Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 02-02-2012, 10:49 AM   #1
Registered: Apr 2006
Location: Athens, Greece
Distribution: slackware, debian, ubuntu
Posts: 647

Rep: Reputation: 38
EITHER can't access ldap server OR client isn't configured correctly

Hello everyone,
I seem to be in a complete stall as to how or why I can't seem to get a client pc to connect to an LDAP server....

ubuntu version is 11.10.
I started off using this tutorial

which helped in setting up the LDAP server on a server machine.
I also added TLS support (chapter "TLS") but i didn't follow chapters "replication" or "replication and TLS".

Then I went on to configure the client (chapter "LDAP Authentication").

I followed the steps again and again , reconfigured the package ldap-auth-config but had no luck..

since yesterday I have read/tried countless tutorials, (for different versions of ubuntu, different distros).. but I haven't managed to get the command
getent passwd
to fetch some ldap users that exist only in the ldap server DIT.

The thing is I don't know if there is a problem with the client config of some problem with the LDAP server (btw -firewalls are down on both the ldap server and client), and I can't find a single tutorial to help me give me some sort of command that does ldap queries from the client side, just to see if the server responds to it!!

what's more, I am extremely confused at this point at the differences between libnss-ldap, libpam-ldap, libpam-ldapd, libnss-ldapd (if that thing even exists - i can't remember all the different options for authentication I came across) and the list can go on.

where should files be located in the client? /etc/ or /etc/ldap/ ?
how should they be called? libnss-ldap.conf? libpam-ldap.conf? something else? what else is needed?

Can someone help with checking the contents of my client config files? As I have very ZERO experience with pam, nss, and ldap ...

Thank you for your help

here are some of the relevant files (ask for it if I forgot something)

nass@server00:/etc$ ls -l /etc/lib*
-rw-r--r-- 1 root root 76 2012-02-02 13:10 libnss-ldap.conf
-rw-r--r-- 1 root root 76 2012-02-02 13:06 libnss-ldap.conf-dpkg.old
-r--r----- 1 root root 6 2012-02-02 13:06 libnss-ldap.secret
as well as

nass@server00:/etc$ sudo ls -l /etc/ld*
-rw-r--r-- 1 root root 9136 2012-02-02 13:08 /etc/ldap.conf
-rw------- 1 root root 6 2012-02-02 13:08 /etc/ldap.secret
nass@server00:/etc$ sudo ls -l /etc/pam*
-rw-r--r-- 1 root root 552 2011-08-19 04:05 /etc/pam.conf
-rw-r--r-- 1 root root 76 2012-02-02 13:10 /etc/pam_ldap.conf
-r--r----- 1 root root 6 2012-02-02 13:11 /etc/pam_ldap.secret
drwxr-xr-x 2 root root 4096 2012-02-02 14:01 pam.d
and the file contents are
nass@server00:/etc$ cat /etc/libnss-ldap.conf
host ldap
base dc=da,dc=asfa,dc=gr
rootbinddn cn=admin,dc=da,dc=asfa,dc=gr
/etc/libnss-ldap.conf is the same as /etc/pam_ldap.conf
the relevant .secret files are the same too (contain only the plain text LDAP root user password (why should that exist on a client pc, i don't know - but the ncurses dpkg-reconfigure ldap-auth-config asked for it)

nass@server00:/etc$ cat /etc/ldap.conf | egrep -v '^(#|$)' 
base dc=da,dc=asfa,dc=gr
uri ldapi:///
ldap_version 3
rootbinddn cn=admin,dc=da,dc=asfa,dc=gr
pam_password exop
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,mysql,news,nslcd,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
the /etc/pam.d/common-* files
nass@server00:/etc$ cat /etc/pam.d/common-* | egrep -v '^(#|$)'
account [success=2 new_authtok_reqd=done default=ignore]
account [success=1 default=ignore]
account requisite
account required
auth [success=2 default=ignore] nullok_secure
auth [success=1 default=ignore] use_first_pass
auth requisite
auth required
password [success=2 default=ignore] obscure sha512
password [success=1 user_unknown=ignore default=die] use_authtok try_first_pass
password requisite
password required
session [default=1]
session requisite
session required
session optional
session required
session optional
session [default=1]
session requisite
session required
session optional
session required
session optional
I think that's about it.
If you need something else, let me know,
If there is any command that I can use on the client side to check connectivity to LDAP server, please let me know!!!!

Thank you very much for your help.
Old 02-02-2012, 01:39 PM   #2
LQ Newbie
Registered: Apr 2011
Distribution: Red Hat
Posts: 17

Rep: Reputation: 0
You can try using ldapsearch (if installed) from the client to make sure the DS is setup properly.

Use "man ldapsearch" to get the exact parameters, but I use something like this:

ldapsearch -b <dc=example,dc=com> -h <hostname> objectclass=*

If you get values returned from this that means your client made a successful anonymous bind (assuming that's allowed on your DS) to the ldap server and your configuration on the client side is wrong (since getent passwd isn't working).

If ldapsearch isn't installed on the client I think you can do the same basic test directly from the DS. It won't test communication problems between the client/server though obviously.

When I was setting up it was useful to tackle this in stages:
1. Get ldapsearch working
2. Get lookup ("getent passwd" or "id <ldap_user>") working
3. Get pam authentication working with ldap
Old 02-02-2012, 06:28 PM   #3
Registered: Apr 2006
Location: Athens, Greece
Distribution: slackware, debian, ubuntu
Posts: 647

Original Poster
Rep: Reputation: 38
hello there!
unfortunately ldapsearch tool is part of the ldap server suite.
as such i don't have it in the clients - i am going to install the server again in another machine just to be able to connect to the other system while i'm trying to set ldap up.
ldapsearch does work fine when im querying the ldap server locally.. i guess the server runs fine..
sane ACLs have also been setup through the tutorial .. so i believe that's ok,too

i am fuzzy about TLS and how I should connect to the server though.
in the ubuntu guide i referenced, it says that ldap:// & ldapi:// connections should be favored instead of ldaps:// ones...

considering the step by step check you propose, thaats exactly what i'm doing...
1.ldapsearch ---check
2.getent ---- not ok ....
so i needs tests in between to find out what has gone wrong...

should i start fresh without TLS to make sure its ok before i add encrypted transmission??


ldap, nss, pamauth

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Must winbindd run on linux box client on network with samba ldap server configured as PDC? jcdole Linux - Networking 5 12-06-2010 01:36 PM
[SOLVED] openldap client fails to connect ldap server 'ldap_bind: Can't contact LDAP server' JALITE Linux - Server 12 09-30-2010 08:17 AM
Does this server have RAID configured correctly? Nunawading Linux - Server 2 10-05-2009 02:24 AM
udev isn't configured correctly, stops initramfs-tools from being updated xaos5 Debian 2 09-30-2007 08:39 PM
Server responds to all configured ip addresses when the cable isn't plugged in. Mike_the_Man Linux - Networking 2 10-04-2006 02:37 PM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 11:58 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration