[SOLVED] OpenLDAP+Samba for authentication of both linux and windows clients
Well, I still have an issue...
I am not able to use the accounts to log in to my Linux clients. It is a bit weird, as I can log on using ssh, and su works fine as well. I guess I am still forgetting something, I just don't know what. PAM, nsswitch and ldap.conf have to be well configured. Although if I google the net, I sometimes see that there are still things that need to be enabled. What I also see is that in these articles they do a migration of the current users; I had hoped that I wouldn't need to do that.
Last edited by Blue_Ice; 02-11-2010 at 09:19 AM.
Hmm, things didn't go well today. ssh, su and those things won't work anymore.
The slapd process writes the following errors to the log file:
Feb 12 01:15:20 server slapd: conn=148 fd=15 ACCEPT from IP=10.200.56.230:40681 (IP=0.0.0.0:389)
Feb 12 01:15:20 server slapd: conn=148 op=0 STARTTLS
Feb 12 01:15:20 server slapd: conn=148 op=0 RESULT oid= err=0 text=
Feb 12 01:15:20 server slapd: conn=148 fd=15 closed (TLS negotiation failure)
On the client, I get the following error in the log file:
Feb 12 01:16:48 fedoraVM pam: gdm-password: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 12 01:16:52 fedoraVM pam: gdm-password: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 12 01:17:00 fedoraVM pam: gdm-password: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Feb 12 01:17:16 fedoraVM pam: gdm-password: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Feb 12 01:17:48 fedoraVM pam: gdm-password: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Feb 12 01:18:52 fedoraVM pam: gdm-password: nss_ldap: could not search LDAP server - Server is unavailable
To make it easier to find the problem, I have put the config files in this post as well.
dynlist-attrset groupOfNames labeledURI member
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Well, you need to do an ldapsearch to simulate what the code is doing on the backend. It's a TLS failure, so something like the trusted certs are wrong or some such. Run this:
ldapsearch -x -ZZ -d3
and it should fail in a similar way, but probably give you some info about certificate chains, or CNs, or something in that vein.
Worth asking if you have actually set up SSL certs for any of this. Do you want to use TLS or SSL here at all?
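The following triage script is an added example and is not part of the thread. It groups slapd log lines by conn= and classifies each connection: a STARTTLS followed by a RESULT with err=0 and then "closed (TLS negotiation failure)" means the server accepted the StartTLS request and the handshake itself was aborted, which points at certificate trust rather than at the LDAP configuration. It also flags any non-anonymous simple bind that happened without TLS, since that is the cleartext-password case the thread wants to avoid. The sample log is constructed from the lines quoted above plus one extra connection (conn=7, IP 10.200.56.240, uid=alice), all of which are assumptions for the example.

```python
import re

# Constructed sample: the slapd lines quoted in this thread plus one extra
# connection (conn=7) that binds with a password but never ran StartTLS.
SAMPLE_LOG = """\
Feb 12 01:15:20 server slapd: conn=148 fd=15 ACCEPT from IP=10.200.56.230:40681 (IP=0.0.0.0:389)
Feb 12 01:15:20 server slapd: conn=148 op=0 STARTTLS
Feb 12 01:15:20 server slapd: conn=148 op=0 RESULT oid= err=0 text=
Feb 12 01:15:20 server slapd: conn=148 fd=15 closed (TLS negotiation failure)
Feb 12 13:10:38 server slapd: conn=0 fd=15 ACCEPT from IP=10.200.56.232:58106 (IP=0.0.0.0:389)
Feb 12 13:10:38 server slapd: conn=0 op=0 STARTTLS
Feb 12 13:10:38 server slapd: conn=0 op=0 RESULT oid= err=0 text=
Feb 12 13:10:38 server slapd: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Feb 12 13:10:38 server slapd: conn=0 op=1 BIND dn="" method=128
Feb 12 13:10:38 server slapd: conn=0 op=1 RESULT tag=97 err=0 text=
Feb 12 13:10:39 server slapd: conn=0 op=3 UNBIND
Feb 12 13:10:39 server slapd: conn=0 fd=15 closed
Feb 12 13:12:00 server slapd: conn=7 fd=16 ACCEPT from IP=10.200.56.240:50000 (IP=0.0.0.0:389)
Feb 12 13:12:00 server slapd: conn=7 op=0 BIND dn="uid=alice,dc=hulshoff,dc=home" method=128
Feb 12 13:12:00 server slapd: conn=7 op=0 RESULT tag=97 err=0 text=
Feb 12 13:12:01 server slapd: conn=7 fd=16 closed
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ slapd: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')


def parse_slapd_log(text):
    """Group slapd log lines by conn= and record the TLS-relevant events."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-connection slapd line
        cid = int(m.group("conn"))
        rest = m.group("rest")
        c = conns.setdefault(cid, {
            "conn": cid, "ip": None, "pending_starttls": False,
            "starttls_accepted": False, "tls_established": False,
            "tls_failed": False, "cleartext_binds": [],
        })
        accept = ACCEPT_RE.search(rest)
        bind = BIND_RE.search(rest)
        if accept:
            c["ip"] = accept.group("ip")
        elif rest.endswith("STARTTLS"):
            c["pending_starttls"] = True
        elif c["pending_starttls"] and "RESULT" in rest and "err=0" in rest:
            c["starttls_accepted"] = True  # server accepted the extended op
            c["pending_starttls"] = False
        elif "TLS established" in rest:
            c["tls_established"] = True
        elif "closed (TLS negotiation failure)" in rest:
            c["tls_failed"] = True  # handshake aborted after StartTLS was accepted
        elif bind and bind.group("method") == "128" and bind.group("dn") and not c["tls_established"]:
            # method=128 is a simple bind; a non-empty DN means a password was sent
            c["cleartext_binds"].append(bind.group("dn"))
    return conns


def classify(c):
    """One label per connection, most severe first."""
    if c["tls_failed"]:
        return "tls_handshake_failed"  # look at trust anchors / certificate names
    if c["tls_established"]:
        return "tls_ok"
    if c["cleartext_binds"]:
        return "cleartext_bind"  # credentials crossed the wire unprotected
    return "no_tls"


def summarize(text):
    """Map each label to the (conn, ip) pairs that received it, in conn order."""
    out = {"tls_handshake_failed": [], "tls_ok": [], "cleartext_bind": [], "no_tls": []}
    conns = parse_slapd_log(text)
    for cid in sorted(conns):
        out[classify(conns[cid])].append((cid, conns[cid]["ip"]))
    return out


if __name__ == "__main__":
    for label, hits in summarize(SAMPLE_LOG).items():
        for cid, ip in hits:
            print(f"{label:22} conn={cid} from {ip}")
```

Run against a real slapd log (loglevel stats), the "tls_handshake_failed" bucket tells you which client addresses are aborting the handshake, and the "cleartext_bind" bucket shows any client that is binding with a password before negotiating TLS.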
I ran this command without the debug option before posting my previous message and it returned the expected data. So on your suggestion, I used the debug option and it returned the following message (in fact the final part of the huge list of information):
The log file on the server has the following information after executing ldapsearch:
Feb 12 13:10:38 server slapd: conn=0 fd=15 ACCEPT from IP=10.200.56.232:58106 (IP=0.0.0.0:389)
Feb 12 13:10:38 server slapd: conn=0 op=0 STARTTLS
Feb 12 13:10:38 server slapd: conn=0 op=0 RESULT oid= err=0 text=
Feb 12 13:10:38 server slapd: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Feb 12 13:10:38 server slapd: conn=0 op=1 BIND dn="" method=128
Feb 12 13:10:38 server slapd: conn=0 op=1 RESULT tag=97 err=0 text=
Feb 12 13:10:38 server slapd: conn=0 op=2 SRCH base="dc=hulshoff,dc=home" scope=2 deref=0 filter="(uid=ws001$)"
Feb 12 13:10:38 server slapd: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 12 13:10:39 server slapd: conn=0 op=3 UNBIND
Feb 12 13:10:39 server slapd: conn=0 fd=15 closed
To answer your final question... Yes, I need the TLS. Not using it will expose cleartext passwords on the network. Obviously that is not the desired way of working.
The certificates are specially created for this. So they are present.
OK, so TLS IS getting established there, so I would look to compare /etc/ldap.conf, which is used for the actual login processes, and /etc/openldap/ldap.conf, which is used by ldapsearch. I always forget they are separate configs... A different syntax is used, but you should be able to match up the logical equivalents between them.
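As an added example (not from the thread), the script below does that comparison mechanically: it parses both client files in their own syntax, maps the logical equivalents (nss_ldap's uri/base/tls_cacertfile/tls_cacertdir to OpenLDAP's URI/BASE/TLS_CACERT/TLS_CACERTDIR), and reports anything that differs, plus the settings that only matter for logins (ssl start_tls, tls_checkpeer) or that weaken peer verification. The two config fragments are constructed samples and the hostname ldapserver.example is a placeholder; the base DN is the one from the thread.

```python
# Constructed sample fragments in each file's own syntax (not the thread
# author's real files). nss_ldap/pam_ldap read /etc/ldap.conf; the OpenLDAP
# command-line tools (ldapsearch etc.) read /etc/openldap/ldap.conf.
NSS_LDAP_CONF = """\
uri ldap://ldapserver.example/
base dc=hulshoff,dc=home
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
"""

OPENLDAP_CONF = """\
URI ldap://ldapserver.example/
BASE dc=hulshoff,dc=home
TLS_CACERT /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
"""

# Logical equivalents: (nss_ldap /etc/ldap.conf key, OpenLDAP ldap.conf key).
EQUIVALENTS = [
    ("uri", "URI"),
    ("base", "BASE"),
    ("tls_cacertfile", "TLS_CACERT"),
    ("tls_cacertdir", "TLS_CACERTDIR"),
]


def parse_conf(text):
    """'key value' per line, '#' comments stripped, keys folded to lowercase."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def compare_tls_settings(nss_text, openldap_text):
    """Return human-readable findings; an empty list means the two files agree
    and neither one switches off verification of the server certificate."""
    nss = parse_conf(nss_text)
    ol = parse_conf(openldap_text)
    findings = []
    for nkey, okey in EQUIVALENTS:
        nval, oval = nss.get(nkey), ol.get(okey.lower())
        if nval is None and oval is None:
            continue
        if nval is None:
            findings.append(f"{okey}={oval} set for ldapsearch but {nkey} missing for logins")
        elif oval is None:
            findings.append(f"{nkey}={nval} set for logins but {okey} missing for ldapsearch")
        elif nval != oval:
            findings.append(f"{nkey}={nval} differs from {okey}={oval}")
    # ldapsearch gets StartTLS from -ZZ; nss_ldap/pam_ldap need it in the file.
    if nss.get("ssl", "").lower() != "start_tls":
        findings.append("nss_ldap conf lacks 'ssl start_tls': logins would not negotiate TLS")
    elif nss.get("tls_checkpeer", "").lower() == "yes" and not (
        nss.get("tls_cacertfile") or nss.get("tls_cacertdir")
    ):
        findings.append("tls_checkpeer yes but no tls_cacertfile/tls_cacertdir: "
                        "the server certificate cannot be verified, so the handshake fails")
    # Explicitly disabled verification means a wrong certificate goes unnoticed.
    if nss.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: nss_ldap will not verify the server certificate")
    if ol.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(f"TLS_REQCERT {ol['tls_reqcert']}: ldapsearch would accept an untrusted server certificate")
    return findings


if __name__ == "__main__":
    for finding in compare_tls_settings(NSS_LDAP_CONF, OPENLDAP_CONF) or ["no differences"]:
        print(finding)
```

In the constructed sample the only finding is that the two files point at different CA files, which is exactly the kind of mismatch that lets ldapsearch -ZZ succeed while the PAM/NSS path fails the handshake. To use it on a real host, read the two files into the two arguments instead of the inline strings.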