LinuxQuestions.org
Old 02-10-2010, 07:06 AM   #16
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Original Poster

Well, I still have an issue...
I am not able to use the accounts to log in to my Linux clients. It is a bit weird, as I can log on using ssh and su works fine as well. I guess I am still forgetting something, I just don't know what. PAM, nsswitch and ldap.conf have to be well configured, although if I google the net, I sometimes see that there are still things that need to be enabled. What I also see is that in these articles they do a migration of the current users; I had hoped that I wouldn't need to do that.

Arjan

 
Old 02-11-2010, 06:37 PM   #17
Blue_Ice
Hmm, things didn't go well today. Ssh, su and those things won't work anymore.

The slapd process writes the following errors to the log file:
Code:
Feb 12 01:15:20 server slapd[13851]: conn=148 fd=15 ACCEPT from IP=10.200.56.230:40681 (IP=0.0.0.0:389)
Feb 12 01:15:20 server slapd[13851]: conn=148 op=0 STARTTLS 
Feb 12 01:15:20 server slapd[13851]: conn=148 op=0 RESULT oid= err=0 text=  
Feb 12 01:15:20 server slapd[13851]: conn=148 fd=15 closed (TLS negotiation failure)
On the client, I get the following error in the log file:
Code:
Feb 12 01:16:48 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 12 01:16:52 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 12 01:17:00 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Feb 12 01:17:16 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Feb 12 01:17:48 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Feb 12 01:18:52 fedoraVM pam: gdm-password[4210]: nss_ldap: could not search LDAP server - Server is unavailable
To make it easier to find the problem, I have put the config files in this post as well.

First slapd.conf:
Code:
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/samba.schema

modulepath	/usr/lib64/openldap
moduleload	dynlist.la

TLSCipherSuite TLSv1+RSA:!NULL
TLSCACertificateFile /etc/openldap/cacerts/ldap_cacert.pem
TLSCertificateFile /etc/openldap/cacerts/ldap.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key

overlay dynlist
dynlist-attrset groupOfNames labeledURI member

database	bdb
suffix		"dc=hulshoff,dc=home"
rootdn		"cn=Manager,dc=hulshoff,dc=home"
rootpw		{SSHA}<encrypted_password>

directory	/var/lib/ldap

index objectClass                       		eq,pres
index ou,cn,mail,surname,givenname      		eq,pres,sub
index uidNumber,gidNumber,loginShell    		eq,pres
index uid,memberUid                     		eq,pres,sub
index nisMapName,nisMapEntry            		eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDOmainName	eq
And finally ldap.conf:
Code:
timelimit 120
timelimit 30
bind_timelimit 120
idle_timelimit 3600

rootbinddn cn=Manager,dc=hulshoff,dc=home

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl start_tls
TLS_CACERT /etc/openldap/cacerts/ldap_cacert.pem
pam_password crypt
URI ldap://ldap.hulshoff.home/
BASE dc=hulshoff,dc=home
bind_policy=soft
host ldap.hulshoff.home
Any idea what I am doing wrong here? Am I messing up something on the certificates?

Arjan.
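As an added example (not from the thread or from the OpenLDAP project), a small shell triage of slapd log lines like the ones above: it keys every connection on the slapd pid plus conn number and reports whether STARTTLS was requested, established, or failed. The sample log is constructed from the lines quoted in this post and from the later ldapsearch run.

```shell
#!/bin/sh
# Added example, not from the thread: triage slapd syslog lines so that each
# connection's STARTTLS outcome is visible at a glance. Connections are keyed
# on slapd pid + conn number, since conn numbers restart at 0 after a restart.

# Print "pid=P conn=N peer=IP:PORT starttls=STATE" per accepted connection,
# STATE being none, requested, established or FAILED, in order of arrival.
slapd_tls_summary() {
    awk '
        match($0, /slapd\[[0-9]+\]/) { pid = substr($0, RSTART + 6, RLENGTH - 7) }
        match($0, /conn=[0-9]+/)     { conn = substr($0, RSTART + 5, RLENGTH - 5); key = pid ":" conn }
        /ACCEPT from IP=/ {
            match($0, /IP=[0-9.]+:[0-9]+/)       # the first IP= on the line is the peer
            peer[key] = substr($0, RSTART + 3, RLENGTH - 3)
            order[++n] = key
        }
        / STARTTLS/               { tls[key] = "requested" }
        / TLS established/        { tls[key] = "established" }
        /TLS negotiation failure/ { tls[key] = "FAILED" }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]; state = (k in tls) ? tls[k] : "none"
                split(k, kp, ":")
                printf "pid=%s conn=%s peer=%s starttls=%s\n", kp[1], kp[2], peer[k], state
            }
        }
    ' "$@"
}

# STARTTLS state of one conn number (argument 2) in log file (argument 1).
slapd_tls_status() {
    slapd_tls_summary "$1" | awk -v want="conn=$2" '$2 == want { sub(/.*starttls=/, ""); print }'
}

# Constructed sample: the failing client connection and the working ldapsearch
# connection quoted in the thread, written to a temporary file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 12 01:15:20 server slapd[13851]: conn=148 fd=15 ACCEPT from IP=10.200.56.230:40681 (IP=0.0.0.0:389)
Feb 12 01:15:20 server slapd[13851]: conn=148 op=0 STARTTLS
Feb 12 01:15:20 server slapd[13851]: conn=148 op=0 RESULT oid= err=0 text=
Feb 12 01:15:20 server slapd[13851]: conn=148 fd=15 closed (TLS negotiation failure)
Feb 12 13:10:38 server slapd[8025]: conn=0 fd=15 ACCEPT from IP=10.200.56.232:58106 (IP=0.0.0.0:389)
Feb 12 13:10:38 server slapd[8025]: conn=0 op=0 STARTTLS
Feb 12 13:10:38 server slapd[8025]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Feb 12 13:10:39 server slapd[8025]: conn=0 fd=15 closed
EOF
slapd_tls_summary "$SAMPLE_LOG"
```

A connection that shows "requested" followed by "FAILED" points at the client side of the handshake (CA trust, hostname or cipher mismatch), whereas "established" followed by a failing login points at the login path's own configuration.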
 
Old 02-12-2010, 05:27 AM   #18
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Well, you need to do an ldapsearch to simulate what the code is doing on the backend. It's a TLS failure, so something like the trusted certs are wrong or some such. Run this:

ldapsearch -x -ZZ -d3

and it should fail in a similar way, but give you some info, probably about certificate chains or CNs or something in that vein.

Worth asking if you have actually set up SSL certs for any of this. Do you want to use TLS or SSL here at all?
 
Old 02-12-2010, 06:22 AM   #19
Blue_Ice
Quote:
Originally Posted by acid_kewpie View Post
Well, you need to do an ldapsearch to simulate what the code is doing on the backend. It's a TLS failure, so something like the trusted certs are wrong or some such. Run this:

ldapsearch -x -ZZ -d3

and it should fail in a similar way, but give you some info, probably about certificate chains or CNs or something in that vein.

Worth asking if you have actually set up SSL certs for any of this. Do you want to use TLS or SSL here at all?
I ran this command without the debug option before posting my previous message and it returned the expected data. So on your suggestion, I used the debug option and it returned the following message (in fact the final part of the huge list of information):
Code:
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
tls_read: want=5 error=Bad file descriptor
The log file on the server has the following information after executing ldapsearch:
Code:
Feb 12 13:10:38 server slapd[8025]: conn=0 fd=15 ACCEPT from IP=10.200.56.232:58106 (IP=0.0.0.0:389)
Feb 12 13:10:38 server slapd[8025]: conn=0 op=0 STARTTLS
Feb 12 13:10:38 server slapd[8025]: conn=0 op=0 RESULT oid= err=0 text=
Feb 12 13:10:38 server slapd[8025]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Feb 12 13:10:38 server slapd[8025]: conn=0 op=1 BIND dn="" method=128
Feb 12 13:10:38 server slapd[8025]: conn=0 op=1 RESULT tag=97 err=0 text=
Feb 12 13:10:38 server slapd[8025]: conn=0 op=2 SRCH base="dc=hulshoff,dc=home" scope=2 deref=0 filter="(uid=ws001$)"
Feb 12 13:10:38 server slapd[8025]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 12 13:10:39 server slapd[8025]: conn=0 op=3 UNBIND
Feb 12 13:10:39 server slapd[8025]: conn=0 fd=15 closed
To answer your final question... Yes, I need the TLS. Not using it will expose cleartext passwords on the network. Obviously that is not the desired way of working.
The certificates are specially created for this. So they are present.
 
Old 02-12-2010, 06:39 AM   #20
acid_kewpie
OK, so TLS IS getting established there, so I would look to compare /etc/ldap.conf, which is used for the actual login processes, and /etc/openldap/ldap.conf which is used by ldapsearch. I always forget they are separate configs... A different syntax is used, but you should be able to match up the logical equivalents between them.
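As an added example (not acid_kewpie's or the project's code), a shell helper that pulls the logical equivalents out of both files and reports where they disagree. The keyword pairing uri/URI, base/BASE and tls_cacertfile/TLS_CACERT is taken from the nss_ldap and libldap ldap.conf syntaxes, and the file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: list the logical equivalents between
# nss_ldap/pam_ldap's /etc/ldap.conf and libldap's /etc/openldap/ldap.conf
# side by side, so the two files can be kept in step without a symlink.
# Value of keyword KEY ($2) in FILE ($1). Keywords are case-insensitive in
# both files; comments and blank lines are skipped; the first match wins.
ldapconf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Keyword pairs meaning the same thing (nss_ldap name:libldap name).
# "ssl start_tls" in /etc/ldap.conf has no libldap counterpart: the OpenLDAP
# tools request STARTTLS with -Z/-ZZ on the command line instead.
EQUIV="uri:URI base:BASE tls_cacertfile:TLS_CACERT"
# Report each pair as OK or MISMATCH; exit status is the number of mismatches.
compare_ldap_confs() {
    nss="$1"; lib="$2"; diffs=0
    for pair in $EQUIV; do
        nkey=${pair%%:*}; lkey=${pair#*:}
        nval=$(ldapconf_get "$nss" "$nkey"); lval=$(ldapconf_get "$lib" "$lkey")
        if [ "$nval" = "$lval" ]; then
            printf 'OK       %-14s = %-10s : %s\n' "$nkey" "$lkey" "${nval:-<unset>}"
        else
            printf 'MISMATCH %-14s = %-10s : "%s" vs "%s"\n' "$nkey" "$lkey" "$nval" "$lval"
            diffs=$((diffs + 1))
        fi
    done
    return "$diffs"
}

# Mismatch count on stdout (easier to capture than an exit status).
ldapconf_mismatches() {
    compare_ldap_confs "$1" "$2" | grep -c '^MISMATCH' || true
}

# Constructed sample pair modelled on the thread's files: same URI and base,
# but the CA certificate paths deliberately differ so the check finds something.
write_sample_confs() {
    dir=$(mktemp -d)
    printf '%s\n' '# /etc/ldap.conf style (nss_ldap), constructed sample' \
        'uri ldap://ldap.example.test/' 'base dc=example,dc=test' \
        'ssl start_tls' 'tls_cacertfile /etc/openldap/cacerts/ldap_cacert.pem' > "$dir/ldap.conf"
    printf '%s\n' '# /etc/openldap/ldap.conf style (libldap), constructed sample' \
        'URI ldap://ldap.example.test/' 'BASE dc=example,dc=test' \
        'TLS_CACERT /etc/openldap/cacerts/cacert.pem' > "$dir/openldap-ldap.conf"
    echo "$dir"
}
sample_dir=$(write_sample_confs)
compare_ldap_confs "$sample_dir/ldap.conf" "$sample_dir/openldap-ldap.conf" || echo "files disagree"
```

Run it against the real /etc/ldap.conf and /etc/openldap/ldap.conf after any change to either; a MISMATCH on tls_cacertfile/TLS_CACERT means ldapsearch and the PAM/NSS login path are trusting different CA files.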
 
Old 02-12-2010, 06:56 AM   #21
Blue_Ice
Wouldn't it be easier to create a symlink instead of keeping 2 different files?
 
Old 02-12-2010, 07:08 AM   #22
acid_kewpie
No, as I said, they are different.
 
Old 02-12-2010, 09:15 AM   #23
Blue_Ice
Thanks acid_kewpie!

That was my mistake... I made a symlink as I thought it would be easier to maintain. I didn't know that it made that much difference.
 
Old 02-12-2010, 10:32 AM   #24
acid_kewpie
Certainly confusing, but the tools / libraries which use them are really very separate, pam libraries vs openldap tools, so it's kinda understandable why they have different config files.
 
Old 07-02-2010, 04:17 AM   #25
abakhiet
Member
 
Registered: Apr 2010
Location: Assiut, Egypt
Posts: 166

Hello,
I have a video for this issue.
I think it is awesome; here is the link:
 
  

