Dear list members,
I hope amateur questions can be tolerated. I would make it professional if I could. I'm a newbie to OpenLDAP and probably even Linux, but I have to take care of an office network (Linux servers with Linux and PC workstations) that features an email server, domain control, file/printer sharing, user account management, web servers and so forth, on my own without anyone's help.
Yesterday morning the power went down and so did our servers. After I turned the servers back on, the account information system was no longer working. Users weren't able to log in with their credentials anymore, even root. What I did was log in to the server (the Samba PDC, LDAP server, Kerberos server, domain controller, email server) in single-user mode, reset the root password, and add accounts for other individual users on the server. I know it was a bad idea. Although I got some things working (email, file/printer sharing), there are still other problems (PHP ldap_bind() from the web servers fails, domain user accounts and profiles fail to load correctly).
I know there is a centralized mechanism that handles user accounts with the help of OpenLDAP, Kerberos, Samba, BerkeleyDB (and possibly other things), but I don't have a clue how they work together. I had been trying to learn from docs and books for a long time before this power issue, but not very successfully.
My greatest problem is that I don't know how these things are working together on my system. I believe I also lack some fundamental system knowledge. I've been reading the docs available, but they're so abstract to me and none of them seems to match our system configuration.
I'm hoping that I can get some help from here. Maybe someone can give me some suggestions on how to troubleshoot such a scenario as a newbie, or an entry point that I can follow in order to explore the system. I believe you can tell that I'm totally confused here, without being able to give much useful information about the problem and the system. I'm sorry for my ignorance, but I really tried to deal with it myself. If this thread turns out to be annoying or ridiculous, please ignore it, and I do apologize.
However, while I'm still struggling on the problem, if anyone could help, I would really appreciate it. Thank you so much.
N.M.
Dear Nan,
I'll give it a go. My explanation will be simplified, as all of this software is of course able to do a lot; I'll try to explain each one's typical role.
OpenLDAP is a database management system. It communicates with database clients in a standard (LDAP) way, and uses a (configurable) database backend to store its data. One of the more popular database backends is Berkeley DB (BDB). It usually stores its data in files in /var/lib/ldap.
Kerberos is an authentication mechanism. It is ticket based. That means that as soon as a client authenticates with Kerberos, it receives an 'authentication ticket'. It is then able to send this ticket to one or more services (thereby using single sign-on), such as Samba.
Samba is used for file sharing, printer sharing and Windows authentication. It currently emulates a Windows NT4 domain controller. It can use an LDAP server for its user/group backend.
PAM is the Linux 'Pluggable Authentication Mechanism'. This is the authentication system of Linux, which can use plugins for retrieving user and group info. The 'standard' plugin is pam_unix, which uses the familiar /etc/passwd, /etc/group and /etc/shadow files. Another plugin is pam_ldap, which uses the LDAP configuration in /etc/ldap.conf for authentication.
Another thing that will probably be configured is nsswitch. This is the 'name service switch', which resolves user ids (0 for root, 1000 and up for other users) to user names. This is configured in /etc/nsswitch.conf. (passwd, shadow and group will most likely be configured as 'files ldap'.)
The standard base for LDAP client configuration is /etc/ldap.conf.
The most likely thing to be down, if I read your story correctly, is the LDAP DB, and deeper down, your Berkeley DB. It has been a long time since I troubleshot this. The only thing that comes to mind is trying to start slapd by hand (without the init.d script) using a '-vvv' parameter for maximum verbosity. It will then hopefully crash and tell you what is wrong in the end.
Regards, Gerben
-----Original message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On behalf of Nan Meng Sent: Tuesday, 1 March 2011 23:32 To: openldap-technical@openldap.org Subject: OpenLDAP, Kerberos, Samba, PAM, How Do They Work Together?
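The client-side entry points Gerben lists (/etc/nsswitch.conf and /etc/ldap.conf) can be read mechanically. The script below is an added example, not something from this thread: it parses both files, reports which account databases consult LDAP and where the client expects slapd, and can be pointed at copies of the files (the paths and the "key value" ldap.conf layout of pam_ldap/nss_ldap are assumptions).

```shell
#!/bin/sh
# Added helper: show how the account lookup path is wired on this host.

# Print the lookup sources for one nsswitch database, e.g. "files ldap".
nss_sources() {          # $1 = nsswitch.conf path, $2 = database (passwd/group/shadow)
    awk -v db="$2" '$1 == (db ":") {
        $1 = ""; sub(/#.*/, ""); sub(/^ +/, ""); sub(/ +$/, ""); print; exit }' "$1"
}

# Fetch one value from ldap.conf ("key value" lines, keys are case-insensitive).
ldap_conf_value() {      # $1 = ldap.conf path, $2 = key (base, uri, host, binddn)
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^ +/, ""); sub(/ +$/, ""); print; exit }' "$1"
}

# Return 0 if "ldap" is among the sources of every listed database, else 1.
ldap_in_nss() {          # $1 = nsswitch.conf path, remaining args = databases
    f=$1; shift
    for db in "$@"; do
        case " $(nss_sources "$f" "$db") " in
            *" ldap "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

report() {               # $1 = nsswitch.conf path, $2 = ldap.conf path
    for db in passwd group shadow; do
        printf '%-7s -> %s\n' "$db" "$(nss_sources "$1" "$db")"
    done
    printf 'LDAP base: %s\nLDAP uri : %s\n' \
        "$(ldap_conf_value "$2" base)" "$(ldap_conf_value "$2" uri)"
    if ldap_in_nss "$1" passwd group shadow; then
        echo "accounts come from LDAP: with slapd down only local /etc/passwd users can log in"
    else
        echo "not every database consults ldap; 'files ldap' is the usual setting"
    fi
}

# Run against the live system when executed directly without arguments.
[ $# -eq 0 ] && [ -r /etc/nsswitch.conf ] && [ -r /etc/ldap.conf ] &&
    report /etc/nsswitch.conf /etc/ldap.conf
```

Because 'files ldap' tries local files first, the accounts Nan added by hand resolve even while the LDAP-backed ones do not, which is exactly the half-working state the original post describes.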
Germ, nicely explained.
Perhaps a db_recover is needed to recover the corrupt bdb backend. You need to download the correct version of the db-utils (example: db4.4_recover, db4.6_recover). The version must match the version of bdb which is used by LDAP. Example: su -c "/usr/bin/db4.6_recover -e -h /var/lib/ldap/" openldap
On 2-3-2011 11:01, Germ van Ek wrote:
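The reply above stresses that the recovery tool must match the Berkeley DB version slapd uses. As an added example (not from this thread), the script below reads that version from the libdb slapd is linked against, picks the matching db*_recover, and runs the reply's command in a safe order: slapd stopped first, recovery as the directory owner, restart only on success. The Debian-style tool names, the /etc/init.d/slapd script, and the LDAP_DIR/LDAP_USER defaults are assumptions.

```shell
#!/bin/sh
# Added helper: version-matched Berkeley DB recovery for an OpenLDAP bdb/hdb backend.
LDAP_DIR=${LDAP_DIR:-/var/lib/ldap}     # assumed default, see reply above
LDAP_USER=${LDAP_USER:-openldap}        # assumed default, see reply above

# Extract the libdb major.minor version from ldd output: "libdb-4.6.so => ..." -> "4.6".
bdb_version_from_ldd() {   # $1 = text printed by `ldd slapd`
    printf '%s\n' "$1" | sed -n 's/.*libdb-\([0-9][0-9]*\.[0-9][0-9]*\)\.so.*/\1/p' | head -n 1
}

# Map a version to the Debian-style recover tool name (db4.6_recover, db4.4_recover, ...).
recover_tool_for() {       # $1 = version such as 4.6
    printf 'db%s_recover\n' "$1"
}

run_recovery() {
    slapd_bin=${SLAPD:-$(command -v slapd || echo /usr/sbin/slapd)}
    [ -x "$slapd_bin" ] || { echo "slapd not found; set SLAPD=/path/to/slapd"; return 1; }
    ver=$(bdb_version_from_ldd "$(ldd "$slapd_bin")")
    [ -n "$ver" ] || { echo "slapd does not link libdb dynamically; check the backend in slapd.conf"; return 1; }
    tool=$(recover_tool_for "$ver")
    command -v "$tool" >/dev/null 2>&1 ||
        { echo "install the db-utils package that provides $tool (must be version $ver)"; return 1; }
    # slapd must not hold the environment open while recovery runs.
    /etc/init.d/slapd stop || return 1
    # -e retains the environment after recovery (as in the reply's command); -h is the DB home.
    # Running as the owner keeps file ownership in $LDAP_DIR intact for slapd.
    if su -c "$tool -e -h $LDAP_DIR" "$LDAP_USER"; then
        /etc/init.d/slapd start
    else
        echo "$tool failed; keep slapd stopped and inspect $LDAP_DIR before retrying"; return 1
    fi
}

# Only act when explicitly asked, so the file can be sourced for its functions.
[ "${1:-}" = run ] && run_recovery
```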