[389-users] CentOS5 Desktops authenticating to 389 Directory Server
John A. Sullivan III
jsullivan at opensourcedevel.com
Fri May 22 01:38:51 UTC 2009
On Fri, 2009-05-22 at 12:00 +1200, Clint Dilks wrote:
> Hi Everyone.
>
> I am doing some LDAP testing. I have setup a 389 Directory Server on
> CentOS 5 and using the default schema I have populated it with a couple
> of users. I then did the configuration on the client that I thought was
> needed to make it authenticate.
>
> To test this I expected to be able to use id <uidNumber> of a user I had
> defined.
> But I get:
>
> id: 1001: No such user
> id: 5001: No such user
>
> I then thought perhaps it was an LDAP permissions problem so I tried
> binding to the LDAP server using a user I know has full rights using
> these entries in /etc/openldap/ldap.conf there was no change.
>
> BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
> BINDPW LDAPt3st
>
> I can query these users from a desktop that I want to use the LDAP
> server as an authentication source.
>
> Using
>
> ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b
> dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks
> # extended LDIF
> #
> # LDAPv3
> # base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
> # filter: uid=LDilks
> # requesting: ALL
> #
>
> # LDilks, People, scms.waikato.ac.nz
> dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz
> givenName: LDAP-Clint
> sn: Dilks
> telephoneNumber: 4546
> loginShell: /bin/bash
> gidNumber: 1001
> uidNumber: 1001
> mail: clintd at scms.waikato.ac.nz
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: LDilks
> gecos: A Test LDAP account
> cn: LDAP-Clint Dilks
> homeDirectory: /home/LDAP-clint
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root at distilled2 ~]# ldapsearch -x -H
> ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz
> uid=BBuilder
> # extended LDIF
> #
> # LDAPv3
> # base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
> # filter: uid=BBuilder
> # requesting: ALL
> #
>
> # BBuilder, scms.waikato.ac.nz
> dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz
> givenName: Bob
> sn: Builder
> loginShell: /bin/bash
> uidNumber: 5001
> gidNumber: 5001
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: BBuilder
> gecos: Got to love Cartoons
> cn: Bob Builder
> homeDirectory: /home/bob
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> The three config files I am aware of are
>
> cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldap://distilled.scms.waikato.ac.nz
> BASE dc=scms.dc=waikato,dc=ac,dc=nz
> #BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
> #BINDPW LDAPt3st
> TLS_CACERTDIR /etc/openldap/cacerts
>
> cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> Can anyone give me any pointers as to where I am going wrong? And can
> anyone confirm or deny that by default I should be able to bind
> anonymously and get the required authentication information?
>
> Thank you for any help you can offer.
<snip>
Interesting! I know my setup is working yet, if I do id <uidnumber>, it
comes back with no such user. If I do id <uid>, it returns the
appropriate information from LDAP. I have not taken the time to figure
out why there is a difference. What happens if you do id <uid>? - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society