LinuxQuestions.org
Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 12-11-2012, 05:50 PM   #1
malak33
Member
 
Registered: Dec 2011
Location: Amish Country PA, USA
Distribution: CentOS 6.2
Posts: 104

Rep: Reputation: 3
389-ds problems


hey guys and gals,
I decided to use this instead of OpenLDAP because 389 has a GUI. Anyway, I'm using CentOS on 3 different VMs: one DNS, one 389-ds, and one client. I'm having trouble connecting the client to the server. I can't wrap my head around it. On the server I have three test users set up, tuser1, tuser2 and tuser3, and a test group called "test".

I can ping from the client to the server.
I can ssh from the client to the server as root.
I CANNOT ssh from the client to the server as tuser1.
Yes, iptables is turned off on all three machines, and chkconfig iptables off has been run on all three machines too.
I can telnet from the client to the server on port 22 and port 389.
From the client, "getent passwd" looks like it returns /etc/passwd from the client.

If I try to give tuser1 a home dir /home/tuser1,
populate it with the skel directory,
then change ownership to tuser1:test:

Code:
chown -R tuser1:test /home/tuser1
I get an error saying
Code:
chown: invalid user: 'tuser1:test'



Commands run on the client against the server:
Code:
ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
Code:
ldapsearch -x
I get back results from both of the commands above.


If you need any configuration files or have any questions let me know.
 
Old 12-12-2012, 03:35 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
You chose 389ds just from the (AWFUL) GUI? Hmm, bad reasoning there. There are plenty of generic LDAP managers. I'd always recommend OpenLDAP over 389ds and its other incarnations. Horrible service to use.

But anyway, bad choices aside, it should still work, so you need to divide and conquer.

So getent passwd does NOT return the users, so the LDAP lookup is not working. If you're just using plaintext 389, I'd personally use tcpdump / wireshark to see if LDAP requests are being made, and if so what is being transferred in those requests. Coupled with the server-side logs, that's a great place to start.
 
Old 12-13-2012, 12:15 PM   #3
malak33
Original Poster
Thanks for the help Acid.

I guess I chose 389 because I thought it would be simpler to set up than OpenLDAP is. I started setting up OpenLDAP and ran into a few issues. So for my studying purposes I went for the 389 dirsrv instead.

Anyway, I ran some tests from the client to the server and saved them all. Here is the outcome.

From the outcome of these tests I'm wondering if there is something that I have to do server-side to enable the 389 dirsrv to enable the users that I created? Like something in a text file or what have you? For example I used authconfig-tui from the client to the server to connect to the dirsrv. If you guys need any more info let me know.


These are the outcomes when I ran the command tethereal -ni eth0 > clientexttest.txt

Here is the outcome when I pinged centoslabgui.example.com from the client:
Code:
[root@CentOSLabGUI /]# cat /ldaptest/pingtest.txt 
  0.000000 08:00:27:68:e3:a9 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.101?  Tell 192.168.1.153
  0.013331 08:00:27:68:e3:a9 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.100?  Tell 192.168.1.153
  0.013388 08:00:27:72:2a:d5 -> 08:00:27:68:e3:a9 ARP 192.168.1.100 is at 08:00:27:72:2a:d5
  0.013776 192.168.1.153 -> 192.168.1.100 ICMP Echo (ping) request
  0.013832 192.168.1.100 -> 192.168.1.153 ICMP Echo (ping) reply
  1.185615 192.168.1.153 -> 192.168.1.100 ICMP Echo (ping) request
  1.185655 192.168.1.100 -> 192.168.1.153 ICMP Echo (ping) reply
  2.353804 192.168.1.153 -> 192.168.1.100 ICMP Echo (ping) request
  2.353846 192.168.1.100 -> 192.168.1.153 ICMP Echo (ping) reply
  3.520701 192.168.1.153 -> 192.168.1.100 ICMP Echo (ping) request
  3.520744 192.168.1.100 -> 192.168.1.153 ICMP Echo (ping) reply
  5.013786 08:00:27:72:2a:d5 -> 08:00:27:68:e3:a9 ARP Who has 192.168.1.153?  Tell 192.168.1.100
  5.014174 08:00:27:68:e3:a9 -> 08:00:27:72:2a:d5 ARP 192.168.1.153 is at 08:00:27:68:e3:a9
[root@CentOSLabGUI /]#
Here is when I ran ldapsearch -x:
Code:
[root@CentOSLabGUI /]# cat /ldaptest/ldapsearchtest.txt 
  0.000000 192.168.1.153 -> 192.168.1.100 TCP 35709 > 389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11083573 TSER=0 WS=6
  0.000063 192.168.1.100 -> 192.168.1.153 TCP 389 > 35709 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=9999681 TSER=11083573 WS=7
  0.004761 192.168.1.153 -> 192.168.1.100 TCP 35709 > 389 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11083574 TSER=9999681
  0.010521 192.168.1.153 -> 192.168.1.100 LDAP bindRequest(1) "<ROOT>" simple 
  0.010565 192.168.1.100 -> 192.168.1.153 TCP 389 > 35709 [ACK] Seq=1 Ack=15 Win=14592 Len=0 TSV=9999692 TSER=11083575
  0.011019 192.168.1.100 -> 192.168.1.153 LDAP bindResponse(1) success 
  0.016580 192.168.1.153 -> 192.168.1.100 TCP 35709 > 389 [ACK] Seq=15 Ack=15 Win=5888 Len=0 TSV=11083576 TSER=9999692
  0.058856 192.168.1.153 -> 192.168.1.100 LDAP searchRequest(2) "dc=example,dc=com" wholeSubtree 
  0.061112 192.168.1.100 -> 192.168.1.153 LDAP searchResEntry(2) "dc=example,dc=com" | searchResEntry(2) "cn=Directory Administrators,dc=example,dc=com" | searchResEntry(2) "ou=Groups,dc=example,dc=com" | searchResEntry(2) "ou=People,dc=example,dc=com" | searchResEntry(2) "ou=Special Users,dc=example,dc=com" | searchResEntry(2) "cn=Accounting Managers,ou=Groups,dc=example,dc=com" | searchResEntry(2) "cn=HR Managers,ou=Groups,dc=example,dc=com" | searchResEntry(2) "cn=QA Managers,ou=Groups,dc=example,dc=com" 
  0.061577 192.168.1.100 -> 192.168.1.153 LDAP searchResEntry(2) "cn=PD Managers,ou=Groups,dc=example,dc=com" 
  0.061806 192.168.1.153 -> 192.168.1.100 TCP 35709 > 389 [ACK] Seq=71 Ack=2525 Win=11648 Len=0 TSV=11083587 TSER=9999742
  0.717922 192.168.1.153 -> 192.168.1.100 LDAP unbindRequest(3) 
  0.717966 192.168.1.153 -> 192.168.1.100 TCP 35709 > 389 [FIN, ACK] Seq=78 Ack=2525 Win=11648 Len=0 TSV=11083721 TSER=9999742
  0.757884 192.168.1.100 -> 192.168.1.153 TCP 389 > 35709 [ACK] Seq=2525 Ack=79 Win=14592 Len=0 TSV=10000439 TSER=11083721
  0.968694 192.168.1.100 -> 192.168.1.153 TCP 389 > 35709 [FIN, ACK] Seq=2525 Ack=79 Win=14592 Len=0 TSV=10000650 TSER=11083721
  0.969162 192.168.1.153 -> 192.168.1.100 TCP 35709 > 389 [ACK] Seq=79 Ack=2526 Win=11648 Len=0 TSV=11083920 TSER=10000650
[root@CentOSLabGUI /]#
Here is when I ssh to the server as tuser1:
Code:
[root@CentOSLabGUI /]# cat /ldaptest/sshtuser1.txt 
  0.000000 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11125097 TSER=0 WS=6
  0.000053 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=10048499 TSER=11125097 WS=7
  0.000272 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11125097 TSER=10048499
  0.017282 192.168.1.100 -> 192.168.1.153 SSH Server Protocol: SSH-2.0-OpenSSH_5.3\r
  0.018495 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1 Ack=22 Win=5888 Len=0 TSV=11125101 TSER=10048517
  0.022984 192.168.1.153 -> 192.168.1.100 SSH Client Protocol: SSH-2.0-OpenSSH_5.3\r
  0.023173 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=22 Ack=22 Win=14592 Len=0 TSV=10048523 TSER=11125101
  0.023607 192.168.1.153 -> 192.168.1.100 SSHv2 Client: Key Exchange Init
  0.023641 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=22 Ack=814 Win=16128 Len=0 TSV=10048523 TSER=11125103
  0.024938 192.168.1.100 -> 192.168.1.153 SSHv2 Server: Key Exchange Init
  0.025940 192.168.1.153 -> 192.168.1.100 SSHv2 Client: Diffie-Hellman GEX Request
  0.028195 192.168.1.100 -> 192.168.1.153 SSHv2 Server: Diffie-Hellman Key Exchange Reply
  0.030309 192.168.1.153 -> 192.168.1.100 SSHv2 Client: Diffie-Hellman GEX Init
  0.036064 192.168.1.100 -> 192.168.1.153 SSHv2 Server: Diffie-Hellman GEX Reply
  0.041603 192.168.1.153 -> 192.168.1.100 SSHv2 Client: New Keys
  0.081130 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=1678 Ack=998 Win=17664 Len=0 TSV=10048581 TSER=11125111
  0.081453 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  0.081493 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=1678 Ack=1046 Win=17664 Len=0 TSV=10048581 TSER=11125140
  0.081790 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  0.082388 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=64
  0.087939 08:00:27:72:2a:d5 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.101?  Tell 192.168.1.100
  0.088269 08:00:27:4f:37:61 -> 08:00:27:72:2a:d5 ARP 192.168.1.101 is at 08:00:27:4f:37:61
  0.088284 192.168.1.100 -> 192.168.1.101 DNS Standard query PTR 153.1.168.192.in-addr.arpa
  0.088781 192.168.1.101 -> 192.168.1.100 DNS Standard query response PTR tester.example.com
  0.089348 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  0.089789 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  0.092490 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=80
  0.201003 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1110 Ack=1806 Win=10560 Len=0 TSV=11125192 TSER=10048592
  3.598864 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=144
  3.638175 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=1806 Ack=1254 Win=19328 Len=0 TSV=10052138 TSER=11128169
  5.077356 08:00:27:4f:37:61 -> 08:00:27:72:2a:d5 ARP Who has 192.168.1.100?  Tell 192.168.1.101
  5.077387 08:00:27:72:2a:d5 -> 08:00:27:4f:37:61 ARP 192.168.1.100 is at 08:00:27:72:2a:d5
  5.535983 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  5.536074 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  5.536398 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  5.536419 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  5.536999 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=80
  5.540688 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1254 Ack=1886 Win=10560 Len=0 TSV=11129843 TSER=10054036
  8.864528 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=144
  8.864571 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=1886 Ack=1398 Win=20864 Len=0 TSV=10057364 TSER=11132741
 11.289536 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
 11.289677 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
 11.291490 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
 11.291517 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
 11.292209 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=80
 11.292836 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1398 Ack=1966 Win=10560 Len=0 TSV=11134830 TSER=10059792
 14.055715 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=144
 14.055766 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [ACK] Seq=1966 Ack=1542 Win=22400 Len=0 TSV=10062555 TSER=11137237
 15.844617 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
 15.844828 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
 15.845600 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
 15.845662 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
 15.846745 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=80
 15.847302 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1542 Ack=2046 Win=10560 Len=0 TSV=11138773 TSER=10064346
 15.865151 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [FIN, ACK] Seq=1542 Ack=2046 Win=10560 Len=0 TSV=11138776 TSER=10064346
 15.867341 192.168.1.100 -> 192.168.1.153 TCP 22 > 43010 [FIN, ACK] Seq=2046 Ack=1543 Win=22400 Len=0 TSV=10064367 TSER=11138776
 15.872187 192.168.1.153 -> 192.168.1.100 TCP 43010 > 22 [ACK] Seq=1543 Ack=2047 Win=10560 Len=0 TSV=11138777 TSER=10064367
[root@CentOSLabGUI /]#
Here is when I used ssh as root from the client to the server:
Code:
[root@CentOSLabGUI /]# cat /ldaptest/sshroot.txt 
  0.000000 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=11161658 TSER=0 WS=6
  0.000059 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=10090941 TSER=11161658 WS=7
  0.005244 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=11161659 TSER=10090941
  0.015739 192.168.1.100 -> 192.168.1.153 SSH Server Protocol: SSH-2.0-OpenSSH_5.3\r
  0.016948 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1 Ack=22 Win=5888 Len=0 TSV=11161661 TSER=10090957
  0.016988 192.168.1.153 -> 192.168.1.100 SSH Client Protocol: SSH-2.0-OpenSSH_5.3\r
  0.017179 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=22 Ack=22 Win=14592 Len=0 TSV=10090958 TSER=11161661
  0.019021 192.168.1.100 -> 192.168.1.153 SSHv2 Server: Key Exchange Init
  0.021492 192.168.1.153 -> 192.168.1.100 SSHv2 Client: Key Exchange Init
  0.061332 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=806 Ack=814 Win=16128 Len=0 TSV=10091003 TSER=11161662
  0.061686 192.168.1.153 -> 192.168.1.100 SSHv2 Client: Diffie-Hellman GEX Request
  0.061720 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=806 Ack=838 Win=16128 Len=0 TSV=10091003 TSER=11161698
  0.063469 192.168.1.100 -> 192.168.1.153 SSHv2 Server: Diffie-Hellman Key Exchange Reply
  0.074515 192.168.1.153 -> 192.168.1.100 SSHv2 Client: Diffie-Hellman GEX Init
  0.080746 192.168.1.100 -> 192.168.1.153 SSHv2 Server: Diffie-Hellman GEX Reply
  0.086557 192.168.1.153 -> 192.168.1.100 SSHv2 Client: New Keys
  0.127290 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=1678 Ack=998 Win=17664 Len=0 TSV=10091069 TSER=11161707
  0.127698 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  0.127722 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=1678 Ack=1046 Win=17664 Len=0 TSV=10091069 TSER=11161740
  0.128193 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  0.129002 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=64
  0.129943 192.168.1.100 -> 192.168.1.101 DNS Standard query PTR 153.1.168.192.in-addr.arpa
  0.130338 192.168.1.101 -> 192.168.1.100 DNS Standard query response PTR tester.example.com
  0.130725 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  0.131209 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  0.131787 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=80
  0.232553 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1110 Ack=1806 Win=10560 Len=0 TSV=11161785 TSER=10091073
  3.098320 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=144
  3.129387 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.129484 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.130191 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.130271 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.131556 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.131694 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.132108 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.132383 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.132852 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=32
  3.133968 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1254 Ack=1838 Win=10560 Len=0 TSV=11164329 TSER=10094074
  3.134697 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=128
  3.139236 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.139352 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.139845 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.139888 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.140952 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.141087 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.141391 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.142384 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.142781 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  3.144114 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=448
  3.145417 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=112
  3.146200 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.146351 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.146852 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.147010 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.147482 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.147642 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.148098 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.148102 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.150281 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=112
  3.150800 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1830 Ack=2110 Win=10560 Len=0 TSV=11164341 TSER=10094087
  3.151176 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
  3.151236 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
  3.151711 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
  3.151726 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
  3.190670 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=64
  3.245583 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1830 Ack=2174 Win=10560 Len=0 TSV=11164411 TSER=10094132
  4.608105 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  4.611928 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  4.612887 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1878 Ack=2222 Win=10560 Len=0 TSV=11165605 TSER=10095553
  4.680783 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  4.683955 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  4.685493 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1926 Ack=2270 Win=10560 Len=0 TSV=11165661 TSER=10095625
  4.848596 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  4.852670 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  4.853212 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1974 Ack=2318 Win=10560 Len=0 TSV=11165806 TSER=10095794
  4.858396 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=112
  4.859082 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=1974 Ack=2430 Win=10560 Len=0 TSV=11165808 TSER=10095800
  5.130301 08:00:27:72:2a:d5 -> 08:00:27:4f:37:61 ARP Who has 192.168.1.101?  Tell 192.168.1.100
  5.130944 08:00:27:4f:37:61 -> 08:00:27:72:2a:d5 ARP 192.168.1.101 is at 08:00:27:4f:37:61
  6.118367 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  6.126646 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  6.127630 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2022 Ack=2478 Win=10560 Len=0 TSV=11166873 TSER=10097068
  6.282135 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  6.287636 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  6.288051 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2070 Ack=2526 Win=10560 Len=0 TSV=11167014 TSER=10097229
  6.395997 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  6.398605 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  6.399054 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2118 Ack=2574 Win=10560 Len=0 TSV=11167109 TSER=10097340
  6.546577 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  6.555416 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  6.556377 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2166 Ack=2622 Win=10560 Len=0 TSV=11167245 TSER=10097497
  6.907368 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  6.912518 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=64
  6.924414 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2214 Ack=2686 Win=10560 Len=0 TSV=11167551 TSER=10097854
  7.335131 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  7.338527 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  7.339187 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2262 Ack=2734 Win=10560 Len=0 TSV=11167900 TSER=10098280
  7.428897 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  7.436510 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  7.437298 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2310 Ack=2782 Win=10560 Len=0 TSV=11167985 TSER=10098378
  7.579207 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
  7.585434 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=48
  7.586066 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2358 Ack=2830 Win=10560 Len=0 TSV=11168107 TSER=10098527
  7.588629 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=896
  7.592382 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2358 Ack=3726 Win=12352 Len=0 TSV=11168108 TSER=10098530
 11.394543 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=48
 11.398733 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=176
 11.398876 192.168.1.100 -> 192.168.1.153 SSHv2 Encrypted response packet len=64
 11.447177 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2406 Ack=3902 Win=14144 Len=0 TSV=11171308 TSER=10102340
 11.447227 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [ACK] Seq=2406 Ack=3966 Win=14144 Len=0 TSV=11171308 TSER=10102340
 11.450489 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=32
 11.450706 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=3966 Ack=2438 Win=22400 Len=0 TSV=10102392 TSER=11171309
 11.457751 192.168.1.153 -> 192.168.1.100 SSHv2 Encrypted request packet len=64
 11.458839 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
 11.458989 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
 11.460002 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
 11.460095 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
 11.460789 192.168.1.100 -> 192.168.1.101 DNS Standard query A tester.example.com
 11.460911 192.168.1.100 -> 192.168.1.101 DNS Standard query AAAA tester.example.com
 11.461932 192.168.1.101 -> 192.168.1.100 DNS Standard query response A 192.168.1.153
 11.464366 192.168.1.101 -> 192.168.1.100 DNS Standard query response, Refused
 11.465804 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [FIN, ACK] Seq=3966 Ack=2502 Win=22400 Len=0 TSV=10102405 TSER=11171310
 11.470624 192.168.1.153 -> 192.168.1.100 TCP 43011 > 22 [FIN, ACK] Seq=2502 Ack=3967 Win=14144 Len=0 TSV=11171312 TSER=10102405
 11.470712 192.168.1.100 -> 192.168.1.153 TCP 22 > 43011 [ACK] Seq=3967 Ack=2503 Win=22400 Len=0 TSV=10102412 TSER=11171312
 16.453016 08:00:27:4f:37:61 -> 08:00:27:72:2a:d5 ARP Who has 192.168.1.100?  Tell 192.168.1.101
[root@CentOSLabGUI /]#
Here is when I did a getent passwd from the client to the server:
Code:
nothing was sent at all
Here is the outcome from before I ran any tests, when I did a tail -f /var/log/messages > /ldaptest/sometexttest.txt:
Code:
[root@CentOSLabGUI /]# cat /ldaptest/logMessages.txt 
Oct 26 11:05:08 centoslabgui kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Oct 26 11:05:08 centoslabgui NetworkManager[1235]: <info> (eth0): carrier now ON (device state 8)
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] ldap_start_tls_s() failed: Protocol error (uri="ldap://127.0.0.1/")
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] failed to bind to LDAP server ldap://127.0.0.1/: Protocol error
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] no available LDAP server found
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] no available LDAP server found
Oct 26 12:08:08 centoslabgui nslcd[1278]: [6d8d3c] ldap_start_tls_s() failed: Protocol error (uri="ldap://127.0.0.1/")
Oct 26 12:08:08 centoslabgui nslcd[1278]: [6d8d3c] failed to bind to LDAP server ldap://127.0.0.1/: Protocol error
Oct 26 12:08:08 centoslabgui nslcd[1278]: [6d8d3c] no available LDAP server found
Oct 26 12:08:08 centoslabgui nslcd[1278]: [6d8d3c] no available LDAP server found
Oct 26 12:11:50 centoslabgui kernel: device eth0 entered promiscuous mode
Oct 26 12:12:16 centoslabgui kernel: device eth0 left promiscuous mode
Oct 26 12:12:33 centoslabgui kernel: device eth0 entered promiscuous mode
Oct 26 12:12:46 centoslabgui kernel: device eth0 left promiscuous mode
Oct 26 12:13:14 centoslabgui kernel: device eth0 entered promiscuous mode
Oct 26 12:13:30 centoslabgui nslcd[1278]: [588f54] ldap_start_tls_s() failed: Protocol error (uri="ldap://127.0.0.1/")
Oct 26 12:13:30 centoslabgui nslcd[1278]: [588f54] failed to bind to LDAP server ldap://127.0.0.1/: Protocol error
Oct 26 12:13:30 centoslabgui nslcd[1278]: [588f54] no available LDAP server found
Oct 26 12:13:33 centoslabgui nslcd[1278]: [2289ec] no available LDAP server found
Oct 26 12:13:33 centoslabgui nslcd[1278]: [e91b18] no available LDAP server found
Oct 26 12:13:33 centoslabgui nslcd[1278]: [437fdb] no available LDAP server found
Oct 26 12:13:39 centoslabgui nslcd[1278]: [44a45c] no available LDAP server found
Oct 26 12:13:39 centoslabgui nslcd[1278]: [fff902] no available LDAP server found
Oct 26 12:13:39 centoslabgui nslcd[1278]: [4a481a] no available LDAP server found
Oct 26 12:13:44 centoslabgui nslcd[1278]: [9478fe] ldap_start_tls_s() failed: Protocol error (uri="ldap://127.0.0.1/")
Oct 26 12:13:44 centoslabgui nslcd[1278]: [9478fe] failed to bind to LDAP server ldap://127.0.0.1/: Protocol error
Oct 26 12:13:44 centoslabgui nslcd[1278]: [9478fe] no available LDAP server found
Oct 26 12:13:44 centoslabgui nslcd[1278]: [9abb43] no available LDAP server found
Oct 26 12:13:44 centoslabgui nslcd[1278]: [c240fb] no available LDAP server found
Oct 26 12:13:51 centoslabgui kernel: device eth0 left promiscuous mode
Oct 26 12:14:02 centoslabgui kernel: device eth0 entered promiscuous mode
Oct 26 12:14:15 centoslabgui nslcd[1278]: [a026fa] ldap_start_tls_s() failed: Protocol error (uri="ldap://127.0.0.1/")
Oct 26 12:14:15 centoslabgui nslcd[1278]: [a026fa] failed to bind to LDAP server ldap://127.0.0.1/: Protocol error
Oct 26 12:14:15 centoslabgui nslcd[1278]: [a026fa] no available LDAP server found
Oct 26 12:14:15 centoslabgui nslcd[1278]: [a026fa] no available LDAP server found
Oct 26 12:14:15 centoslabgui nslcd[1278]: [a1deaa] no available LDAP server found
Oct 26 12:14:15 centoslabgui nslcd[1278]: [a1deaa] no available LDAP server found
Oct 26 12:14:30 centoslabgui kernel: device eth0 left promiscuous mode
Oct 26 12:14:40 centoslabgui kernel: device eth0 entered promiscuous mode
Oct 26 12:14:58 centoslabgui kernel: device eth0 left promiscuous mode
[root@CentOSLabGUI /]#
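The nslcd lines in the syslog excerpt above explain the empty getent capture without any more packet traces: the daemon is configured with uri ldap://127.0.0.1/, its ldap_start_tls_s() call on that address fails with "Protocol error", the bind on that uri fails with the same error, and each request ends with "no available LDAP server found", which is nslcd's way of saying it answered NSS with nothing from LDAP at all. The script below is an added example for this thread (not code from nss-pam-ldapd, 389-ds or the poster) that pulls exactly that diagnosis out of such log lines. The embedded sample is a constructed subset of the lines posted above, and the directory address 192.168.1.100, taken from the captures, is passed in as an assumption about where the server really listens.

```python
"""Triage nslcd connection failures from /var/log/messages (stdlib only).
Added example for this thread, not code from nss-pam-ldapd, 389-ds or the poster."""
import re
from collections import defaultdict

# Constructed sample: a subset of the syslog lines posted above plus one
# unrelated kernel line, to show that non-nslcd lines are ignored.
SAMPLE_LOG = """\
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] ldap_start_tls_s() failed: Protocol error (uri="ldap://127.0.0.1/")
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] failed to bind to LDAP server ldap://127.0.0.1/: Protocol error
Oct 26 12:01:01 centoslabgui nslcd[1278]: [e4ccaf] no available LDAP server found
Oct 26 12:11:50 centoslabgui kernel: device eth0 entered promiscuous mode
Oct 26 12:13:33 centoslabgui nslcd[1278]: [2289ec] no available LDAP server found
"""

# syslog prefix, then nslcd's per-request id in brackets, then the message
NSLCD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"nslcd\[(?P<pid>\d+)\]: \[(?P<req>[0-9a-f]+)\] (?P<msg>.*)$")
LDAP_URI = re.compile(r'ldaps?://[^\s"/]+/?')
NO_SERVER = "no available LDAP server found"


def parse_nslcd(text):
    """One dict per nslcd line: host, request id, message, and the URI it names (if any)."""
    events = []
    for line in text.splitlines():
        m = NSLCD_LINE.match(line)
        if not m:
            continue                      # kernel, NetworkManager, ... lines
        uri = LDAP_URI.search(m["msg"])
        events.append({"host": m["host"], "req": m["req"], "msg": m["msg"],
                       "uri": uri.group(0) if uri else None})
    return events


def summarize(events):
    """Group by request id and count the failure modes nslcd reports."""
    by_req = defaultdict(list)
    for e in events:
        by_req[e["req"]].append(e["msg"])
    msgs = [e["msg"] for e in events]
    return {
        "requests": len(by_req),
        "uris_tried": sorted({e["uri"] for e in events if e["uri"]}),
        # nslcd only calls ldap_start_tls_s() when 'ssl start_tls' is configured
        "starttls_failures": sum(m.startswith("ldap_start_tls_s() failed") for m in msgs),
        "bind_failures": sum(m.startswith("failed to bind to LDAP server") for m in msgs),
        "no_server": sum(m == NO_SERVER for m in msgs),
    }


def diagnose(summary, directory_ip):
    """Findings in the order a practitioner would fix them. directory_ip is where
    the directory really listens (assumed here: 192.168.1.100 from the captures)."""
    findings = []
    uris = summary["uris_tried"]
    loopback = [u for u in uris if "127.0.0.1" in u or "localhost" in u]
    if loopback and not any(directory_ip in u for u in uris):
        findings.append(f"uri mismatch: nslcd only tries {', '.join(loopback)}; "
                        f"no configured uri points at {directory_ip}")
    if summary["starttls_failures"]:
        findings.append(f"starttls: {summary['starttls_failures']} attempt(s) failed; "
                        "'ssl start_tls' is set but the target never completed STARTTLS, "
                        "and the bind on that uri fails with the same error")
    if summary["no_server"]:
        findings.append(f"no server: {summary['no_server']} request(s) ended with "
                        f"'{NO_SERVER}', so NSS got no LDAP answer at all, which is what "
                        "getent passwd showing only /etc/passwd looks like")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(parse_nslcd(SAMPLE_LOG)), "192.168.1.100"):
        print(finding)
```

Run as-is it prints the three findings for the sample; feed parse_nslcd() the text of a real /var/log/messages to check a live client. The uri-mismatch finding is the one to clear first, because until nslcd is pointed at the host that actually runs the directory, no amount of packet capturing between client and server will show an LDAP query for getent.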
 
Old 12-13-2012, 03:14 PM   #4
acid_kewpie
Moderator
389ds is MUCH MUCH harder to get running nicely than lovely simple OpenLDAP!

But again, ignore ssh etc until "getent passwd" works.

So as I read the tethereal (Ethereal?? really?? ) output the ldapsearch principally isn't returning anything useful:

Code:
  0.061112 192.168.1.100 -> 192.168.1.153 LDAP searchResEntry(2) "dc=example,dc=com" | searchResEntry(2) "cn=Directory Administrators,dc=example,dc=com" | searchResEntry(2) "ou=Groups,dc=example,dc=com" | searchResEntry(2) "ou=People,dc=example,dc=com" | searchResEntry(2) "ou=Special Users,dc=example,dc=com" | searchResEntry(2) "cn=Accounting Managers,ou=Groups,dc=example,dc=com" | searchResEntry(2) "cn=HR Managers,ou=Groups,dc=example,dc=com" | searchResEntry(2) "cn=QA Managers,ou=Groups,dc=example,dc=com" 
  0.061577 192.168.1.100 -> 192.168.1.153 LDAP searchResEntry(2) "cn=PD Managers,ou=Groups,dc=example,dc=com"
There are no users in that query. And given you're doing an ldapsearch, you'd see the output on the console anyway. You need to back up further and have ldapsearch returning user objects first.
 
Old 12-13-2012, 04:24 PM   #5
malak33
Original Poster
Quote:
So as I read the tethereal (Ethereal?? really?? )
What does that mean? Am I using the wrong tools?
 
Old 12-13-2012, 04:26 PM   #6
acid_kewpie
Moderator
Ethereal turned into Wireshark about what... 6 years ago? Doesn't matter what the tool is, just odd to see it in use still (unless tshark is a symlink to it still). Wasn't an important comment tbh.
 
Old 12-13-2012, 04:30 PM   #7
malak33
Original Poster
Ohh ok, I found a guide to using wireshark and they used tethereal, so that is what I used.

I am not sure where to go to from here; I am open to different options and opinions. Any help, advice or guidance would be greatly appreciated.
 
Old 12-13-2012, 04:46 PM   #8
acid_kewpie
Moderator
Well, is there data in there? Where are the user accounts stored?

It looks like you're still at the stage of configuring the ldap server itself (so not too late to change to openldap *cough* * cough*), and not at all ready to start using it in anger.

Last edited by acid_kewpie; 12-13-2012 at 04:49 PM.
 
Old 12-13-2012, 05:00 PM   #9
malak33
Original Poster
HAHAH, I like what you did there. Well, let's see how this turns out, and if you have a nice how-to guide on setting OpenLDAP up then I would be open to it.
I used this guide http://www.linux.com/component/conte...rectory-server to add 3 users, tuser1, tuser2, tuser3, and add them to the group Test.

As to where I have the user accounts stored, I hope this helps. Also I have a Google word doc of the steps that I have done up to this point if you think it would help.
 
Old 12-14-2012, 12:47 AM   #10
acid_kewpie
Moderator
 
I don't think this is about steps and guides, you have a running server, so where have you put the user accounts in the tree? If the user accounts have been added then you should be able to see them with a simple ldapsearch command. Try specifying the exact OU where they reside, and binding explicitly as cn=manager.
 
1 members found this post helpful.
Old 12-14-2012, 01:47 PM   #11
malak33
Member
 
Original Poster
Acid,

I have used this command here
Code:
ldapsearch -x -b 'dc=example,dc=com' \
      '(objectclass=*)'
on the client and I was returned information about "tuser1", "tuser2", "tuser3" and the group "Test".
While doing this I was capturing packets using the tethereal command I used previously and was returned similar results as before.
If you would like me to run a different command please let me know. I would ask that you give an example of the command as well. Thanks again.
 
Old 12-14-2012, 03:13 PM   #12
acid_kewpie
Moderator
 
So these "tuser" accounts ARE in LDAP? So IF you are getting users passed across from LDAP but they don't show up in "getent passwd", then there's either missing data in the records or fields are not being mapped correctly (if mapping is required at all, which from 389ds it actually shouldn't be) in /etc/nslcd.conf or /etc/ldap.conf.

If you can use the full Wireshark GUI in X Windows (or copy a capture file off to a Windows box with Wireshark) then you can explore the LDAP data results much more freely and get a better insight into what data is there.
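The check acid_kewpie is driving at in posts #10 and #12, as an added example that is not part of the thread: run ldapsearch against the exact OU, bound as the directory manager rather than anonymously, and then audit the returned entries for the RFC 2307 posixAccount attributes (uidNumber, gidNumber, homeDirectory, loginShell plus the posixAccount objectClass) that nslcd, and later sssd, need before getent passwd can build a passwd line for the user. The script below is mine, not code posted by anyone in the thread; the hostname, OU, bind DN and the sample LDIF are constructed for the example, and the tuser entries in it are modelled on the thread's users rather than being the OP's real data.

```shell
#!/bin/sh
# Added example (not from the thread): audit the LDIF that ldapsearch returns
# for the RFC 2307 posixAccount attributes that nslcd/sssd need before
# "getent passwd" can show an LDAP user at all.
#
# Against a live 389-ds the input would come from something like:
#   ldapsearch -x -LLL -H ldap://centoslabgui.example.com \
#       -D 'cn=Directory Manager' -W \
#       -b 'ou=People,dc=example,dc=com' '(uid=*)' > users.ldif
# (host, OU and bind DN are assumptions; 389-ds calls its admin account
# "cn=Directory Manager" by default, adjust to what your setup used).

# Constructed sample: tuser1 as a "create user" wizard leaves it (no POSIX
# attributes) next to tuser2 after attributes like those in post #15 were added.
SAMPLE_LDIF=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF"' EXIT
cat > "$SAMPLE_LDIF" <<'EOF'
dn: uid=tuser1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tuser1
cn: Test User1
sn: User1
givenName: Test

dn: uid=tuser2,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: tuser2
cn: Test User2
sn: User2
uidNumber: 5001
gidNumber: 50000
homeDirectory: /home/tuser2
loginShell: /bin/bash
EOF

# One line per entry: "<dn> OK" or "<dn> MISSING <attr,...>".  Attribute
# names are case-insensitive in LDAP, so everything is lowercased first.
# Long values may be folded onto continuation lines (leading space); the
# attribute name always stays on the first physical line, so presence
# checks are unaffected and continuation lines are simply skipped.
audit_posix_accounts() {
    awk '
    function flush(   i, n, req, missing, line) {
        if (dn == "") return
        n = split("objectclass=posixaccount uid uidnumber gidnumber homedirectory loginshell", req, " ")
        missing = ""
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen))
                missing = missing (missing == "" ? "" : ",") req[i]
        line = dn (missing == "" ? " OK" : " MISSING " missing)
        print line
        dn = ""
        for (i in seen) delete seen[i]
    }
    /^dn: /         { flush(); dn = substr($0, 5); next }
    /^$/            { flush(); next }
    /^[^ #][^:]*: / {
        attr = $1; sub(/:$/, "", attr); attr = tolower(attr)
        val = $0; sub(/^[^:]+:[ \t]*/, "", val)
        seen[attr] = 1
        # record each objectClass value as its own key so the posixAccount
        # class can be required like an attribute
        if (attr == "objectclass") seen["objectclass=" tolower(val)] = 1
    }
    END { flush() }
    ' "$1"
}

audit_posix_accounts "$SAMPLE_LDIF"
```

Point it at saved ldapsearch output with audit_posix_accounts users.ldif. An entry reported as MISSING objectclass=posixaccount is the state the OP's users were in until post #15: ldapsearch is happy with a plain inetOrgPerson, but NSS has no uidNumber, gidNumber or homeDirectory to turn into a passwd line, so getent passwd shows nothing and chown reports the user as invalid.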
 
Old 12-14-2012, 05:55 PM   #13
malak33
Member
 
Original Poster
Yes, the "tuser" accounts are in LDAP along with the group "Test". I have installed the Wireshark GUI on this server. I'm not 100% sure what I'm looking for, but I'll start Wireshark and do some testing to see what the file says. In the meantime I will put up here some files that I think might be relevant. These are files from the server centoslabgui.example.com

/etc/openldap/ldap.conf
Code:
[root@CentOSLabGUI /]# cat /etc/openldap/ldap.conf 
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://127.0.0.1/
BASE dc=example,dc=com
[root@CentOSLabGUI /]#
/etc/nslcd.conf
Code:
[root@CentOSLabGUI /]# cat /etc/nslcd.conf 
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# NDS mappings
#map group uniqueMember member

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  uniqueMember     posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
#map    group  uniqueMember     member

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  uniqueMember     member
#map    group  gidNumber        gid
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://127.0.0.1/
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
[root@CentOSLabGUI /]#
/etc/nsswitch.conf
Code:
[root@CentOSLabGUI /]# cat /etc/nsswitch.conf 
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

[root@CentOSLabGUI /]#
/etc/sysconfig/ldap
Code:
[root@CentOSLabGUI /]# cat /etc/sysconfig/ldap 
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=

# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: yes
SLAPD_LDAPI=yes

# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
SLAPD_LDAPS=no

# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""

# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3

# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
[root@CentOSLabGUI /]#

Last edited by malak33; 12-14-2012 at 05:56 PM. Reason: added last sentence
 
Old 12-14-2012, 06:59 PM   #14
malak33
Member
 
Original Poster
So I ran Wireshark's GUI while I ran some tests in this order. All were from the client tester.example.com to the server:
1. ping centoslabgui.example.com
2. ldapsearch -x
3. ssh tuser1@localhost
4. ssh malak@centoslabgui.example.com
5. nmap centoslabgui.example.com
6. ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
7. getent passwd

I included the capture file in this post. From what I can tell: ping worked; ldapsearch worked; ssh tuser1, I dunno; ssh malak to the server worked, it's a user on the server; nmap worked; ldapsearch -x -b brought back the "tuser" accounts and the group "Test"; and getent passwd did nothing, it actually, from what I can tell, got passwds from the local file.
 
Old 01-01-2013, 09:31 PM   #15
malak33
Member
 
Original Poster
OK, so after messing with this for a lot longer than I care to remember, I figured it out with some help. Since I can find nothing on the internet about this topic, hopefully this can help someone in the future too. From what I can tell, documentation about the change to sssd leaves a lot to be wanted.
Anyway, this is what I did. If you have any problems or questions, reply to the thread or PM me.

{ On the server }
1. On the server I went to tuser1, then Properties, then in the left pane the Posix User tab.
I added a UID number of 5000,
GID number 50000,
home directory of /home/tuser1,
login shell /bin/bash.
{ End of on the server }
1.
Code:
yum install sssd
vi /etc/sssd/sssd.conf

Code:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://centoslabgui.example.com:389
ldap_search_base = dc=example,dc=com
2. Edit nsswitch.conf and add these 3 lines:
vi /etc/nsswitch.conf

Code:
passwd: files sss
shadow: files sss
group: files sss
3.
Code:
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf

/etc/init.d/sssd restart

chkconfig sssd on

chown tuser1 /home/tuser1
I could then run getent passwd tuser1 and get back info.
I could also ssh tuser1@localhost.

Last edited by malak33; 01-01-2013 at 09:33 PM.
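A check on the sssd.conf from post #15, as an added example that is not part of the thread: the OP's config gets the file permissions right (root-owned, 0600, which matters because sssd.conf is where an ldap_default_authtok bind password would live), but it points at a plain ldap:// URI with no TLS settings at all. The script below is mine, not anything posted by the OP; it parses a constructed "weak" config modelled on the thread's [domain/LDAP] section (with an ldap_tls_reqcert = never line added to show that finding, which the OP did not have) beside a hardened version, and reports the weak spots. The hostname and CA path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): point out the weak spots in an
# sssd.conf like the one in post #15 before relying on it for logins.
# Checks: file mode (the file may carry ldap_default_authtok); whether
# identity lookups over a plain ldap:// URI are encrypted
# (ldap_id_use_start_tls); whether certificate checking was switched off
# (ldap_tls_reqcert = never/allow); and whether a CA to verify the 389-ds
# certificate against is named (ldap_tls_cacert / ldap_tls_cacertdir).

# Constructed "weak" config: the thread's [domain/LDAP] section plus an
# ldap_tls_reqcert = never line, left world-readable.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://centoslabgui.example.com:389
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
EOF
chmod 644 "$WEAK_CONF"

# Constructed hardened version: ldaps:// with the server certificate
# verified against the CA that signed it (path assumed), root-only file.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://centoslabgui.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/example-ca.crt
EOF
chmod 600 "$HARD_CONF"
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Print one finding per line; prints nothing for a clean file.
audit_sssd_conf() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || \
        echo "FILE: mode is $mode, want -rw------- (chmod 0600, owned by root)"
    awk '
    /^[ \t]*\[/ { indomain = ($0 ~ /^[ \t]*\[domain\//); next }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    indomain && index($0, "=") {
        # split on the first "=" only: values such as dc=example,dc=com contain more
        i = index($0, "=")
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        opt[tolower(key)] = val
    }
    END {
        if (opt["ldap_uri"] ~ /(^|[ ,])ldap:\/\// && tolower(opt["ldap_id_use_start_tls"]) != "true")
            print "TLS: plain ldap:// URI without ldap_id_use_start_tls = true; identity lookups leave the host in cleartext"
        r = tolower(opt["ldap_tls_reqcert"])
        if (r == "never" || r == "allow")
            print "CERT: ldap_tls_reqcert = " r " accepts any server certificate; use demand (or leave it at the default, hard)"
        if (!("ldap_tls_cacert" in opt) && !("ldap_tls_cacertdir" in opt))
            print "CA: no ldap_tls_cacert/ldap_tls_cacertdir; name the CA the 389-ds certificate must chain to"
    }
    ' "$1"
}

# Number of findings, for scripting (0 means clean).
count_findings() {
    audit_sssd_conf "$1" | awk 'END { print NR }'
}

echo "== weak =="; audit_sssd_conf "$WEAK_CONF"
echo "== hardened =="; audit_sssd_conf "$HARD_CONF"
```

The TLS finding is about the id_provider side: by default sssd insists on TLS for the authentication bind itself (the option to switch that off is named ldap_auth_disable_tls_never_use_in_production for a reason), but the connection it uses for user and group lookups is a separate one and only gets StartTLS when ldap_id_use_start_tls = true or the URI is ldaps://. Run the audit against the real file with audit_sssd_conf /etc/sssd/sssd.conf; count_findings is there for a pre-deployment check that exits non-zero on anything other than 0.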
 