Re: [FC3] LDAP Authentication

From: Craig White (craigwhite_at_azapple.com)
Date: 12/11/04

  • Next message: Timothy Ha: "Is there a MONO package for FC3 ?"
    To: chris@chrisstark.com, For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Sat, 11 Dec 2004 02:13:58 -0700
    
    

    On Fri, 2004-12-10 at 20:54 -1000, Chris Stark wrote:
    > Hi everyone,
    >
    > I've got an issue that I've been wrestling with for a couple of days,
    > and I have still had no luck. I searched google, the archives, and all
    > of my books. Nothing. I suppose it could be a bug, but I'd like some
    > feedback before I submit a report.
    >
    > I have just installed FC3 on a machine that previously had FC1. I am
    > trying to use OpenLDAP server to manage the user accounts, as I had done
    > previously with FC1. It worked perfectly before the upgrade.
    >
    > To make a long story a bit shorter, I transferred the LDAP directory's
    > contents using an LDIF dump file, so as to avoid any database version issues.
    >
    > This seems to have worked because one of my PHP web applications can
    > authenticate against the server using TLS without a glitch. Also desktop
    > apps like thunderbird's addressbook return all of the entries using
    > LDAPS. Both TLS and SSL work without issue, and I can even execute
    > successful ldapsearch queries from the server's command-line.
    >
    > However, the server itself does not recognize the LDAP server as a
    > source for accounts; getent passwd or group only returns /etc/passwd and
    > /etc/group values. All of the previous home directories have numeric
    > values for their user and group owner permissions.
    >
    > Sorry if this is long. Here are the appropriate snippets from my config
    > files. Please let me know if you see anything obviously wrong. Also, any
    > troubleshooting tips would be much appreciated.
    >
    > Aloha,
    > Chris Stark
    >
    > (example.com is for illustrative purposes)
    >
    > -----------------------
    > # /etc/openldap/ldap.conf
    >
    > URI ldap://example.com
    > BASE dc=example,dc=com
    > TLS_CACERT /etc/ssl/certs/cacert/cacert.pem
    > TLS_REQCERT allow
    >
    > ------------------------
    > # /etc/openldap/slapd.conf
    >
    > include /etc/openldap/schema/core.schema
    > include /etc/openldap/schema/cosine.schema
    > include /etc/openldap/schema/inetorgperson.schema
    > include /etc/openldap/schema/nis.schema
    > include /etc/openldap/schema/samba.schema
    >
    > disallow bind_anon
    > security ssf=1 update_ssf=112 simple_bind=112
    >
    > password-hash {MD5}
    > pidfile /var/run/slapd.pid
    >
    > TLSCACertificateFile /etc/ssl/certs/cacert/cacert.pem
    > TLSCertificateFile /etc/ssl/certs/ldap/ldap-cert.pem
    > TLSCertificateKeyFile /etc/ssl/certs/ldap/ldap-key.pem
    >
    > access to attr=userPassword
    > by self write
    > by anonymous auth
    > by dn="cn=Manager,dc=example,dc=com" write
    > by * none
    >
    > access to attrs=sambaLmPassword,sambaNtPassword
    > by dn="cn=Manager,dc=example,dc=com" write
    > by * none
    >
    > access to dn=cn=Manager,dc=example,dc=com attr=entry
    > by self write
    > by dn="cn=Manager,dc=example,dc=com" write
    > by * none
    >
    > access to *
    > by users read
    > by self write
    > by dn="cn=Manager,dc=example,dc=com" write
    > by * none
    >
    > database ldbm
    > suffix "dc=example,dc=com"
    > rootdn "cn=Manager,dc=example,dc=com"
    > rootpw secret
    > directory /var/lib/ldap
    > mode 0700
    > index objectClass eq,pres
    > index ou,cn,mail,surname,givenname eq,pres,sub
    > index uidNumber,gidNumber,loginShell eq,pres
    > index uid,memberUid eq,pres,sub
    > index nisMapName,nisMapEntry eq,pres,sub
    >
    > cachesize 2000
    > loglevel 296
    >
    > ------------------------
    > # /etc/ldap.conf
    >
    > base dc=example,dc=com
    > uri ldap://example.com/
    > ldap_version 3
    >
    > pam_filter objectclass=posixAccount
    > pam_login_attribute uid
    > pam_password md5
    >
    > nss_base_passwd ou=users,dc=example,dc=com?one
    > nss_base_shadow ou=users,dc=example,dc=com?one
    > nss_base_group ou=groups,dc=example,dc=com?one
    >
    > ssl start_tls
    > tls_checkpeer no

    ---
    Wow - you got this all working on FC-1 without understanding all these
    things?

    Make life easy on yourself at first. Comment out the complexities and
    then add them back in after you get things working, so you can gauge the
    effect of each change:
    comment out the "disallow bind_anon" and "security" statements
    comment all the ACLs out and simply use 'access to * by * write'
    comment out "ssl start_tls"

    You don't have a binddn/rootbinddn in /etc/ldap.conf (does FC-3
    use /etc/openldap/ldap.conf?). /etc/ldap.secret?
    Did you actually generate the certs?
    Using certs and a plaintext 'secret' for cn=Manager,dc=example,dc=com...

    Logging is your friend. Logging from slapd.conf:
    loglevel 256 (or whatever you feel is appropriate; man slapd.conf)
    Add to /etc/syslog.conf:
    local4.*                                                /var/log/slapd.log
    (restart syslogd)

    FC-3 uses a much newer version of OpenLDAP, and things have changed
    greatly from 2.0.7 to 2.2.13, so it's doubtful that you can simply
    migrate without modification - in fact, I am surprised that you can even
    get the ldap service started. See the docs about converting from 2.0.x to
    2.1.x to 2.2.x. Also, with 2.2.13, you probably want to use bdb instead
    of ldbm, but that is a subject for another day.

    Craig
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    
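The checks Craig lists above, as an added example that is not part of the thread: a small POSIX shell linter that reads the nss_ldap client config and slapd.conf, reports the mismatches that make `getent` fall back to `/etc/passwd` (anonymous NSS bind against `disallow bind_anon`, a simple bind that needs TLS but no `ssl start_tls`, `nsswitch.conf` without `ldap`), flags the `tls_checkpeer no` setting, and prints the `ldapsearch` command that reproduces what nss_ldap itself sends, so the server side can be exercised without going through NSS at all. The config files it reads are constructed inline from the snippets posted above; `nsswitch.conf` was not posted, so the one below is an assumption, as are the temporary file paths.

```shell
#!/bin/sh
# Added example for the thread above (not from the mailing-list post).
# Lints an nss_ldap client config against slapd.conf for the mismatches
# the reply points at, and prints the ldapsearch equivalent of nss_ldap's
# passwd lookup so the server can be tested by hand.
# Config files below are constructed copies of the posted snippets;
# nsswitch.conf was not posted, so that one is an assumption.

# cfg_get FILE KEY: value of the first uncommented "KEY value" line
# (keys in ldap.conf are case-insensitive).
cfg_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
cfg_has() { [ -n "$(cfg_get "$1" "$2")" ]; }

# check_anon_bind SLAPD_CONF LDAP_CONF
# Without binddn (or rootbinddn + /etc/ldap.secret) nss_ldap binds
# anonymously; "disallow bind_anon" refuses that bind, so NSS sees an
# empty directory while an ldapsearch with credentials still works.
check_anon_bind() {
    if grep -Eq '^[[:space:]]*disallow[[:space:]].*bind_anon' "$1" &&
       ! cfg_has "$2" binddn && ! cfg_has "$2" rootbinddn; then
        echo "slapd disallows bind_anon but the client has no binddn/rootbinddn"
        return 1
    fi
    return 0
}

# check_tls SLAPD_CONF LDAP_CONF
# "security simple_bind=N" (N>0) refuses a simple bind on a session whose
# ssf is below N, so the client must negotiate TLS before it binds.
check_tls() {
    need=$(awk '$1 == "security" { for (i = 2; i <= NF; i++)
        if (sub(/^simple_bind=/, "", $i)) print $i }' "$1")
    if [ -z "$need" ] || [ "$need" -eq 0 ]; then return 0; fi
    case "$(cfg_get "$2" ssl)" in start_tls|on|yes) return 0 ;; esac
    case "$(cfg_get "$2" uri)" in ldaps://*) return 0 ;; esac
    echo "slapd needs ssf>=$need for simple binds but the client never starts TLS"
    return 1
}

# check_checkpeer LDAP_CONF
# "tls_checkpeer no" skips server certificate verification: StartTLS then
# encrypts but does not authenticate the server, so whoever answers for
# the LDAP host can read any bindpw the client sends.
check_checkpeer() {
    if [ "$(cfg_get "$1" tls_checkpeer)" = no ]; then
        echo "tls_checkpeer no: server certificate is not verified"
        return 1
    fi
    return 0
}

# check_nsswitch NSSWITCH_CONF: passwd, shadow and group must all list
# ldap, or getent only ever returns the /etc files.
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        awk -v d="$db:" '$1 == d { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
            END { exit ok ? 0 : 1 }' "$1" || { echo "nsswitch.conf: $db does not list ldap"; rc=1; }
    done
    return $rc
}

# probe_cmd LDAP_CONF: ldapsearch equivalent of nss_ldap's passwd lookup
# (anonymous simple bind, -ZZ to require StartTLS, same base and scope,
# nss_ldap's default posixAccount filter).
probe_cmd() {
    spec=$(cfg_get "$1" nss_base_passwd)
    base=${spec%%\?*}
    scope=${spec#*\?}; [ "$scope" = "$spec" ] && scope=sub
    tls=""; [ "$(cfg_get "$1" ssl)" = start_tls ] && tls="-ZZ "
    printf 'ldapsearch -x %s-H %s -b %s -s %s "(objectClass=posixAccount)" uid uidNumber gidNumber\n' \
        "$tls" "$(cfg_get "$1" uri)" "$base" "$scope"
}

tmp=$(mktemp -d)
cat > "$tmp/slapd.conf" <<'EOF'
# constructed: the relevant lines of the posted slapd.conf
disallow bind_anon
security ssf=1 update_ssf=112 simple_bind=112
database ldbm
EOF
cat > "$tmp/ldap.conf" <<'EOF'
# constructed: the posted nss_ldap /etc/ldap.conf (pam_* lines omitted)
base dc=example,dc=com
uri ldap://example.com/
nss_base_passwd ou=users,dc=example,dc=com?one
ssl start_tls
tls_checkpeer no
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed and assumed: nsswitch.conf is not in the thread
passwd: files ldap
shadow: files
group:  files ldap
EOF

status=0   # non-zero after the run means at least one likely cause was found
check_anon_bind "$tmp/slapd.conf" "$tmp/ldap.conf" || status=1
check_tls "$tmp/slapd.conf" "$tmp/ldap.conf" || status=1
check_checkpeer "$tmp/ldap.conf" || status=1
check_nsswitch "$tmp/nsswitch.conf" || status=1
echo "Reproduce the NSS lookup by hand with:"; probe_cmd "$tmp/ldap.conf"
echo "lint status: $status"
```

Run the printed `ldapsearch` from the same host: if it returns the `posixAccount` entries, slapd, TLS and the ACLs are fine for an anonymous reader and the remaining difference is the bind nss_ldap performs; if it is refused, the `-ZZ`/`disallow bind_anon`/`security` combination is the problem before nss_ldap is even involved. Commenting out `ssl start_tls` is a reasonable debugging step, but the end state should be StartTLS with `tls_checkpeer yes` and the CA certificate configured, not verification left off: with `tls_checkpeer no` a `bindpw` in `/etc/ldap.conf` is sent to whatever server answers for the name.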
