| View previous topic :: View next topic |
| Author |
Message |
sinate
n00b
Joined: 16 Apr 2003
Posts: 29
Location: Southampton, UK
|
 Posted: Sun Jul 24, 2005 2:31 pm Post subject: LDAP headache - getent won't work |
 |
|
Hi,
I've followed the Gentoo LDAP guide and a similar guide over at http://old.monkeybox.org.uk, but after following both guides I come up against the same problem.
I can do a ldapsearch and look at all the entries fine. But getent refuses to show the LDAP entries for passwd, group, hosts.
The message I get on /var/log/messages when I do the getent is:
| Code: |
Jul 24 15:23:15 lister slapd[7809]: conn=2 fd=11 ACCEPT from IP=127.0.0.1:32981 (IP=0.0.0.0:389)
Jul 24 15:23:15 lister slapd[7813]: conn=2 op=0 BIND dn="" method=128
Jul 24 15:23:15 lister slapd[7813]: conn=2 op=0 RESULT tag=97 err=0 text=
Jul 24 15:23:15 lister slapd[7813]: conn=2 op=1 SRCH base="dc=rmsel,dc=net" scope=2 filter="(objectClass=posixAccount)"
Jul 24 15:23:15 lister slapd[7813]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 24 15:23:15 lister slapd[7813]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 24 15:23:15 lister slapd[7809]: conn=2 fd=11 closed
|
By the way, I am currently doing this from the LDAP server it's self, as root.
Let me know which files you would like to look at to see where I've gone wrong.
Thanks,
Steve. |
|
| Back to top |
|
 |
corley
Tux's lil' helper
Joined: 12 May 2005
Posts: 78
|
| Posted: Sun Jul 24, 2005 3:25 pm Post subject: file |
|
|
| can you please post the contents of your slapd.conf file. |
|
| Back to top |
|
|
sinate
n00b
Joined: 16 Apr 2003
Posts: 29
Location: Southampton, UK
|
| Posted: Sun Jul 24, 2005 5:42 pm Post subject: |
|
|
Here is my slapd.conf file:
| Code: |
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
# Include the needed data schemes
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Use md5 to hash the passwords
password-hash {crypt}
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
#access to *
# by dn="cn=Manager,dc=rmsel,dc=net" write
# by users read
# by anonymous auth
# by * read
#access to attrs=userPassword,gecos,description,loginShell
# by self write
access to dn="" by * read
access to *
by self write
by users read
by anonymous read
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
#checkpoint 32 30 # <kbyte> <min>
suffix "dc=rmsel,dc=net"
rootdn "cn=Manager,dc=rmsel,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {MD5}AbKvr5MO6Z7+sbBbLeNtrg==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-ldbm
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq
index default sub
# Save the time that the entry gets modified, for database #1
lastmod on
access to *
by dn=''uid=root,ou=People,dc=rmsel,dc=net'' write
by dn="cn=Manager,dc=rmsel,dc=org" write
by users read
by anonymous auth
by * search
access to attribute=userPassword,gecos,description
by dn=''cn=Manager,dc=rmsel,dc=org'' write
by dn=''uid=root,ou=People,dc=rmsel,dc=net'' write
by self write
by anonymous auth
by * none
access to *
by dn="cn=Manager,dc=rmsel,dc=org" write
by * read
|
Steve. |
|
| Back to top |
|
|
nielchiano
Veteran
Joined: 11 Nov 2003
Posts: 1287
Location: 50N 3E
|
| Posted: Sun Jul 24, 2005 11:57 pm Post subject: |
|
|
WILD guess...
try lowering your ACL's to a very open policy. See if it works then. Then tighten it step by step and see what breaks it.
I'm not sure, but the ACL looks quite restrictive (maybe TOO restrictive, maybe just right...) |
|
| Back to top |
|
|
corley
Tux's lil' helper
Joined: 12 May 2005
Posts: 78
|
| Posted: Mon Jul 25, 2005 12:32 am Post subject: well |
|
|
| Did you see you have access * defined twice? It looks like it's picking up the second 1 and using that, which is basically the output you are seeing from what you posted. Also it doesn't look like you are allowing anyone to read those other fields. |
|
| Back to top |
|
|
sinate
n00b
Joined: 16 Apr 2003
Posts: 29
Location: Southampton, UK
|
| Posted: Mon Jul 25, 2005 6:07 pm Post subject: |
|
|
Thanks.
Putting "by anonymous read" got it working (plus removing the other access *)
How would you use "by anonymous auth" then? Or is this never used?
Maybe I should read the docs a bit more. Anyway, at least I've got something to play with now.
Cheers,
Steve. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
