id: cannot find name for user ID 500

Tay, Gary Gary_Tay at platts.com
Sat Sep 18 03:21:42 UTC 2004


GT: I did not notice that u hv a "port 636" statement in ldap.conf, that is the key to yr issue.
 
What does that have to do with TLS???
 
GT: Don't u want SSL protection?
 
And there is an additional question in slapd.conf: why don't users have to
read the userinfo but anonymous users do?
>             by users auth
>             by anonymous read

GT: The "users" here means "Authenticated Users", notice this is not "all auth" so if he/she gets authenticated he/she will have full read/write access to self info including userPassword. "anonymous read" will be able to read user info except userPassword due to the 1st ACL statement.
 
GT: My ORIGINAL setting was "anonymous none" which is more restrictive but it DOES NOT WORK on Solaris8 LDAP Client, it works on Solaris9 and Linux, I had to change "anonymous none" to "anonymous read" to accommodate Solaris8 LDAP Clients. 
 
GT: Because of this change to accommodate Solaris8 LDAP client, if there is no binddn and bindpw in ldap.conf, it defaults to anonymous and therefore "proxyagent" which is a non-anonymous user becomes OPTIONAL. i.e. even if it is not there it works.
 
GT: Whatever it is, DO NOT put rootdn/pw in binddn/pw in ldap.conf at the client, that is no security if ldap.conf is world readable.
 
--> (5.)
Another question in ldap.conf: Why does
-------------------
# The port.
# Optional: default is 389.
port 636
-------------------
not work?
# netstat -antup
and
# nmap 192.168.0.1
tells me that port 636 (ldapssl) and 389 (ldap) are both open

GT: START_TLS uses port 389 not 636. port 636 is ldaps://, START_TLS is ldap://, get it? 
 
GT: I believe the /etc/init.d/openldap.server script u used started slapd to listen on port 636, therefore both 389 and 636 are in "netstat -an", nothing wrong. We need port 636 so that the openssl show cert command can be used to verify server cert content.
 
> 2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
> change this:
> account     sufficient      /lib/security/$ISA/pam_unix.so
This really did something (see above) but why?

GT: RedHat Bugzilla has a bug report on "no such user", similar to yr "cannot find name for user" issue, there were some suggested workarounds, I tried some of them but they did not work, and finally I found this is the "workaround".
 
GT: I suspect the PAM argument "required" can be very "stupid" in that it could exit the program loop prematurely. I don't mean to blame Linux-PAM developers here; they have given us one great open source module.
 
dn: uid=testuser,ou=group,dc=amazone,dc=or,dc=at

 
GT: u seemed to mix up ou=People and ou=group, it shld be: 
dn: uid=testuser,ou=People,dc=amazone,dc=or,dc=at
OR ELSE u must map ou=group as uid lookup in /etc/ldap.conf 
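An added configuration check, not part of the thread and not nss_ldap's own code: it parses an /etc/ldap.conf fragment (a constructed sample modelled on the thread, with a placeholder password) and flags the client-side mistakes Gary raises above: START_TLS pointed at port 636 instead of 389, a bindpw in a file that is not mode 400, a bindpw with no TLS at all, and a binddn that equals the server's rootdn. The finding codes, the sample values and the `rootdn` parameter are assumptions of this example.

```python
import stat

# Constructed sample /etc/ldap.conf modelled on the thread (not the poster's
# real file); the bindpw value is a placeholder, not a real credential.
SAMPLE_LDAP_CONF = """\
# The port.
# Optional: default is 389.
port 636
host ldaps.amazone.or.at
base dc=amazone,dc=or,dc=at
ssl start_tls
binddn cn=proxyagent,ou=profile,dc=amazone,dc=or,dc=at
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
"""


def parse_ldap_conf(text):
    """Parse nss_ldap/pam_ldap 'key value' lines: comments and blanks are
    skipped, keys are case-insensitive, a later key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lint_ldap_conf(text, file_mode, rootdn=None):
    """Return finding codes for the issues discussed in the thread.
    file_mode: permission bits of ldap.conf (e.g. 0o644).
    rootdn: slapd.conf rootdn, if the binddn should be compared against it."""
    conf = parse_ldap_conf(text)
    port = conf.get("port", "389")        # nss_ldap default port
    ssl = conf.get("ssl", "no").lower()   # 'no' | 'start_tls' | 'on' (ldaps)
    findings = []
    if ssl == "start_tls" and port == "636":
        findings.append("start_tls-on-636")   # STARTTLS belongs on the ldap:// port
    if ssl == "on" and port == "389":
        findings.append("ldaps-on-389")       # ldaps:// belongs on 636
    if "bindpw" in conf:
        if ssl == "no":
            findings.append("bindpw-without-tls")        # password sent in the clear
        if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("bindpw-readable-by-others")  # file should be mode 400
        if rootdn and normalize_dn(conf.get("binddn", "")) == normalize_dn(rootdn):
            findings.append("binddn-is-rootdn")  # admin credential on every client
    return findings
```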
 
 
-----Original Message----- 
From: Markus Nicolussi [mailto:mcwimpy at gmx.at] 
Sent: Fri 9/17/2004 7:42 PM 
To: pam-list at redhat.com 
Cc: nssldap at padl.com; pamldap at padl.com 
Subject: RE: id: cannot find name for user ID 500



	Hello!
	
	Thank you very much for your great help!! With your help I could bring
	TLS/SSL to work. I had to do the "sufficient" thing in /etc/system-auth for
	pam_unix.so. See --> (7.) After that it worked. But without TLS/SSL it
	worked right from the start. What does that have to do with TLS???
	
	I noticed a lot of stuff like this that makes me think that this whole
	OpenLDAP thing behaves very funny and illogical. I feel like working under
	Windows again... :-)
	
	
	About THE PROXYAGENT PROBLEM:
	
	--> (1.)
	> Typo:
	> binddn cn=proxyagent,ou=profile,dc=example,dc=com, change to yr specific.
	I didn't find a typo. And the log file of slapd tells me that the BIND dn is
	"proxyagent..." So the login into the LDAP server with the binddn works. But
	I have the same "id: cannot find name for user ID..." problem. Without this
	proxyagent stuff (ldif, ACLs in slapd.conf, binddn&bindpw in ldap.conf) it
	works. I experimented a bit with the ACLs but from the man page I don't get
	the point.
	
	--> (2.)
	> U r missing binddn and bindpw in /etc/ldap.conf at the ldap client
	That's because I deleted everything that had to do with proxyagent out of
	the config files, because I couldn't get it to work.
	
	--> (3.)
	>1) Add a proxyagent person, i.e. import the followings into LDAP tree data
	...
	
	>2) Add ACL in slapd.conf to allow proxyagent to read user info. (change
	>the specific pls), and restart ldap service
	...
	
	>3) edit /etc/ldap.conf at ldap client, add these lines on top of what u
	>already have, protect this file as mode 400
	...
	
	I did it. I mean I used the slapd.conf, ldap.conf and ldif from your HOWTO,
	inserted it and checked if everything is there and without typo. But as
	before with your HOWTO in the inet. It gives me everything in 1.)
	
	--> (4.)
	And there is an additional question in slapd.conf: why don't users have to
	read the userinfo but anonymous users do?
	>             by users auth
	>             by anonymous read
	
	--> (5.)
	Another question in ldap.conf: Why does
	-------------------
	# The port.
	# Optional: default is 389.
	port 636
	-------------------
	not work?
	# netstat -antup
	and
	# nmap 192.168.0.1
	tells me that port 636 (ldapssl) and 389 (ldap) are both open
	
	--> (6.)
	> 1) Hv u checked dir perms for /etc and /etc/openldap?
	[root at server root]# ls -ld /etc; ls -ld /etc/openldap
	drwxr-xr-x  78 root root 12288 17. Sep 12:25 /etc
	drwxr-xr-x  2 root root 4096 17. Sep 11:35 /etc/openldap
	
	--> (7.)
	> 2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
	> change this:
	> account     sufficient      /lib/security/$ISA/pam_unix.so
	This really did something (see above) but why?
	
	
	--> (8.)
	> 3) if 1) and 2) do not help
	> Can u post these files on ldap client (full content pls) to us (or to
	> just me as too much info):
	> /etc/ldap.conf,
	> /etc/openldap/ldap.conf
	> /etc/pam.d/system-auth
	> /etc/nsswitch.conf
	> /etc/resolv.conf
	> /etc/hosts
	
	> and these files on ldap server:
	> slapd.conf
	see attachment
	
	--> (9.)
	> output of:
	> partial ldapsearch output showing the testuser user details
	I did
	# ldapsearch -x -v -b "uid=testuser,ou=group,dc=amazone,dc=or,dc=at" -s base
	-h ldaps.amazone.or.at -LLL -ZZ
	(with the proxyagent stuff disabled), which gave me
	---------------------------------------------------------------------------
	ldap_init( ldaps.amazone.or.at, 0 )
	filter: (objectclass=*)
	requesting: ALL
	dn: uid=testuser,ou=group,dc=amazone,dc=or,dc=at
	givenName: Maeky
	sn: Messer
	loginShell: /bin/bash
	uidNumber: 500
	gidNumber: 100
	objectClass: inetOrgPerson
	objectClass: posixAccount
	objectClass: shadowAccount
	uid: testuser
	cn: Maeki Messer
	homeDirectory: /home/testuser
	shadowMin: -1
	shadowMax: 99999
	shadowWarning: 7
	shadowInactive: -1
	shadowExpire: -1
	shadowFlag: 0
	
	---------------------------------------------------------------------------
	
	--> (10.)
	> rpm -qa | grep openldap
	---------------------------------------------------------------------------
	openldap-clients-2.1.29-1
	openldap-2.1.29-1
	---------------------------------------------------------------------------
	
	--> (11.)
	> rpm -qa | grep nss_ldap
	---------------------------------------------------------------------------
	nss_ldap-217-1
	---------------------------------------------------------------------------
	
	--> (12.)
	> rpm -qa | grep pam
	---------------------------------------------------------------------------
	pam_krb5-2.0.10-1
	pam-0.77-40
	pam_smb-1.1.7-3.1
	pam-devel-0.77-40
	---------------------------------------------------------------------------
	
	--> (13.)
	> strace id testuser (u must hv strace rpm installed)
	Did
	[I have no name!@acerAspire nico] $ strace id martina > strace-nico.txt 2>&1
	
	as user nico: see strace-nico.txt.gz
	
	# strace id martina > strace-root.txt 2>&1
	and for root of the client: see strace-root.txt.gz
	
	--> (14.)
	> ldd `which id`
	---------------------------------------------------------------------------
	        libselinux.so.1 => /lib/libselinux.so.1 (0x00d64000)
	        libc.so.6 => /lib/tls/libc.so.6 (0x0044c000)
	        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00433000)
	---------------------------------------------------------------------------
	
	
	--
	NEW: GMX ProMail with the best virus protection http://www.gmx.net/de/go/mail
	+++ Editors' recommendation +++ Internet Professionell 10/04 +++