RE: LDAP client auth almost working, need help.
Thanks, Zach!

Changing the bind policy to "soft" did the trick for boot.  That was huge!  I can also log in via gdm now... strange?!  The only problem I have now is that I can't sudo as an LDAP user.  Any idea what might be causing this?

Sorry for the top post, I'm having to use a webmail client until I get things set back up.

Jim

----- Original Message -----
From: Zach
Sent: Tue Oct 31 2006 09:46:37 GMT-0600 (CST)
Subject: Re: LDAP client auth almost working, need help.

On 10/31/06, Jim Canfield <jcanfield@xxxxxxxxxxx> wrote:
Greetings,

I'm a former gentooer and this is my first post to the Ubuntu list.  So far,
I'm very impressed with Ubuntu!  Great work, guys!

...Anyway, it looks like the nss-ldap integration is not quite what it should
be.  I looked at the doc for LDAP client auth
(https://help.ubuntu.com/community/LDAPClientAuthentication)
and it's not correct for edgy.  Here's where I am.

Problem 1:

dpkg acts like it's configuring a libnss-ldap.conf (or some type of
ldap.conf) but it never changes.  I had to go in manually and change the
LDAP server settings.  After that `getent` seemed to be fine.

Problem 2:

FOOBAR BOOT!  For some ungodly reason udevd tries to connect to an LDAP
server before devices have been created.  My hunch is that it's looking for a
group name that doesn't exist locally and trying to use LDAP to resolve it.
I've seen a few posts on the Debian list regarding this looking for
"nogroup" or "nobody"... however, Ubuntu has these groups.  I'm confused.

This sounds like a problem I ran into where nsswitch was trying to
contact the LDAP server early in the boot process and failing over and
over again, and only after giving up did it proceed with booting.
In my case, I set "bind_policy" to "soft" in libnss-ldap.conf.  This
causes libnss to return immediately upon server failure rather than
backing off and trying again.  I believe this is a reported bug, but
I'm not sure.


Problem 3:

Can't authenticate via gdm.  I can "su ldapuser" fine and even switch to a
virtual console and log in, but login through gdm fails miserably.


I would try to log in to the LDAP server via ssh and run slapd
manually with debugging output turned on:

    # /etc/init.d/slapd stop
    # slapd -d1

The debug levels are documented in the slapd.conf(5) manpage.  They
are basically broken up into 1, 2, 4, ... 2048.  You can add them together
to get specific combinations of debug output.

Also have a look at your logs on both the client and server,
particularly auth.log.  tail -f is helpful here.

Are you using TLS/SSL?  If so, you might want to disable that first to get
logging in the clear working.  Then futz with TLS.

When you do get ready to do TLS, -d5 or -d7 are helpful.

I've been working with edgy and I've got it working with my dapper
LDAP server.  Unfortunately I can't get to the edgy machine from here,
so I can't look at my configs.

Any help would be greatly appreciated...

Jim

Configs:

common-account:

    account sufficient      pam_ldap.so
    account required        pam_unix.so

common-auth:

    auth    sufficient      pam_ldap.so
    auth    required        pam_unix.so nullok_secure use_first_pass

common-password:

    password sufficient     pam_ldap.so
    password required       pam_unix.so nullok obscure min=4 max=8 md5

common-session:

    session optional        pam_unix.so
    session required        pam_mkhomedir.so skel=/etc/skel/
    session optional        pam_ldap.so
    session optional        pam_foreground.so
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
--
If you reply to a message I posted in a mailing list thread,
There's a chance I may not see your response.  Feel free to
address me directly in the 'To:', in addition to posting to the list.
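An added example, not part of the thread and not code from the libnss-ldap or OpenLDAP projects: a small Python audit that parses a libnss-ldap.conf in its keyword/value format, flags the default `bind_policy hard` that Zach's "soft" advice fixes (plus a plaintext `ssl no` left over from debugging in the clear), and decodes the additive slapd `-d` levels Zach mentions, so that `-d5` reads as trace+args and `-d7` as trace+packets+args. The sample config, its hostname and base DN are constructed placeholders, and the function names are this example's own.

```python
"""Added example (not from the thread): audit a libnss-ldap.conf for the
bind_policy setting that stalled boot in the thread, and decode the slapd
-d debug bitmask.  The sample config text is constructed for this example."""

# OpenLDAP debug/loglevel bits as documented in slapd.conf(5) and slapd(8).
SLAPD_DEBUG_LEVELS = {
    1: "trace",     # trace function calls
    2: "packets",   # debug packet handling
    4: "args",      # heavy trace debugging (function arguments)
    8: "conns",     # connection management
    16: "BER",      # print out packets sent and received
    32: "filter",   # search filter processing
    64: "config",   # configuration file processing
    128: "ACL",     # access control list processing
    256: "stats",   # connections, operations, results
    512: "stats2",  # stats log entries sent
    1024: "shell",  # communication with shell backends
    2048: "parse",  # entry parsing
}


def decode_debug_level(level):
    """Split an additive -d level into its named bits: 7 -> trace, packets, args."""
    if level < 0:
        raise ValueError("slapd debug level must be non-negative")
    return [name for bit, name in sorted(SLAPD_DEBUG_LEVELS.items()) if level & bit]


def compose_debug_level(*names):
    """Inverse of decode_debug_level: ("trace", "args") -> 5, i.e. `slapd -d5`."""
    by_name = {name: bit for bit, name in SLAPD_DEBUG_LEVELS.items()}
    return sum(by_name[name] for name in names)


def parse_ldap_conf(text):
    """Parse the keyword/value format of libnss-ldap.conf and ldap.conf.

    Keywords are case-insensitive, '#' starts a comment, and a later
    occurrence of a keyword overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(conf):
    """Return a list of findings for the settings the thread touched on."""
    findings = []
    # nss_ldap defaults bind_policy to "hard": every NSS lookup retries an
    # unreachable server, which is what held up udevd and boot in the thread.
    policy = conf.get("bind_policy", "hard")
    if policy != "soft":
        findings.append(
            "bind_policy is %r (default is hard): lookups block while the LDAP "
            "server is unreachable; set 'bind_policy soft'" % policy)
    # "ssl no" is what Zach suggested for debugging in the clear; flag it so it
    # does not get left that way once logins work.
    if conf.get("ssl", "no").lower() in ("no", "off"):
        findings.append("ssl is off: binds and directory data travel in the clear")
    if "host" not in conf and "uri" not in conf:
        findings.append("no 'host' or 'uri' keyword: client has no server to contact")
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit_ldap_conf(parse_ldap_conf(text))


# Constructed sample: a client config as dpkg would leave it if the debconf
# answers never reached the file (placeholder hostname and base DN).
SAMPLE_CONF = """\
# /etc/libnss-ldap.conf (constructed example)
host ldap.example.com
base dc=example,dc=com
ldap_version 3
ssl no
bind_policy hard
"""


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONF):
        print("FINDING:", finding)
    print("-d7 =", "+".join(decode_debug_level(7)))
    print("trace+args = -d%d" % compose_debug_level("trace", "args"))
```

Run it against the real file with `audit_text(open("/etc/libnss-ldap.conf").read())`; an empty result means the server is named, binds are not hard, and TLS is not switched off.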
