nss_ldap: failed to bind to LDAP server

pitccorp01 · 11-29-2011, 02:59 AM

Hi,

I am trying to configure openldap 2.4.23 client running on openSuSE 11.4 64 bit server with modules pam 1.1.3 nss ldap 265-9.3 and krb5 1.8.3 but I am receiving the following error message when the server connects to the ldap server (Windows Sever 2008).

Quote:

Unable to find a suitable server for domain POWELLITC

my /etc/ldap.conf settings are:

Code:

base    dc=server,dc=com
binddn  cn=Administrator,cn=Users,dc=server,dc=com
bindpw  password
port    389
bind_policy     soft
pam_lookup_policy       yes
pam_password    exop
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_attribute       uniqueMember member
ssl     no
uri     ldap://x.x.x.x
ldap_version    3
pam_filter      objectClass=posixAccount

my /etc/nscd.conf

Code:

        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes

        enable-cache            hosts           yes
        positive-time-to-live   hosts           600
        negative-time-to-live   hosts           0
        suggested-size          hosts           211
        check-files             hosts           yes

my /etc/krb5.conf settings are:

Code:

[libdefaults]
        default_realm = POWELLITC.COM
        clockskew = 300

[realms]
POWELLITC = {
        kdc = x.x.x.x
        default_domain = POWELLITC
        admin_server = x.x.x.x
}
POWELLITC.COM = {
        kdc = x.x.x.x
        default_domain = powellitc.com
        admin_server = x.x.x.x
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .powellitc.com = POWELLITC.COM
        .powellitc = POWELLITC
        .POWELLITC = POWELLITC.COM
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
}

I have successfully connected from the linux server to the ldap server using the command

Quote:

ldapsearch -x -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -W "sAMAccountName"

with password from the /etc/ldap.conf

Code:

# search result
search: 2
result: 0 Success

# numResponses: 246
# numEntries: 242
# numReferences: 3

I do not receive any errors executing the command

Quote:

kinit Administrator@POWELLITC.COM

using password from /etc/ldap.conf

I am also able to browse the ldap server using the yast ldap browser GUI. So, I am thinking there is something that I have overlooked in a configuration setting. Please help!

Thanks.

kbscores · 11-29-2011, 09:10 AM

First, I am by no means an ldap expert; however there are a lot of things here that are troublesome.

The primary issues are binddn, base, and ldapsearch.

Think of binddn and base as backwards pathes - base is your root node to your ldap directory - in this case it would be your domain:

Code:

base dc=powellitc,dc=com

Your binddn would be considered your root login and in order for ldap to recall information it needs a path to get to it so it would look like this:

Code:

binddn  cn=Administrator,cn=Users,dc=powellitc,dc=com

Keep in mind this information MUST match slapd.conf file on ldap server.
Also - I'm assuming all directory information has been loaded into server correctly -
If it has not you will continue to get no results.

ok - so a couple things about ldapsearch -
when using certificates simple authentication isn't required (-x, -W) You may still use simple authentication if it is set up within slapd.conf file on ldap server. Listed below are a few examples of ldapsearch calls with explanations:

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W *

This will use simple authentication (no certificate) and will return all attributes listed within server with their values.

Note: ldapsearch by default uses sub as its scope. Meaning it will search all directories including sub directories. You can change scope with -s and one of three values (base,sub,children)

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W uid=myID

The example listed above uses simple authentication and will return all attributes for objects associated with uid=myID.

To list only attributes stored in directory structure use:

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W -A

To list specific information about a directory structure search use:

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W uid=myID sn cn shadowMin

pitccorp01 · 11-29-2011, 12:47 PM

Thanks for the tips and pointers. I have updated the /etc/openldap/slapd.conf /etc/ldap.conf files, and restarted the ldap service. Here is the returned messages

Quote:

Nov 29 12:31:12 localhost slapd[29376]: @(#) $OpenLDAP: slapd 2.4.23 $#012#011opensuse-buildservice@opensuse.org
Nov 29 12:31:13 localhost slapd[29380]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Nov 29 12:31:13 localhost slapd[29380]: slapd starting
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 fd=13 ACCEPT from IP=[::1]:60872 (IP=[::]:389)
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=0 BIND dn="" method=128
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=0 RESULT tag=97 err=0 text=
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=2 UNBIND
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 fd=13 closed

Any suggestions? Thanks.

kbscores · 12-01-2011, 10:35 AM

Are you familar with LDAP? If not I recommend starting off with a simpler configuration until you get concepts. It can get fairly complicated when you start throwing in extensions, especially if you haven't set up a basic server before.

There are several variables here that make it difficult to troubleshoot. Just from that output which I guess is from -d 0 from starting slapd?

Id say start with a basic configuration and slowly add elements into conf files. When slapd doesn't start - that is error. Also, Here is a fairly extensive guide for openLDAP that might be able to shed more light on configurations: http://tldp.org/HOWTO/LDAP-HOWTO/index.html

pitccorp01 · 12-14-2011, 12:37 PM

I resolved the issue using the following procedure starting from scratch:

1. Install openldap and openldap tools
2. Generate encrypted password using

Code:

slappasswd

Quote:

{SSHA}PsJPbrbirXGB+IHq8m7M++BBZO6MvXE+

3. Edit configuration file /etc/openldap/slapd.conf for

Code:

suffix          "dc=powell,dc=com"
rootdn          "cn=Administrator,cn=Users,dc=powell,dc=com"
rootpw          {SSHA}PsJPbrbirXGB+IHq8m7M++BBZO6MvXE+

4. Start service rcldap start
5. Test connection with

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powell,dc=com" -x -W uid=myuserid

Expected output:

Quote:

# extended LDIF
#
# LDAPv3
# base <DC=powell,DC=com> (default) with scope subtree
# filter: uid=myuserid
# requesting: ALL
#
# search reference

ref: ldap://ForestDnsZones.powell.com/DC=ForestDnsZones,DC=powell,DC=com
# search reference
ref: ldap://DomainDnsZones.powell.com/DC=DomainDnsZones,DC=powell,DC=com
# search reference
ref: ldap://powell.com/CN=Configuration,DC=powell,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numReferences: 3

6. grep slapd /var/log/messages to see results when slapd started

Quote:

Dec 10 14:29:11 serverA slapd[4710]: @(#) $OpenLDAP: slapd 2.4.17 (Mar 3 2011 09:39:43) $#012#011abuild@build21:/usr/src/packages/BUILD/openldap-2.4.17/servers/slapd

Dec 10 14:29:11 serverA slapd[4714]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Dec 10 14:29:11 serverA slapd[4714]: slapd starting
Dec 10 14:29:12 serverA slapd[4714]: conn=0 fd=13 ACCEPT from IP=[::1]:44389 (IP=[::]:389)
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=0 BIND dn="" method=128
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=0 RESULT tag=97 err=0 text=
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=2 UNBIND
Dec 10 14:29:12 serverA slapd[4714]: conn=0 fd=13 closed

7. Install clamav, clamdb, ldapsmb, bind
8. Add

Quote:

1.1.1.1 domain-ctrl.powell.com windctrl01

to /etc/hosts file
9. Edit file /etc/samba/smb.conf with the settings:

Code:

[global]
        workgroup = POWELL
        netbios name = serverA
        realm = POWELL.COM
        password server = domain-ctrl.powell.com
        encrypt passwords = yes
        log level = 1
        syslog = 0
        domain master = no
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = ADS
        wins support = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

10. Edit /etc/krb5.conf with the settings below:

Code:

[libdefaults]

        default_realm = POWELL.COM
        clockskew = 300
[realms]

POWELL.COM = {
        kdc = domain-ctrl.powell.com
        default_domain = powell.com
        admin_server = domain-ctrl.powell.com
}

powell.com = {
        kdc = domain-ctrl.powell.com
        default_domain = powell.com
        admin_server = domain-ctrl.powell.com
}

POWELL  = {
        kdc = domain-ctrl.powell.com
        default_domain = POWELL
        admin_server = domain-ctrl.powell.com
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .powell.com = POWELL.COM
        .POWELL = POWELL

[appdefaults]

pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 0
        try_first_pass = true
}

11. Execute command

Code:

/usr/bin/kinit Administrator@POWELL.COM

to create kerberos ticket
12. execute command

Code:

klist

to view the ticket information
Expected Output:

Quote:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@POWELL.COM

Valid starting Expires Service principal
12/10/11 15:07:12 12/11/11 01:07:22 krbtgt/POWELL.COM@POWELL.COM
renew until 12/11/11 15:07:12

13. Execute command

Code:

net ads join -S domain-ctrl.powell.com -U Administrator

to join Windows domain powell.com

Expected Output:

Quote:

Enter Administrator's password:

Using short domain name -- POWELL
Joined 'serverA' to realm 'powell.com'

14. start

Code:

rcwinbind start

to start winbind service
15. Execute

Code:

wbinfo -u

to list users in the domain powell.com

Quote:

POWELL\user1
POWELL\user2
POWELL\user3

16. Logon to Windows DC server to verify the machine has been added

I hope this post was helpful to someone who has the same issue as I did!

Thanks