lists.arthurdejong.org

Re: Server issue


Hi,

   The problem is that I don't use OpenLDAP, I use 389DS (based on Red Hat DS). I use 0.7.13 because it is the latest stable version indicated on the nss-pam-ldapd web page; I can't use a non-stable version.

My nslcd.conf file is:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
 
# nslcd user
uid     nslcd
gid     nslcd
 
# LDAP server
uri     ldaps://ldapa.sacyl.es/

# referrals
referrals no
 
# base search
base    dc=domain,dc=es
#base    host    ou=Computers,o=org1,dc=domain,dc=es
base    group   ou=Groups,o=org1,dc=domain,dc=es
base    passwd  dc=domain,dc=es
base    shadow  dc=domain,dc=es
 
# Filters
#filter  host    (&(objectClass=posixAccount)(|(ou:dn:=People)(ou:dn:=Computers)))
filter  group   (objectClass=posixgroup)
filter  passwd  (&(objectClass=posixAccount)(|(ou:dn:=People)(ou:dn:=Computers)))
filter  shadow  (&(objectClass=posixAccount)(|(ou:dn:=People)(ou:dn:=Computers)))
 
# search type
scope   sub
#scope   host    one
scope   group   one
scope   passwd  sub
scope   shadow  sub
 
# LDAP version
ldap_version    3
 
# User to bind
binddn  cn=Application Manager,cn=config
bindpw  XXXXXXXXXXXXX
 
tls_reqcert     allow

   My nsswitch.conf is fine, and my system-auth too. So I don't understand the problem. Thank you for your answer anyway.

Regards,
Moses.


2011/9/14 Sitov Alexey <sitov [at] sintell.by>
On 14.09.2011 16:03, Moisés Barba Pérez wrote:
Hi,

   I have compiled nss-pam-ldapd for el4.5 and installed it. Now the server degrades and finally blocks login attempts.

   The messages log shows this:

Sep 14 04:26:22 server1 nslcd[3806]: [960f87] ldap_result() failed: Can't contact LDAP server
Sep 14 04:26:22 server1 nslcd[3806]: [960f87] ldap_abandon() failed to abandon search: Internal (implementation specific) error

And I can't find information about what's happening.

Can somebody help me?

Regards,
Moses.


nslcd can't connect to slapd. Problem with your configs.
For normal operation you need two working configs: /etc/openldap/slapd.conf and /etc/nslcd.conf. Use my own and edit them for yourself.

/etc/openldap/slapd.conf
###############################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/cyrus-sasl.schema

TLSCipherSuite          HIGH:+SSLv3:+TLSv1:+SHA1:+AES:!DH:!3DES:!ECDSA:!ECDH
TLSCACertificateFile    /etc/ssl/keys/cacert.pem
TLSCertificateFile      /etc/ssl/private/cert.pem
TLSCertificateKeyFile   /etc/ssl/private/key.pem
TLSVerifyClient         never
TLSCRLCheck             all
TLSCRLFile              /etc/ssl/keys/crl.pem

sasl-host       serv.sintell.by
sasl-realm      serv.sintell.by

authz-regexp    uid=([^,]*),cn=sintell.by,cn=DIGEST-MD5,cn=auth
                uid=$1,ou=users,dc=sintell,dc=by

disallow        bind_anon

loglevel 256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap/openldap
moduleload      back_hdb.so

password-hash   {SSHA}

database        hdb
directory       /var/lib/openldap-data

suffix          "dc=sintell,dc=by"
checkpoint      32      30
rootdn          "cn=ldapadmin,dc=sintell,dc=by"
rootpw          {SSHA}p9o0zvKb7bXbEO37DIuWVl2o+xY7RTLq

index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

access to attrs=userPassword
    by self write
    by anonymous auth

access to *
    by dn.regex="uid=[^,]+,ou=users,dc=sintell,dc=by" read
    by anonymous auth
#############################################################

/etc/nslcd.conf
#############################################################
threads                 2
uid                     439
gid                     439

uri                     ldaps://127.0.0.1:636/
ldap_version            3

base                    dc=sintell,dc=by
binddn                  uid=ldapmanager,ou=users,dc=sintell,dc=by
bindpw                  CleArTexT-PassW0rd-1
rootpwmoddn             cn=ldapadmin,dc=sintell,dc=by
rootpwmodpw            CleArTexT-PassW0rd-2

scope                   one
base                    group   ou=groups,dc=sintell,dc=by
base                    passwd  ou=users,dc=sintell,dc=by
base                    shadow  ou=users,dc=sintell,dc=by
scope                   group   one
scope                   passwd  one
scope                   shadow  one
scope                   hosts   sub

reconnect_sleeptime     5
reconnect_retrytime     5

nss_min_uid             1000

ssl on
tls_reqcert never
tls_ciphers HIGH:+SSLv3:+TLSv1:+SHA1:+AES:!DH:!3DES:!ECDSA:!ECDH
tls_cacertfile /etc/ssl/keys/cacert.pem
################################################################

/etc/pam.d/system-auth
########################################
auth            required        pam_env.so
auth            sufficient      pam_ssh.so
auth            sufficient      pam_unix.so use_first_pass likeauth
auth            sufficient      pam_ldap.so use_first_pass minimum_uid=1000
auth            required        pam_deny.so

account         sufficient      pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_deny.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so use_authtok sha512 shadow
password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_deny.so

session         required        pam_env.so
session         sufficient      pam_ssh.so
session         sufficient      pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_deny.so
##########################################################

slapd starts with "-f /etc/openldap/slapd.conf -h 'ldaps://127.0.0.1:636' " options.

In /etc/nsswitch.conf there should be something like this
###################################################
shadow:         files ldap
passwd:         files ldap
group:          files ldap
hosts:          files dns ldap
services:       files ldap
networks:       files ldap
protocols:      files ldap
rpc:            files ldap
ethers:         files ldap
netmasks:       files
bootparams:     files
publickey:      files
automount:      files
aliases:        files
sendmailvars:   files
netgroup:       files ldap
####################################################

I use nss-pam-ldapd-0.8.4 version. Everything works :)


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
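The two nslcd.conf files in this thread share a setting worth checking before chasing the connection error: "tls_reqcert allow" in the first (with no tls_cacertfile at all) and "tls_reqcert never" in the second both let nslcd complete an LDAPS handshake without proving which server it is talking to, and the second also keeps the slapd rootdn password on the client via rootpwmodpw. The script below is an added example, not code from the thread or from nss-pam-ldapd: it parses the nslcd.conf option format (including the map-specific base/scope/filter lines used above), reports those settings, and produces the corrected tls_reqcert value. The sample configs inside it are constructed in the shape of the posted ones; host names, DNs, passwords and the CA path used in the hardened variant are placeholders and assumptions.

```python
"""Static review of an nslcd.conf (added example, not from the thread or from
nss-pam-ldapd): parses the nslcd.conf(5) option format and flags weak settings."""
import re
from typing import Dict, List, Tuple

# Map names nslcd.conf(5) accepts as the optional first argument of base/scope/filter.
NSLCD_MAPS = {"alias", "aliases", "ether", "ethers", "group", "host", "hosts",
              "netgroup", "network", "networks", "passwd", "protocol", "protocols",
              "rpc", "service", "services", "shadow"}
# option -> [(map name, or '' for the global setting, value), ...] in file order
Conf = Dict[str, List[Tuple[str, str]]]


def parse_nslcd_conf(text: str) -> Conf:
    """Comments and blank lines are ignored, option names are case-insensitive,
    every occurrence is kept; the checks below treat the last one as effective."""
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        map_name = ""
        if key in ("base", "scope", "filter"):  # e.g. 'base passwd ou=users,...'
            head = re.split(r"\s+", rest, maxsplit=1)
            if len(head) == 2 and head[0].lower() in NSLCD_MAPS:
                map_name, rest = head[0].lower(), head[1]
        conf.setdefault(key, []).append((map_name, rest))
    return conf


def lint_nslcd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for weak settings in the config."""
    conf = parse_nslcd_conf(text)
    findings: List[Tuple[str, str]] = []
    uris = [v.lower() for _, v in conf.get("uri", [])]
    ssl_mode = conf["ssl"][-1][1].lower() if "ssl" in conf else "off"
    encrypted = ssl_mode != "off" or any(u.startswith("ldaps://") for u in uris)
    cleartext = [] if ssl_mode != "off" else [u for u in uris if u.startswith("ldap://")]
    if cleartext:
        findings.append(("CLEARTEXT_URI", f"{', '.join(cleartext)} without 'ssl start_tls': "
                         "bind password and directory data cross the network in clear"))
    reqcert = [v.lower() for _, v in conf.get("tls_reqcert", [])]
    if encrypted and reqcert and reqcert[-1] not in ("demand", "hard"):
        findings.append(("TLS_REQCERT", f"tls_reqcert {reqcert[-1]} does not insist on a "
                         "valid server certificate (never/allow accept a bad one, try "
                         "accepts none), so TLS proves nothing about which server "
                         "answered; use 'tls_reqcert demand'"))
    if encrypted and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("NO_CA", "no tls_cacertfile/tls_cacertdir here: certificate "
                         "checks depend on what the LDAP library's own ldap.conf sets"))
    secrets = [opt for opt in ("bindpw", "rootpwmodpw") if opt in conf]
    if secrets:
        findings.append(("SECRET_IN_FILE", f"{', '.join(secrets)} stored in clear: the "
                         "file must be owned by root and unreadable by other users"))
    if "rootpwmoddn" in conf and "rootpwmodpw" in conf:
        dn = conf["rootpwmoddn"][-1][1]
        findings.append(("ADMIN_PW_ON_CLIENT", f"rootpwmodpw hands this client the "
                         f"password of {dn}; if that is the directory's root DN, every "
                         "such client holds full admin credentials"))
    return findings


def set_tls_reqcert(text: str, level: str = "demand") -> str:
    """Replace every tls_reqcert line by one 'tls_reqcert <level>' (append if absent)."""
    out, done = [], False
    for raw in text.splitlines():
        if re.match(r"\s*tls_reqcert\b", raw, re.IGNORECASE):
            if not done:
                out.append(f"tls_reqcert {level}")
                done = True
            continue
        out.append(raw)
    if not done:
        out.append(f"tls_reqcert {level}")
    return "\n".join(out) + "\n"


# Constructed sample in the shape of the first posted config (389DS server,
# ldaps:// with 'tls_reqcert allow' and no CA file); names are placeholders.
CLIENT_A = """\
uri     ldaps://ldap.example.org/
base    dc=example,dc=org
base    group   ou=Groups,o=org1,dc=example,dc=org
filter  passwd  (&(objectClass=posixAccount)(|(ou:dn:=People)(ou:dn:=Computers)))
scope   sub
scope   group   one
binddn  cn=Application Manager,cn=config
bindpw  XXXXXXXXXXXXX
tls_reqcert     allow
"""
# Constructed sample in the shape of the second posted config (local slapd,
# 'tls_reqcert never', rootdn password kept in nslcd.conf); placeholders only.
CLIENT_B = """\
uri                     ldaps://127.0.0.1:636/
binddn                  uid=ldapmanager,ou=users,dc=example,dc=org
bindpw                  placeholder-1
rootpwmoddn             cn=ldapadmin,dc=example,dc=org
rootpwmodpw             placeholder-2
ssl on
tls_reqcert never
tls_cacertfile /etc/ssl/keys/cacert.pem
"""
# Hardened variant of CLIENT_A: verify the chain against a pinned CA (assumed path).
CLIENT_A_HARDENED = set_tls_reqcert(CLIENT_A) + "tls_cacertfile /etc/pki/tls/certs/ca.pem\n"
```

To review a real file, import the module and call lint_nslcd_conf() on the text of /etc/nslcd.conf; lint_nslcd_conf(CLIENT_A) reports TLS_REQCERT, NO_CA and SECRET_IN_FILE, and the hardened variant only SECRET_IN_FILE, since the bind password still has to live somewhere on the client. The script checks settings, not reachability: to reproduce the "Can't contact LDAP server" failure outside nslcd, openssl s_client -connect host:636 shows the certificate chain the server actually presents, and ldapsearch -H ldaps://host/ -x -D '<binddn>' -W -b '<base>' exercises the same bind nslcd performs.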
