I've set up an Ubuntu 10.10 LDAP client to authenticate off my LDAP server. I've installed the following:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds
Here's my /etc/nsswitch.conf:
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
I can run nss_updatedb ldap successfully:
# nss_updatedb ldap
passwd... done.
group... done.
I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.
However, I cannot do an id ldapuser
ex:
$ id tony
id: tony: No such user
Here's my auth.log:
Dec 1 21:08:17 webdev120 sshd[14765]: pam_unix(sshd:auth): check pass; user unknown
Here's my syslog:
sshd[14648]: Libgcrypt warning: missing initialization - please fix the application
Here's my /etc/pam.d/common-auth:
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
#auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
# end of pam-auth-update config
Here's my /etc/pam.d/common-account:
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
id works just fine with my local users on my local machine, so somehow it's not able to read the LDAP users.
Any insights appreciated.
On Dec 01, 2010, at 16.37, Anton Chu wrote:
My recommendation would be to move away from libnss-ldap and libpam-ldap, and to use nss-pam-ldapd, available in Ubuntu via the libnss-ldapd, libpam-ldapd and nslcd packages. It may not explicitly solve your problem, but it will likely make troubleshooting things easier. Also, until you have a functioning, proper setup, remove things like nss-updatedb, libnss-db and nscd. Once things are working, if you feel some degree of caching is needed, address that as an independent item.
-ben
On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
> I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.
Please compare these two:
$ getent passwd | grep tony
$ getent passwd tony
If the first succeeds (returns a line looking like /etc/passwd), and the second fails (returns nothing), then you probably have a negative cache from nscd. Stop nscd, and test again.
In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but one of the newer options (e.g. sssd) may be a better option.
Regards, Buchan
Ok here's what you suggested:
root@webtest111:/etc/pam.d# id tony
id: tony: No such user
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d# getent passwd | grep tony
tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# /etc/init.d/nscd stop
- Stopping Name Service Cache Daemon nscd [ OK ]
root@webtest111:/etc/pam.d# getent passwd | grep tony
tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d#
I'll start a reinstall of the other packages instead of libnss-ldap and libpam-ldap.
Thanks for the tips.
Regards
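A scripted form of the comparison Buchan suggests, added here as an example; it is not part of the thread. It classifies a user as found by name, found only by enumeration, or missing, reads nscd's negative-time-to-live for the passwd table, and says whether a cached negative answer can explain the result. The function names and the probe user in the comments are my own; it assumes a glibc host with getent and treats nscd, pgrep and /etc/nscd.conf as optional. The branch for "nscd not running" matters for this thread: the transcript above shows getent passwd tony still empty after nscd was stopped, and with nscd down glibc calls the NSS modules directly, so at that point the by-name path in the backend itself, not a cached answer, was returning nothing.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): classify an NSS user lookup the way
# the enumeration-vs-by-name comparison above does, and relate the result to
# nscd's negative cache. Assumes a glibc NSS host with getent; nscd, pgrep and
# /etc/nscd.conf are optional.

# nss_lookup_state USER
#   Prints one word and sets the exit status:
#     ok             - getent passwd USER returns a record             (0)
#     enumerate-only - USER appears only when the whole map is listed  (1)
#     missing        - neither path finds USER                         (2)
nss_lookup_state() {
    by_name=$(getent passwd "$1" 2>/dev/null) || by_name=""
    listed=$(getent passwd 2>/dev/null | awk -F: -v u="$1" '$1 == u { print; exit }') || listed=""
    if [ -n "$by_name" ]; then
        echo ok
        return 0
    elif [ -n "$listed" ]; then
        echo enumerate-only
        return 1
    fi
    echo missing
    return 2
}

# nscd_negative_ttl DB [CONF]
#   Prints the negative-time-to-live configured for DB (passwd, group, ...)
#   in CONF (default /etc/nscd.conf), or "unset" when no such line exists.
nscd_negative_ttl() {
    conf=${2:-/etc/nscd.conf}
    [ -r "$conf" ] || { echo unset; return 0; }
    awk -v db="$1" '
        $1 == "negative-time-to-live" && $2 == db { print $3; found = 1 }
        END { if (!found) print "unset" }
    ' "$conf"
}

# diagnose USER
#   Human-readable verdict. enumerate-only with nscd running is the
#   negative-cache symptom: nscd keeps serving "no such user" for
#   negative-time-to-live seconds after one failed lookup, and invalidating
#   the passwd table clears it. enumerate-only with nscd stopped means the
#   NSS backend's own by-name search (base or filter) is not finding the entry.
diagnose() {
    state=$(nss_lookup_state "$1") || true
    case $state in
        ok)
            echo "$1: by-name lookup works" ;;
        enumerate-only)
            echo "$1: listed by 'getent passwd' but not returned by 'getent passwd $1'"
            if pgrep -x nscd >/dev/null 2>&1; then
                echo "  nscd is running; negative TTL for passwd = $(nscd_negative_ttl passwd)s"
                echo "  run 'nscd -i passwd' (or stop nscd) and test again"
            else
                echo "  nscd is not running: check the NSS backend (nss_base_passwd, filters), not the cache"
            fi ;;
        missing)
            echo "$1: not found by name or in enumeration" ;;
    esac
}

# Stand-alone use: sh nss_diag.sh tony
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

nscd -i passwd is nscd's own invalidate flag and flushes that table in place. The posted nscd.conf has persistent passwd yes, so a plain restart brings the on-disk cache back with its negative entries; stopping nscd, as done in the transcript, instead makes glibc bypass the daemon entirely, which is what makes it a clean test of the backend.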
On another machine, I tried this howto after purging the above packages.
http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
sudo apt-get install libnss-ldapd libpam-ldapd
Still the same outcome. I can ldapsearch, getent, etc. but id cannot show the ldap users.
here's my /etc/ldap.conf
cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=example,dc=com
uri ldap://10.112.18.2
ldap_version 3
bindpw secret
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft
pam_check_host_attr yes
pam_password md5
nss_base_passwd ou=People,dc=example,dc=com
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one
NSCD daemon is the culprit. Here's the error when I do id tony:
nscd -d
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETFDPW
Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETPWBYNAME (tony)
Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258
Here's my nscd.conf file:
cat /etc/nscd.conf | grep -v ^# | grep -v ^$
debug-level 0
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts no
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
Here's the latest as to why I cannot id my LDAP user. I set up the hostObject attribute on my LDAP server to enable host-based authentication. I then added the following in /etc/ldap.conf:
On the client side, simply modify /etc/pam_ldap.conf to include these lines:
pam_check_host_attr yes
pam_filter |(host=client_hostname)(host=*)
I've added the host attribute to all my LDAP users so they can log in to certain hosts. That's when I cannot id my LDAP users.
Somehow PAM is not allowing caching when this host-based authentication is turned on.
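An added example, not from the thread or the howto it cites, for checking directory entries against the rule above without going through the client's NSS path: it reads an LDIF export of ou=People and reports, per user, whether |(host=<this host>)(host=*) would admit them on a given host, and which entries lack the hostObject objectClass altogether and so cannot carry a host attribute at all. The function names and the sample entries (tony, alice, bob, carol) are constructed for the example; it assumes ldapsearch's unfolded LDIF lines and compares host values case-insensitively, as the host attribute's caseIgnoreMatch rule does. Because it works on an export, no bind credentials go into the script. That is worth keeping in mind with the posted /etc/ldap.conf: with nss_ldap that file has to be readable by every process that resolves a name, so a bindpw in it is effectively public on the host, and the privileged rootbinddn password belongs in the root-only /etc/ldap.secret instead.

```shell
#!/bin/sh
# Added example (not from the thread): offline audit of an ou=People export
# against the host-based rule that pam_check_host_attr enforces with
#   pam_filter |(host=<this host>)(host=*)
# Input is LDIF on stdin, e.g. from
#   ldapsearch -LLL -x -b ou=People,dc=example,dc=com '(objectClass=posixAccount)' uid objectClass host
# Assumes short, unfolded LDIF lines (no leading-space continuation lines).

# host_access_audit HOST < people.ldif
#   Prints "<uid> <verdict>" per entry:
#     allowed       - has host=HOST (case-insensitive) or host=*
#     denied        - is a hostObject but no host value matches HOST
#     no-hostObject - lacks the hostObject objectClass, so it can carry no host attribute
host_access_audit() {
    awk -v host="$1" '
        function flush() {
            if (uid == "") return
            if (!hostobj)      verdict = "no-hostObject"
            else if (allowed)  verdict = "allowed"
            else               verdict = "denied"
            print uid, verdict
            uid = ""; hostobj = 0; allowed = 0
        }
        BEGIN { host = tolower(host) }
        /^$/ { flush(); next }                                   # blank line ends an entry
        tolower($1) == "uid:" { uid = $2 }
        tolower($1) == "objectclass:" && tolower($2) == "hostobject" { hostobj = 1 }
        tolower($1) == "host:" { if (tolower($2) == host || $2 == "*") allowed = 1 }
        END { flush() }
    '
}

# Constructed sample export (not real directory data): tony may log in on
# webtest111, alice anywhere, bob only on webdev120, and carol was created
# without the hostObject class, so no host value can exist on her entry.
SAMPLE_LDIF='dn: uid=tony,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: tony
host: webtest111

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: alice
host: *

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: bob
host: webdev120

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol'

# audit_sample HOST - run the audit over the constructed sample above
audit_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | host_access_audit "$1"
}

# Stand-alone use: sh host_audit.sh webtest111 < people.ldif
#   (with no redirected stdin it audits the constructed sample instead)
if [ $# -gt 0 ]; then
    if [ -t 0 ]; then audit_sample "$1"; else host_access_audit "$1"; fi
fi
```

For the sample, host webtest111 yields tony allowed, alice allowed, bob denied, carol no-hostObject. Entries in the last category are the ones to fix on the server side before expecting the client filter to admit them.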
SOLVED: I added ldapns.schema to enable host-based authentication, and the users from before the schema upgrade caused this caching to stop. I added a new user after the schema upgrade and all is well.
openldap-technical@openldap.org