[Freeipa-users] slapi-nis installation help

garyv garyv at gmoneylove.com
Tue Oct 6 19:58:32 UTC 2009


Again, I appreciate your help.


Seemingly my ldif perhaps was not loaded correctly.
I see no userPassword attribute.

ldapsearch -x -b dc=nes,dc=edited,dc=com

# ttest, users, accounts, nes.edited.com
dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
displayName: Tim  Test
cn: Tim  Test
title: test User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: radiusprofile
loginShell: /bin/bash
gidNumber: 1002
gecos: Tim  Test
sn: Test
homeDirectory: /home/ttest
uid: ttest
mail: tim.test at nes.edited.com
krbPrincipalName: ttest at EDITED
initials: TT
uidNumber: 1102
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=nes,dc=edited,dc=com
krbLastPwdChange: 20091006002554Z
krbPasswordExpiration: 20091006002554Z
givenName: Tim

This is the .ldif file I added, but I do not see a "userPassword" attribute in it.
Am I using a correct .ldif file?


dn: cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: nsSlapdPlugin
add: objectclass: extensibleObject
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
add: nsslapd-plugininitfunc: nis_plugin_init
add: nsslapd-plugintype: object
add: nsslapd-pluginenabled: on
add: nsslapd-pluginid: nis-server
add: nsslapd-pluginversion: 0.15
add: nsslapd-pluginvendor: redhat.com
add: nsslapd-plugindescription: NIS Server Plugin
add: nis-tcp-wrappers-name: nis-server

dn: nis-domain=rwceng+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: passwd.byname
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: passwd.byuid
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: group.byname
add: nis-base: cn=Groups, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: group.bygid
add: nis-base: cn=Groups, dc=nes, dc=edited, dc=com
add: nis-secure: no

dn: nis-domain=rwceng+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: group.upg
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-filter: (objectclass=posixAccount)
add: nis-key-format: %{uid}
add: nis-value-format: %{uid}:*:%{gidNumber}:%{uid}
add: nis-secure: no
add: nis-disallowed-chars: :,

dn: nis-domain=rwceng+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: nis-domain: rwceng
add: nis-map: netid.byname
add: nis-base: cn=Users, dc=nes, dc=edited, dc=com
add: nis-secure: no



Nalin Dahyabhai wrote:
> On Tue, Oct 06, 2009 at 11:33:02AM -0700, Gary Verhulp wrote:
>> Thanks for the response.
>> I have the NIS config on the client setup correctly I believe.
>> This client was moved from my current NIS domain and works fine.
>>
>> It's not that the client does not bind to the new FreeIPA NIS domain, 
>> but rather there is no passwd hash  in the output of ypcat -k passwd so 
>> it has no way to auth.
>>
>> garyv at fell:/var/log$ ypcat -k passwd
>> ttest ttest:*:1102:1002:Tim  Test:/home/ttest:/bin/bash
> 
> The plugin's default configuration has it search for a "crypt" style
> value in the userPassword attribute for that entry, which is what a
> client would understand.  (Specifically, it looks for an entry that
> begins with the magic value "{CRYPT}", strips that off of the front, and
> puts the rest into that field.  Failing that, it uses "*".)
> 
> If you use ldapsearch to search for ttest's entry as the directory
> administrator, do you see values of the form "{CRYPT}xxxxxxxxxxxxx" for
> the entry's "userPassword" attribute?
> 
> If they're base64-encoded (marked by two ':' characters instead of one
> between the attribute name and value in the LDIF output), you may need
> to pipe the value through "openssl base64 -d" or something similar.
> 
> Nalin
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
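As an added illustration (not code from this thread or from slapi-nis), the Python below reproduces the rule Nalin describes: parse an ldapsearch-style LDIF entry, decode a base64 ("::") userPassword value, and build the passwd.byname value with the {CRYPT} hash stripped of its prefix, or "*" when no such value exists, which is exactly what the ypcat output above shows. The entry and its hash are constructed placeholders, not data from the thread.

```python
import base64

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, decoding '::' base64
    values and joining folded continuation lines (those starting with a space)."""
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # 'attr:: <base64>' form used by ldapsearch
            decoded = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            decoded = value.strip()
        entry.setdefault(attr.lower(), []).append(decoded)
    return entry

def nis_password_field(userpasswords):
    """Plugin default as described in the thread: first value beginning with the
    magic '{CRYPT}' prefix, with the prefix removed; otherwise '*'."""
    for value in userpasswords:
        if value.startswith("{CRYPT}"):
            return value[len("{CRYPT}"):]
    return "*"

def passwd_byname_line(entry):
    """Assemble the passwd.byname value in the layout ypcat -k passwd prints."""
    first = lambda attr: entry.get(attr.lower(), [""])[0]
    return ":".join([first("uid"), nis_password_field(entry.get("userpassword", [])),
                     first("uidNumber"), first("gidNumber"), first("gecos"),
                     first("homeDirectory"), first("loginShell")])

# Constructed sample entry with a placeholder crypt hash; ldapsearch emits
# userPassword base64-encoded, hence the '::' separator.
FAKE_HASH = "{CRYPT}$6$placeholdersalt$placeholderhash"
SAMPLE_LDIF = (
    "dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com\n"
    "uid: ttest\nuidNumber: 1102\ngidNumber: 1002\ngecos: Tim Test\n"
    "homeDirectory: /home/ttest\nloginShell: /bin/bash\n"
    "userPassword:: " + base64.b64encode(FAKE_HASH.encode()).decode() + "\n"
)

if __name__ == "__main__":
    print(passwd_byname_line(parse_ldif_entry(SAMPLE_LDIF)))
```

One caveat when checking the real entry: the ldapsearch shown earlier used an anonymous simple bind (-x with no -D), and the directory's default access controls typically hide userPassword from anonymous readers, so a missing attribute in that output does not by itself prove the value is absent.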
