
getent passwd doesn't show ldap user


stefano malini

Apr 23, 2012, 6:30:02 AM
Hi,
I installed OpenLDAP and configured nslcd.conf and nsswitch.conf on a Debian
squeeze server.
At the moment getent passwd doesn't show LDAP users.
I created a user nslcd_proc for nslcd lookups;
this user belongs to the System organizationalUnit.

Here are some checks.

FIRST SHELL
nslcd -d
nslcd: DEBUG: add_uri(ldap://localhost:389)
nslcd: version 0.7.15 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(107) done
nslcd: DEBUG: setuid(105) done
nslcd: accepting connections

SECOND SHELL: getent passwd --> shows only local users

FIRST SHELL shows:

nslcd: [8b4567] DEBUG: connection from pid=2055 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_all()
nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://localhost:389)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=nslcd_proc,ou=System,dc=amahoro,dc=bi","***") (uri="ldap://localhost:389")
nslcd: [8b4567] ldap_result() failed: No such object

These are the permissions of the nslcd files and folder:

ls -ld /etc/nslcd.conf /var/run/nslcd/ /var/run/nslcd/*
-rw-r----- 1 root nslcd 635 Apr 21 11:54 /etc/nslcd.conf
drwxr-xr-x 2 nslcd nslcd 4096 Apr 21 11:55 /var/run/nslcd/
-rw-r--r-- 1 root root 5 Apr 21 11:55 /var/run/nslcd/nslcd.pid
srw-rw-rw- 1 root root 0 Apr 21 11:55 /var/run/nslcd/socket

Opening /var/run/nslcd/socket shows:
Error reading /var/run/nslcd/socket: No such device or address


nslcd.conf and slapd.conf follow.

__________________________________________________________________
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost:389

# The search base that will be used for all queries.
base dc=amahoro,dc=bi

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi
bindpw *****

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub
___________________________________________________________________
slapd.conf
#Basics
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel trace
modulepath /usr/lib/ldap
moduleload back_hdb

#Database Configuration
backend hdb
database hdb
suffix "dc=amahoro,dc=bi"
rootdn "cn=Manager,dc=amahoro,dc=bi"
rootpw {SSHA}zH2A+jeSlbl2/UcAXm596KPV4IB/R6x9
directory /var/lib/ldap
index objectClass,cn eq

#ACLs
access to attrs=userPassword
by anonymous auth
by self write
by * none

access to *
by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
by self write
by * none

Do you have any ideas, please?

thanks


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/4F952D3C...@gmail.com

Per Carlson

Apr 23, 2012, 8:50:02 AM
Hi Stefano.

> installed openldap and configured nslcd.conf and nsswitch.conf on debian
> squeeze server.

Did you install nslcd by itself or together with libnss-ldapd and
libpam-ldapd?

What does your /etc/nsswitch.conf look like? Here are the relevant
lines from mine:

passwd: files ldap
group: files ldap
shadow: files ldap

You need libnss-ldapd for the "ldap" rule in the lines above.

> At the moment getent passwd doesn't show ldap user.
> I create a user nslcd_proc for nslcd lookups.
> this user belong to the System organizationalUnit.

This is unnecessary; nslcd functions fine without a DN.

> nslcd: [8b4567] DEBUG:
> ldap_simple_bind_s("uid=nslcd_proc,ou=System,dc=amahoro,dc=bi","***")
> (uri="ldap://localhost:389")
> nslcd: [8b4567] ldap_result() failed: No such object

Looks like LDAP can't find the DN in the repository. Can you log in
manually as this user?

server$ ldapsearch -xW -D "uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" -H ldapi:///

> slapd.conf

Do you have a slapd.conf? Have you compiled it from source or
installed as a Debian package?

server$ apt-cache policy slapd

I've got:

slapd:
Installed: 2.4.23-7.2
Candidate: 2.4.23-7.2
Version table:
*** 2.4.23-7.2 0
700 http://ftp.no.debian.org/debian/ squeeze/main amd64 Packages
100 /var/lib/dpkg/status


AFAIK the OpenLDAP server (the binary package is called slapd in Debian)
as packaged no longer uses that file. Instead the config is stored in an
LDAP repository (/etc/ldap/slapd.d) and modified using LDIF files.

--
Pelle

"D’ä e å, vett ja”, skrek ja, för ja ble rasen,
”å i åa ä e ö, hörer han lite, d’ä e å, å i åa ä e ö"
- Gustav Fröding, 1895



stefano malini

Apr 23, 2012, 9:40:02 AM
Hi Per,

Thanks for the reply.

> Did you install nslcd by itself or together with libnss-ldapd and
> libpam-ldapd?

nslcd was installed automatically when installing libnss-ldapd.

> What does your /etc/nsswitch.conf look like? Here are the relevant
> lines from mine:

This is my /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

> This is unnecessary; nslcd functions fine without a DN.

OK, I removed it.

> Looks like LDAP can't find the DN in the repository. Can you log in
> manually as this user?

Trying your command:
root@amahoro:~# ldapsearch -xW -D "uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" -H ldapi:///
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I don't know why, but trying with this:

root@amahoro:~# ldapsearch -xW -D "cn=Manager,dc=amahoro,dc=bi"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=amahoro,dc=bi> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

I don't understand what is wrong.

> Do you have a slapd.conf? Have you compiled it from source or
> installed as a Debian package?

I installed it as a Debian package:

root@amahoro:~# apt-cache policy slapd
slapd:
Installed: 2.4.23-7.2
Candidate: 2.4.23-7.2
Version table:
*** 2.4.23-7.2 0
500 http://ftp.us.debian.org/debian/ squeeze/main i386 Packages
100 /var/lib/dpkg/status

What do you think?

Per Carlson

Apr 23, 2012, 10:20:01 AM
Hi Stefano.

>> Did you install nslcd by itself or together with libnss-ldapd and
>> libpam-ldapd?
>
> nslcd was installed automatically when installing libnss-ldapd.

Ok.

> This is my /etc/nsswitch.conf:
>
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap

That's fine.

>> This is unnecessary; nslcd functions fine without a DN.
>
> OK, I removed it.

Try stopping the caching daemon ("sudo service nscd stop") and try
again. Does getent still not resolve?

I'm not 100% sure, but LDAP might be needed in PAM as well.
Installing libpam-ldapd should do that automatically. Look for
"pam_ldap.so" in /etc/pam.d/common-{auth,password,session}.

>> Looks like LDAP can't find the DN in the repository. Can you log in
>> manually as this user?
>
> Trying your command:
> root@amahoro:~# ldapsearch -xW -D "uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" -H ldapi:///
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

That explains why nslcd didn't succeed binding.

> I don't know why, but trying with this:
>
> root@amahoro:~# ldapsearch -xW -D "cn=Manager,dc=amahoro,dc=bi"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=amahoro,dc=bi> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> I don't understand what is wrong.

Are you sure you have a working LDAP database? Make sure you can
resolve things manually first. When that is working you can continue
working on nslcd.

>> Do you have a slapd.conf? Have you compiled it from source or
>> installed as a Debian package?
>
> I installed it as a Debian package:
>
> root@amahoro:~# apt-cache policy slapd
>
> slapd:
>  Installed: 2.4.23-7.2
>  Candidate: 2.4.23-7.2
>  Version table:
>  *** 2.4.23-7.2 0
>        500 http://ftp.us.debian.org/debian/ squeeze/main i386 Packages
>        100 /var/lib/dpkg/status

In that case the configuration isn't done by slapd.conf. Check out the
documentation: "zless /usr/share/doc/slapd/README.Debian.gz"

> What do you think?

This command should give you the suffix and ACLs and some more info
(assuming an HDB database):

server$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(objectclass=olchdbconfig)"


--
Pelle


stefano malini

Apr 23, 2012, 11:30:02 AM
Hi Per,

> Try stopping the caching daemon ("sudo service nscd stop") and try
> again. Does getent still not resolve?

I tried, without success.

> I'm not 100% sure, but LDAP might be needed in PAM as well.
> Installing libpam-ldapd should do that automatically. Look for
> "pam_ldap.so" in /etc/pam.d/common-{auth,password,session}.

I installed it and the common-* files were updated automatically, but it
didn't resolve it.

> Are you sure you have a working LDAP database? Make sure you can
> resolve things manually first. When that is working you can continue
> working on nslcd.

Checking with:

root@amahoro:~# ldapsearch -xW -D "cn=Manager,dc=amahoro,dc=bi"

it shows:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=amahoro,dc=bi> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Checking with:

root@amahoro:~# ldapsearch -xW -D "cn=Manager,dc=amahoro,dc=bi" -b "" -s base

it shows:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Why these differences just from adding the DN for the search and
specifying the entry I am looking for?

> In that case the configuration isn't done by slapd.conf. Check out the
> documentation: "zless /usr/share/doc/slapd/README.Debian.gz"

I know. In this case I deleted the slapd.d folder, created a new
slapd.conf file and specified it in /etc/default/slapd.

> This command should give you the suffix and ACLs and some more info
> (assuming an HDB database):

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(objectclass=olchdbconfig)"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=olchdbconfig)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Another strange thing:

ls /var/lib/ldap/
alock __db.001 __db.003 __db.005 dn2id.bdb log.0000000001
cn.bdb __db.002 __db.004 __db.006 id2entry.bdb objectClass.bdb

There is no DB_CONFIG.

How is it created?

stefano malini

Apr 23, 2012, 1:00:02 PM
Hi Per.

Something has improved! Now I can log in manually. There was an error, a big
error: I didn't insert the root as LDIF in the directory. Very big error!

Anyway, the problem with getent passwd is still there:

This is the output of nslcd -d when typing getent passwd from another shell:

nslcd: DEBUG: add_uri(ldap://localhost:389)
nslcd: version 0.7.15 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(107) done
nslcd: DEBUG: setuid(105) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=3478 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_all()
nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://localhost:389)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://localhost:389")
nslcd: [8b4567] ldap_result() failed: No such object

Thanks

On 04/23/2012 04:11 PM, Per Carlson wrote:

Per Carlson

Apr 23, 2012, 4:40:02 PM
Hi Stefano

> nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)")
> nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL)
> (uri="ldap://localhost:389")
>
> nslcd: [8b4567] ldap_result() failed: No such object

Looking back at your first post, I now see that you have a very
restrictive ACL with "by * none".

access to *
by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
by self write
by * none

With this one in place you must add back the binddn in nslcd.conf.
Sorry for misleading you there.

Can you do an ldapsearch with the same parameters as nslcd tries (see
above), but binding with a DN?

--
Pelle

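Per's diagnosis (the "by * none" clause leaves an anonymous bind with no access at all, so nslcd has to bind as nslcd_proc) can be checked offline with a small evaluator of slapd.conf ACL semantics. This is an added example, not code from the thread or from OpenLDAP: it models only the selectors that appear in the posted config (`*`, `attrs=`, `anonymous`, `self`, `dn.base`), and the DN uid=alice,ou=People,dc=amahoro,dc=bi is a constructed sample user.

```python
import re
# OpenLDAP access levels, weakest to strongest; a grant of one level implies every weaker one
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Copy of the two ACL clauses from the slapd.conf posted in this thread
SLAPD_ACLS = """
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to *
by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
by self write
by * none
"""
def parse_acls(text):
    """Return [{'what': selector, 'by': [(who, level), ...]}, ...] in file order."""
    acls = []
    for line in text.splitlines():
        if m := re.match(r'^\s*access\s+to\s+(\S+)\s*$', line):
            acls.append({"what": m.group(1), "by": []})
        elif (m := re.match(r'^\s*by\s+(\S+)\s+(\w+)\s*$', line)) and acls:
            acls[-1]["by"].append((m.group(1), m.group(2)))
    return acls
def _who_matches(who, requester, target_dn):
    # requester is None for an anonymous bind, i.e. nslcd's ldap_simple_bind_s(NULL,NULL)
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith('dn.base="'):
        return requester is not None and requester.lower() == who[9:-1].lower()
    return False  # other 'by' selectors (users, group=, ...) are not modelled here
def granted_level(acls, requester, target_dn, attr=None):
    # slapd semantics: the first 'access to' clause whose selector matches decides ('*' covers
    # entries and all attributes, 'attrs=a,b' only those attributes); inside it the first
    # matching 'by' line decides, and no match at all means 'none'.
    for acl in acls:
        what = acl["what"]
        if what == "*" or (what.startswith("attrs=") and attr in what[6:].split(",")):
            for who, level in acl["by"]:
                if _who_matches(who, requester, target_dn):
                    return level
            return "none"
    return "none"
def allowed(acls, requester, target_dn, wanted, attr=None):
    """True if the granted level is at least 'wanted' ('read' also implies 'search')."""
    return LEVELS.index(granted_level(acls, requester, target_dn, attr)) >= LEVELS.index(wanted)
```

The same evaluation shows that nslcd_proc gets "none" on userPassword while keeping "read" on every other attribute, which is the least privilege a lookup account needs. Since adding the binddn back puts bindpw into nslcd.conf, the "-rw-r----- root nslcd" mode shown in the first post is what keeps that password away from other local users.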

stefano malini

Apr 25, 2012, 10:20:01 AM
Per, it runs. Yes, I forgot to put it in. Thanks.
Now it's the Samba round! Maybe I'll write you again!

thank you very much.

On 04/23/2012 10:36 PM, Per Carlson wrote:
> Hi Stefano
>
>> nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)")
>> nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL)
>> (uri="ldap://localhost:389")
>>
>> nslcd: [8b4567] ldap_result() failed: No such object
>
> Looking back at your first post, I now see that you have a very
> restrictive ACL with "by * none".
>
> access to *
> by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read
> by self write
> by * none
>
> With this one in place you must add back the binddn in nslcd.conf.
> Sorry for misleading you there.
>
> Can you do an ldapsearch with the same parameters as nslcd tries (see
> above), but binding with a DN?
>

