Actually I misspoke earlier. I meant run the command 'setup' from the terminal and select authentication. From there you should see "User Information" and "Authentication" columns. Just check LDAP in "User Information" and you should see getent populate the passwords. That normally does the trick... pretty simple, but if that doesn't work I'd check your /etc/ldap.conf is set up correctly (I mostly have to just add the host information and base dn). Otherwise your LDAP server doesn't have the attributes it's expecting from its queries to generate user account information.
On 03/24/2010 08:09 AM, Lynn York wrote:
Here is my /etc/pam.d/system-auth file
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Also, when I ran authconfig, that didn't help. The server still queries the ldap server, but the users don't actually show when I run getent passwd... Could it be something with the rwm mappings?
From: Tyler Gates [mailto:tgates81@gmail.com]
Sent: Tuesday, March 23, 2010 8:26 PM
To: Lynn York
Subject: Re: Problem with getent passwd
Sounds like it's a problem with your client side pam_ldap authentication. There's a whole bunch of steps to get that working, just google it. If you have a redhat variant authconfig or setup will step you through it. It would help if you could post your system-auth file.
On Mar 23, 2010, at 11:40 AM, Lynn York lynn.york@mavenwire.com wrote:
Hello,
When I issue "getent passwd" I can see it query the ldap server for all the information and the server is returning the correct information. However, "getent passwd" doesn't actually show the users that are in ldap. I am not sure where my problem might be. Can anyone offer any suggestions on where to look?
Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
MavenWire - We DELIVER
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
I attempted to use "setup" to set up ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server, I can see the queries in the ldap logs. I have added copies of my configs with hopes someone can help me more :)
/etc/ldap.conf
----------------
base cn=users,dc=ldaptest,dc=com
uri ldap://ldaphost/
binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password ad
# nss_ldap configurations
nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_attribute user SAMACCOUNTNAME
sasl_secprops maxssf=0
#tls_cacertdir /etc/openldap/cacerts
Slapd.conf
----------------
######################################################
# database definitions
######################################################
database ldap
suffix "cn=users,dc=ldaptest,dc=com"
uri "ldap://ads.ldaptest.com"
overlay rwm
rebind-as-user
chase-referrals no
acl-bind bindmethod=simple binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com" credentials=password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
#index objectClass eq
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
Any help is greatly appreciated...
-----Original Message-----
From: Tyler Gates [mailto:tgates81@gmail.com]
Sent: Wednesday, March 24, 2010 9:31 PM
To: Lynn York; openldap-technical@openldap.org
Subject: Re: Problem with getent passwd
Actually I misspoke earlier. I meant run the command 'setup' from the terminal and select authentication. From there you should see "User Information" and "Authentication" columns. Just check LDAP in "User Information" and you should see getent populate the passwords. That normally does the trick... pretty simple, but if that doesn't work I'd check your /etc/ldap.conf is set up correctly (I mostly have to just add the host information and base dn). Otherwise your LDAP server doesn't have the attributes it's expecting from its queries to generate user account information.
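As an added example (not code from the thread, from OpenLDAP or from nss_ldap), the Python below simulates how the rwm-map lines in the slapd.conf posted above rewrite an Active Directory entry on its way to the client, then checks the proxied entry against the attributes nss_ldap's passwd map must find before "getent passwd" prints a line for it. The AD entry values are constructed; the second map is an assumed variant with the last two pairs written local-name-first, which is the order slapo-rwm(5) defines for rwm-map, and the REQUIRED/OPTIONAL split reflects nss_ldap's passwd parser, which skips an entry lacking uid, uidNumber or gidNumber but fills in defaults for the rest.

```python
# Added example: predict what the slapd rwm proxy hands to nss_ldap for an AD
# user and check it against what the passwd map needs.  Map lines are copied
# from the thread; the entry and the "local-first" variant are constructed.

# Per slapo-rwm(5) the syntax is "rwm-map {attribute|objectclass} <local> <foreign>":
# the first name is what clients of the proxy see, the second is what the
# remote (AD) server actually stores.
RWM_MAP_THREAD = """
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
"""

# Assumed variant: the last two pairs written local-name-first.  Used only to
# show how the proxied entry changes; it is not a line from the thread.
RWM_MAP_LOCAL_FIRST = RWM_MAP_THREAD.replace(
    "rwm-map attribute unixHomeDirectory homeDirectory",
    "rwm-map attribute homeDirectory unixHomeDirectory",
).replace(
    "rwm-map attribute unixUserPassword UserPassword",
    "rwm-map attribute userPassword unixUserPassword",
)

# Constructed AD user carrying the RFC 2307 attributes AD keeps for Unix clients.
AD_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["exampleuser"],
    "cn": ["Example User"],
    "uidNumber": ["10001"],
    "gidNumber": ["10000"],
    "unixHomeDirectory": ["/home/exampleuser"],
    "loginShell": ["/bin/bash"],
}

# nss_ldap's passwd parser gives up on an entry (getent prints nothing for it)
# when uid, uidNumber or gidNumber is missing; the other fields get defaults.
REQUIRED = ("uid", "uidNumber", "gidNumber")
OPTIONAL = ("homeDirectory", "loginShell", "gecos", "userPassword")


def parse_rwm_map(conf):
    """Return (attr_map, oc_map), each keyed by lower-cased foreign name."""
    attr_map, oc_map = {}, {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "rwm-map":
            continue
        kind, local, foreign = parts[1].lower(), parts[2], parts[3]
        (attr_map if kind == "attribute" else oc_map)[foreign.lower()] = local
    return attr_map, oc_map


def proxy_view(entry, attr_map, oc_map):
    """Rewrite a foreign (AD) entry into what the overlay shows local clients.

    Attribute names and objectClass values without a mapping pass through
    unchanged, so a pair written in the wrong direction silently leaves the
    AD name in place instead of producing the name the client asked for.
    """
    view = {}
    for name, values in entry.items():
        if name.lower() == "objectclass":
            values = [oc_map.get(v.lower(), v) for v in values]
        local = attr_map.get(name.lower(), name)
        view.setdefault(local, []).extend(values)
    return view


def check_passwd_entry(view):
    """Return (usable, missing_required, missing_optional) for a proxied entry."""
    lower = {k.lower(): v for k, v in view.items()}
    classes = {v.lower() for v in lower.get("objectclass", [])}
    missing_required = [a for a in REQUIRED if a.lower() not in lower]
    # nss_ldap's default passwd filter is (objectClass=posixAccount); an entry
    # that does not carry that class never reaches the passwd parser at all.
    if "posixaccount" not in classes:
        missing_required.append("objectClass=posixAccount")
    missing_optional = [a for a in OPTIONAL if a.lower() not in lower]
    return (not missing_required, missing_required, missing_optional)


def report(conf, entry):
    """Run one AD entry through one rwm-map and return (view, check result)."""
    view = proxy_view(entry, *parse_rwm_map(conf))
    return view, check_passwd_entry(view)


if __name__ == "__main__":
    for label, conf in (("map as posted", RWM_MAP_THREAD),
                        ("local-name-first variant", RWM_MAP_LOCAL_FIRST)):
        view, (usable, req, opt) = report(conf, AD_USER)
        print(f"{label}: client sees {sorted(view)}")
        print(f"  usable by nss_ldap passwd map: {usable}; "
              f"missing required {req}; missing optional {opt}")
```

The same check can be run on real output by feeding it entries from an ldapsearch against the proxy with the client's base and (objectClass=posixAccount) filter, which separates "slapd sent the entry" from "nss_ldap could use it".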
Hi, could you please also provide the appropriate log entries that show the query to the slapd from the client?
thanks
On Thu, Mar 25, 2010 at 13:52, Lynn York lynn.york@mavenwire.com wrote:
I attempted to use "setup" to set up ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server, I can see the queries in the ldap logs. I have added copies of my configs with hopes someone can help me more :)
Below is part of the log from slapd...
Mar 25 13:25:16 hltraindb01 slapd[28836]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr entry
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr objectClass
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (objectClass)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uid
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uid)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr gidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (gidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr loginShell
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (loginShell)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: conn=3 op=1 p=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: err=0 matched="" text=""
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]: 14r
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: read active on 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14): got connid=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): checking for input on id=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: ber_get_next on fd 14 failed errno=0 (Success)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): input error=-2 id=3, closing.
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_closing: readying conn=3 sd=14 for close
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_close: conn=3 sd=-1
Mar 25 13:25:16 hltraindb01 slapd[28836]: =>ldap_back_conn_destroy: fetching conn 3
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: removing 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 fd=14 closed (connection lost)
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
From: Benjamin Griese [mailto:der.darude@gmail.com]
Sent: Thursday, March 25, 2010 11:56 AM
To: Lynn York
Cc: Tyler Gates; openldap-technical@openldap.org
Subject: Re: Problem with getent passwd
Hi, could you please also provide the appropriate log entries that show the query to the slapd from the client?
thanks
On Thu, Mar 25, 2010 at 13:52, Lynn York lynn.york@mavenwire.com wrote:
I attempted to use "setup" to setup ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server, I can see the queries in the ldap logs. I have added copies of my configs with hopes someone can help me more :)
/etc/ldap.conf ---------------- base cn=users,dc=ldaptest,dc=com uri ldap://ldaphost/ binddn cn=mwldap,cn=users,dc=ldaptest,dc=com bindpw password scope sub timelimit 120 bind_policy soft bind_timelimit 120 idle_timelimit 3600 ssl no pam_password ad # nss_ldap configurations nss_base_passwd cn=users,dc=ldaptest,dc=com?sub nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*) nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*) nss_map_attribute user SAMACCOUNTNAME sasl_secprops maxssf=0 #tls_cacertdir /etc/openldap/cacerts
Slapd.conf ---------------- ###################################################### # database definitions ###################################################### database ldap suffix "cn=users,dc=ldaptest,dc=com" uri "ldap://ads.ldaptest.com" overlay rwm rebind-as-user chase-referrals no
acl-bind bindmethod=simple binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com" credentials=password
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap
# Indices to maintain for this database #index objectClass eq #index ou,cn,mail,surname,givenname eq,pres,sub #index uidNumber,gidNumber,loginShell eq,pres #index uid,memberUid eq,pres,sub #index nisMapName,nisMapEntry eq,pres,sub
rwm-map objectclass posixAccount organizationalPerson rwm-map attribute uid sAMAccountname rwm-map attribute uidNumber uidNumber rwm-map attribute gidNumber gidNumber rwm-map attribute givenName cn rwm-map attribute unixHomeDirectory homeDirectory rwm-map attribute unixUserPassword UserPassword
Any help is greatly appreciated...
On Mar 23, 2010, at 11:40 AM, Lynn York lynn.york@mavenwire.com wrote:
Hello,
When I issue "getent passwd" I can see it query the ldap server for all the information and the server is returning the correct information. However, "getent passwd" doesn't actually show the users that are in ldap. I am not sure where my problem might be. Can anyone offer any suggestions on where to look?
Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
MavenWire - We DELIVER
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
Looks like you are only logging conn and acl. Try config and stats for more useful information about what exactly is being queried and returned.
On 03/25/2010 01:29 PM, Lynn York wrote:
Below is part of the log from slapd….
Mar 25 13:25:16 hltraindb01 slapd[28836]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr entry
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr objectClass
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (objectClass)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uid
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uid)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr gidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (gidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr loginShell
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (loginShell)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: conn=3 op=1 p=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: err=0 matched="" text=""
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]: 14r
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: read active on 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14): got connid=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): checking for input on id=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: ber_get_next on fd 14 failed errno=0 (Success)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): input error=-2 id=3, closing.
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_closing: readying conn=3 sd=14 for close
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_close: conn=3 sd=-1
Mar 25 13:25:16 hltraindb01 slapd[28836]: =>ldap_back_conn_destroy: fetching conn 3
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: removing 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 fd=14 closed (connection lost)
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
*From:* Benjamin Griese [mailto:der.darude@gmail.com] *Sent:* Thursday, March 25, 2010 11:56 AM *To:* Lynn York *Cc:* Tyler Gates; openldap-technical@openldap.org *Subject:* Re: Problem with getent passwd
Hi, could you please also provide the appropriate log entries that show the query to the slapd from the client?
thanks
On Thu, Mar 25, 2010 at 13:52, Lynn York lynn.york@mavenwire.com wrote:
I attempted to use "setup" to set up ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server; I can see the queries in the ldap logs. I have added copies of my configs with hopes someone can help me more :)
/etc/ldap.conf
base cn=users,dc=ldaptest,dc=com
uri ldap://ldaphost/
binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password ad
# nss_ldap configurations
nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_attribute user SAMACCOUNTNAME
sasl_secprops maxssf=0
#tls_cacertdir /etc/openldap/cacerts
I changed my logging to "-1", below is a log from running "id lynntest"
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on 1 descriptor
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on:
Mar 26 11:10:41 hltraindb01 slapd[16115]:
Mar 26 11:10:41 hltraindb01 slapd[16115]: >>> slap_listener(ldap:///)
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: listen=8, new connection on 14
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: added 14r (active) listener=(nil)
Mar 26 11:10:41 hltraindb01 slapd[16115]: conn=2 fd=14 ACCEPT from IP=10.203.2.50:13493 (IP=0.0.0.0:389)
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on 1 descriptor
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on:
Mar 26 11:10:41 hltraindb01 slapd[16115]: 14r
Mar 26 11:10:41 hltraindb01 slapd[16115]:
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: read active on 14
Mar 26 11:10:41 hltraindb01 slapd[16115]: connection_get(14)
Mar 26 11:10:41 hltraindb01 slapd[16115]: connection_get(14): got connid=2
Mar 26 11:10:41 hltraindb01 slapd[16115]: connection_read(14): checking for input on id=2
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 26 11:10:41 hltraindb01 slapd[16115]: do_bind
Mar 26 11:10:41 hltraindb01 slapd[16115]: >>> dnPrettyNormal: <cn=mwldap,cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:41 hltraindb01 slapd[16115]: <<< dnPrettyNormal: <cn=mwldap,cn=users,dc=ldaptest,dc=com>, <cn=mwldap,cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:41 hltraindb01 slapd[16115]: do_bind: version=3 dn="cn=mwldap,cn=users,dc=ldaptest,dc=com" method=128
Mar 26 11:10:41 hltraindb01 slapd[16115]: conn=2 op=0 BIND dn="cn=mwldap,cn=users,dc=ldaptest,dc=com" method=128
Mar 26 11:10:41 hltraindb01 slapd[16115]: [rw] bindDN: "cn=mwldap,cn=users,dc=ldaptest,dc=com" -> "cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=0 BIND dn="cn=mwldap,cn=users,dc=ldaptest,dc=com" mech=SIMPLE ssf=0
Mar 26 11:10:44 hltraindb01 slapd[16115]: do_bind: v3 bind: "cn=mwldap,cn=users,dc=ldaptest,dc=com" to "cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: conn=2 op=0 p=3
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: err=0 matched="" text=""
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_response: msgid=1 tag=97 err=0
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=0 RESULT tag=97 err=0 text=
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: activity on 1 descriptor
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: activity on:
Mar 26 11:10:44 hltraindb01 slapd[16115]: 14r
Mar 26 11:10:44 hltraindb01 slapd[16115]:
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: read active on 14
Mar 26 11:10:44 hltraindb01 slapd[16115]: connection_get(14)
Mar 26 11:10:44 hltraindb01 slapd[16115]: connection_get(14): got connid=2
Mar 26 11:10:44 hltraindb01 slapd[16115]: connection_read(14): checking for input on id=2
Mar 26 11:10:44 hltraindb01 slapd[16115]: do_search
Mar 26 11:10:44 hltraindb01 slapd[16115]: >>> dnPrettyNormal: <cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: <<< dnPrettyNormal: <cn=users,dc=ldaptest,dc=com>, <cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 26 11:10:44 hltraindb01 slapd[16115]: SRCH "cn=users,dc=ldaptest,dc=com" 2 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: 1 120 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: AND
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: filter: (&(objectClass=posixAccount)(uid=lynntest))
Mar 26 11:10:44 hltraindb01 slapd[16115]: attrs:
Mar 26 11:10:44 hltraindb01 slapd[16115]: uid
Mar 26 11:10:44 hltraindb01 slapd[16115]: userPassword
Mar 26 11:10:44 hltraindb01 slapd[16115]: uidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: gidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: cn
Mar 26 11:10:44 hltraindb01 slapd[16115]: homeDirectory
Mar 26 11:10:44 hltraindb01 slapd[16115]: loginShell
Mar 26 11:10:44 hltraindb01 slapd[16115]: gecos
Mar 26 11:10:44 hltraindb01 slapd[16115]: description
Mar 26 11:10:44 hltraindb01 slapd[16115]: objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]:
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH base="cn=users,dc=ldaptest,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: ==> limits_get: conn=2 op=1 dn="cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: [rw] searchDN: "cn=users,dc=ldaptest,dc=com" -> "cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: str2filter "(&(objectClass=organizationalPerson)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: AND
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: => send_search_entry: conn 2 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr entry
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (objectClass)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr uidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (uidNumber)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr gidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (gidNumber)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "homeDirectory" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr homeDirectory
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (homeDirectory)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "homeDirectory" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr loginShell
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (loginShell)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 ENTRY dn="cn=lynn testing,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= send_search_entry: conn 2 exit.
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: conn=2 op=1 p=3
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: err=0 matched="" text=""
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_response: msgid=2 tag=101 err=0
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
One thing I noticed is below; maybe this is my problem? The filters are different?
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH base="cn=users,dc=ldaptest,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: ==> limits_get: conn=2 op=1 dn="cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: [rw] searchDN: "cn=users,dc=ldaptest,dc=com" -> "cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: str2filter "(&(objectClass=organizationalPerson)(uid=lynntest))"
-----Original Message----- From: Tyler Gates [mailto:tgates81@gmail.com] Sent: Thursday, March 25, 2010 5:52 PM To: Lynn York Cc: Benjamin Griese; openldap-technical@openldap.org Subject: Re: Problem with getent passwd
Looks like you are only logging conn and acl. Try config and stats for more useful information about what exactly is being queried and returned.
On 03/25/2010 01:29 PM, Lynn York wrote:
Below is part of the log from slapd.
Mar 25 13:25:16 hltraindb01 slapd[28836]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr entry
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr objectClass
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (objectClass)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uid
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uid)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr gidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (gidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr loginShell
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (loginShell)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: conn=3 op=1 p=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: err=0 matched="" text=""
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]: 14r
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: read active on 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14): got connid=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): checking for input on id=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: ber_get_next on fd 14 failed errno=0 (Success)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): input error=-2 id=3, closing.
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_closing: readying conn=3 sd=14 for close
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_close: conn=3 sd=-1
Mar 25 13:25:16 hltraindb01 slapd[28836]: =>ldap_back_conn_destroy: fetching conn 3
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: removing 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 fd=14 closed (connection lost)
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
*From:* Benjamin Griese [mailto:der.darude@gmail.com] *Sent:* Thursday, March 25, 2010 11:56 AM *To:* Lynn York *Cc:* Tyler Gates; openldap-technical@openldap.org *Subject:* Re: Problem with getent passwd
Hi, could you please also provide the appropriate log entries that show the query to the slapd from the client?
thanks
On Thu, Mar 25, 2010 at 13:52, Lynn York lynn.york@mavenwire.com wrote:
I attempted to use "setup" to set up ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server; I can see the queries in the ldap logs. I have added copies of my configs with hopes someone can help me more :)
/etc/ldap.conf
base cn=users,dc=ldaptest,dc=com
uri ldap://ldaphost/
binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password ad
# nss_ldap configurations
nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_attribute user SAMACCOUNTNAME
sasl_secprops maxssf=0
#tls_cacertdir /etc/openldap/cacerts
Slapd.conf
######################################################
# database definitions
######################################################
database ldap
suffix "cn=users,dc=ldaptest,dc=com"
uri "ldap://ads.ldaptest.com"
overlay rwm
rebind-as-user
chase-referrals no
acl-bind bindmethod=simple binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com" credentials=password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
#index objectClass eq
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
Any help is greatly appreciated...
-----Original Message----- From: Tyler Gates [mailto:tgates81@gmail.com]
Sent: Wednesday, March 24, 2010 9:31 PM To: Lynn York; openldap-technical@openldap.org Subject: Re: Problem with getent passwd
Actually I misspoke earlier -I meant run the command 'setup' from the terminal and select authentication. From there you should see "User Information" and "Authentication" columns. Just check LDAP in "User Information" and you should see getent populate the passwords. That normally does the trick.. pretty simple but if that doesn't work I'd check your /etc/ldap.conf is setup correctly (I mostly have to just add the host information and base dn). Other wise your LDAP server doesn't have the attributes its' expecting from its queries to generate user account information.
On 03/24/2010 08:09 AM, Lynn York wrote:
Here is my /etc/pam.d/system-auth file
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Also, when I ran authconfig, that didn't help. The server still queries the ldap server, but the users don't actually show when I run getent passwd... could it be something with the rwm mappings?
*From:* Tyler Gates [mailto:tgates81@gmail.com] *Sent:* Tuesday, March 23, 2010 8:26 PM *To:* Lynn York *Subject:* Re: Problem with getent passwd
Sounds like it's a problem with your client side pam_ldap authentication. There's a whole bunch of steps to get that working, just google it. If you have a redhat variant authconfig or setup will step you through it. It would help if you could post your system_auth file.
On Mar 23, 2010, at 11:40 AM, Lynn York lynn.york@mavenwire.com wrote:
Hello,
When I issue "getent passwd" I can see it query the ldap server for all the information and the server is returning the correct information. However, "getent passwd" doesn't actually show the users that are in ldap. I am not sure where my problem might be. Can anyone offer any suggestions on where to look?
Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
MavenWire - We DELIVER
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
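The filter mismatch pointed out in the thread (the client sends (&(objectClass=posixAccount)(uid=lynntest)) and str2filter shows (&(objectClass=organizationalPerson)(uid=lynntest)) going out) is easy to miss inside a -d -1 log. The script below is an added example, not code from the thread or from OpenLDAP: it pulls the SRCH/attr/str2filter/SEARCH RESULT lines out of slapd log text, applies the posted rwm-map block the way its syntax reads, and prints the forwarded filter next to the one the map would have produced. It reads each rwm-map line as local name followed by foreign name (local being what the client uses, foreign what the remote server has), which is the order slapo-rwm(5) documents and which agrees with the objectClass rewrite visible in the log; that reading, and the sample log and config embedded below, are assumptions constructed from the postings above, not a live capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the slapd lines quoted in the thread.
SAMPLE_LOG = """\
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH base="cn=users,dc=ldaptest,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: str2filter "(&(objectClass=organizationalPerson)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Constructed sample: the rwm-map block as posted in the thread's slapd.conf.
RWM_CONF = """\
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
ATTRS_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')
STR2FILTER_RE = re.compile(r'str2filter "([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
ASSERTION_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)\)')  # one (attr=value)


def parse_rwm_map(conf: str) -> Dict[str, Dict[str, str]]:
    """rwm-map lines -> {'attribute': {local: foreign}, 'objectclass': {...}}.
    Assumes the <local> <foreign> argument order of slapo-rwm(5). Keys are
    lower-cased because LDAP names are case-insensitive."""
    maps: Dict[str, Dict[str, str]] = {"attribute": {}, "objectclass": {}}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "rwm-map" and parts[1] in maps:
            maps[parts[1]][parts[2].lower()] = parts[3]
    return maps


def parse_search_log(text: str) -> List[dict]:
    """Per (conn, op): client filter and attrs, the str2filter line slapd logs
    after the overlay rewrote the filter, and the entry count."""
    ops: Dict[Tuple[int, int], dict] = {}
    order: List[Tuple[int, int]] = []
    last = None
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            ops[key] = {"conn": key[0], "op": key[1], "client_filter": m.group(4),
                        "client_attrs": [], "forwarded_filter": None, "nentries": None}
            order.append(key)
            last = key
            continue
        m = ATTRS_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in ops:
            ops[(int(m.group(1)), int(m.group(2)))]["client_attrs"] = m.group(3).split()
            continue
        m = STR2FILTER_RE.search(line)
        if m and last is not None:
            ops[last]["forwarded_filter"] = m.group(1)  # str2filter carries no conn/op
            continue
        m = RESULT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in ops:
            ops[(int(m.group(1)), int(m.group(2)))]["nentries"] = int(m.group(3))
    return [ops[k] for k in order]


def expected_forward(filt: str, attrs: List[str], maps: Dict[str, Dict[str, str]]) -> Tuple[str, List[str]]:
    """What the remote server would be asked for if every map entry applied:
    attribute names renamed in filter and attr list, objectClass values renamed."""
    def foreign(name: str) -> str:
        return maps["attribute"].get(name.lower(), name)

    def rewrite(m) -> str:
        name, value = m.group(1), m.group(2)
        if name.lower() == "objectclass":
            value = maps["objectclass"].get(value.lower(), value)
        return "(%s=%s)" % (foreign(name), value)

    return ASSERTION_RE.sub(rewrite, filt), [foreign(a) for a in attrs]


def unmapped_attrs(attrs: List[str], maps: Dict[str, Dict[str, str]]) -> List[str]:
    """Requested attributes with no entry on the local side of the map; they
    reach the remote server under their posixAccount names unchanged."""
    return [a for a in attrs if a.lower() != "objectclass" and a.lower() not in maps["attribute"]]


def report(log_text: str, conf: str) -> List[dict]:
    """Observed vs. map-predicted forwarded filter, plus uncovered attrs, per op."""
    maps = parse_rwm_map(conf)
    rows = []
    for op in parse_search_log(log_text):
        exp_filter, _ = expected_forward(op["client_filter"], op["client_attrs"], maps)
        rows.append({"conn": op["conn"], "op": op["op"],
                     "client_filter": op["client_filter"],
                     "forwarded_filter": op["forwarded_filter"],
                     "expected_filter": exp_filter,
                     "filter_matches_map": op["forwarded_filter"] == exp_filter,
                     "unmapped_attrs": unmapped_attrs(op["client_attrs"], maps),
                     "nentries": op["nentries"]})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, RWM_CONF):
        for key, value in row.items():
            print("%-20s %s" % (key, value))
```

Run against the sample it reports that only the objectClass half of the filter came out as the map predicts (uid stayed uid rather than becoming sAMAccountname), and that six of the ten attributes nss_ldap asked for (userPassword, cn, homeDirectory, loginShell, gecos, description) have no local-side map entry, so whatever the remote holds under unixHomeDirectory or similar names is never requested by the name the client expects. The proxy log cannot show which of those attributes the AD entry actually carries; an ldapsearch straight against the remote server with the same bind DN, asking for those names, is the check that closes the gap.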
I'm thinking your rwm-map attributes are possibly messing this up. You have:
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
So, for example, your sAMAccountname is really pointing at uid? Or vice versa? I'm really not that familiar with those mappings but I suspect it has something to do with your problems. I'm thinking maybe your syntax for it isn't right or you don't have all your attributes mapped that it is looking for:
posixAccount uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
Could you provide us an ldif on the offending query?
On 03/26/2010 11:25 AM, Lynn York wrote:
I changed my logging to "-1", below is a log from running "id lynntest"
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on 1 descriptor
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on:
Mar 26 11:10:41 hltraindb01 slapd[16115]:
Mar 26 11:10:41 hltraindb01 slapd[16115]: >>> slap_listener(ldap:///)
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: listen=8, new connection on 14
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: added 14r (active) listener=(nil)
Mar 26 11:10:41 hltraindb01 slapd[16115]: conn=2 fd=14 ACCEPT from IP=10.203.2.50:13493 (IP=0.0.0.0:389)
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on 1 descriptor
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: activity on:
Mar 26 11:10:41 hltraindb01 slapd[16115]: 14r
Mar 26 11:10:41 hltraindb01 slapd[16115]:
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: read active on 14
Mar 26 11:10:41 hltraindb01 slapd[16115]: connection_get(14)
Mar 26 11:10:41 hltraindb01 slapd[16115]: connection_get(14): got connid=2
Mar 26 11:10:41 hltraindb01 slapd[16115]: connection_read(14): checking for input on id=2
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 26 11:10:41 hltraindb01 slapd[16115]: do_bind
Mar 26 11:10:41 hltraindb01 slapd[16115]: >>> dnPrettyNormal: <cn=mwldap,cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:41 hltraindb01 slapd[16115]: <<< dnPrettyNormal: <cn=mwldap,cn=users,dc=ldaptest,dc=com>, <cn=mwldap,cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:41 hltraindb01 slapd[16115]: do_bind: version=3 dn="cn=mwldap,cn=users,dc=ldaptest,dc=com" method=128
Mar 26 11:10:41 hltraindb01 slapd[16115]: conn=2 op=0 BIND dn="cn=mwldap,cn=users,dc=ldaptest,dc=com" method=128
Mar 26 11:10:41 hltraindb01 slapd[16115]: [rw] bindDN: "cn=mwldap,cn=users,dc=ldaptest,dc=com" -> "cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:41 hltraindb01 slapd[16115]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=0 BIND dn="cn=mwldap,cn=users,dc=ldaptest,dc=com" mech=SIMPLE ssf=0
Mar 26 11:10:44 hltraindb01 slapd[16115]: do_bind: v3 bind: "cn=mwldap,cn=users,dc=ldaptest,dc=com" to "cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: conn=2 op=0 p=3
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: err=0 matched="" text=""
Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_response: msgid=1 tag=97 err=0
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=0 RESULT tag=97 err=0 text=
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: activity on 1 descriptor
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: activity on:
Mar 26 11:10:44 hltraindb01 slapd[16115]: 14r
Mar 26 11:10:44 hltraindb01 slapd[16115]:
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: read active on 14
Mar 26 11:10:44 hltraindb01 slapd[16115]: connection_get(14)
Mar 26 11:10:44 hltraindb01 slapd[16115]: connection_get(14): got connid=2
Mar 26 11:10:44 hltraindb01 slapd[16115]: connection_read(14): checking for input on id=2
Mar 26 11:10:44 hltraindb01 slapd[16115]: do_search
Mar 26 11:10:44 hltraindb01 slapd[16115]: >>> dnPrettyNormal: <cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: <<< dnPrettyNormal: <cn=users,dc=ldaptest,dc=com>, <cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 26 11:10:44 hltraindb01 slapd[16115]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 26 11:10:44 hltraindb01 slapd[16115]: SRCH "cn=users,dc=ldaptest,dc=com" 2 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: 1 120 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: AND
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: filter: (&(objectClass=posixAccount)(uid=lynntest))
Mar 26 11:10:44 hltraindb01 slapd[16115]: attrs:
Mar 26 11:10:44 hltraindb01 slapd[16115]: uid
Mar 26 11:10:44 hltraindb01 slapd[16115]: userPassword
Mar 26 11:10:44 hltraindb01 slapd[16115]: uidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: gidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: cn
Mar 26 11:10:44 hltraindb01 slapd[16115]: homeDirectory
Mar 26 11:10:44 hltraindb01 slapd[16115]: loginShell
Mar 26 11:10:44 hltraindb01 slapd[16115]: gecos
Mar 26 11:10:44 hltraindb01 slapd[16115]: description
Mar 26 11:10:44 hltraindb01 slapd[16115]: objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]:
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH base="cn=users,dc=ldaptest,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: ==> limits_get: conn=2 op=1 dn="cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: [rw] searchDN: "cn=users,dc=ldaptest,dc=com" -> "cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: str2filter "(&(objectClass=organizationalPerson)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: AND
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: begin get_filter
Mar 26 11:10:44 hltraindb01 slapd[16115]: EQUALITY
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter_list
Mar 26 11:10:44 hltraindb01 slapd[16115]: end get_filter 0
Mar 26 11:10:44 hltraindb01 slapd[16115]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 26 11:10:44 hltraindb01 slapd[16115]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: => send_search_entry: conn 2 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr entry
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (objectClass)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr uidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (uidNumber)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr gidNumber
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (gidNumber)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "homeDirectory" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr homeDirectory
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (homeDirectory)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "homeDirectory" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => dn: [1] dc=ldaptest,dc=com
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] matched
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_get: [1] attr loginShell
Mar 26 11:10:44 hltraindb01 slapd[16115]: access_allowed: no res from state (loginShell)
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 26 11:10:44 hltraindb01 slapd[16115]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0) Mar 26 11:10:44 hltraindb01 slapd[16115]: <= check a_dn_pat: users Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] applying read(=rscxd) (stop) Mar 26 11:10:44 hltraindb01 slapd[16115]: <= acl_mask: [1] mask: read(=rscxd) Mar 26 11:10:44 hltraindb01 slapd[16115]: => access_allowed: read access granted by read(=rscxd) Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 ENTRY dn="cn=lynn testing,cn=users,dc=ldaptest,dc=com" Mar 26 11:10:44 hltraindb01 slapd[16115]: <= send_search_entry: conn 2 exit. Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: conn=2 op=1 p=3 Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_result: err=0 matched="" text="" Mar 26 11:10:44 hltraindb01 slapd[16115]: send_ldap_response: msgid=2 tag=101 err=0 Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
One thing I noticed... is below, maybe this is my problem? The filters are different?
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH base="cn=users,dc=ldaptest,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynntest))"
Mar 26 11:10:44 hltraindb01 slapd[16115]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 26 11:10:44 hltraindb01 slapd[16115]: ==> limits_get: conn=2 op=1 dn="cn=mwldap,cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: [rw] searchDN: "cn=users,dc=ldaptest,dc=com" -> "cn=users,dc=ldaptest,dc=com"
Mar 26 11:10:44 hltraindb01 slapd[16115]: str2filter "(&(objectClass=organizationalPerson)(uid=lynntest))"
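As an added example (not from the thread or from OpenLDAP), here is a small Python script that condenses a slapd trace of the kind pasted above: it splits syslog records that have been run together on one line, pairs the client's filter from the SRCH line with the one slapo-rwm handed upstream (the str2filter line), and lists which of the attributes nss_ldap asked for never appeared in the entry slapd sent back. The sample trace inside it is constructed in the shape of the Mar 25 log, and PASSWD_ATTRS is an assumption about what nss_ldap needs to build a passwd line, not something the thread states.

```python
import re

# Attributes nss_ldap needs to build a passwd(5) line from a posixAccount entry
# (assumption for this example, not something the thread states).
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Pasted traces often carry several syslog records per physical line, so records
# are delimited by the "Mar 26 11:10:44 host slapd[pid]: " prefix, not newlines.
_PREFIX = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ slapd\[\d+\]: "
_RECORD = re.compile(_PREFIX + r"(.*?)(?=" + _PREFIX + r"|\Z)", re.S)
_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
_ATTRS = re.compile(r"conn=\d+ op=\d+ SRCH attr=(.*)")
_REWRITE = re.compile(r'str2filter "([^"]*)"')
# slapd runs one "read access" check per attribute present in the entry it is
# about to send; the "search access" checks belong to filter evaluation.
_ACCESS = re.compile(r'=> access_allowed: read access to "([^"]*)" "([^"]*)" requested')
_RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)")
_TERM = re.compile(r"\(([A-Za-z][\w;-]*[=~<>]+[^()]*)\)")  # attr=value filter terms

def split_messages(text):
    """Message body of every slapd syslog record in the paste, in order."""
    return [m.strip() for m in _RECORD.findall(text)]

def parse_trace(text):
    """Collect the client search, the filter rwm handed upstream, the attributes
    checked on each returned entry, and the result line."""
    trace = {"searches": [], "rewritten": [], "entries": {}, "results": []}
    for msg in split_messages(text):
        if m := _SRCH.search(msg):
            trace["searches"].append({"conn": int(m.group(1)), "op": int(m.group(2)),
                                      "base": m.group(3), "filter": m.group(4), "attrs": []})
        elif (m := _ATTRS.search(msg)) and trace["searches"]:
            trace["searches"][-1]["attrs"] = m.group(1).split()
        elif m := _REWRITE.search(msg):
            trace["rewritten"].append(m.group(1))
        elif m := _ACCESS.search(msg):
            if m.group(2) != "entry":  # "entry" is the pseudo-attribute for the entry itself
                trace["entries"].setdefault(m.group(1), set()).add(m.group(2))
        elif m := _RESULT.search(msg):
            trace["results"].append({"conn": int(m.group(1)), "op": int(m.group(2)),
                                     "err": int(m.group(3)), "nentries": int(m.group(4))})
    return trace

def diagnose(text, needed=PASSWD_ATTRS):
    """Filter terms rwm left untouched, and needed attributes that never appeared
    in an entry slapd sent back (nss_ldap cannot build a passwd line without them)."""
    trace = parse_trace(text)
    filt = trace["searches"][-1]["filter"] if trace["searches"] else None
    rewritten = trace["rewritten"][-1] if trace["rewritten"] else None
    unchanged = []
    if filt and rewritten:
        after = set(_TERM.findall(rewritten))
        unchanged = [t for t in _TERM.findall(filt) if t in after]
    missing = {}
    for dn, present in trace["entries"].items():
        have = {a.lower() for a in present}
        missing[dn] = [a for a in needed if a.lower() not in have]
    return {"filter": filt, "rewritten_filter": rewritten, "unchanged_terms": unchanged,
            "missing_by_entry": missing,
            "nentries": trace["results"][-1]["nentries"] if trace["results"] else None}

# Constructed sample in the shape of the Mar 25 trace above (DNs and conn/op
# numbers from the thread, lines trimmed, one line deliberately run together).
SAMPLE_TRACE = """\
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SRCH base="cn=users,dc=ldaptest,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=lynntest))"
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 25 13:25:16 hltraindb01 slapd[28836]: str2filter "(&(objectClass=organizationalPerson)(uid=lynntest))"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""
```

Run `diagnose(SAMPLE_TRACE)` (or feed it the real paste) to see the filter pair, the terms rwm did not map, and the attributes absent from each returned entry.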
-----Original Message----- From: Tyler Gates [mailto:tgates81@gmail.com] Sent: Thursday, March 25, 2010 5:52 PM To: Lynn York Cc: Benjamin Griese; openldap-technical@openldap.org Subject: Re: Problem with getent passwd
Looks like you are only logging conn and acl. Try config and stats for more useful information about what exactly is being queried and returned.
On 03/25/2010 01:29 PM, Lynn York wrote:
Below is part of the log from slapd..
Mar 25 13:25:16 hltraindb01 slapd[28836]: >>> dnPrettyNormal: <CN=Lynn Testing,CN=Users,dc=ldaptest,DC=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: <<< dnPrettyNormal: <cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com>, <cn=lynn testing,cn=users,dc=ldaptest,dc=com>
Mar 25 13:25:16 hltraindb01 slapd[28836]: [rw] searchEntryDN: "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" -> "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => send_search_entry: conn 3 dn="cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com"
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr entry
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "entry" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to all values by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr objectClass
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (objectClass)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uid
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uid)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uid" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr uidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (uidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "uidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr gidNumber
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (gidNumber)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "gidNumber" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => dn: [1] dc=ldaptest,dc=com
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] matched
Mar 25 13:25:16 hltraindb01 slapd[28836]: => test_filter
Mar 25 13:25:16 hltraindb01 slapd[28836]: PRESENT
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: search access to "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com" "objectClass" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= test_filter 6
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_get: [1] attr loginShell
Mar 25 13:25:16 hltraindb01 slapd[28836]: access_allowed: no res from state (loginShell)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: access to entry "cn=Lynn Testing,cn=Users,dc=ldaptest,dc=com", attr "loginShell" requested
Mar 25 13:25:16 hltraindb01 slapd[28836]: => acl_mask: to value by "cn=mwldap,cn=users,dc=ldaptest,dc=com", (=0)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= check a_dn_pat: users
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] applying read(=rscxd) (stop)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= acl_mask: [1] mask: read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: => access_allowed: read access granted by read(=rscxd)
Mar 25 13:25:16 hltraindb01 slapd[28836]: <= send_search_entry: conn 3 exit.
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: conn=3 op=1 p=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_result: err=0 matched="" text=""
Mar 25 13:25:16 hltraindb01 slapd[28836]: send_ldap_response: msgid=2 tag=101 err=0
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]: 14r
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: read active on 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_get(14): got connid=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): checking for input on id=3
Mar 25 13:25:16 hltraindb01 slapd[28836]: ber_get_next on fd 14 failed errno=0 (Success)
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_read(14): input error=-2 id=3, closing.
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_closing: readying conn=3 sd=14 for close
Mar 25 13:25:16 hltraindb01 slapd[28836]: connection_close: conn=3 sd=-1
Mar 25 13:25:16 hltraindb01 slapd[28836]: =>ldap_back_conn_destroy: fetching conn 3
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: removing 14
Mar 25 13:25:16 hltraindb01 slapd[28836]: conn=3 fd=14 closed (connection lost)
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on 1 descriptor
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: activity on:
Mar 25 13:25:16 hltraindb01 slapd[28836]:
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Mar 25 13:25:16 hltraindb01 slapd[28836]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
*From:* Benjamin Griese [mailto:der.darude@gmail.com] *Sent:* Thursday, March 25, 2010 11:56 AM *To:* Lynn York *Cc:* Tyler Gates; openldap-technical@openldap.org *Subject:* Re: Problem with getent passwd
Hi, could you please also provide the appropriate log entries that show the query to the slapd from the client?
thanks
On Thu, Mar 25, 2010 at 13:52, Lynn York lynn.york@mavenwire.com wrote:
I attempted to use "setup" to set up ldap auth. That did not work. When I run "getent passwd" it prints all the local users, then hangs for about 5 seconds and doesn't print the ldap users. However, it does query the ldap server; I can see the queries in the ldap logs. I have added copies of my configs with hopes someone can help me more :)
/etc/ldap.conf
base cn=users,dc=ldaptest,dc=com
uri ldap://ldaphost/
binddn cn=mwldap,cn=users,dc=ldaptest,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password ad
# nss_ldap configurations
nss_base_passwd cn=users,dc=ldaptest,dc=com?sub
nss_base_shadow cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=users)(uidnumber=*)
nss_base_group cn=users,dc=ldaptest,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_attribute user SAMACCOUNTNAME
sasl_secprops maxssf=0
#tls_cacertdir /etc/openldap/cacerts
Slapd.conf
######################################################
# database definitions
######################################################
database ldap
suffix "cn=users,dc=ldaptest,dc=com"
uri "ldap://ads.ldaptest.com"
overlay rwm
rebind-as-user
chase-referrals no
acl-bind bindmethod=simple binddn="cn=mwldap,cn=users,dc=ldaptest,dc=com" credentials=password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
#index objectClass eq
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
rwm-map objectclass posixAccount organizationalPerson
rwm-map attribute uid sAMAccountname
rwm-map attribute uidNumber uidNumber
rwm-map attribute gidNumber gidNumber
rwm-map attribute givenName cn
rwm-map attribute unixHomeDirectory homeDirectory
rwm-map attribute unixUserPassword UserPassword
Any help is greatly appreciated...
-----Original Message----- From: Tyler Gates [mailto:tgates81@gmail.com] Sent: Wednesday, March 24, 2010 9:31 PM To: Lynn York; openldap-technical@openldap.org Subject: Re: Problem with getent passwd
Actually I misspoke earlier - I meant run the command 'setup' from the terminal and select authentication. From there you should see "User Information" and "Authentication" columns. Just check LDAP in "User Information" and you should see getent populate the passwords. That normally does the trick.. pretty simple but if that doesn't work I'd check your /etc/ldap.conf is set up correctly (I mostly have to just add the host information and base dn). Otherwise your LDAP server doesn't have the attributes it's expecting from its queries to generate user account information.
On 03/24/2010 08:09 AM, Lynn York wrote:
Here is my /etc/pam.d/system-auth file
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Also, when I ran authconfig, that didn't help. The server still queries the ldap server, but the users don't actually show when I run getent passwd... could it be something with the rwm mappings?
*From:* Tyler Gates [mailto:tgates81@gmail.com] *Sent:* Tuesday, March 23, 2010 8:26 PM *To:* Lynn York *Subject:* Re: Problem with getent passwd
Sounds like it's a problem with your client side pam_ldap authentication. There's a whole bunch of steps to get that working, just google it. If you have a redhat variant authconfig or setup will step you through it. It would help if you could post your system_auth file.
On Mar 23, 2010, at 11:40 AM, Lynn York lynn.york@mavenwire.com wrote:
Hello,
When I issue "getent passwd" I can see it query the ldap server for all the information and the server is returning the correct information. However, "getent passwd" doesn't actually show the users that are in ldap. I am not sure where my problem might be. Can anyone offer any suggestions on where to look?
Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
MavenWire - We DELIVER
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.