id: cannot find name for user ID 500
Tay, Gary
Gary_Tay at platts.com
Thu Sep 16 17:20:04 UTC 2004
Typo:
binddn cn=proxyagent,ou=profile,dc=example,dc=com, change to yr specific.
-----Original Message-----
From: Tay, Gary on behalf of Tay, Gary
Sent: Fri 9/17/2004 1:17 AM
To: Pluggable Authentication Modules
Cc:
Subject: RE: id: cannot find name for user ID 500
I read the thread, u hv actually posted most of the info.
U r missing binddn and bindpw in /etc/ldap.conf at the ldap client
1) Add a proxyagent person, i.e. import the following into the LDAP tree data
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg
2) Add ACL in slapd.conf to allow proxyagent to read user info. (change the specific pls), and restart ldap service
access to attr=userPassword
        by self write
        by * auth
access to dn="ou=People,dc=example,dc=com"
        by self write
        by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
        by users auth
        by anonymous read
access to * by self write
        by * read
# service ldap restart
3) edit /etc/ldap.conf at ldap client, add these lines on top of what u already have, protect this file as mode 400
binddn cn=proxyagent,ou=profile,dc=platts,dc=mhm,dc=mhc
bindpw password
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
Good luck to u.
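The proxyagent and ACL steps above depend on slapd's first-match evaluation: the first `access to` directive whose target matches the entry and attribute is the only one consulted, and inside it the first matching `by` clause decides the outcome. The evaluator below is an added example, not code from this thread or from OpenLDAP, that replays that logic over a constructed copy of the posted ACL so the intended outcome can be checked before slapd is restarted: the proxyagent gets `read` on the People subtree, anyone other than the entry's owner gets only `auth` on userPassword (enough to bind, not enough to retrieve the hash), and, because `by users auth` comes before `by anonymous read`, an authenticated ordinary user ends up with less access to other people's entries than an anonymous client does. It assumes that a `dn=` target covers the entry and everything beneath it and understands only the `who` forms used in this ACL; slapd.access(5) is authoritative for the real matching styles.

```python
"""Toy first-match evaluator for the slapd.conf ACL quoted in this thread.

Added example, not code from the thread or from OpenLDAP. Assumptions:
a dn="..." target covers the entry and everything beneath it, and only
the <who> forms used in the posted ACL (self, *, users, anonymous,
dn="...") are understood.
"""
import re

# Access levels in increasing order; a granted level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed copy of the ACL posted above (example.com suffix).
ACL_TEXT = """
access to attr=userPassword
        by self write
        by * auth
access to dn="ou=People,dc=example,dc=com"
        by self write
        by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
        by users auth
        by anonymous read
access to * by self write
        by * read
"""


def norm_dn(dn):
    """Case-fold a DN, drop surrounding quotes and whitespace around RDN separators."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order.

    what is ("any", None), ("attr", "<lowercased attribute>") or ("dn", "<normalized dn>").
    """
    rules = []
    for chunk in re.split(r"^\s*access\s+to\s+", text, flags=re.M):
        chunk = " ".join(chunk.split())          # join continuation lines
        if not chunk:
            continue
        what_txt, *by_txts = re.split(r"\s+by\s+", chunk)
        attr_m = re.match(r"attrs?=(.+)$", what_txt)
        if what_txt == "*":
            what = ("any", None)
        elif attr_m:
            what = ("attr", attr_m.group(1).lower())
        elif what_txt.startswith("dn="):
            what = ("dn", norm_dn(what_txt[3:]))
        else:
            raise ValueError("unsupported <what> clause: %s" % what_txt)
        bys = []
        for by in by_txts:
            who, level = by.rsplit(None, 1)      # DN patterns here contain no spaces
            if level not in LEVELS:
                raise ValueError("unknown access level: %s" % level)
            bys.append((who, level))
        rules.append((what, bys))
    return rules


def what_matches(what, target_dn, attr):
    kind, value = what
    if kind == "any":
        return True
    if kind == "attr":
        return attr is not None and attr.lower() == value
    # "dn": assumption for this toy - the entry itself or any entry beneath it
    t = norm_dn(target_dn)
    return t == value or t.endswith("," + value)


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(who[3:])
    raise ValueError("unsupported <who> clause: %s" % who)


def granted_level(rules, target_dn, attr, requester_dn):
    """Level the first matching directive grants; first matching by-clause wins."""
    for what, bys in rules:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"   # directive matched but no by-clause did: implicit "by * none"
    return "none"       # no directive matched (unreachable here: the ACL ends in 'access to *')


def allows(rules, target_dn, attr, requester_dn, needed):
    """True if the granted level covers the needed one (read implies auth, and so on)."""
    return LEVELS.index(granted_level(rules, target_dn, attr, requester_dn)) >= LEVELS.index(needed)


def audit(rules=None):
    """Scenarios a reviewer of the posted ACL would check; returns {scenario: level}."""
    rules = rules or parse_acl(ACL_TEXT)
    user = "uid=testuser,ou=People,dc=example,dc=com"       # constructed entry
    proxy = "cn=proxyagent,ou=profile,dc=example,dc=com"
    other = "uid=alice,ou=People,dc=example,dc=com"         # constructed second user
    return {
        "anonymous reads uid": granted_level(rules, user, "uid", None),
        "proxyagent reads uid": granted_level(rules, user, "uid", proxy),
        "other user reads uid": granted_level(rules, user, "uid", other),
        "anonymous reads userPassword": granted_level(rules, user, "userPassword", None),
        "proxyagent reads userPassword": granted_level(rules, user, "userPassword", proxy),
        "self writes userPassword": granted_level(rules, user, "userPassword", user),
    }


if __name__ == "__main__":
    for scenario, level in audit().items():
        print("%-32s -> %s" % (scenario, level))
```

The live confirmation is the same ldapsearch this thread already uses: an anonymous `ldapsearch -x` and one bound as the proxyagent, both asking for userPassword, should return the entries without that attribute, while `uid`, `uidNumber` and the other posixAccount attributes come back for the proxyagent.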
-----Original Message-----
From: Tay, Gary on behalf of Tay, Gary
Sent: Fri 9/17/2004 12:22 AM
To: Pluggable Authentication Modules
Cc:
Subject: RE: id: cannot find name for user ID 500
1) Hv u checked dir perms for /etc and /etc/openldap?
ls -ld /etc; ls -ld /etc/openldap
2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
change this:
account required /lib/security/$ISA/pam_unix.so
to that:
account sufficient /lib/security/$ISA/pam_unix.so
3) if 1) and 2) do not help
Can u post these files on ldap client (full content pls) to us (or to just me as too much info):
/etc/ldap.conf,
/etc/openldap/ldap.conf
/etc/pam.d/system-auth
/etc/nsswitch.conf
/etc/resolv.conf
/etc/hosts
and these files on ldap server:
slapd.conf
output of:
partial ldapsearch output showing the testuser user details
rpm -qa | grep openldap
rpm -qa | grep nss_ldap
rpm -qa | grep pam
strace id testuser (u must hv strace rpm installed)
ldd `which id`
Rgds
Gary
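Step 1 above (`ls -ld /etc; ls -ld /etc/openldap`) is the right first check because nss_ldap runs inside whatever process is resolving the name: `id` or `finger` run by an ordinary user opens /etc/ldap.conf and the CA certificate with that user's permissions, not root's. The script below is an added diagnostic, not code from this thread: using only the mode bits and owner of each path component it walks every directory down to the file, reports the first one that denies search (x) or read (r) to a given uid, and demonstrates the case at hand on a constructed directory that is readable but not searchable, which is also what makes `ls -l` print `?---------` for the entries inside it. It models classic mode bits only (POSIX ACLs, capabilities and SELinux are outside it), and components above the supplied `start` directory are assumed traversable. The same walk applies to /etc/ldap.conf itself: whatever mode it is given, unprivileged callers still have to be able to read it, which is why nss_ldap keeps a root-only bind credential in a separate file (`rootbinddn` with /etc/ldap.secret) rather than in ldap.conf.

```python
"""Explain, component by component, why a uid cannot open a file.

Added diagnostic, not code from the thread. Only the classic mode bits
and owner/group of each component are consulted (assumption: no POSIX
ACLs, capabilities or SELinux), so it can be run as root to predict what
an unprivileged process such as nss_ldap inside `id` will be able to read.
"""
import os
import stat
import tempfile


def _bits_for(st, uid, groups):
    """(r, w, x) that identity (uid, groups) has on a stat result."""
    if st.st_uid == uid:
        shift = 6                      # owner triplet
    elif st.st_gid in groups:
        shift = 3                      # group triplet
    else:
        shift = 0                      # other triplet
    return (bool(st.st_mode >> shift & 4),
            bool(st.st_mode >> shift & 2),
            bool(st.st_mode >> shift & 1))


def explain_access(path, uid, groups, start="/"):
    """Return None if (uid, groups) can open `path` for reading, otherwise a
    string naming the first component that denies it.

    Directories at or above `start` are assumed traversable (assumption, so a
    demo tree can be checked wherever the temp directory happens to live).
    """
    if uid == 0:
        return None                    # root bypasses discretionary mode bits
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    parts = os.path.relpath(path, start).split(os.sep)
    cur = start
    for part in parts[:-1]:            # every directory between start and the file
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if not _bits_for(st, uid, groups)[2]:
            return "%s: directory lacks search (x) permission for uid %d (mode %o)" % (
                cur, uid, stat.S_IMODE(st.st_mode))
    st = os.stat(path)
    if not _bits_for(st, uid, groups)[0]:
        return "%s: file lacks read (r) permission for uid %d (mode %o)" % (
            path, uid, stat.S_IMODE(st.st_mode))
    return None


# Some uid that does not own the files we construct; 500 as in the thread's
# subject line, unless the script itself happens to run as uid 500.
PROBE_UID = 500 if os.getuid() != 500 else 501


def demo():
    """Construct an openldap/ directory that is readable but not searchable
    (what produces '?---------' in ls) over a world-readable cacert.pem, check
    it, then fix the directory mode and check again.

    Returns (verdict_before_fix, verdict_after_fix); None means readable.
    """
    with tempfile.TemporaryDirectory() as base:
        conf_dir = os.path.join(base, "openldap")
        os.mkdir(conf_dir)
        cert = os.path.join(conf_dir, "cacert.pem")
        with open(cert, "w") as fh:            # constructed placeholder content
            fh.write("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n")
        os.chmod(cert, 0o644)                  # the file itself is world-readable
        os.chmod(conf_dir, 0o744)              # the misconfiguration: no 'x' for others
        before = explain_access(cert, PROBE_UID, {PROBE_UID}, start=base)
        os.chmod(conf_dir, 0o755)              # the fix
        after = explain_access(cert, PROBE_UID, {PROBE_UID}, start=base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", "readable" if after is None else after)
    # On a real client, run as root to predict what an ordinary user's `id` sees:
    for f in ("/etc/ldap.conf", "/etc/openldap/ldap.conf", "/etc/openldap/cacert.pem"):
        if os.path.exists(f):
            print(f, "->", explain_access(f, PROBE_UID, {PROBE_UID}) or "readable")
```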
-----Original Message-----
From: pam-list-bounces at redhat.com on behalf of Markus Nicolussi
Sent: Thu 9/16/2004 11:31 PM
To: pam-list at redhat.com
Cc:
Subject: Re: id: cannot find name for user ID 500
Hello!
Thank u very much 4 all the response. I spent a whole day in testing all the
stuff that came as help over the maillist and to my personal EMail Account.
* The 2 cacerts on client and server are the same.
* openssl s_client -connect ldaps.amazone.or.at:636 -showcerts
gives me
---------------------------------------------------------------------------
CONNECTED(00000003)
depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
i:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
issuer=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
---
No client certificate CA names sent
---
SSL handshake has read 1167 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
0F9232AC5D606B153E3E4A371B1AFDE8D466B2FE04A398CFBCC7F2DC6BD6228D
Session-ID-ctx:
Master-Key:
5C6EB4AED5CBC153F715AD6417492C3C1373DB138ECCD470046D296721B1C9E6777BAA8F8CB0F65DC8A2CE58FEA9F746
Key-Arg : None
Krb5 Principal: None
Start Time: 1095235867
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
************ now i have to press [Ctrl] + [D] **************
DONE
---------------------------------------------------------------------------
* ldapsearch -x -LLL -ZZZ -h ldaps.amazone.or.at
prints out all Information in my LDAP directory. also does
# ldapsearch -v -Z -x -H ldaps://ldaps.amazone.or.at/
* Doug Wilson wrote:
> try a 'getent passwd' as root and then as testuser. You'll probably find
> that root can see all of the UIDs, but the testuser can't.
getent passwd as root and as testuser both display exactly the /etc/passwd
file on the client machine
* as root on the client i can see that /etc/openldap/cacert.pem is world
readable
---------------------------------------------------------------------------
[root at acerAspire root]# ls -l /etc/openldap/
total 16
-rw-r--r-- 1 root root 1359 Sep 10 10:56 cacert.pem
-rw-r--r-- 1 root root 488 Sep 15 11:28 ldap.conf
---------------------------------------------------------------------------
but logged in as a user...
---------------------------------------------------------------------------
[I have no name!@acerAspire testuser]$ ls -l /etc/openldap/
insgesamt 0
?--------- ? ? ? ? ? cacert.pem
?--------- ? ? ? ? ? ldap.conf
---------------------------------------------------------------------------
and if i type
# finger testuser
with the debugging in /etc/ldap.conf switched on, i get
---------------------------------------------------------------------------
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.amazone.or.at:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.1:636
ldap_connect_timeout: fd: 3 tm: 30 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
TLS: could not load verify locations
(file:`/etc/openldap/cacert.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
lib by_file.c:279
ldap_unbind
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.amazone.or.at:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.0.1:636
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
TLS: could not load verify locations
(file:`/etc/openldap/cacert.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
lib by_file.c:279
ldap_unbind
finger: testuser: no such user.
---------------------------------------------------------------------------
this looks as if i have a problem with the permission of
/etc/openldap/cacert.pem, but what can i do?
* Tommy Henriksen wrote:
> if possible, you can also enable some extra debug information on your
> OpenLDAP server, - if you can restart the slapd try and play with -d
> <level>, - you can see different debug levels in following link at
> openldap.
I did this with different levels from -1 to 2048 but could never see
anything appropriate to the TLS connection... which level should i use and
what expression should i look 4.
> To enable debug on your nss_ldap client you can recompile setting the
> DEBUG option, either make a #define DEBUG in config.h or add a -DDEBUG as
> compile option, - this should let you see if nss connect to your ldap
> server.
Compiling is at the moment too freaky for me. Every time i compile a software
and it doesn't run straight through i can never solve the issue... So i use
the binaries supported by Fedora Core 2. But i tried a hint from Vsevolod. Is
this maybe what you mean? (see next point)
* Vsevolod (Simon) Ilyushchenko wrote:
> If you want to debug this, insert "debug 9" into /etc/ldap.conf, type
> "id user" and watch what happens.
doing this and then issuing
# id testuser
gives me
---------------------------------------------------------------------------
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.amazone.or.at:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.1:636
ldap_connect_timeout: fd: 3 tm: 30 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldaps.amazone.or.at port: 636 (default)
refcnt: 2 status: Connected
last used: Wed Sep 15 11:31:27 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next failed.
ldap_unbind
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed
id: testuser: No such user
---------------------------------------------------------------------------
I can't read much out from this... Is there anyone who has a clue what this
means?
thank u all very much 4 the help so far. and for helping me further.
ciao, nico.
--
NEU: GMX ProMail mit bestem Virenschutz http://www.gmx.net/de/go/mail
+++ Empfehlung der Redaktion +++ Internet Professionell 10/04 +++