Re: [nssldap] RV: Unix id command and Openldap

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Patrick Wolfe <pwolfe [at] employease.com>
To: "<okossuth [at] antel.com.uy>" <okossuth [at] antel.com.uy>
Cc: <nssldap [at] padl.com>
Subject: Re: [nssldap] RV: Unix id command and Openldap
Date: Fri, 26 Dec 2008 09:14:06 -0500

Apparently the list manager doesn't like attachments.  let me try again:

> sure, why not. Note: I've removed the passwords from slapd.conf,plus we have a couple of other programs integrated (sudo, freeradiussendmail) so> you might not need the exact same list of schemas. Also, toprotect user passwords otherwise sent in cleartext, we use LDAPS (SSL)to encrypt the> ldap sessions. We have our own internal SSL CA where we issuecertificates to our ldap servers. Our clients only trust openldapservers which have

> certificates that were issued by our own CA as an added protection.

$ cat slapd.conf
# slapd configuration file
# This file should NOT be world readable.
######################################################################

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/freeradius.schema
include         /usr/local/etc/openldap/schema/sudo.schema
include         /usr/local/etc/openldap/schema/sendmail.schema
schemacheck     on

pidfile         /var/run/openldap/slapd.pid
replica-pidfile /var/run/openldap/slurpd.pid
#argsfile       /var/run/openldap/slapd.args
#loglevel       0

# don't limit searches to 500 entries
sizelimit       unlimited

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

password-hash   {SSHA}

backend         bdb
checkpoint      512 30

#######################################################################
database        bdb
suffix          "dc=eease,dc=com"
directory       /var/db/openldap-data
# lastmod       on

rootdn          "cn=Admin,dc=eease,dc=com"
#rootpw         {SSHA}encryptedstring

# replication logfile - written by slapd, read by slurpd
replogfile      /var/db/openldap-data/slapd.replog

# replicate to corpauth2
replica         uri=ldap://corpauth2.tek.eease.com
                suffix="dc=eease,dc=com"
                binddn="cn=Admin,dc=eease,dc=com"
                credentials=secretpassword
                bindmethod=simple
                tls=yes

index   uid,mail                        eq
index   uidNumber,gidNumber,memberUid   eq
index   uniqueMember                    pres
index   objectClass                     pres,eq
index   cn,sn,givenName,ou              pres,eq,sub

# only admin and account owners can read or write passwords
access to attrs=userPassword
        by self write
        by anonymous auth
∂       by * none

# allow account owners to change their shell
access to attrs=loginShell,shadowLastChange
        by self write
        by * read

# allow certain people to change email aliases
access to dn.subtree="ou=Aliases,dc=eease,dc=com"
        by dn="uid=pwolfe,ou=People,dc=eease,dc=com" write
        by * read

# default access is read
access to *
        by * read

TLSCipherSuite 3DES:RC4:EXPORT40
# certificate authority's certificate file
TLSCACertificateFile /usr/local/etc/openldap/EmployeaseCA-cert.pem
# this server's certificate file
TLSCertificateFile /usr/local/etc/openldap/corpauth1-cert.pem
# this server's private key file
TLSCertificateKeyFile /usr/local/etc/openldap/keys/corpauth1-key.pem

sasl-secprops none

$ cat ldap.conf
#

# openldap client config file for libpam_ldap and libnss_ldap and sudoon linux server

#
base dc=eease,dc=com
uri ldaps://corpauth1.tek.eease.com/ ldaps://corpauth2.tek.eease.com/
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password exop
nss_base_passwd ou=People,dc=eease,dc=com?one
nss_base_shadow ou=People,dc=eease,dc=com?one
nss_base_group ou=Group,dc=eease,dc=com?one
tls_checkpeer yes
tls_cacertfile /etc/openldap/EmployeaseCA-cert.pem
timeout 10
bind_timelimit 5
bind_policy soft
sudoers_base ou=SUDOers,dc=eease,dc=com
sudoers_debug 0

On Dec 26, 2008, at 7:30 AM, <okossuth@antel.com.uy> <okossuth@antel.com.uy> wrote:

Hi

Could you send me your client's ldap.conf and your server'sslapd.conf to see

if I have something wrong?

thanks!

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones

-----Mensaje original-----
De: Patrick Wolfe [pwolfe [at] employease.com]
Enviado el: Monday, December 22, 2008 5:57 PM
Para: Kossuth Espinosa, Oskar
CC: pwolfe@employease.com; nssldap@padl.com
Asunto: Re: [nssldap] RV: Unix id command and Openldap

I have one SLES 10 SP2 VM configured with ldap authentication, and the
"id" command works just fine.  My /etc/nsswitch.conf "passwd" and
"group" lines are set to "compat", not "files ldap".


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:47 PM, <okossuth@antel.com.uy> wrote:

I'm using suse linux enterprise server 10 SP1


Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: Patrick Wolfe [pwolfe [at] employease.com]
Enviado el: Monday, December 22, 2008 5:23 PM
Para: Kossuth Espinosa, Oskar
CC: pwolfe@employease.com; nssldap@padl.com
Asunto: Re: [nssldap] RV: Unix id command and Openldap

perhaps your installed "id" command doesn't support the nsswitch.conf
file and it's associated library.  You might need to recompile it.
What distro and version of UNIX are you using?


--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 3:14 PM, <okossuth@antel.com.uy> wrote:

of course I have done that..
any other ideas?

Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----
De: owner-nssldap@padl.com [owner-nssldap [at] padl.com] En nombre
de Patrick Wolfe
Enviado el: Monday, December 22, 2008 5:04 PM
Para: Kossuth Espinosa, Oskar
CC: nssldap@padl.com
Asunto: Re: [nssldap] RV: Unix id command and Openldap

the "id" command works fine on our FreeBSD 6 and CentOS 4.x/5.x

servers. Make sure your /etc/nsswitch.conf says "passwd: filesldap"

and "group: files ldap", or else id won't be searching ldap for ids
and groups.

--

Patrick Wolfe
ADP Employease
770-325-7724



On Dec 22, 2008, at 2:15 PM, <okossuth@antel.com.uy> wrote:

Hi



Does the id command works with a system using OPENLDAP
authentication ?

I have implemented a server with openldap 2.3 and several clients
use this system to authenticate

users, and works fine except that when I do a "id user" on a client
it only gives me the information of the primary

group which the user belongs to and not of the suplementary groups
that he is also a member of in the LDAP server...

any ideas??

im sending you the /etc/ldap.conf and /etc/nsswitch.conf of the
client.

thanks for your help



Saludos,

Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones


-----Mensaje original-----

De: openldap-technical-bounces+okossuth=antel.com.uy@OpenLDAP.org[openldap-technical-bounces+okossuth=antel.com.uy [at] OpenLDAP.org

] En nombre de Andrew Findlay
Enviado el: Wednesday, December 17, 2008 2:00 PM
Para: Kossuth Espinosa, Oskar
CC: openldap-technical@openldap.org; claus.kick@siemens.com
Asunto: Re: Unix id command and Openldap

On Wed, Dec 17, 2008 at 02:20:40PM -0200, okossuth@antel.com.uy
wrote:

My problem is that I only see the primary group without the
supplementary ones, whenever the groups are stored in the LDAP if
the
user is in the ldap server.


This sounds more like an NSS problem than a purely OpenLDAP one,
so you may get more help by posting to nssldap@padl.com.

Please post the 'passwd' and 'group' lines from /etc/nsswitch.conf
and also the /etc/ldap.conf file (with passwords obscured).

It would also be worth running slapd at debug level 768 and posting
what gets logged when you run the 'id' command.

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st
Ltd                 |
| Consultant in large-scale systems, networks, and directory
services |
|     http://www.skills-1st.co.uk/                +44 1628
782565     |
-----------------------------------------------------------------------

El   presente  correo   y   cualquier    posible   archivo
adjunto  está
dirigido  únicamente  al destinatario  del  mensaje y contiene
información
que  puede ser  confidencial.  Si  Ud. no es el destinatario
correcto por
favor notifique al remitente respondiendo  anexando este mensaje y
elimine

inmediatamente el e-mail y los posibles archivos adjuntos almismo

de su

sistema. Está prohibida cualquier utilización, difusión ocopia

de este
e-mail por   cualquier  persona  o  entidad  que  no  sean las
específicas
destinatarias del  mensaje.  ANTEL  no acepta  ninguna
responsabilidad con
respecto  a cualquier  comunicación  que  haya sido  emitida
incumpliendo
nuestra Política de Seguridad de la Información.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
This e-mail and any attachment is confidential and is  intended
solely for
the addressee(s).  If you are not  intended  recipient  please
inform the
sender immediately,  answering  this  e-mail and  delete it as well
as the
attached files. Any use, circulation or copy of this e-mail by  any
person
or entity that is not the specific  addressee(s)  is prohibited.
ANTEL is
not  responsible  for  any  communication  emitted  without
respecting our
Information Security Policy.
<ldap.conf><nsswitch.conf>

RE: [nssldap] RV: Unix id command and Openldap, (continued)

Prev by Date: Re: [nssldap] RV: Unix id command and Openldap
Next by Date: Re: [nssldap] RV: Unix id command and Openldap
Previous by thread: Re: [nssldap] RV: Unix id command and Openldap
Next by thread: Re: [nssldap] RV: Unix id command and Openldap