id: cannot find name for user ID 500

Tay, Gary Gary_Tay at platts.com
Thu Sep 16 17:17:13 UTC 2004


I read the thread, u hv actually posted most of the info.
 
U r missing binddn and bindpw in /etc/ldap.conf at the ldap client
 
1) Add a proxyagent person, i.e. import the following into the LDAP tree:
 
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg
 
2) Add ACL in slapd.conf to allow proxyagent to read user info (change the specifics, pls), and restart ldap service
 

access to attr=userPassword
            by self write
            by * auth

access to dn="ou=People,dc=example,dc=com"
            by self write
            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
            by users auth
            by anonymous read

access to *
            by self write
            by * read

 
# service ldap restart
 
3) edit /etc/ldap.conf at ldap client, add these lines on top of what u already have, protect this file as mode 400
 
# must match the proxyagent DN created in step 1
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=group,dc=example,dc=com?one
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid


Good luck to u.

-----Original Message----- 
From: Tay, Gary on behalf of Tay, Gary 
Sent: Fri 9/17/2004 12:22 AM 
To: Pluggable Authentication Modules 
Cc: 
Subject: RE: id: cannot find name for user ID 500



	1) Hv u checked dir perms for /etc and /etc/openldap?
	ls -ld /etc; ls -ld /etc/openldap
	 
	2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
	change this:

	account     required      /lib/security/$ISA/pam_unix.so

	to that:

	account     sufficient      /lib/security/$ISA/pam_unix.so
	 
	3) if 1) and 2) do not help
	 
	Can u post these files on ldap client (full content pls) to us (or just to me if it is too much info):
	/etc/ldap.conf,
	/etc/openldap/ldap.conf
	/etc/pam.d/system-auth
	/etc/nsswitch.conf
	/etc/resolv.conf
	/etc/hosts
	 
	and these files on ldap server:
	slapd.conf
	 
	output of:
	partial ldapsearch output showing the testuser user details
	rpm -qa | grep openldap
	rpm -qa | grep nss_ldap
	rpm -qa | grep pam
	strace id testuser (u must hv strace rpm installed)
	ldd `which id`
	 
	Rgds
	Gary
	 
	-----Original Message----- 
	From: pam-list-bounces at redhat.com on behalf of Markus Nicolussi 
	Sent: Thu 9/16/2004 11:31 PM 
	To: pam-list at redhat.com 
	Cc: 
	Subject: Re: id: cannot find name for user ID 500
	
	

		Hello!
		
		
		Thank u very much 4 all the responses. I spent a whole day testing all the
		stuff that came as help over the mailing list and to my personal e-mail account.
		
		
		* The 2 cacerts on client and server are the same.
		
		
		* openssl s_client -connect ldaps.amazone.or.at:636 -showcerts
		
		gives me
		
		---------------------------------------------------------------------------
		CONNECTED(00000003)
		depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
		Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
		verify error:num=20:unable to get local issuer certificate
		verify return:1
		depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
		Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
		verify error:num=21:unable to verify the first certificate
		verify return:1
		---
		Certificate chain
		 0 s:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
		Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
		   i:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
		Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
		-----BEGIN CERTIFICATE-----
		...
		-----END CERTIFICATE-----
		---
		Server certificate
		subject=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
		Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
		issuer=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
		Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy at gmx.at
		---
		No client certificate CA names sent
		---
		SSL handshake has read 1167 bytes and written 340 bytes
		---
		New, TLSv1/SSLv3, Cipher is AES256-SHA
		Server public key is 1024 bit
		SSL-Session:
		    Protocol  : TLSv1
		    Cipher    : AES256-SHA
		    Session-ID:
		0F9232AC5D606B153E3E4A371B1AFDE8D466B2FE04A398CFBCC7F2DC6BD6228D
		    Session-ID-ctx:
		  
		Master-Key:
		5C6EB4AED5CBC153F715AD6417492C3C1373DB138ECCD470046D296721B1C9E6777BAA8F8CB0F65DC8A2CE58FEA9F746
		    Key-Arg   : None
		    Krb5 Principal: None
		    Start Time: 1095235867
		    Timeout   : 300 (sec)
		    Verify return code: 21 (unable to verify the first certificate)
		---
		
		************ now i have to press [Ctrl] + [D] **************
		
		DONE
		---------------------------------------------------------------------------
		
		
		* ldapsearch -x -LLL -ZZZ -h ldaps.amazone.or.at
		
		prints out all Information in my LDAP directory. also does
		
		# ldapsearch -v -Z -x -H ldaps://ldaps.amazone.or.at/
		
		
		
		* Doug Wilson wrote:
		> try a 'getent passwd' as root and then as testuser. You'll probably find
		> that root can see all of the UIDs, but the testuser can't.
		
		getent passwd as root and as testuser both display exactly the /etc/passwd
		file on the client machine
		
		* as root on the client i can see that /etc/openldap/cacert.pem is world
		readable
		---------------------------------------------------------------------------
		[root at acerAspire root]# ls -l /etc/openldap/
		total 16
		-rw-r--r--  1 root root 1359 Sep 10 10:56 cacert.pem
		-rw-r--r--  1 root root  488 Sep 15 11:28 ldap.conf
		---------------------------------------------------------------------------
		
		but logged in as a user...
		---------------------------------------------------------------------------
		[I have no name!@acerAspire testuser]$ ls -l /etc/openldap/
		insgesamt 0
		?---------  ? ? ? ?            ? cacert.pem
		?---------  ? ? ? ?            ? ldap.conf
		---------------------------------------------------------------------------
		
		and if i type
		#finger testuser
		with the debugging in /etc/ldap.conf switched on, i get
		---------------------------------------------------------------------------
		ldap_create
		ldap_simple_bind
		ldap_sasl_bind
		ldap_send_initial_request
		ldap_new_connection
		ldap_int_open_connection
		ldap_connect_to_host: TCP ldaps.amazone.or.at:636
		ldap_new_socket: 3
		ldap_prepare_socket: 3
		ldap_connect_to_host: Trying 192.168.0.1:636
		ldap_connect_timeout: fd: 3 tm: 30 async: 0
		ldap_ndelay_on: 3
		ldap_is_sock_ready: 3
		ldap_ndelay_off: 3
		ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
		TLS: could not load verify locations
		(file:`/etc/openldap/cacert.pem',dir:`').
		TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
		TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
		TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
		lib by_file.c:279
		ldap_unbind
		ldap_create
		ldap_simple_bind
		ldap_sasl_bind
		ldap_send_initial_request
		ldap_new_connection
		ldap_int_open_connection
		ldap_connect_to_host: TCP ldaps.amazone.or.at:636
		ldap_new_socket: 4
		ldap_prepare_socket: 4
		ldap_connect_to_host: Trying 192.168.0.1:636
		ldap_connect_timeout: fd: 4 tm: 30 async: 0
		ldap_ndelay_on: 4
		ldap_is_sock_ready: 4
		ldap_ndelay_off: 4
		ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
		TLS: could not load verify locations
		(file:`/etc/openldap/cacert.pem',dir:`').
		TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
		TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
		TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
		lib by_file.c:279
		ldap_unbind
		finger: testuser: no such user.
		---------------------------------------------------------------------------
		this looks as if i have a problem with the permission of
		/etc/openldap/cacert.pem, but what can i do?
		
		* Tommy Henriksen wrote:
		> if possible, you can also enable some extra debug information on your
		> OpenLDAP server, - if you can restart the slapd try and play with -d
		> <level>, - you can see different debug levels in following link at
		> openldap.
		I did this with different levels from -1 to 2048 but could never see
		anything appropriate to the TLS connection... which level should i use and
		what expression should i look 4.
		
		> To enable debug on your nss_ldap client you can recompile setting the
		> DEBUG option, either make a #define DEBUG in config.h or add a -DDEBUG as
		> compile option, - this should let you see if nss connect to your ldap
		> server.
		Compiling is at the moment too freaky for me. Every time i compile a software
		and it doesn't run straight through i can never solve the issue... So i use
		the binaries supported by Fedora Core 2. But i tried a hint from Vsevolod. Is
		this maybe what you mean? (see next point)
		
		* Vsevolod (Simon) Ilyushchenko wrote:
		> If you want to debug this, insert "debug 9" into /etc/ldap.conf, type
		> "id user" and watch what happens.
		
		doing this and then issuing
		# id testuser
		
		gives me
		
		---------------------------------------------------------------------------
		ldap_create
		ldap_extended_operation_s
		ldap_extended_operation
		ldap_send_initial_request
		ldap_new_connection
		ldap_int_open_connection
		ldap_connect_to_host: TCP ldaps.amazone.or.at:636
		ldap_new_socket: 3
		ldap_prepare_socket: 3
		ldap_connect_to_host: Trying 192.168.0.1:636
		ldap_connect_timeout: fd: 3 tm: 30 async: 0
		ldap_ndelay_on: 3
		ldap_is_sock_ready: 3
		ldap_ndelay_off: 3
		ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
		ldap_open_defconn: successful
		ldap_send_server_request
		ber_flush: 31 bytes to sd 3
		ldap_result msgid 1
		ldap_chkResponseList for msgid=1, all=1
		ldap_chkResponseList returns NULL
		wait4msg (infinite timeout), msgid 1
		wait4msg continue, msgid 1, all 1
		** Connections:
		* host: ldaps.amazone.or.at  port: 636  (default)
		  refcnt: 2  status: Connected
		  last used: Wed Sep 15 11:31:27 2004
		
		** Outstanding Requests:
		 * msgid 1,  origid 1, status InProgress
		   outstanding referrals 0, parent count 0
		** Response Queue:
		   Empty
		ldap_chkResponseList for msgid=1, all=1
		ldap_chkResponseList returns NULL
		ldap_int_select
		read1msg: msgid 1, all 1
		ber_get_next
		ber_get_next failed.
		ldap_unbind
		ldap_free_request (origid 1, msgid 1)
		ldap_free_connection
		ldap_send_unbind
		ber_flush: 7 bytes to sd 3
		ldap_free_connection: actually freed
		id: testuser: No such user
		---------------------------------------------------------------------------
		
		I can't read much out from this... Is there anyone who has a clue what this
		means?
		
		thank u all very much 4 the help so far. and for helping me further.
		
		ciao, nico.
		
		--
		NEU: GMX ProMail mit bestem Virenschutz http://www.gmx.net/de/go/mail
		+++ Empfehlung der Redaktion +++ Internet Professionell 10/04 +++
		
		
		
		_______________________________________________
		Pam-list mailing list
		Pam-list at redhat.com
		https://www.redhat.com/mailman/listinfo/pam-list
		

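The slapd ACL posted at the top of the thread is worth checking before it goes into slapd.conf, because "first matching clause wins" rules are easy to misread. The following is an added example (not code from the list posters or from OpenLDAP): a toy evaluator of the documented slapd access semantics, applied to that ACL. It answers the questions a defender would ask of it: the proxyagent identity used by nss_ldap can read account attributes but not userPassword, users can change their own password, and, as posted, anonymous binds can read account entries under ou=People while other authenticated users get only auth there. One assumption is labelled in the code: the unqualified `dn="ou=People,..."` what-clause is treated as a subtree match, which is the intent in the thread; the default dn style of an unqualified `dn=` differs between slapd versions (see slapd.access(5) for the installed one), and an exact-match default would confine that clause to the ou=People entry itself.

```python
"""Toy evaluator for the slapd access-control semantics used by the ACL in the
thread above. Added example, not code from the list posters or from OpenLDAP.

Modelled rules (from slapd.access(5)): the first "access to" clause whose
<what> matches the target entry/attribute is selected; within it the first
matching "by" clause decides; a granted level implies all lower levels; if the
selected clause has no matching "by", access is denied. Assumption: an
unqualified dn="..." <what> is treated as a subtree match (the intent in the
thread); check the default dn style of your slapd version, because an exact
match would confine that clause to the ou=People entry itself.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

PEOPLE = "ou=People,dc=example,dc=com"
PROXY = "cn=proxyagent,ou=profile,dc=example,dc=com"

# The ACL as posted in the thread, transcribed into data.
# A "who" is "self", "*", "anonymous", "users" or ("dn", <exact DN>).
POSTED_ACL = [
    {"attr": "userPassword", "dn": None,
     "by": [("self", "write"), ("*", "auth")]},
    {"attr": None, "dn": PEOPLE,
     "by": [("self", "write"), (("dn", PROXY), "read"),
            ("users", "auth"), ("anonymous", "read")]},
    {"attr": None, "dn": None,
     "by": [("self", "write"), ("*", "read")]},
]


def in_subtree(dn, base):
    """True if dn is base or lies beneath it (inputs assumed normalised)."""
    return dn == base or dn.endswith("," + base)


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    kind, dn = who
    return kind == "dn" and bind_dn == dn


def granted_level(acl, target_dn, attr, bind_dn):
    """Return the access level the ACL grants bind_dn on (target_dn, attr)."""
    for rule in acl:
        if rule["attr"] and rule["attr"].lower() != attr.lower():
            continue
        if rule["dn"] and not in_subtree(target_dn, rule["dn"]):
            continue
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"          # clause selected, no "by" matched: deny
    return "none"              # no clause matched at all: deny


def allowed(acl, target_dn, attr, bind_dn, needed):
    """True if the granted level is at least `needed` (levels are ordered)."""
    return LEVELS.index(granted_level(acl, target_dn, attr, bind_dn)) >= LEVELS.index(needed)


def check_posted_acl():
    """Questions a defender would ask of the posted ACL before deploying it."""
    user = "uid=testuser," + PEOPLE      # constructed account entry
    other = "uid=alice," + PEOPLE        # constructed second account
    return {
        # what the nss_ldap proxy identity needs, and must not get
        "proxy_reads_uid": allowed(POSTED_ACL, user, "uid", PROXY, "read"),
        "proxy_reads_userPassword": allowed(POSTED_ACL, user, "userPassword", PROXY, "read"),
        # the account owner may change its own password
        "self_writes_userPassword": allowed(POSTED_ACL, user, "userPassword", user, "write"),
        # who else can enumerate account entries under ou=People
        "anonymous_reads_uid": allowed(POSTED_ACL, user, "uid", None, "read"),
        "other_user_reads_uid": allowed(POSTED_ACL, user, "uid", other, "read"),
        # entries outside ou=People fall through to the final "access to *" clause
        "anonymous_reads_proxy_entry": allowed(POSTED_ACL, PROXY, "cn", None, "read"),
        "anonymous_compares_proxy_pw": allowed(POSTED_ACL, PROXY, "userPassword", None, "compare"),
    }


if __name__ == "__main__":
    for question, answer in check_posted_acl().items():
        print(f"{question}: {answer}")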

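The symptom Markus shows (root reads /etc/openldap/cacert.pem fine, the UID 500 user sees `?---------` for every entry in /etc/openldap, and nss_ldap logs `fopen: Permission denied` on the CA file) is the classic signature of a directory that is readable but not searchable by others: `ls` can list the names but cannot stat them, and `open()` on anything beneath fails. Because nss_ldap runs inside whatever process does the lookup, every file it touches (/etc/ldap.conf, /etc/openldap/ldap.conf, the CA certificate) and every directory on the way must be accessible to that unprivileged user; a root-only mode 400 /etc/ldap.conf reproduces the same failure for non-root lookups, so the bind password is better kept out of that file in a separate root-only file. The following added example (not code from the list posters) walks a path component by component and reports the first one that blocks a given uid/gid set, using the mode bits rather than the caller's own access rights, so it gives the same answer whether it is run as root or not. The directory tree, modes and simulated uid are constructed to mirror the thread; the assumption that /etc/openldap on the poster's client was mode 0750 is labelled in the code.

```python
"""Find the path component that stops an unprivileged process from reading a
file. Added example to illustrate the thread above; not code from the posters.

The tree built in run_demo() is constructed: it mimics an /etc/openldap that
root can read but a normal user cannot search, and an /etc/ldap.conf set to
mode 400 as suggested earlier in the thread.
"""
import os
import shutil
import stat
import tempfile


def perm_bits(st, uid, gids):
    """Return (r, w, x) as they apply to a process with this uid and group set.

    Root bypasses read and search checks, which is why the thread's commands
    succeed for root and fail for the UID 500 user.
    """
    if uid == 0:
        return True, True, True
    if st.st_uid == uid:
        shift = 6          # owner triple
    elif st.st_gid in gids:
        shift = 3          # group triple
    else:
        shift = 0          # "other" triple
    m = st.st_mode
    return (bool(m & (stat.S_IROTH << shift)),
            bool(m & (stat.S_IWOTH << shift)),
            bool(m & (stat.S_IXOTH << shift)))


def first_blocker(path, uid, gids, start="/"):
    """Walk from `start` down to `path` the way open() would for uid/gids.

    Every intermediate directory needs the search (x) bit and the final file
    needs the read bit. Returns None if the file is readable, otherwise
    (offending_path, reason). Components above `start` are assumed searchable.
    """
    rel = os.path.relpath(os.path.abspath(path), os.path.abspath(start))
    parts = rel.split(os.sep)
    cur = os.path.abspath(start)
    for comp in parts[:-1]:
        cur = os.path.join(cur, comp)
        _, _, x = perm_bits(os.stat(cur), uid, gids)
        if not x:
            return cur, "directory lacks search (x) permission"
    cur = os.path.join(cur, parts[-1])
    r, _, _ = perm_bits(os.stat(cur), uid, gids)
    if not r:
        return cur, "file lacks read permission"
    return None


def run_demo():
    """Reproduce the thread's symptom on a constructed tree; return findings."""
    # Simulated unprivileged identity, chosen to differ from whoever runs this
    # so the "other" triple applies, like testuser (UID 500) on the client.
    uid = 500
    while uid in (os.getuid(), os.getgid()):
        uid += 1
    gids = {uid}

    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)                 # mkdtemp creates 0700; open it up
    etc = os.path.join(root, "etc")
    openldap = os.path.join(etc, "openldap")
    os.makedirs(openldap)
    cacert = os.path.join(openldap, "cacert.pem")
    ldap_conf = os.path.join(etc, "ldap.conf")
    for p in (cacert, ldap_conf):
        with open(p, "w") as fh:
            fh.write("# constructed placeholder\n")
    os.chmod(etc, 0o755)
    os.chmod(cacert, 0o644)      # -rw-r--r-- as in the poster's ls -l
    os.chmod(openldap, 0o750)    # assumption: dir not searchable by others
    os.chmod(ldap_conf, 0o400)   # the "mode 400" suggested in the thread

    findings = {
        "cacert_dir_0750": first_blocker(cacert, uid, gids, start=root),
    }
    os.chmod(openldap, 0o755)    # the fix: give the directory o+x
    findings["cacert_dir_0755"] = first_blocker(cacert, uid, gids, start=root)
    findings["ldap_conf_0400"] = first_blocker(ldap_conf, uid, gids, start=root)
    findings["root_sees_all"] = first_blocker(ldap_conf, 0, {0}, start=root)
    shutil.rmtree(root)
    # Report paths relative to the constructed root so they read like /etc
    return {k: (None if v is None else (os.path.relpath(v[0], root), v[1]))
            for k, v in findings.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {'readable' if result is None else result}")
```

On a real client the same check is `first_blocker("/etc/openldap/cacert.pem", 500, {500})` with the default `start="/"`; the fix for the case it flags is `chmod o+x` on the offending directory, not loosening the certificate file, which is already world-readable in the poster's listing.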
