Re: [opensuse] 12.1 LDAP nscd Samba problems



On 23/11/11 17:44, Ralf Haferkamp wrote:
Am Mittwoch 23 November 2011, 16:28:57 schrieb lynn:
On 23/11/11 15:22, Ken Schneider - openSUSE wrote:
On 11/23/2011 06:22 AM, lynn pecked at the keyboard and wrote:
Hi everyone. Sorry this is a bit long:
Scenario: LDAP - Samba clean install of a 12.1 server for single
sign-on on an openSUSE/Win-7 LAN.

The boot process seems to be broken. The system boots but services
take forever to become available. Console 1 does not give a
login prompt for over 5 minutes.
Hm, this sounds like a missing
bind_policy soft

in /etc/ldap.conf. Can you check that? If that is missing and you set up the
LDAP client using YaST, please open a bug report.


Yes I have:
bind_policy soft
in /etc/ldap.conf

But to make tls work I had to change /etc/openldap/ldap.conf:

TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacert.pem

Does that make any difference?

bugzilla as to why, here:
https://bugzilla.novell.com/show_bug.cgi?id=730046


I have to disable services and then enable them on boot.

Using Yast runlevel editor: Disable LDAP, nscd, smb and nmb.
Disable Yast LDAP Client.

Reboot and login as root:

then activate in this order:

1. rcldap start
2. Yast -> LDAP Client -> use LDAP
3. rcnscd start
4. rcsmb start
5. rcnmb start

I could see a workaround by putting the commands in
/etc/after.local but I would need 2 /etc/nsswitch files. One for
the boot without ldap and the other one created by the Yast LDAP
Client.

What a mess!

Anyone any ideas?

BTW. Everything works; it's just that I have to start the system
manually.

Thanks, L x

Have you tried hitting F5 at the boot prompt and using sysvinit
instead of systemd? A comparison would be helpful in finding a
cause.
I enabled LDAP, nscd, smb, nmb and have Yast -> LDAP Client do its bit
with nsswitch.conf and _yes_, it works. (With System V init using F5
from the boot prompt). My other problem with changing runlevels has
also gone away. What has changed with 12.1?

I still think the boot order is wrong. Surely, the LDAP server should
be started _before_ whatever starts nss-ldap. Here are the errors:

Nov 23 16:06:20 hh1 dbus-daemon: nss-ldap: do_open: do_start_tls
failed:stat=-1
Nov 23 16:06:20 hh1 dbus-daemon: nss_ldap: could not search LDAP server
- Server is unavailale
This is quite normal and should not be a problem. Also there is nothing
much we can do about it. dbus-daemon is usually one of the first things
that is started, long before the network is up. So if your LDAP server is
not running on localhost you always get that error message. And if your
LDAP server is on localhost you still can't start it before dbus-daemon
because of some other dependencies IIRC.

Is there any reason you are using nss_ldap instead of sssd, btw?

regards,
Ralf

Hi

No reason. I've done this as a newbie because I had to make a single sign on setup for our LAN when win 7 boxes were connected. Otherwise it would have cost us a small fortune for the local computer consultancy to do it for us. I've done most of this via Yast. I made the certificates for tls support by hand because the 12.1 Yast CA management module is broken:

https://bugzilla.novell.com/show_bug.cgi?id=730889

Other than this I have no idea what the difference is between nss_ldap and sssd. You seem to suggest that sssd is better. If so, is it easy to change?

Thanks for your interest.
L x
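A defender's sanity check for the settings this thread turns on (bind_policy soft in /etc/ldap.conf, TLS_REQCERT hard with a readable TLS_CACERT in /etc/openldap/ldap.conf), plus a wait-for-LDAP loop that could gate the manual rcnscd/rcsmb/rcnmb start order from /etc/after.local. This is an added example, not code from anyone in the thread; the file paths are the ones the thread names, while the rootDSE query, the retry count and the function names are assumptions.

```shell
#!/bin/sh
# Added example: verify the LDAP client settings discussed in the thread and
# wait for the LDAP server before starting consumers such as nscd and smb.

# conf_has FILE KEY VALUE: true if a "KEY VALUE" line is present (comment lines ignored).
conf_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1" 2>/dev/null
}

# check_ldap_client NSS_LDAP_CONF OPENLDAP_CONF: 0 if every setting is sane,
# 1 (with a reason on stdout) otherwise.
check_ldap_client() {
    rc=0
    conf_has "$1" bind_policy soft || { echo "missing 'bind_policy soft' in $1"; rc=1; }
    conf_has "$2" TLS_REQCERT hard || { echo "TLS_REQCERT is not 'hard' in $2"; rc=1; }
    # TLS_REQCERT hard is only meaningful if the CA file it validates against exists.
    cacert=$(awk 'tolower($1)=="tls_cacert"{print $2; exit}' "$2" 2>/dev/null)
    if [ -z "$cacert" ]; then
        echo "no TLS_CACERT in $2"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "TLS_CACERT $cacert is not readable"; rc=1
    fi
    return $rc
}

# wait_for_ldap URI [TRIES]: poll the rootDSE over StartTLS (-ZZ = require it)
# every 2 seconds until the server answers, so nscd/smb are not started against
# an LDAP server that is still coming up.
wait_for_ldap() {
    uri=$1; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        ldapsearch -x -ZZ -H "$uri" -s base -b '' namingContexts >/dev/null 2>&1 && return 0
        tries=$((tries - 1)); sleep 2
    done
    echo "LDAP server at $uri did not answer"; return 1
}
```

Intended use from /etc/after.local would be `check_ldap_client /etc/ldap.conf /etc/openldap/ldap.conf && wait_for_ldap ldap://localhost && rcnscd start && rcsmb start && rcnmb start`.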


--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx


