Below is part of the log from slapd….
Mar 25 13:25:16 hltraindb01 slapd[28836]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr entry
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr objectClass
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (objectClass)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uid
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uid)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr gidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (gidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr loginShell
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (loginShell)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: conn=3 op=1 p=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: err=0 matched="" text=""
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]: 14r
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: read active on 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14): got connid=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): checking for input on id=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: ber_get_next on fd 14 failed errno=0 (Success)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): input error=-2 id=3, closing.
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_closing: readying conn=3 sd=14 for close
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_close: conn=3 sd=-1
Mar 25 13:25:16 hltraindb01 slapd[28836]: =>ldap_back_conn_destroy: fetching conn 3
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: removing 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 fd=14 closed (connection lost)
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
From: Benjamin Griese [mailto:der.darude@gmail.com]
Sent: Thursday, March 25, 2010 11:56 AM
To: Lynn York
Cc: Tyler Gates; openldap-technical@openldap.org
Subject: Re: Problem with getent passwd
Hi,
could you please also provide the appropriate log entries that show the query
to the slapd from the client?
Thanks
On Thu, Mar 25, 2010 at 13:52, Lynn York <lynn.york@mavenwire.com> wrote:
I attempted to use "setup" to set up ldap auth. That did not work. When I run
"getent passwd" it prints all the local users, then hangs for about 5 seconds
and doesn't print the ldap users. However, it does query the ldap server; I can
see the queries in the ldap logs. I have added copies of my configs with hopes
someone can help me more :)
/etc/ldap.conf
----------------
base cn=users,dc=ldaptest,dc=com
uri ldap://ldaphost/
binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password ad
# nss_ldap configurations
nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_attribute user SAMACCOUNTNAME
sasl_secprops maxssf=0
#tls_cacertdir /etc/openldap/cacerts
slapd.conf
----------------
######################################################
# database definitions
######################################################
database ldap
suffix "cn=users,dc=ldaptest,dc=com"
uri "ldap://ads.ldaptest.com"
overlay rwm
rebind-as-user
chase-referrals no
acl-bind bindmethod=simple binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com" credentials=password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
#index objectClass eq
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
Any help is greatly appreciated...
-----Original Message-----
From: Tyler Gates [mailto:tgates81@gmail.com]
Sent: Wednesday, March 24, 2010 9:31 PM
To: Lynn York; openldap-technical@openldap.org
Subject: Re: Problem with getent passwd
Actually I misspoke earlier - I meant run the command 'setup' from the
terminal and select authentication. From there you should see "User
Information" and "Authentication" columns. Just check LDAP in "User
Information" and you should see getent populate the passwords.
That normally does the trick. Pretty simple, but if that doesn't work
I'd check your /etc/ldap.conf is set up correctly (I mostly have to just
add the host information and base dn). Otherwise your LDAP server
doesn't have the attributes it's expecting from its queries to generate
user account information.
On 03/24/2010 08:09 AM, Lynn York wrote:
> Here is my /etc/pam.d/system-auth file
>
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> Also, when I ran authconfig, that didn't help. The server still queries the
> ldap server, but the users don't actually show when I run getent passwd...
> could it be something with the rwm mappings?
>
> *From:* Tyler Gates [mailto:tgates81@gmail.com]
> *Sent:* Tuesday, March 23, 2010 8:26 PM
> *To:* Lynn York
> *Subject:* Re: Problem with getent passwd
>
> Sounds like it's a problem with your client side pam_ldap authentication.
> There's a whole bunch of steps to get that working, just google it. If you
> have a redhat variant authconfig or setup will step you through it. It
> would help if you could post your system_auth file.
>
> On Mar 23, 2010, at 11:40 AM, Lynn York <lynn.york@mavenwire.com> wrote:
>
> Hello,
>
> When I issue "getent passwd" I can see it query the ldap server for all the
> information and the server is returning the correct information. However,
> "getent passwd" doesn't actually show the users that are in ldap. I am not
> sure where my problem might be. Can anyone offer any suggestions on where
> to look?
>
> Lynn York II
> MavenWire Hosting Admin
> www.mavenwire.com
> (866) 343-4870 x717
>
> MavenWire - We DELIVER
> http://www.mavenwire.com
>
> This e-mail and any attached files may contain confidential and/or
> privileged material for the sole use of the intended recipient. Any review,
> use, distribution or disclosure by others is strictly prohibited. If you are
> not the intended recipient (or authorized to receive this e-mail for the
> recipient), you may not review, copy or distribute this message. Please
> contact the sender by reply e-mail and delete all copies of this message.
--
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to
do -- Sartre | Do be do be do -- Sinatra
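The slapd ACL trace quoted at the top of the thread logs one access check per attribute per entry, which makes it hard to see at a glance which attributes were actually released for each user. The script below is an added example (not code from the thread or from OpenLDAP): it parses lines in that trace format into a per-entry map of read decisions and reports which attributes of a passwd line never got a read grant. The sample log and the list of passwd attributes it checks are assumptions of this example.

```python
import re

# Attributes a passwd line needs (name:uid:gid:gecos:dir:shell); an assumption of this example.
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
ENTRY_START = re.compile(r'=> send_search_entry: conn \d+ dn="([^"]*)"')
ENTRY_END = re.compile(r'<= send_search_entry: conn \d+ exit\.')
REQUESTED = re.compile(r'=> access_allowed: (\w+) access to "[^"]*" "([^"]*)" requested')
DECIDED = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by')
# Constructed sample in the format of the slapd ACL trace quoted at the top of the thread.
SAMPLE_LOG = """\
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "userPassword" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access denied by none(=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
"""

def parse_acl_trace(text):
    """Map each returned entry DN to {attr: 'granted'|'denied'} for its read checks. slapd nests
    a 'search access' check (test_filter) inside a read check, so a stack resolves the newest of a type."""
    entries, current, pending = {}, None, []
    for line in text.splitlines():
        if m := ENTRY_START.search(line):
            current, pending = m.group(1), []
            entries[current] = {}
        elif ENTRY_END.search(line):
            current, pending = None, []
        elif current is None:
            continue
        elif m := REQUESTED.search(line):
            pending.append((m.group(1), m.group(2)))
        elif m := DECIDED.search(line):
            for i in range(len(pending) - 1, -1, -1):
                access, attr = pending[i]
                if access == m.group(1):
                    del pending[i]
                    if access == "read":
                        entries[current][attr] = m.group(2)
                    break
    return entries

def passwd_gaps(entries):
    """Per entry, the passwd attributes that were never read-granted (absent or denied)."""
    return {dn: [a for a in PASSWD_ATTRS if d.get(a) != "granted"] for dn, d in entries.items()}
```

Run it over the full slapd log rather than the sample: an attribute that never appears in a read-granted line for an entry was either not requested by the client or not present on the entry as back-ldap and the rwm overlay present it, which is worth settling before looking further at the client side.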