LinuxQuestions.org
04-25-2009, 01:16 PM   #1
jim_fields
Member
Registered: Nov 2006
Distribution: Slackware 11.0, Debian Lenny, testing
Posts: 32

NSS-LDAP not reading LDAP

Hello All,
I am running debian stable with Kerberos and LDAP. My LDAP server seems to be working OK, but I can't get nss to work. When I login it does not change the UID, GID or my home dir. My nsswitch.conf file looks like:
passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns ldap
networks: files ldap

protocols: db files
services: db files ldap
ethers: db files
rpc: db files

netgroup: nis

/etc/nss-ldap.conf:

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.1.100/

# The search base that will be used for all queries.
base dc=moose,dc=com

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The search scope.
#scope sub

I have been following the tutorial at http://techpubs.spinlocksolutions.com/dklar/ldap.html but I've been stuck on this for a couple of days now; any help would be appreciated.
Thanks

04-25-2009, 02:28 PM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

From the way you describe the problem, it sounds like you have a local account and a remote account with the same name?? This sounds like the case as you imply you can still log in, but don't get the data listed in the ldap server. The first account that is found is the one that is used, so the local files would be read first, and those credentials used. You would need to delete the local account to use the ldap one.

04-26-2009, 07:52 PM   #3
jim_fields
Member
Registered: Nov 2006
Distribution: Slackware 11.0, Debian Lenny, testing
Posts: 32
Original Poster

Thanks for your reply. I created a new account on the server machine and sshed to the server (as the new user), but I got the same results.

04-27-2009, 02:43 PM   #4
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Can you clarify what is actually happening then..? The symptoms you give don't make sense with a unique user within ldap. More details please.

04-28-2009, 06:53 PM   #5
jim_fields
Member
Registered: Nov 2006
Distribution: Slackware 11.0, Debian Lenny, testing
Posts: 32
Original Poster

If I do an ldapsearch (from either the server itself or a remote machine), that returns the information that you would expect. However, when I go to login to the system it uses the default account info (uid=1000,gid=1000) instead of the values in ldap (uid=20000, gid=20000). PAM is configured the way it is described in the tutorial (http://techpubs.spinlocksolutions.com/dklar/ldap.html), and as far as I can tell it is working the way it should. It appears that my client is not receiving the meta-data provided by nscd and nslcd, although when I run either daemon in debug mode I don't get any error messages and they seem to parse the ldap data. This is the debug from nslcd:

nslcd: DEBUG: add_uri(ldap://64.85.66.48/)
nslcd: version 0.6.7 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(108) done
nslcd: DEBUG: setuid(106) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=10132 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_group_bymember(moose)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=moose,dc=com", filter="(&(objectClass=posixAccount)(uid=moose))")
nslcd: [8b4567] DEBUG: simple anonymous bind to ldap://64.85.66.48/
nslcd: [8b4567] connected to LDAP server ldap://64.85.66.48/
nslcd: [8b4567] DEBUG: myldap_search(base="dc=moose,dc=com", filter="(&(objectClass=posixGroup)(|(memberUid=moose)(uniqueMember=uid=roman,ou=People,dc=moose,dc=com)))")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=10134 uid=1000 gid=0
nslcd: [7b23c6] DEBUG: nslcd_service_byname(afsprot,)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=moose,dc=com", filter="(&(objectClass=ipService)(cn=afsprot))")
nslcd: [7b23c6] DEBUG: simple anonymous bind to ldap://64.85.66.48/
nslcd: [7b23c6] connected to LDAP server ldap://64.85.166.148/
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=10135 uid=0 gid=1000
nslcd: [3c9869] DEBUG: nslcd_group_bymember(moose)
nslcd: [3c9869] DEBUG: myldap_search(base="dc=moose,dc=com", filter="(&(objectClass=posixAccount)(uid=moose))")
nslcd: [3c9869] DEBUG: simple anonymous bind to ldap://64.85.66.48/
nslcd: [3c9869] connected to LDAP server ldap://64.85.66.48/
nslcd: [3c9869] DEBUG: myldap_search(base="dc=moose,dc=com", filter="(&(objectClass=posixGroup)(|(memberUid=moose)(uniqueMember=uid=roman,ou=People,dc=moose,dc=com)))")
nslcd: [3c9869] DEBUG: ldap_result(): end of results


And the ldapsearch data:

ldapsearch -x uid=moose
# extended LDIF
#
# LDAPv3
# base <dc=moose,dc=com> (default) with scope subtree
# filter: uid=moose
# requesting: ALL
#

# moose, People, moose.com
dn: uid=moose,ou=People,dc=moose,dc=com
uid: moose
uidNumber: 20000
gidNumber: 20000
cn: Moose
sn: Moose
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /afs/moose.com/user/moose

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


But like I said, when I login I keep getting the default user account info. If you need more info let me know.
ty

04-29-2009, 06:25 AM   #6
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Yet again... "Default account info"??? There is only other information to use if the account already exists locally. If you don't understand what I mean, post the output of "getent passwd".

04-29-2009, 09:15 PM   #7
jim_fields
Member
Registered: Nov 2006
Distribution: Slackware 11.0, Debian Lenny, testing
Posts: 32
Original Poster

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
moose:x:1000:1000:moose,,,:/home/moose:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
openldap:x:104:106:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
ntp:x:105:107::/home/ntp:/bin/false
nslcd:x:106:108:nss-ldapd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
nscld:x:1001:1001::/home/nscld:/bin/sh
moose:x:1002:1002:,,,:/home/moose:/bin/bash
moose:x:20000:20000:moose:/afs/moose.com/user/moose

04-30-2009, 01:41 AM   #8
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Right, so you have THREE accounts with the same name... Was there a particular reason you kept not reading the advice I gave you??

"the first account that is found is the one that is used... You would need to delete the local account to use the ldap one."

"The symptoms you give don't make sense with a unique user within ldap"

"there is only other information to use if the account already exists locally."

Just delete the accounts with uid 1000 and 1001.
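The first-match rule explained in #2 and the triple "moose" entry visible in the getent passwd output in #7 can be checked mechanically rather than by eye. The script below is an added example and is not code from this thread or from nss-ldapd; it simulates how glibc walks the passwd sources listed in nsswitch.conf and stops at the first source that has the name, then audits the merged view for duplicate user names. The nsswitch fragment, the passwd lines and the function names (nss_sources, source_entries, resolve_user, duplicate_names, resolved_uid) are all constructed for the example, modelled on what was posted above.

```shell
#!/bin/sh
# Added example, not code from the thread: simulate glibc's nsswitch
# first-match lookup for the passwd database over constructed data,
# and audit the combined view for duplicate user names.

# Constructed nsswitch.conf fragment (same order the original poster uses).
NSSWITCH='passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns ldap'

# Constructed local /etc/passwd entries ("files" source), modelled on the
# getent output in the thread: two local "moose" accounts plus a few others.
FILES_PASSWD='root:x:0:0:root:/root:/bin/bash
moose:x:1000:1000:moose,,,:/home/moose:/bin/bash
nscld:x:1001:1001::/home/nscld:/bin/sh
moose:x:1002:1002:,,,:/home/moose:/bin/bash'

# Constructed entry as nslcd would hand back from the posixAccount in LDAP.
LDAP_PASSWD='moose:x:20000:20000:moose:/afs/moose.com/user/moose:/bin/bash'

# Sources configured for a database, one per line, in nsswitch.conf order.
nss_sources() {  # $1 = database name (passwd, group, hosts, ...)
    printf '%s\n' "$NSSWITCH" |
        awk -v db="$1" '$1 == (db ":") { for (i = 2; i <= NF; i++) print $i }'
}

# Every passwd entry a source holds, in the order the source returns them.
source_entries() {  # $1 = source name
    case "$1" in
        files) printf '%s\n' "$FILES_PASSWD" ;;
        ldap)  printf '%s\n' "$LDAP_PASSWD" ;;
        *)     : ;;   # other sources (dns, nis, ...) hold no passwd data here
    esac
}

# Resolve a user name the way glibc does when no [action] modifiers are
# given: walk the sources in order and return the first matching entry.
# A local match therefore shadows the LDAP entry completely.
resolve_user() {  # $1 = user name; prints "source<TAB>entry", exit 1 if unknown
    for src in $(nss_sources passwd); do
        hit=$(source_entries "$src" | awk -F: -v u="$1" '$1 == u { print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$src" "$hit"
            return 0
        fi
    done
    return 1
}

# Names that occur more than once across all passwd sources: the situation
# the thread ends up diagnosing (three "moose" lines in getent passwd).
duplicate_names() {
    for src in $(nss_sources passwd); do
        source_entries "$src"
    done | awk -F: 'NF { n[$1]++ } END { for (u in n) if (n[u] > 1) print u }' | sort
}

# UID the lookup settles on, for comparison with what LDAP holds.
resolved_uid() {  # $1 = user name
    resolve_user "$1" | cut -f2 | cut -d: -f3
}

# Walk through the thread's situation.
echo "lookup order:    $(nss_sources passwd | tr '\n' ' ')"
echo "resolve moose:   $(resolve_user moose)"
echo "resolved uid:    $(resolved_uid moose)"
echo "duplicate names: $(duplicate_names | tr '\n' ' ')"
```

As posted, resolve_user returns the files entry with uid 1000 and duplicate_names reports moose; with the two local moose lines removed from FILES_PASSWD the same lookup returns the LDAP entry with uid 20000, which is the effect of the advice in #8. On a real host the equivalent checks are `getent passwd moose` (first match only), `getent passwd -s files moose` and `getent passwd -s ldap moose` (one source each), and `getent passwd | cut -d: -f1 | sort | uniq -d` to list names that more than one source claims.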