Re: [nssldap] RV: Unix id command and Openldap
- From: Patrick Wolfe <pwolfe [at] employease.com>
- To: "<okossuth [at] antel.com.uy>" <okossuth [at] antel.com.uy>
- Cc: <nssldap [at] padl.com>
- Subject: Re: [nssldap] RV: Unix id command and Openldap
- Date: Fri, 26 Dec 2008 09:14:06 -0500
Apparently the list manager doesn't like attachments. Let me try again:
> Sure, why not. Note: I've removed the passwords from slapd.conf, plus we
> have a couple of other programs integrated (sudo, freeradius, sendmail) so
> you might not need the exact same list of schemas. Also, to protect user
> passwords otherwise sent in cleartext, we use LDAPS (SSL) to encrypt the
> ldap sessions. We have our own internal SSL CA where we issue certificates
> to our ldap servers. Our clients only trust openldap servers which have
> certificates that were issued by our own CA as an added protection.
$ cat slapd.conf
# slapd configuration file
# This file should NOT be world readable.
######################################################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/freeradius.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/sendmail.schema
schemacheck on
pidfile /var/run/openldap/slapd.pid
replica-pidfile /var/run/openldap/slurpd.pid
#argsfile /var/run/openldap/slapd.args
#loglevel 0
# don't limit searches to 500 entries
sizelimit unlimited
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
password-hash {SSHA}
backend bdb
checkpoint 512 30
#######################################################################
database bdb
suffix "dc=eease,dc=com"
directory /var/db/openldap-data
# lastmod on
rootdn "cn=Admin,dc=eease,dc=com"
#rootpw {SSHA}encryptedstring
# replication logfile - written by slapd, read by slurpd
replogfile /var/db/openldap-data/slapd.replog
# replicate to corpauth2
replica uri=ldap://corpauth2.tek.eease.com
        suffix="dc=eease,dc=com"
        binddn="cn=Admin,dc=eease,dc=com"
        credentials=secretpassword
        bindmethod=simple
        tls=yes
index uid,mail eq
index uidNumber,gidNumber,memberUid eq
index uniqueMember pres
index objectClass pres,eq
index cn,sn,givenName,ou pres,eq,sub
# only admin and account owners can read or write passwords
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# allow account owners to change their shell
access to attrs=loginShell,shadowLastChange
        by self write
        by * read
# allow certain people to change email aliases
access to dn.subtree="ou=Aliases,dc=eease,dc=com"
        by dn="uid=pwolfe,ou=People,dc=eease,dc=com" write
        by * read
# default access is read
access to *
        by * read
TLSCipherSuite 3DES:RC4:EXPORT40
# certificate authority's certificate file
TLSCACertificateFile /usr/local/etc/openldap/EmployeaseCA-cert.pem
# this server's certificate file
TLSCertificateFile /usr/local/etc/openldap/corpauth1-cert.pem
# this server's private key file
TLSCertificateKeyFile /usr/local/etc/openldap/keys/corpauth1-key.pem
sasl-secprops none
$ cat ldap.conf
#
# openldap client config file for libpam_ldap and libnss_ldap and sudo on linux server
#
base dc=eease,dc=com
uri ldaps://corpauth1.tek.eease.com/ ldaps://corpauth2.tek.eease.com/
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password exop
nss_base_passwd ou=People,dc=eease,dc=com?one
nss_base_shadow ou=People,dc=eease,dc=com?one
nss_base_group ou=Group,dc=eease,dc=com?one
tls_checkpeer yes
tls_cacertfile /etc/openldap/EmployeaseCA-cert.pem
timeout 10
bind_timelimit 5
bind_policy soft
sudoers_base ou=SUDOers,dc=eease,dc=com
sudoers_debug 0
On Dec 26, 2008, at 7:30 AM, <okossuth@antel.com.uy> wrote:
Hi
Could you send me your client's ldap.conf and your server's slapd.conf to see
if I have something wrong?
Thanks!
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: Patrick Wolfe [pwolfe [at] employease.com]
Sent: Monday, December 22, 2008 5:57 PM
To: Kossuth Espinosa, Oskar
CC: pwolfe@employease.com; nssldap@padl.com
Subject: Re: [nssldap] RV: Unix id command and Openldap
I have one SLES 10 SP2 VM configured with ldap authentication, and the
"id" command works just fine. My /etc/nsswitch.conf "passwd" and
"group" lines are set to "compat", not "files ldap".
--
Patrick Wolfe
ADP Employease
770-325-7724
On Dec 22, 2008, at 3:47 PM, <okossuth@antel.com.uy> wrote:
I'm using suse linux enterprise server 10 SP1
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: Patrick Wolfe [pwolfe [at] employease.com]
Sent: Monday, December 22, 2008 5:23 PM
To: Kossuth Espinosa, Oskar
CC: pwolfe@employease.com; nssldap@padl.com
Subject: Re: [nssldap] RV: Unix id command and Openldap
Perhaps your installed "id" command doesn't support the nsswitch.conf
file and its associated library. You might need to recompile it.
What distro and version of UNIX are you using?
--
Patrick Wolfe
ADP Employease
770-325-7724
On Dec 22, 2008, at 3:14 PM, <okossuth@antel.com.uy> wrote:
Of course I have done that.
Any other ideas?
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: owner-nssldap@padl.com [owner-nssldap [at] padl.com] On behalf of Patrick Wolfe
Sent: Monday, December 22, 2008 5:04 PM
To: Kossuth Espinosa, Oskar
CC: nssldap@padl.com
Subject: Re: [nssldap] RV: Unix id command and Openldap
the "id" command works fine on our FreeBSD 6 and CentOS 4.x/5.x
servers. Make sure your /etc/nsswitch.conf says "passwd: files
ldap"
and "group: files ldap", or else id won't be searching ldap for ids
and groups.
--
Patrick Wolfe
ADP Employease
770-325-7724
On Dec 22, 2008, at 2:15 PM, <okossuth@antel.com.uy> wrote:
Hi
Does the id command work with a system using OPENLDAP authentication?
I have implemented a server with openldap 2.3 and several clients use
this system to authenticate users, and it works fine except that when I
do an "id user" on a client it only gives me the information of the
primary group which the user belongs to and not of the supplementary
groups that he is also a member of in the LDAP server...
Any ideas??
I'm sending you the /etc/ldap.conf and /etc/nsswitch.conf of the client.
Thanks for your help
Regards,
Oskar Kossuth
UNIX Administrator
ANTEL Telecomunicaciones
-----Original Message-----
From: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org
[openldap-technical-bounces+okossuth=antel.com.uy [at] OpenLDAP.org]
On behalf of Andrew Findlay
Sent: Wednesday, December 17, 2008 2:00 PM
To: Kossuth Espinosa, Oskar
CC: openldap-technical@openldap.org; claus.kick@siemens.com
Subject: Re: Unix id command and Openldap
On Wed, Dec 17, 2008 at 02:20:40PM -0200, okossuth@antel.com.uy wrote:
My problem is that I only see the primary group without the
supplementary ones, whenever the groups are stored in the LDAP if the
user is in the ldap server.
This sounds more like an NSS problem than a purely OpenLDAP one,
so you may get more help by posting to nssldap@padl.com.
Please post the 'passwd' and 'group' lines from /etc/nsswitch.conf
and also the /etc/ldap.conf file (with passwords obscured).
It would also be worth running slapd at debug level 768 and posting
what gets logged when you run the 'id' command.
Andrew
--
Andrew Findlay, Skills 1st Ltd
Consultant in large-scale systems, networks, and directory services
http://www.skills-1st.co.uk/ +44 1628 782565
This e-mail and any attachment is confidential and is intended solely for
the addressee(s). If you are not the intended recipient please inform the
sender immediately, answering this e-mail, and delete it as well as the
attached files. Any use, circulation or copy of this e-mail by any person
or entity that is not the specific addressee(s) is prohibited. ANTEL is
not responsible for any communication emitted without respecting our
Information Security Policy.
<ldap.conf><nsswitch.conf>
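A shell check for the two things the thread asks about, namely whether nsswitch.conf actually sends the "group" database to ldap (or compat, as on the SLES box) and which directory groups "id" is failing to report; added here as an example, not code from any message in the thread. The nsswitch.conf fragment and the /etc/group-format data are constructed, and the function names are mine.

```shell
# Constructed nsswitch.conf fragment: the "group" line omits the ldap source.
SAMPLE_NSSWITCH='passwd: files ldap
shadow: files ldap
group:  files'

# Constructed /etc/group-format data, as "getent group" returns posixGroup
# entries whose memberUid attributes list the user.
SAMPLE_GROUPS='users:x:100:
wheel:x:10:okossuth,pwolfe
sudoers:x:2001:okossuth
radius:x:2002:pwolfe'

# nss_sources DB TEXT: print the sources configured for database DB
# (passwd, group, ...) in nsswitch.conf contents TEXT.
nss_sources() {
    printf '%s\n' "$2" | awk -v db="$1" \
        '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_uses_ldap DB TEXT: succeed if DB is resolved through ldap, or through
# compat (which can chain to ldap via +/- entries in the local files).
nss_uses_ldap() {
    for s in $(nss_sources "$1" "$2"); do
        case "$s" in ldap|compat) return 0 ;; esac
    done
    return 1
}

# expected_groups USER TEXT: names of groups in TEXT whose member list
# contains USER, i.e. the supplementary groups the directory grants.
expected_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# missing_groups USER ACTUAL TEXT: groups the directory grants USER that are
# absent from ACTUAL, the space-separated output of "id -Gn USER".
missing_groups() {
    for g in $(expected_groups "$1" "$3"); do
        case " $2 " in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
    done
}

# Stand-alone run against the constructed data. On a real client feed it
# "$(cat /etc/nsswitch.conf)", "$(getent group)" and "$(id -Gn USER)".
nss_uses_ldap group "$SAMPLE_NSSWITCH" \
    || echo "group database does not consult ldap (or compat)"
missing_groups okossuth "users" "$SAMPLE_GROUPS"
```

If the second check prints groups that "getent group" can see but "id" does not, the group entries are reachable through NSS and the problem is on the id/nsswitch side; if "getent group" itself lacks them, look at the client's nss_base_group and the slapd debug output Andrew suggested.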