lists.arthurdejong.org
RSS feed

Re: Server issue

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Server issue



14.09.2011 16:03, Moisés Barba Pérez пишет:
Hi,

   I have compiled the nss-pam-ldapd for el4.5 and instaled it. Now I have a server degrade and finally the server block login atemps.

   The messages log shows this:

Sep 14 04:26:22 server1 nslcd[3806]: [960f87] ldap_result() failed: Can't contact LDAP server
Sep 14 04:26:22 server1 nslcd[3806]: [960f87] ldap_abandon() failed to abandon search: Internal (implementation specific) error

And I don't find information about whats happening.

can somebody help me?

Regards,
Moses.


nslcd can't connect to slapd. Problem with your config's..
For normal work you need to have 2 working config's - /etc/openldap/slapd.conf and /etc/nslcd.conf. Use my own, edit it for themselves.

/etc/openldap/slapd.conf
###############################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/cyrus-sasl.schema

TLSCipherSuite          HIGH:+SSLv3:+TLSv1:+SHA1:+AES:!DH:!3DES:!ECDSA:!ECDH
TLSCACertificateFile    /etc/ssl/keys/cacert.pem
TLSCertificateFile      /etc/ssl/private/cert.pem
TLSCertificateKeyFile   /etc/ssl/private/key.pem
TLSVerifyClient         never
TLSCRLCheck             all
TLSCRLFile              /etc/ssl/keys/crl.pem

sasl-host       serv.sintell.by
sasl-realm      serv.sintell.by

authz-regexp    uid=([^,]*),cn=sintell.by,cn=DIGEST-MD5,cn=auth
                uid=$1,ou=users,dc=sintell,dc=by

disallow        bind_anon

loglevel 256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap/openldap
moduleload      back_hdb.so

password-hash   {SSHA}

database        hdb
directory       /var/lib/openldap-data

suffix          "dc=sintell,dc=by"
checkpoint      32      30
rootdn          "cn=ldapadmin,dc=sintell,dc=by"
rootpw          {SSHA}p9o0zvKb7bXbEO37DIuWVl2o+xY7RTLq

index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

access to attrs=userPassword
    by self write
    by anonymous auth

access to *
    by dn.regex="uid=[^,]+,ou=users,dc=sintell,dc=by" read
    by anonymous auth
#############################################################

/etc/nslcd.conf
#############################################################
threads                 2
uid                     439
gid                     439

uri                     ldaps://127.0.0.1:636/
ldap_version            3

base                    dc=sintell,dc=by
binddn                  uid=ldapmanager,ou=users,dc=sintell,dc=by
bindpw                  CleArTexT-PassW0rd-1
rootpwmoddn             cn=ldapadmin,dc=sintell,dc=by
rootpwmodpw            CleArTexT-PassW0rd-2

scope                   one
base                    group   ou=groups,dc=sintell,dc=by
base                    passwd  ou=users,dc=sintell,dc=by
base                    shadow  ou=users,dc=sintell,dc=by
scope                   group   one
scope                   passwd  one
scope                   shadow  one
scope                   hosts   sub

reconnect_sleeptime     5
reconnect_retrytime     5

nss_min_uid             1000

ssl on
tls_reqcert never
tls_ciphers HIGH:+SSLv3:+TLSv1:+SHA1:+AES:!DH:!3DES:!ECDSA:!ECDH
tls_cacertfile /etc/ssl/keys/cacert.pem
################################################################

/etc/pam.d/system-auth
########################################
auth            required        pam_env.so
auth            sufficient      pam_ssh.so
auth            sufficient      pam_unix.so use_first_pass likeauth
auth            sufficient      pam_ldap.so use_first_pass minimum_uid=1000
auth            required        pam_deny.so

account         sufficient      pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_deny.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so use_authtok sha512 shadow
password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_deny.so

session         required        pam_env.so
session         sufficient      pam_ssh.so
session         sufficient      pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_deny.so
##########################################################

slapd starts with "-f /etc/openldap/slapd.conf -h 'ldaps://127.0.0.1:636' " options.

In /etc/nsswitch.conf should something like this
###################################################
shadow:         files ldap
passwd:         files ldap
group:          files ldap
hosts:          files dns ldap
services:       files ldap
networks:       files ldap
protocols:      files ldap
rpc:            files ldap
ethers:         files ldap
netmasks:       files
bootparams:     files
publickey:      files
automount:      files
aliases:        files
sendmailvars:   files
netgroup:       files ldap
####################################################

I use nss-pam-ldapd-0.8.4 version. Everything works :)

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/