OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

O. Hartmann ohartman at zedat.fu-berlin.de
Fri Oct 26 11:16:35 PDT 2007


Ulrich Spoerlein wrote:
> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
>   
>> At this point it seems senseless to try out what's going wrong and I need 
>> some hints or tipps. I read about others successfully running OpenLDAP on 
>> FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.
>>     
>
> I do. It's working just fine ...
>   

Good to hear, but it doesn't on mine ... :-(
>   
>> P.S. If someone wants me to offer config details and/or log excerpts, please 
>> contact me.
>>     
>
> Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
> ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf.
> Some actual error messages would be fine too.
>   

All right, here I am. nss_ldap.conf and ldap.conf are located in 
/usr/local/etc and are identical (link). I copied all tags I use and 
deleted commented out tags:

host 192.168.2.210 (or 127.0.0.1 alternatively)
base dc=office,dc=de
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# Specify a minium or maximum UID number allowed
pam_min_uid 1000
pam_max_uid 30000
pam_password    ssha
nss_base_passwd         ou=users,dc=office,dc=de?one
nss_base_shadow         ou=users,dc=office,dc=de?one
nss_base_group          ou=group,dc=office,dc=de?one
pam_filter objectClass=posixAccount

The slapd.conf is this, comments dropped:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# additional schema
include         /usr/local/share/examples/samba/LDAP/samba.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
logfile         /var/log/slapd.log
loglevel        512
sizelimit       unlimited
allow           bind_v2
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
reverse-lookup  off
access  to *
        by self write
        by users read
        by anonymous auth
database        bdb
suffix          dc=office,dc=de
rootdn          cn=admin,dc=office,dc=de
rootpw        
directory       /data/openldap-data/nuggad/
index           objectClass                     eq,pres
index           uid,memberUid                   pres,eq,sub
index           ou,cn,mail,surname,givenname    eq,pres,sub
index           uidNumber,gidNumber,loginShell  eq,pres
index           nisMapName,nisMapEntry          eq,pres,sub

NSCD is up and running, my nsswitch.conf looks like this:

group: cache ldap[ unavail=continue notfound=continue ] files
passwd: cache ldap [ unavail=continue notfound=continue ] files
#group_compat: nis
hosts: compat
networks: files
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

And I changed some lines in /etc/pam.d/sshd,login,system,other like this 
(commented out because the system gets stuck forever when 
nss_ldap/pam_ldap is enabled):

system:
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
#account                sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
#password       sufficient      /usr/local/lib/pam_ldap.so no_warn use_authtok
password        required        pam_unix.so             no_warn try_first_pass

sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
#password       sufficient      /usr/local/lib/pam_ldap.so use_authtok
password        required        pam_unix.so             no_warn try_first_pass



Some errors from console:

(At boot time)
Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable

and this

Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable

==>> Oct 26 13:04:00 gauss kernel: Oct 26 13:04:00 gauss sshd[1127]: pam_ldap: ldap_simple_bind Can't contact LDAP server

Oct 26 13:14:24 gauss kernel: Oct 26 13:14:24 gauss sshd[41139]: nss_ldap: could not search LDAP server - Server is unavailable


When these "unavailable" messages show up, sockstat shows that slapd 
is listening on its ports and I can access the slapd server from a 
client running LUMA for configuration purposes.

I feel helpless because I can not see any mistakes.

One point: what about the compile-time options of OpenLDAP? Does LDAP 
force itself to use SSL although that is not configured explicitly in slapd.conf?

nss_ldap-1.257  <<===
openldap-client-2.3.38
openldap-server-2.3.38
pam_ldap-1.8.2


FreeBSD 7.0-BETA1 from today's buildworld

> You should run tcpdump in some window to actually see what's going on.
> It also helps to turn on massive debugging in slapd.conf and tail(1)ing
> /var/log/debug.log
>
> I'm running the following versions on 7-CURRENT from 30. September
>
> nss_ldap-1.256
> openldap-sasl-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2
>
> Cheers,
> Ulrich Spoerlein
>   
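An added diagnostic helper, not part of this thread: it rebuilds, from the posted ldap.conf lines, the anonymous one-level search that nss_ldap issues for passwd lookups and runs it with ldapsearch(1) after a plain TCP reachability check, so "Server is unavailable" (no connection) can be told apart from an empty search result (wrong base or filter). The sample config text is constructed from the post; the function names and the use of nc(1) for the port check are my assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes openldap-client's
# ldapsearch(1) and nc(1) are installed; nothing here needs root.

# Constructed copy of the relevant ldap.conf lines from the post.
LDAP_CONF_SAMPLE='host 192.168.2.210
base dc=office,dc=de
nss_base_passwd         ou=users,dc=office,dc=de?one
pam_filter objectclass=posixAccount'

# conf_value <key> <conf-text>: value of the first directive named <key>.
conf_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_ldap reads nss_base_* as "dn?scope"; scope defaults to sub when absent.
nss_base_dn() { printf '%s\n' "${1%%\?*}"; }
nss_scope()   { case "$1" in *\?*) printf '%s\n' "${1#*\?}" ;; *) printf 'sub\n' ;; esac; }

# ldapsearch_cmd <conf-text>: the ldapsearch call equivalent to the passwd lookup
# (anonymous simple bind, as the "by anonymous auth" ACL in slapd.conf permits).
ldapsearch_cmd() {
    host=$(conf_value host "$1")
    nssbase=$(conf_value nss_base_passwd "$1")
    filter=$(conf_value pam_filter "$1")
    printf 'ldapsearch -x -H ldap://%s -b %s -s %s "(%s)" uid uidNumber\n' \
        "$host" "$(nss_base_dn "$nssbase")" "$(nss_scope "$nssbase")" "$filter"
}

# port_open <host> [port]: TCP connect check, the first thing nss_ldap needs.
port_open() { nc -z -w 3 "$1" "${2:-389}" >/dev/null 2>&1; }

# Usage: sh thisfile.sh run
if [ "${1:-}" = run ]; then
    host=$(conf_value host "$LDAP_CONF_SAMPLE")
    if port_open "$host"; then
        echo "TCP 389 reachable on $host; running:"
        ldapsearch_cmd "$LDAP_CONF_SAMPLE"
        eval "$(ldapsearch_cmd "$LDAP_CONF_SAMPLE")"
    else
        echo "cannot reach $host:389 (firewall, slapd bound to another address, or IPv6 only)" >&2
        exit 1
    fi
fi
```

If the port check passes but ldapsearch returns no entries, the base DN or filter is the problem rather than connectivity; if ldapsearch itself reports "Can't contact LDAP server", compare the address slapd is bound to in sockstat with the host line.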


