[389-users] CentOS5 Desktops authenticating to 389 Directory Server

John A. Sullivan III jsullivan at opensourcedevel.com
Fri May 22 01:38:51 UTC 2009


On Fri, 2009-05-22 at 12:00 +1200, Clint Dilks wrote:
> Hi Everyone.
> 
> I am doing some LDAP testing.  I have setup a 389 Directory Server on
> CentOS 5 and using the default schema I have populated it with a couple
> of users. I then did the configuration on the  client that I thought was
> needed to make it authenticate.
> 
> To test this I expected to be able to use id <uidNumber> of a user I had
> defined.
> But I get id: 1001: No such user id: 5001: No such user
> 
> I then thought perhaps it was an LDAP permissions problem so I tried
> binding to the LDAP server using a user I know has full rights using
> these entries in /etc/openldap/ldap.conf  there was no change.
> 
> BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
> BINDPW LDAPt3st
> 
> I can query these users from a desktop that I want to use the LDAP
> server as an authentication source.
> 
> Using
> 
> ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b
> dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks
> # extended LDIF
> #
> # LDAPv3
> # base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
> # filter: uid=LDilks
> # requesting: ALL
> #
> 
> # LDilks, People, scms.waikato.ac.nz
> dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz
> givenName: LDAP-Clint
> sn: Dilks
> telephoneNumber: 4546
> loginShell: /bin/bash
> gidNumber: 1001
> uidNumber: 1001
> mail: clintd at scms.waikato.ac.nz
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: LDilks
> gecos: A Test LDAP account
> cn: LDAP-Clint Dilks
> homeDirectory: /home/LDAP-clint
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> [root at distilled2 ~]# ldapsearch -x -H
> ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz
> uid=BBuilder
> # extended LDIF
> #
> # LDAPv3
> # base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
> # filter: uid=BBuilder
> # requesting: ALL
> #
> 
> # BBuilder, scms.waikato.ac.nz
> dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz
> givenName: Bob
> sn: Builder
> loginShell: /bin/bash
> uidNumber: 5001
> gidNumber: 5001
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: BBuilder
> gecos: Got to love Cartoons
> cn: Bob Builder
> homeDirectory: /home/bob
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> The three config files I am aware of are
> 
> cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> #BASE   dc=example, dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
> 
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> URI ldap://distilled.scms.waikato.ac.nz
> BASE dc=scms.dc=waikato,dc=ac,dc=nz
> #BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
> #BINDPW LDAPt3st
> TLS_CACERTDIR /etc/openldap/cacerts
> 
> cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files ldap
> publickey:  nisplus
> automount:  files ldap
> aliases:    files nisplus
> 
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> 
> Can anyone give me any pointers as to where I am going wrong? And can
> anyone confirm or deny that by default I should be able to bind
> anonymously and get the required authentication information?
> 
> Thank you for any help you can offer.
<snip>
Interesting! I know my setup is working, yet if I do id <uidnumber>, it
comes back with no such user.  If I do id <uid>, it returns the
appropriate information from LDAP.  I have not taken the time to figure
out why there is a difference.  What happens if you do id <uid>? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
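The two lookups John contrasts (id by login name versus id by numeric uid) are two different NSS calls, getpwnam and getpwuid, and nss_ldap turns them into two different LDAP filters: one on the uid attribute, the other on uidNumber. The example below is added here and is not code from either poster; it models both lookups over a constructed LDIF sample patterned on the entries Clint posted, and it also checks the BASE line of an ldap.conf for malformed RDNs, since the quoted file carries `dc=scms.dc=waikato` (a `.` where DN syntax needs a `,`). Whether that typo is the cause of Clint's symptom is not established in the thread; the function names and the sample data are this example's own.

```python
"""Added example (not from the thread): model NSS passwd lookups by login
name and by numeric uid over an LDIF sample, and lint the BASE line of an
ldap.conf for DN syntax errors."""
import re

# Constructed sample LDIF, modelled on the ldapsearch output in the thread.
SAMPLE_LDIF = """\
dn: uid=LDilks,ou=People,dc=scms,dc=waikato,dc=ac,dc=nz
uid: LDilks
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/LDAP-clint
loginShell: /bin/bash
gecos: A Test LDAP account
objectClass: posixAccount
objectClass: inetorgperson

dn: uid=BBuilder,dc=scms,dc=waikato,dc=ac,dc=nz
uid: BBuilder
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/bob
loginShell: /bin/bash
gecos: Got to love Cartoons
objectClass: posixAccount
objectClass: inetorgperson
"""


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64 values) into a
    list of dicts mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # ldapsearch comment line
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _is_posix(entry):
    return "posixAccount" in entry.get("objectClass", [])


def _to_passwd(entry):
    """Render an entry as the passwd(5) line NSS hands to id(1)."""
    return "%s:x:%s:%s:%s:%s:%s" % (
        entry["uid"][0], entry["uidNumber"][0], entry["gidNumber"][0],
        entry.get("gecos", [""])[0], entry["homeDirectory"][0],
        entry["loginShell"][0])


def getpwnam(entries, name):
    """Lookup by login name: nss_ldap sends
    (&(objectClass=posixAccount)(uid=NAME)) for this call."""
    for e in entries:
        if _is_posix(e) and name in e.get("uid", []):
            return _to_passwd(e)
    return None


def getpwuid(entries, uidnumber):
    """Lookup by numeric id: nss_ldap sends
    (&(objectClass=posixAccount)(uidNumber=N)) for this call, so a
    server must answer searches on uidNumber, not only on uid."""
    for e in entries:
        if _is_posix(e) and str(uidnumber) in e.get("uidNumber", []):
            return _to_passwd(e)
    return None


# One RDN: attribute type, '=', a value containing no ',' or '='.
DN_COMPONENT = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^,=]+\s*$")


def check_base_dn(ldap_conf_text):
    """Return a list of problems with the BASE line(s) of an ldap.conf.
    An RDN holding a second '=' (e.g. 'dc=scms.dc=waikato') is the
    footprint of a '.' typed where a ',' belongs."""
    problems = []
    for line in ldap_conf_text.splitlines():
        if not line.upper().startswith("BASE"):
            continue
        parts = line.split(None, 1)
        base = parts[1] if len(parts) > 1 else ""
        for rdn in base.split(","):
            if not DN_COMPONENT.match(rdn):
                problems.append("malformed RDN %r in BASE %r" % (rdn.strip(), base))
    return problems


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    print(getpwnam(db, "LDilks"))
    print(getpwuid(db, 5001))
    print(check_base_dn("BASE dc=scms.dc=waikato,dc=ac,dc=nz"))
```

On a real client the same two paths can be exercised without LDAP tooling with `getent passwd LDilks` and `getent passwd 1001`; if the first resolves and the second does not, the name-based and number-based searches are being answered differently by the server or the client's nss_ldap configuration, which is exactly the split John describes.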

