will follow, just prefer to give you an idea of the problem we're having before wasting your time reading all the really specific stuff. Here's the problem, only a few selected usernames (4 out of about 190 or so), root cannot do a 'cd ~username'. This seems to cause issues with samba, and the list just goes on from there. What happens when one logged in as root types in the command 'cd ~username', is apparently an overflow of some sort which leaves one connected to the LDAP session, a simple [CRTL]+D releases one back to console. This same condition occurs when ANY user (not just root) attempts to cd to one of these 4 user directories; what troubles me most, is this happens regardless of permission issues to the filesystem, as it is apparently during the username lookup that it happens, to what extent the open session can allow someone access as an intruder of sorts I do not know - but nonetheless fear as an administrator, that this could be a security risk as well. I have attached a UNICODE txt file of a session which shows what one gets on the console when one attempts to 'cd ~USERNAME', where 'USERNAME' was edited removing the original username. Here's what I've tried to resolve the issue: First tried re-creating the user objects in the LDAP tree, failing that, I removed them, and re-created them with different UID numbers; essentially making them different objects with different distinctive names (DN's) in the database - nothing, same problem. Removed and re-created the physical directory entries on the disk as well, including proper ownership and permissions each time I changed the associated entry in the LDAP tree as well - even tried changing where/which disk the homedir was physically stored on. Lastly, I tried removing the entire LDAP database, and restoring FIRST the troublesome users only - same problem still. Added in the rest of the users via an LDIF export (backup of db before I toasted it) - still same problem. I figure spelling can't really be an issue; all usernames here follow the same convention (first letter of first name, followed by first 7 characters of last name, no numeric nor punctual characters of any sort). All four usernames are phonetically distinct and do not share any alphabetic pattern whatsoever either (I'd prefer not to send them out to the general list, as this machine is currently in production, and given the nature of what these accounts are causing I'd prefer not opening up a whole new security risk here). More Detailed Information Follows: -- FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 03:50:01 UTC 2004 amd64 OpenLDAP nss_ldap pam_ldap installed from ports-tree, using versions as follows (pkg_info -a reports: openldap-client-2.2.15, openldap-server-2.2.15, pam_ldap-1.7.1_1, nss_ldap-1.204_5) Samba Version Samba-3.0.8, compiled with LDAP SAM support, acting as PDC for Win2K/WinXP Clients Still running GENERIC kernel (intent upon eventually getting around to making a new one, removing a lot of debugging and what-not once all is up and running well for a boost in performance). The machine is an AMD Opteron 146-based system, with 2GB ECC registered memory, (dual capable board, eventually going to go with dual 246 Opterons when we can take them from a workstation and upgrade the workstation to faster cpus). Using WDC RAID Edition S-ATA 250GB Drives, the on-board Broadcom GigE controllers (2), and on-board ATI video controller. The drives are configured in a RAID 5 array, attached each to an independent channel on a 3Ware Escalade 9500 series S-ATA controller, for a total of 705GB and change storage across 4 partitions (2GB /, 10GB /usr, 40GB /var, rest as /server). Attached is a copy of an (edited for username) session which details what happens when this error occurs. There are no errors reported in the OpenLDAP nor the system/auth logs to give you
account management pam_ldap+nss_ldap
Hello all, I would greatly appreciate if someone could help me or point me to the right place to find a solution to the following problem. I have a system (5.3-release) configured to do user authentication through pam and ldap using map_ldap.so and nss_ldap.so. Everything is fine with that configuration, I am able to login, ssh and ftp to the system using users configured only in ldap with no problem. What I'm looking for is a way to manage these accounts, I mean to temporarily disable (locking) an account or a group of accounts, like pw lock username, set accounts expiration date and so on. I spent the last 2 days searching but found nothing, or maybe I was looking in wrong places? Please if someone did things like described above, help me. Actually, I'm most interested in disabling/enabling an ldap account/group without deleting it. I was trying to find a solution myself and have thought of following. To create an ldap schema file which will have an objectclass with the accountEnabled attribute (and maybe some others too). To include this objectclass for DNs containing users and somehow to create a filter in nss_ldap config file wich will do the filtering taking into account the accountEnabled flag. What do you think of this approach? I would appreciate any suggestions. Thanks, Cezar Fistik ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap build problems
Hello All, I am stumped. I am trying to build nss_ldap and I get an error that says cannot locate file ldap.h when I know it exists and I know the exact directory it is located in and specify it. Here is the command line I am using: ./configure -includedir=/usr/local/include. There must be some environment parameters that need to be set for the compiler or config script? I don't know. Any help would be appreciated. Thanks, Matt ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap build problems
In the last episode (Oct 27), Matt Schwartz said: I am stumped. I am trying to build nss_ldap and I get an error that says cannot locate file ldap.h when I know it exists and I know the exact directory it is located in and specify it. Here is the command line I am using: ./configure -includedir=/usr/local/include. There must be some environment parameters that need to be set for the compiler or config script? I don't know. Any help would be appreciated. This works for me: cd /usr/ports/net/nss_ldap make install -- Dan Nelson [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Setting up pam_ldap nss_ldap
On 5.3-Beta I have installed pam_ldap and nss_ldap. Then I edited the following files: /usr/local/etc/ldap.conf /etc/nsswitch.conf files within /etc/pam.d particularly /etc/pam.d/ldap and ./sshd and ./su /usr/local/etc/nss_ldap.conf I think that's it. I can provide each of those files if necessary. Nonetheless authentication for users not local to this system is not occurring (which would normally occur for me under Linux). I have tried authenticating the following ways: 1) through ssh; 2) through su. I have noticed, however, that the way I do this under Linux is not the same as for FreeBSD. So, it's quite possible that I have left something out. Anyhow, I would appreciate any input into what needs to be configured to get this to work. Thanks! ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Setting up pam_ldap nss_ldap
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thu, 2 Sep 2004, Curtis Vaughan wrote: On 5.3-Beta I have installed pam_ldap and nss_ldap. Then I edited the following files: /usr/local/etc/ldap.conf /etc/nsswitch.conf files within /etc/pam.d particularly /etc/pam.d/ldap and ./sshd and ./su /usr/local/etc/nss_ldap.conf I think that's it. I can provide each of those files if necessary. Nonetheless authentication for users not local to this system is not occurring (which would normally occur for me under Linux). I have tried authenticating the following ways: 1) through ssh; 2) through su. I have noticed, however, that the way I do this under Linux is not the same as for FreeBSD. So, it's quite possible that I have left something out. Anyhow, I would appreciate any input into what needs to be configured to get this to work. i have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP accounts via nss_ldap and pam_ldap. it works perfectly. /etc/nsswitch.conf - --- passwd: files [NOTFOUND=continue] ldap group: files [NOTFOUND=continue] ldap shells: files hosts: files dns - --- /etc/pam.d/sshd - --- # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.sono_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.sono_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass debug auth required pam_unix.sono_warn try_first_pass # account #account required pam_krb5.so account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_permit.so # password #password sufficient pam_krb5.sono_warn try_first_pass password sufficient /usr/local/lib/pam_ldap.so use_authok password required pam_unix.sono_warn try_first_pass - --- /usr/local/etc/nss_ldap.conf (without TLS stuff) - --- host ldap1.example.com ldap2.example.com base dc=example,dc=com ldap_version 3 port 389 scope sub timelimit 30 bind_timelimit 30 bind_policy hard idle_timelimit 3600 pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_password clear pam_password exop nss_base_passwd ou=People,dc=example,dc=com?one nss_base_group ou=Group,dc=example,dc=com?one # debug testing #logdir /var/log #debug 9 - --- i use the same configuration for pam_ldap and nss_ldap, so create a symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or make an exact copy. all other entries in nss_ldap are commented out for me. Don't forget to change dc=example,dc=com and ldap1.example.com ldap2.example.com to your values. there is no need for a .secret file for pam_ldap or nss_ldap. to be clear, if you set a rootbinddn or binddn which has the right to read the userPassword attribute, a getpwent(3) call would return all password hashes which is surely not what you want. the better way is to let nss_ldap only return the account information without the password and let pam_ldap try to bind as the users dn with the submitted password. another point is, that the whole pam_ldap stuff can be skipped if you use a binddn or rootbinddn with nss_ldap and this dn is allowed to read the userPassword attribute as the password is available to pam_unix and makes authentication possible. but remember the risk that someone is able to use getpwent(3) to get all password hashes that are stored in LDAP. if it's still not working for you, uncomment the logdir and debug line in nss_ldap.conf and, if not symlinked, in ldap.conf too. after trying a new login you will find a file ldap.PID in the directory specified as logdir. the whole LDAP lookup and LDAP bind phase is written to this file so one can analyze whats working or not. feel free to ask again if you still have problems. regards Joerg - -- The beginning is the most important part of the work. -Plato -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBN3Z1SPOsGF+KA+MRAiqCAKDBJnLfyxzvDznyFqK0y5Nc7zreaQCgo2Tq EA/iC/hSxEjtrBwnaBoIXAU= =GlqU -END PGP SIGNATURE- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Confusion / minor problem using nss_ldap
Hi list, I've installed FreeBSD 5.1-RELEASE connecting to an OpenLDAP Server running on a Linux box. nss_ldap as well as pam_ldap is working fine. I am able to connect to my FreeBSD box via ssh without any problmes. `id` shows my correct user information, which is: %id uid=503(daniel.ruthardt) gid=503(serverAdmins) groups=503(serverAdmins), 501(sambaUsers), 502(sambaAdmins) Now the problem / confusing thing: (1) Although my primary group id should be 503 , everything created by my user shows up with group wheel. (2) Although everyhting seems to work without any problems, `ls`never shows my username, only my user id (and that although I can see a successful query for my user id in the log file of the LDAP server). %mkdir daniel %ls -l total 4 drwxr-xr-x 2 503 wheel 512 Jul 12 11:56 daniel drwxr-xr-x 2 503 wheel 512 Jul 12 11:37 test % Can anybody point me in the right direction what might go wrong here? Greets and thanks in advance, Daniel ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Confusion / minor problem using nss_ldap
On Mon, 12 Jul 2004, Daniel Ruthardt wrote: I've installed FreeBSD 5.1-RELEASE connecting to an OpenLDAP Server running on a Linux box. nss_ldap as well as pam_ldap is working fine. I am able to connect to my FreeBSD box via ssh without any problmes. `id` shows my correct user information, which is: %id uid=503(daniel.ruthardt) gid=503(serverAdmins) groups=503(serverAdmins), 501(sambaUsers), 502(sambaAdmins) Now the problem / confusing thing: (1) Although my primary group id should be 503 , everything created by my user shows up with group wheel. (2) Although everyhting seems to work without any problems, `ls`never shows my username, only my user id (and that although I can see a successful query for my user id in the log file of the LDAP server). %mkdir daniel %ls -l total 4 drwxr-xr-x 2 503 wheel 512 Jul 12 11:56 daniel drwxr-xr-x 2 503 wheel 512 Jul 12 11:37 test % Can anybody point me in the right direction what might go wrong here? From 5.2-R on, ls is linked dynamically and uses the whole nss mechanism. In 5.1 with ls being statically linked (like all binaries in /bin and /sbin) it cannot do. Regards Konrad Heuer ([EMAIL PROTECTED]) ___ ___ GWDG / __/__ ___ / _ )/ __/ _ \ Am Fassberg / _// __/ -_) -_) _ |\ \/ // / 37077 Goettingen /_/ /_/ \__/\__//___// Germany ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Confusion / minor problem using nss_ldap
On Mon, Jul 12, 2004 at 12:01:04PM +0200, Daniel Ruthardt wrote: Date: Mon, 12 Jul 2004 12:01:04 +0200 From: Daniel Ruthardt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Confusion / minor problem using nss_ldap Hi list, I've installed FreeBSD 5.1-RELEASE connecting to an OpenLDAP Server running on a Linux box. nss_ldap as well as pam_ldap is working fine. I am able to connect to my FreeBSD box via ssh without any problmes. `id` shows my correct user information, which is: %id uid=503(daniel.ruthardt) gid=503(serverAdmins) groups=503(serverAdmins), 501(sambaUsers), 502(sambaAdmins) Now the problem / confusing thing: (1) Although my primary group id should be 503 , everything created by my user shows up with group wheel. It's normal behavior if the directory group is wheel. (2) Although everyhting seems to work without any problems, `ls`never shows my username, only my user id (and that although I can see a successful query for my user id in the log file of the LDAP server). 5.1 uses statically linked binaries in /bin and /sbin, that's why ls(1) doesn't print names for users that not exist in the local password file. It's not a big problem, but if you prefer ls(1) and the others programs from /bin and /sbin to work with user names instead of UIDs you must upgrade to 5.2 or better ;-) %mkdir daniel %ls -l total 4 drwxr-xr-x 2 503 wheel 512 Jul 12 11:56 daniel drwxr-xr-x 2 503 wheel 512 Jul 12 11:37 test % Can anybody point me in the right direction what might go wrong here? Greets and thanks in advance, Daniel ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] -- Dancho Penev GnuPG public key: http://www.mnet.bg/~dpenev/gnupg.asc Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2 7554 2AA8 C347 71A1 4277 pgpz9HHmRqsfH.pgp Description: PGP signature
Re: Confusion / minor problem using nss_ldap
In the last episode (Jul 12), Daniel Ruthardt said: I've installed FreeBSD 5.1-RELEASE connecting to an OpenLDAP Server running on a Linux box. nss_ldap as well as pam_ldap is working fine. I am able to connect to my FreeBSD box via ssh without any problmes. `id` shows my correct user information, which is: %id uid=503(daniel.ruthardt) gid=503(serverAdmins) groups=503(serverAdmins), 501(sambaUsers), 502(sambaAdmins) Now the problem / confusing thing: (1) Although my primary group id should be 503 , everything created by my user shows up with group wheel. Newly-created files/dirs inherit the group owner of their parent directory. -- Dan Nelson [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: problems with LDAP TLS and nss_ldap on 5.2.1
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 08, 2004 6:27 AM ... running /etc/rc.d/slapd start doesn't even start the server but doesn't complain either. So I have no clue what's going wrong and right now I have to run the server without TLS. I had the same problem with slapd not reporting any errors on start. So I added the line: local4.*/var/log/ldap.log To my /etc/syslog.conf to have it log out everything going on. This helped. --- | /\ \/ @ [EMAIL PROTECTED] DataSphere - Databases, back end web programming and networking 317.536.1858 ICQ: 21106703 The only thing necessary for evil to triumph is for good men to do nothing. - Edmund Burke ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
problems with LDAP TLS and nss_ldap on 5.2.1
I have upgraded our LDAP server to 5.2.1Release running openldap-2.1.30 server/client + pam_ldap-1.6.9 + nss_ldap-1.204_5. The previous configuration (openldap20-2.0.25_4 + nss_ldap-1.204_1 + pam_ldap-1.6.1) was runing OK on FreeBSD 5.1R After the upgrade I have 2 major problems. 1) I'm not able to make the ldap server to work with TLS. The previous installation worked fine but I haven't properly backed up TLS certificates and I had to generate them again using the approach described at http://www.openldap.org/faq/data/cache/185.html As soon as I add these TLS options to the slapd.conf: # TLS options for slapd TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/servercrt.pem TLSCertificateKeyFile /usr/local/etc/openldap/servercrt.pem ... running /etc/rc.d/slapd start doesn't even start the server but doesn't complain either. So I have no clue what's going wrong and right now I have to run the server without TLS. 2) The second problem is with nss_ldap. I have installed the server first, loaded data to the directory, tried some searches etc. Everything worked OK (except for the TLS). Nomaly, the startup of the server takes about 1 second. As soon as I install nss_ldap (in the very moment I run make install on that port) the startup time of the ldap server slows down to 30+ seconds and I also experienced cases when it didn't start at all. If I deinstall the nss_ldap the server startup is quick again. Any ideas of what can be wrong in either case would be really welcome. Thanks Mira ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap
On Tue, 3 Feb 2004, Andrea Venturoli wrote: Hello. I've installed the above on FreeBSD 5.1 and it's more or less working; however when i do ls -l I don't see user names, but uid numbers. Any fix? You need to run 5.2-RELEASE. In 5.1 the binaries in /bin and /sbin are still statically linked and thus don't make use of LDAP user information. Regards Konrad Konrad Heuer ([EMAIL PROTECTED]) ___ ___ GWDG / __/__ ___ / _ )/ __/ _ \ Am Fassberg / _// __/ -_) -_) _ |\ \/ // / 37077 Goettingen /_/ /_/ \__/\__//___// Germany ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap
Hello. I've installed the above on FreeBSD 5.1 and it's more or less working; however when i do ls -l I don't see user names, but uid numbers. Any fix? bye Thanks av. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap
On Tue, 2004-02-03 at 17:10 -0500, Andrea Venturoli wrote: I've installed the above on FreeBSD 5.1 and it's more or less working; however when i do ls -l I don't see user names, but uid numbers. Any fix? 5.1 does not have dynamically linked libraries for ls and other sysutils in order to do this. Upgrade to 5.2 and this feature is supported. -- You keep using that word. I do not think it means what you think it means. FreeBSD 5.2-CURRENT i386 9:36am up 10:46, 2 users, load averages: 4.34, 4.62, 4.88 signature.asc Description: This is a digitally signed message part
nss_ldap, sendmail and ls
Hello. I've built a mailserver with FreeBSD 5.1, which uses nss_ldap for the user database, and sendmail-ldap from the port collection. Everything works fine except forward files. I've arranged sendmail to keep them all in one directory by user name; however this only works for users which are in /etc/passwd, not for those that are stored in LDAP. Something which might be related: if I do ls -l I can see the usernames, again, only for users which are in /etc/passwd, for those that are in LDAP I see the uid number instead. Is this normal? Any hint is appreciated. bye Thanks av. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap, sendmail and ls
On Sun, Jan 25, 2004 at 02:09:29PM -0500, Andrea Venturoli wrote: Hello. I've built a mailserver with FreeBSD 5.1, which uses nss_ldap for the user database, and sendmail-ldap from the port collection. Everything works fine except forward files. I've arranged sendmail to keep them all in one directory by user name; however this only works for users which are in /etc/passwd, not for those that are stored in LDAP. Something which might be related: if I do ls -l I can see the usernames, again, only for users which are in /etc/passwd, for those that are in LDAP I see the uid number instead. Is this normal? Any hint is appreciated. bye Thanks av. This amounts to only a hint, but my copy of the port says Currently this is an experimental port, with support only for the `passwd' and `group' databases. which sounds very much like the problem you describe. You may need to use a more complete ldap system such as openldap which is also in the ports. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap in -CURRENT
On Thu, 7 Aug 2003 00:43:12 +0200 [EMAIL PROTECTED] (Thomas Deniau) wrote: Hi ! Hi, I'm trying to use nss_ldap, to implement ldap authentication, in 5.1-current. The LDAP server works perfectly. I've installed the nss_ldap and pam_ldap ports, edited /usr/local/etc/ldap.conf. put passwd: files ldap and group:files ldap in /etc/nsswitch.conf. pam_ldap works perfectly : the auth stage succeeds, but then the login fails : I guess that nss_ldap doesn't find my UID. In fact, when I use getpwent() I don't get LDAP users So it seems that something in nsswitch is not working, but there is no error logged... When I try to use id, for example, I get no such user for LDAP users. So, how can I know if nss_ldap is loaded and what is causing the error ? Has anyone succeeded in using nss_ldap ? Thank you in advance, It works perfectly here :) un simple truss shows you that you need to copy /usr/local/etc/ldap.conf to /etc/ldap.conf. After that it should work. (that works for me) regards, clem ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap in -CURRENT
So, is it safe to comment out the errx and recompile passwd ? OK, if anyone has the same problems : I've commented out the errx, cc -lpam -o passwd /usr/src/usr.bin/passwd/passwd.c Now the passwd works for LDAP too ;) -- Thomas Deniau Unix is user friendly. It's just selective when choosing friends. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Fw: Re: nss_ldap in -CURRENT
On Thu, 7 Aug 2003 01:17:47 +0200 Clement Laforet [EMAIL PROTECTED] wrote: If someone wants to add/correct something. Begin forwarded message: Date: Thu, 7 Aug 2003 01:14:50 +0200 From: Clement Laforet [EMAIL PROTECTED] To: Kerberus [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: nss_ldap in -CURRENT 9. configure /etc/nsswitch ^^ = /etc/nsswitch.conf -bash-2.05b# cat /etc/nsswitch.conf passwd: files ldap groups: files ldap ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: nss_ldap in -CURRENT
But when I try to change a pass for a LDAP user I get : passwd: Sorry, `passwd' can only change passwords for local or NIS users. That's actually strange. From /usr/src/usr.bin/passwd/passwd.c : /* check where the user's from */ switch (pwd-pw_fields _PWF_SOURCE) { case _PWF_FILES: fprintf(stderr, Changing local password for %s\n, pwd-pw_name); break; case _PWF_NIS: fprintf(stderr, Changing NIS password for %s\n, pwd-pw_name); break; default: /* XXX: Green men ought to be supported via PAM. */ errx(1, Sorry, `passwd' can only change passwords for local or NIS users.); } So it doesn't want to change passwords for non-local users. However, if you take a look at this source file, after these lines come a bunch of PAM calls... So, is it safe to comment out the errx and recompile passwd ? -- Thomas Deniau Unix is user friendly. It's just selective when choosing friends. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Fw: Re: nss_ldap in -CURRENT
If someone wants to add/correct something. Begin forwarded message: Date: Thu, 7 Aug 2003 01:14:50 +0200 From: Clement Laforet [EMAIL PROTECTED] To: Kerberus [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: nss_ldap in -CURRENT On 06 Aug 2003 18:03:30 -0500 Kerberus [EMAIL PROTECTED] wrote: is there a quick howto some where on doing this setup, cause its killing me 1. Get a working -CURRENT system 2. install /usr/ports/net/openldap21 3. install /usr/ports/net/nss_ldap 4. install /usr/ports/security/pam_ldap 5. set up your openldap server, don't forget to include schema/nis.schema 6. fill users using ldiff (or get a web frontend) 7. configure you /usr/local/etc/ldap.conf 8. ln -s /usr/local/etc/ldap.conf /etc/ldap.conf 9. configure /etc/nsswitch 10. id user to test troubleshouting : - if you get an error like this one : Entry (uid=test,ou=users,dc=cultdeadsheep,dc=org), attribute 'field' not allowed in your /var/log/debug log, you have to add it in the schema (see core.schema) should be ok now :) regards, clem ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Quick and dirty FreeBSD 5.x and nss_ldap mini-HOWTO
Hi, Here's a really mini HOWTO to get nss_ldap works on FreeBSD 5.x, this is a follow up of a previous discussion on [EMAIL PROTECTED] http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html Any feedback, ideas, suggestions, patches, insults are welcome. regards clem ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]