LinuxQuestions.org
Old 11-08-2007, 07:28 AM   #1
mesh2005
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
Rep: Reputation: 30

getent is unable to retrieve info from OpenLDAP


I set up Kerberos & OpenLDAP successfully on my server "Debian 4" (called machine1). I can successfully kinit & ldapsearch from another machine (machine2). I'm using ldaps only and a self-signed certificate. The problem is, I disabled the simple bind; all users have to use -Y GSSAPI to query the LDAP database. This works fine with the ldap tools but unfortunately it does not with getent.

Without a ticket, getent is unable to establish a connection to my LDAP server; here is the log:
Nov 8 14:07:21 machine2 getent: GSSAPI Error: Miscellaneous failure (Unknown code krb5 195)
Nov 8 14:07:21 machine2 getent: nss_ldap: failed to bind to LDAP server ldaps://machine1: Local error
Nov 8 14:07:21 machine2 getent: nss_ldap: could not search LDAP server - Server is unavailable

If I create a ticket using one of the principals (e.g. mesh), getent can successfully establish a connection; however, it is still unable to get any info, it always returns blank. Here is the log (slapd):
Nov 8 14:20:00 machine1 slapd[2004]: SASL proxy authorize [conn=80]: authcid="mesh" authzid="mesh"
Nov 8 14:20:00 machine1 slapd[2004]: connection_get(10)
Nov 8 14:20:00 machine1 slapd[2004]: SRCH "ou=People,dc=mydomain,dc=com" 2 0
Nov 8 14:20:00 machine1 slapd[2004]: 0 0 0
Nov 8 14:20:00 machine1 slapd[2004]: filter: (objectClass=posixAccount)
Nov 8 14:20:00 machine1 slapd[2004]: attrs:
Nov 8 14:20:00 machine1 slapd[2004]: uid
Nov 8 14:20:00 machine1 slapd[2004]: userPassword
Nov 8 14:20:00 machine1 slapd[2004]: uidNumber
Nov 8 14:20:00 machine1 slapd[2004]: gidNumber
Nov 8 14:20:00 machine1 slapd[2004]: cn
Nov 8 14:20:00 machine1 slapd[2004]: homeDirectory
Nov 8 14:20:00 machine1 slapd[2004]: loginShell
Nov 8 14:20:00 machine1 slapd[2004]: gecos
Nov 8 14:20:00 machine1 slapd[2004]: description
Nov 8 14:20:00 machine1 slapd[2004]: objectClass
Nov 8 14:20:00 machine1 slapd[2004]:
Nov 8 14:20:00 machine1 slapd[2004]: send_ldap_result: err=10 matched="" text=""
Nov 8 14:20:00 machine1 slapd[2004]: connection_get(10)

I added ldap to my nsswitch.conf, and here is /etc/libnss_ldap.conf:
base dc=mydomain,dc=com
uri ldaps://machine1
ldap_version 3
nss_base_passwd ou=People,dc=mydomain,dc=com
nss_base_shadow ou=People,dc=mydomain,dc=com
nss_base_group ou=Group,dc=mydomain,dc=com
ssl start_tls
ssl on
use_sasl on
sasl_auth_id
sasl_auth_id nssldap/machine1

Please note that I created a principal nssldap/machine1 and I added its key to the keytab file. I installed all packages using apt-get from Debian repositories.

Any help is highly appreciated.

Thank you very much
Old 11-08-2007, 09:25 AM   #2
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
Now I'm getting the following error:
Nov 8 15:45:29 machine1 slapd[2004]: SRCH "ou=Group,dc=mydomain,dc=com" 2 0
Nov 8 15:45:29 machine1 slapd[2004]: 0 0 0
Nov 8 15:45:29 machine1 slapd[2004]: filter: (objectClass=*)
Nov 8 15:45:29 machine1 slapd[2004]: attrs:
Nov 8 15:45:29 machine1 slapd[2004]:
Nov 8 15:45:29 machine1 slapd[2004]: bdb_idl_fetch_key: @ou=group,dc=mydomain,dc=com
Nov 8 15:45:29 machine1 slapd[2004]: connection_get(10)
Nov 8 15:45:29 machine1 slapd[2004]: connection_get(10)
Nov 8 15:45:29 machine1 slapd[2004]: send_ldap_result: err=0 matched="" text=""
Nov 8 15:45:29 machine1 slapd[2004]: connection_get(10)
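As an added example (not part of either post above, and not nss_ldap or OpenLDAP code), here is a small Python checker for the two things a reader of this thread would want to verify by hand: it parses the /etc/libnss_ldap.conf fragment from the first post and flags directives that are set more than once with different values or left empty, plus the combination of an ldaps:// URI with "ssl start_tls" (in nss_ldap, "ssl on" means LDAP over TLS on the ldaps port, while "ssl start_tls" means StartTLS on a plain ldap:// connection, so both together are contradictory); and it decodes the err= values in the slapd lines from both posts using the standard LDAP result codes from RFC 4511 (0 is success, 10 is referral). The config and log lines embedded in the script are copied from this thread as sample input; the checks encode general nss_ldap and LDAP semantics, not a diagnosis of this particular server, and the function names are the example's own.

```python
"""Lint an nss_ldap config fragment and decode slapd result codes.

Added example for this thread; not part of any posted config, nor of
nss_ldap or OpenLDAP.  Sample inputs are copied from the posts above.
"""
import re

# libnss_ldap.conf fragment as posted in the first post (sample input).
SAMPLE_CONF = """\
base dc=mydomain,dc=com
uri ldaps://machine1
ldap_version 3
nss_base_passwd ou=People,dc=mydomain,dc=com
nss_base_shadow ou=People,dc=mydomain,dc=com
nss_base_group ou=Group,dc=mydomain,dc=com
ssl start_tls
ssl on
use_sasl on
sasl_auth_id
sasl_auth_id nssldap/machine1
"""

# slapd log lines from both posts (sample input, trimmed to the relevant ones).
SAMPLE_SLAPD_LOG = """\
Nov 8 14:20:00 machine1 slapd[2004]: SRCH "ou=People,dc=mydomain,dc=com" 2 0
Nov 8 14:20:00 machine1 slapd[2004]: filter: (objectClass=posixAccount)
Nov 8 14:20:00 machine1 slapd[2004]: send_ldap_result: err=10 matched="" text=""
Nov 8 15:45:29 machine1 slapd[2004]: SRCH "ou=Group,dc=mydomain,dc=com" 2 0
Nov 8 15:45:29 machine1 slapd[2004]: filter: (objectClass=*)
Nov 8 15:45:29 machine1 slapd[2004]: send_ldap_result: err=0 matched="" text=""
"""

# Standard LDAP result codes (RFC 4511, Appendix A), limited to the ones
# that commonly show up when debugging an NSS lookup against slapd.
LDAP_RESULT_NAMES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    10: "referral",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
    53: "unwillingToPerform",
}

SRCH_RE = re.compile(r'SRCH "([^"]*)"')
RESULT_RE = re.compile(r"send_ldap_result: err=(\d+)")


def parse_conf(text):
    """Return (directive, value) pairs in file order, keeping duplicates.

    nss_ldap config lines are 'directive value'; a directive with nothing
    after it yields an empty value, which is exactly what we want to catch.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0], value))
    return pairs


def lint_conf(text):
    """Return a list of (directive, problem) findings for a config fragment."""
    values = {}
    for key, value in parse_conf(text):
        values.setdefault(key, []).append(value)

    findings = []
    for key, vals in values.items():
        if any(v == "" for v in vals):
            findings.append((key, "directive has an empty value"))
        distinct = list(dict.fromkeys(vals))  # unique values, order kept
        if len(distinct) > 1:
            findings.append((key, "set %d times with different values: %s"
                             % (len(vals), ", ".join(repr(v) for v in distinct))))

    # 'ssl on' is LDAP-over-TLS (ldaps://); 'ssl start_tls' is StartTLS on a
    # plain ldap:// session.  An ldaps:// URI plus start_tls is contradictory.
    uri = values.get("uri", [""])[-1]
    if uri.startswith("ldaps://") and "start_tls" in values.get("ssl", []):
        findings.append(("uri", "ldaps:// URI combined with 'ssl start_tls'; "
                                "use 'ssl on' with ldaps:// or start_tls with ldap://"))

    # SASL without any usable auth id means the bind cannot select a principal.
    if values.get("use_sasl", [""])[-1] == "on" and not any(values.get("sasl_auth_id", [])):
        findings.append(("sasl_auth_id", "use_sasl is on but no non-empty sasl_auth_id is set"))
    return findings


def decode_slapd_results(log):
    """Pair each send_ldap_result line with the most recent SRCH base.

    Returns (search_base, err, result_name) tuples in log order.
    """
    results, base = [], None
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            base = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m:
            err = int(m.group(1))
            results.append((base, err, LDAP_RESULT_NAMES.get(err, "unknown(%d)" % err)))
    return results


if __name__ == "__main__":
    for key, problem in lint_conf(SAMPLE_CONF):
        print("libnss_ldap.conf: %s: %s" % (key, problem))
    for base, err, name in decode_slapd_results(SAMPLE_SLAPD_LOG):
        print("slapd: search under %s -> err=%d (%s)" % (base, err, name))
```

Run against the posted fragment it reports "ssl" set twice with different values, "sasl_auth_id" both empty and duplicated, and the ldaps:// plus start_tls mismatch; the two slapd result lines decode to referral (err=10) for the ou=People search and success (err=0) for the ou=Group search, which is the first thing to compare against what getent actually received on the client.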