Re: [nssldap] RV: Unix id command and Openldap

[Patrick Wolfe <pwolfe [at] employease.com>]

sure, why not.  Note:  I've removed the passwords from slapd.conf,  
plus we have a couple of other programs integrated (sudo, freeradius  
sendmail) so you might not need the exact same list of schemas.  Also,  
to protect user passwords otherwise sent in cleartext, we use LDAPS  
(SSL) to encrypt the ldap sessions.  We have our own internal SSL CA  
where we issue certificates to our ldap servers.  Our clients only  
trust openldap servers which have certificates that were issued by our  
own CA as an added protection.

Attachment: slapd.conf
Description: Binary data

Attachment: ldap.conf
Description: Binary data

On Dec 26, 2008, at 7:30 AM, <okossuth@antel.com.uy> <okossuth@antel.com.uy 
> wrote:

> Hi
>
> Could you send me your client's ldap.conf and your  server's  
> slapd.conf to see
> if I have something wrong?
>
> thanks!
>
> Saludos,
>
>
> Oskar Kossuth
> Administrador UNIX
> ANTEL Telecomunicaciones
>
> -----Mensaje original-----
> De: Patrick Wolfe [pwolfe [at] employease.com]
> Enviado el: Monday, December 22, 2008 5:57 PM
> Para: Kossuth Espinosa, Oskar
> CC: pwolfe@employease.com; nssldap@padl.com
> Asunto: Re: [nssldap] RV: Unix id command and Openldap
>
> I have one SLES 10 SP2 VM configured with ldap authentication, and the
> "id" command works just fine.  My /etc/nsswitch.conf "passwd" and
> "group" lines are set to "compat", not "files ldap".
>
>
> --
>
> Patrick Wolfe
> ADP Employease
> 770-325-7724
>
>
>
> On Dec 22, 2008, at 3:47 PM, <okossuth@antel.com.uy> wrote:
>
> > I'm using suse linux enterprise server 10 SP1
> >
> >
> > Saludos,
> >
> > Oskar Kossuth
> > Administrador UNIX
> > ANTEL Telecomunicaciones
> >
> >
> > -----Mensaje original-----
> > De: Patrick Wolfe [pwolfe [at] employease.com]
> > Enviado el: Monday, December 22, 2008 5:23 PM
> > Para: Kossuth Espinosa, Oskar
> > CC: pwolfe@employease.com; nssldap@padl.com
> > Asunto: Re: [nssldap] RV: Unix id command and Openldap
> >
> > perhaps your installed "id" command doesn't support the nsswitch.conf
> > file and it's associated library.  You might need to recompile it.
> > What distro and version of UNIX are you using?
> >
> >
> > --
> >
> > Patrick Wolfe
> > ADP Employease
> > 770-325-7724
> >
> >
> >
> > On Dec 22, 2008, at 3:14 PM, <okossuth@antel.com.uy> wrote:
> >
> > > of course I have done that..
> > > any other ideas?
> > >
> > > Saludos,
> > >
> > > Oskar Kossuth
> > > Administrador UNIX
> > > ANTEL Telecomunicaciones
> > >
> > >
> > > -----Mensaje original-----
> > > De: owner-nssldap@padl.com [owner-nssldap [at] padl.com] En nombre
> > > de Patrick Wolfe
> > > Enviado el: Monday, December 22, 2008 5:04 PM
> > > Para: Kossuth Espinosa, Oskar
> > > CC: nssldap@padl.com
> > > Asunto: Re: [nssldap] RV: Unix id command and Openldap
> > >
> > > the "id" command works fine on our FreeBSD 6 and CentOS 4.x/5.x
> > > servers.  Make sure your /etc/nsswitch.conf says "passwd: files  
> > > ldap"
> > > and "group: files ldap", or else id won't be searching ldap for ids
> > > and groups.
> > >
> > > --
> > >
> > > Patrick Wolfe
> > > ADP Employease
> > > 770-325-7724
> > >
> > >
> > >
> > > On Dec 22, 2008, at 2:15 PM, <okossuth@antel.com.uy> wrote:
> > >
> > > > Hi
> > > >
> > > >
> > > >
> > > > Does the id command works with a system using OPENLDAP
> > > > authentication ?
> > > >
> > > > I have implemented a server with openldap 2.3 and several clients
> > > > use this system to authenticate
> > > >
> > > > users, and works fine except that when I do a "id user" on a client
> > > > it only gives me the information of the primary
> > > >
> > > > group which the user belongs to and not of the suplementary groups
> > > > that he is also a member of in the LDAP server...
> > > >
> > > > any ideas??
> > > >
> > > > im sending you the /etc/ldap.conf and /etc/nsswitch.conf of the
> > > > client.
> > > >
> > > > thanks for your help
> > > >
> > > >
> > > >
> > > > Saludos,
> > > >
> > > > Oskar Kossuth
> > > > Administrador UNIX
> > > > ANTEL Telecomunicaciones
> > > >
> > > >
> > > > -----Mensaje original-----
> > > > De: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org  
> > > > [openldap-technical-bounces+okossuth=antel.com.uy [at] OpenLDAP.org
> > > > ] En nombre de Andrew Findlay
> > > > Enviado el: Wednesday, December 17, 2008 2:00 PM
> > > > Para: Kossuth Espinosa, Oskar
> > > > CC: openldap-technical@openldap.org; claus.kick@siemens.com
> > > > Asunto: Re: Unix id command and Openldap
> > > >
> > > > On Wed, Dec 17, 2008 at 02:20:40PM -0200, okossuth@antel.com.uy
> > > > wrote:
> > > >
> > > > > My problem is that I only see the primary group without the
> > > > > supplementary ones, whenever the groups are stored in the LDAP if
> > > > > the
> > > > > user is in the ldap server.
> > > >
> > > > This sounds more like an NSS problem than a purely OpenLDAP one,
> > > > so you may get more help by posting to nssldap@padl.com.
> > > >
> > > > Please post the 'passwd' and 'group' lines from /etc/nsswitch.conf
> > > > and also the /etc/ldap.conf file (with passwords obscured).
> > > >
> > > > It would also be worth running slapd at debug level 768 and posting
> > > > what gets logged when you run the 'id' command.
> > > >
> > > > Andrew
> > > > --
> > > > -----------------------------------------------------------------------
> > > > |                 From Andrew Findlay, Skills 1st
> > > > Ltd                 |
> > > > | Consultant in large-scale systems, networks, and directory
> > > > services |
> > > > |     http://www.skills-1st.co.uk/                +44 1628
> > > > 782565     |
> > > > -----------------------------------------------------------------------
> > > >
> > > > El   presente  correo   y   cualquier    posible   archivo
> > > > adjunto  está
> > > > dirigido  únicamente  al destinatario  del  mensaje y contiene
> > > > información
> > > > que  puede ser  confidencial.  Si  Ud. no es el destinatario
> > > > correcto por
> > > > favor notifique al remitente respondiendo  anexando este mensaje y
> > > > elimine
> > > > inmediatamente   el e-mail y los posibles archivos adjuntos al  
> > > > mismo
> > > > de su
> > > > sistema. Está  prohibida  cualquier utilización,  difusión o copia
> > > > de este
> > > > e-mail por   cualquier  persona  o  entidad  que  no  sean las
> > > > específicas
> > > > destinatarias del  mensaje.  ANTEL  no acepta  ninguna
> > > > responsabilidad con
> > > > respecto  a cualquier  comunicación  que  haya sido  emitida
> > > > incumpliendo
> > > > nuestra Política de Seguridad de la Información.
> > > > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> > > > This e-mail and any attachment is confidential and is  intended
> > > > solely for
> > > > the addressee(s).  If you are not  intended  recipient  please
> > > > inform the
> > > > sender immediately,  answering  this  e-mail and  delete it as well
> > > > as the
> > > > attached files. Any use, circulation or copy of this e-mail by  any
> > > > person
> > > > or entity that is not the specific  addressee(s)  is prohibited.
> > > > ANTEL is
> > > > not  responsible  for  any  communication  emitted  without
> > > > respecting our
> > > > Information Security Policy.
> > > > <ldap.conf><nsswitch.conf>