I want to disable anonymous users being able to read/search our LDAP server. We are using OpenDJ, which is based on OpenDS. I don't really think the server has anything to do with it.
So far, I can type "ldapsearch -x -Z" and pull the entire LDAP database (minus the passwords, of course).
When I change the anonymous access from "anyone" to "all" it then requires an LDAP user/password to pull the LDAP info.
ldapsearch -x -Z shows nothing, and I can no longer login as an LDAP user. That's cool!
I created a user in the base of my LDAP called "Binder" to be used to show/search/read LDAP info.
Just like before, everything in the LDAP server appears, wonderful! So it is accepting this new user and letting me read the directory.
Now. I am using Centos 6 as a client.
I add the following lines to /etc/pam_ldap.conf AND /etc/nslcd.conf
binddn "cn=Binder,dc=example,dc=com"
bindpw pa$$w0rd
But ldapsearch -x -Z still shows nothing. It is not taking those credentials and still sees me as anonymous. I still cannot "su" to an ldap user.
Is there a step I am missing? cn=binder is obviously working, as I can manually enter the credentials and view the directory. But the lines I have added are not taking.
I may be just a bit confused with the bindpw part.
Do I type the plaintext password after bindpw? or do I store it in a file called /etc/bindpw (chmod 600) and change those lines to bindpw /etc/bindpw ?
Frig, I am so close. I just need a kick in the right direction for this one.
I hope someone can lend me some of that expert knowledge!
The bindpw IS the password, yes, but you seem to have jumped a few steps here. You need "getent passwd" to return the user data first; don't worry about logins until you can see the accounts. Additionally, you don't seem to have gotten it working without the bind account anyway, so there's no reason to think that it's actually related to the bind creds.
I did not skip any steps; I have never in my life once used getent (maybe I should start?).
Here's how it's done.
Created a user in the base of the ldap called Binder, no posix classes, simple user.
vi /etc/nslcd.conf
binddn cn=Binder,dc=example,dc=com
bindpw pa55word
vi /etc/pam_ldap.conf
binddn cn=Binder,dc=example,dc=com
bindpw pa55word
service nslcd restart
ldapsearch -x -Z
No info shown, GOOD!
ldapsearch -x -Z -D cn=Binder,dc=example,dc=com
Info shown, GOOD!
su - Divebomb
GOOD!
For my tests I was doing "ldapsearch -x -Z", thinking that it would automatically enter the user/password from the config files. I never actually attempted to su - Divebomb. I assumed that since ldapsearch returned nothing, su wouldn't work.
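A small audit of the nslcd.conf bind settings walked through in the steps above, as an added example that is not part of the thread (the config text, host name and password are constructed; the file mode is passed in rather than read from disk so it runs anywhere). It flags the two misconfigurations the thread circles around (binddn without a usable bindpw, and a plaintext bindpw in a readable file) plus a bindpw sent over plain ldap:// without StartTLS:

```python
import re
import stat

# Constructed sample configs (not from the thread's real server).
SAMPLE_GOOD = """\
uri ldaps://ldap.example.com/
base dc=example,dc=com
binddn cn=Binder,dc=example,dc=com
bindpw pa55word
"""

SAMPLE_WEAK = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=Binder,dc=example,dc=com
"""


def parse_nslcd_conf(text):
    """Return {option: value} from 'option value' lines; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_nslcd_conf(text, file_mode=0o600):
    """Return a list of findings; an empty list means the bind setup looks sane.

    file_mode is the permission bits of the file holding this config.
    Note: this only covers nslcd.conf; ldapsearch reads /etc/openldap/ldap.conf.
    """
    conf = parse_nslcd_conf(text)
    findings = []
    if "binddn" in conf and "bindpw" not in conf:
        findings.append("binddn set without bindpw: nslcd binds anonymously")
    if "bindpw" in conf and "binddn" not in conf:
        findings.append("bindpw set without binddn: the password is never used")
    if "bindpw" in conf and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("plaintext bindpw in a group/world-readable file: chmod 600")
    uri = conf.get("uri", "")
    starttls = conf.get("ssl", "off").lower() in ("on", "start_tls")
    if "bindpw" in conf and uri.startswith("ldap://") and not starttls:
        findings.append("bindpw sent over ldap:// without 'ssl start_tls' or ldaps://")
    return findings
```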
Well, by "missed a step" I meant in terms of the appropriate checks that you're going OK. You changed multiple things at once, and were left not knowing what was wrong.
But anyway, ldapsearch does NOT use /etc/ldap.conf, it uses the totally different file /etc/openldap/ldap.conf