LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 11-29-2011, 03:59 AM   #1
pitccorp01
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Rep: Reputation: Disabled
nss_ldap: failed to bind to LDAP server


Hi,

I am trying to configure openldap 2.4.23 client running on openSuSE 11.4 64 bit server with modules pam 1.1.3 nss ldap 265-9.3 and krb5 1.8.3 but I am receiving the following error message when the server connects to the ldap server (Windows Sever 2008).

Quote:
Unable to find a suitable server for domain POWELLITC
my /etc/ldap.conf settings are:
Code:
base    dc=server,dc=com
binddn  cn=Administrator,cn=Users,dc=server,dc=com
bindpw  password
port    389
bind_policy     soft
pam_lookup_policy       yes
pam_password    exop
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_attribute       uniqueMember member
ssl     no
uri     ldap://x.x.x.x
ldap_version    3
pam_filter      objectClass=posixAccount
my /etc/nscd.conf
Code:
        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes

        enable-cache            hosts           yes
        positive-time-to-live   hosts           600
        negative-time-to-live   hosts           0
        suggested-size          hosts           211
        check-files             hosts           yes
my /etc/krb5.conf settings are:
Code:
[libdefaults]
        default_realm = POWELLITC.COM
        clockskew = 300

[realms]
POWELLITC = {
        kdc = x.x.x.x
        default_domain = POWELLITC
        admin_server = x.x.x.x
}
POWELLITC.COM = {
        kdc = x.x.x.x
        default_domain = powellitc.com
        admin_server = x.x.x.x
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .powellitc.com = POWELLITC.COM
        .powellitc = POWELLITC
        .POWELLITC = POWELLITC.COM
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
}
I have successfully connected from the linux server to the ldap server using the command
Quote:
ldapsearch -x -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -W "sAMAccountName"
with password from the /etc/ldap.conf
Code:
# search result
search: 2
result: 0 Success

# numResponses: 246
# numEntries: 242
# numReferences: 3
I do not receive any errors executing the command using password from /etc/ldap.conf


I am also able to browse the ldap server using the yast ldap browser GUI. So, I am thinking there is something that I have overlooked in a configuration setting. Please help!

Thanks.

Last edited by pitccorp01; 11-29-2011 at 04:03 AM. Reason: changed dc=powellitc
 
Old 11-29-2011, 10:10 AM   #2
kbscores
Member
 
Registered: Oct 2011
Location: USA
Distribution: Red Hat
Posts: 259
Blog Entries: 9

Rep: Reputation: 32
First, I am by no means an ldap expert; however there are a lot of things here that are troublesome.

The primary issues are binddn, base, and ldapsearch.

Think of binddn and base as backwards pathes - base is your root node to your ldap directory - in this case it would be your domain:

Code:
base dc=powellitc,dc=com
Your binddn would be considered your root login and in order for ldap to recall information it needs a path to get to it so it would look like this:

Code:
binddn  cn=Administrator,cn=Users,dc=powellitc,dc=com
Keep in mind this information MUST match slapd.conf file on ldap server.
Also - I'm assuming all directory information has been loaded into server correctly -
If it has not you will continue to get no results.

ok - so a couple things about ldapsearch -
when using certificates simple authentication isn't required (-x, -W) You may still use simple authentication if it is set up within slapd.conf file on ldap server. Listed below are a few examples of ldapsearch calls with explanations:

Code:
ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W *
This will use simple authentication (no certificate) and will return all attributes listed within server with their values.

Note: ldapsearch by default uses sub as its scope. Meaning it will search all directories including sub directories. You can change scope with -s and one of three values (base,sub,children)

Code:
ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W uid=myID
The example listed above uses simple authentication and will return all attributes for objects associated with uid=myID.

To list only attributes stored in directory structure use:

Code:
ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W -A
To list specific information about a directory structure search use:

Code:
ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W uid=myID sn cn shadowMin
 
Old 11-29-2011, 01:47 PM   #3
pitccorp01
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks for the tips and pointers. I have updated the /etc/openldap/slapd.conf /etc/ldap.conf files, and restarted the ldap service. Here is the returned messages
Quote:
Nov 29 12:31:12 localhost slapd[29376]: @(#) $OpenLDAP: slapd 2.4.23 $#012#011opensuse-buildservice@opensuse.org
Nov 29 12:31:13 localhost slapd[29380]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Nov 29 12:31:13 localhost slapd[29380]: slapd starting
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 fd=13 ACCEPT from IP=[::1]:60872 (IP=[::]:389)
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=0 BIND dn="" method=128
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=0 RESULT tag=97 err=0 text=
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=2 UNBIND
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 fd=13 closed
Any suggestions? Thanks.
 
Old 12-01-2011, 11:35 AM   #4
kbscores
Member
 
Registered: Oct 2011
Location: USA
Distribution: Red Hat
Posts: 259
Blog Entries: 9

Rep: Reputation: 32
Are you familar with LDAP? If not I recommend starting off with a simpler configuration until you get concepts. It can get fairly complicated when you start throwing in extensions, especially if you haven't set up a basic server before.

There are several variables here that make it difficult to troubleshoot. Just from that output which I guess is from -d 0 from starting slapd?

Id say start with a basic configuration and slowly add elements into conf files. When slapd doesn't start - that is error. Also, Here is a fairly extensive guide for openLDAP that might be able to shed more light on configurations: http://tldp.org/HOWTO/LDAP-HOWTO/index.html
 
Old 12-14-2011, 01:37 PM   #5
pitccorp01
LQ Newbie
 
Registered: Nov 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
Fixed It!

I resolved the issue using the following procedure starting from scratch:

1. Install openldap and openldap tools
2. Generate encrypted password using
Code:
slappasswd
Quote:
{SSHA}PsJPbrbirXGB+IHq8m7M++BBZO6MvXE+
3. Edit configuration file /etc/openldap/slapd.conf for
Code:
suffix          "dc=powell,dc=com"
rootdn          "cn=Administrator,cn=Users,dc=powell,dc=com"
rootpw          {SSHA}PsJPbrbirXGB+IHq8m7M++BBZO6MvXE+
4. Start service rcldap start
5. Test connection with
Code:
ldapsearch -D "cn=Administrator,cn=Users,dc=powell,dc=com" -x -W uid=myuserid
Expected output:
Quote:
# extended LDIF
#
# LDAPv3
# base <DC=powell,DC=com> (default) with scope subtree
# filter: uid=myuserid
# requesting: ALL
#
# search reference

ref: ldap://ForestDnsZones.powell.com/DC=ForestDnsZones,DC=powell,DC=com
# search reference
ref: ldap://DomainDnsZones.powell.com/DC=DomainDnsZones,DC=powell,DC=com
# search reference
ref: ldap://powell.com/CN=Configuration,DC=powell,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numReferences: 3
6. grep slapd /var/log/messages to see results when slapd started
Quote:
Dec 10 14:29:11 serverA slapd[4710]: @(#) $OpenLDAP: slapd 2.4.17 (Mar 3 2011 09:39:43) $#012#011abuild@build21:/usr/src/packages/BUILD/openldap-2.4.17/servers/slapd

Dec 10 14:29:11 serverA slapd[4714]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Dec 10 14:29:11 serverA slapd[4714]: slapd starting
Dec 10 14:29:12 serverA slapd[4714]: conn=0 fd=13 ACCEPT from IP=[::1]:44389 (IP=[::]:389)
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=0 BIND dn="" method=128
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=0 RESULT tag=97 err=0 text=
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=2 UNBIND
Dec 10 14:29:12 serverA slapd[4714]: conn=0 fd=13 closed
7. Install clamav, clamdb, ldapsmb, bind
8. Add
Quote:
1.1.1.1 domain-ctrl.powell.com windctrl01
to /etc/hosts file
9. Edit file /etc/samba/smb.conf with the settings:
Code:
[global]
        workgroup = POWELL
        netbios name = serverA
        realm = POWELL.COM
        password server = domain-ctrl.powell.com
        encrypt passwords = yes
        log level = 1
        syslog = 0
        domain master = no
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = ADS
        wins support = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775
10. Edit /etc/krb5.conf with the settings below:
Code:
[libdefaults]

        default_realm = POWELL.COM
        clockskew = 300
[realms]

POWELL.COM = {
        kdc = domain-ctrl.powell.com
        default_domain = powell.com
        admin_server = domain-ctrl.powell.com
}

powell.com = {
        kdc = domain-ctrl.powell.com
        default_domain = powell.com
        admin_server = domain-ctrl.powell.com
}

POWELL  = {
        kdc = domain-ctrl.powell.com
        default_domain = POWELL
        admin_server = domain-ctrl.powell.com
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .powell.com = POWELL.COM
        .POWELL = POWELL

[appdefaults]

pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 0
        try_first_pass = true
}
11. Execute command
Code:
/usr/bin/kinit Administrator@POWELL.COM
to create kerberos ticket
12. execute command
Code:
klist
to view the ticket information
Expected Output:
Quote:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@POWELL.COM

Valid starting Expires Service principal
12/10/11 15:07:12 12/11/11 01:07:22 krbtgt/POWELL.COM@POWELL.COM
renew until 12/11/11 15:07:12
13. Execute command
Code:
net ads join -S domain-ctrl.powell.com -U Administrator
to join Windows domain powell.com

Expected Output:
Quote:
Enter Administrator's password:

Using short domain name -- POWELL
Joined 'serverA' to realm 'powell.com'
14. start
Code:
rcwinbind start
to start winbind service
15. Execute
Code:
wbinfo -u
to list users in the domain powell.com
Quote:
POWELL\user1
POWELL\user2
POWELL\user3
16. Logon to Windows DC server to verify the machine has been added

I hope this post was helpful to someone who has the same issue as I did!

Thanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] LDAP Server Bind Failed sheelavantar Linux - Server 2 08-26-2011 04:52 AM
samba 3.5 failed to bind to ldap server invalid credentials mercxi Linux - Server 1 07-28-2010 05:58 PM
nss_ldap hangs at failover of master LDAP server to slave linux=future Linux - Software 8 03-31-2010 11:27 AM
nss_ldap: reconnecting to LDAP server (sleeping 64 seconds) your_shadow03 Linux - Newbie 1 01-13-2010 01:59 PM
nss_ldap, can't contact LDAP server! mesh2005 Linux - Networking 3 12-06-2005 02:22 AM


All times are GMT -5. The time now is 11:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration