nsswitch ldap lookup problems

Klavs Klavsen kl at vsen.dk
Wed Feb 2 05:18:43 PST 2005


Has anyone gotten nsswitch ldap lookup working on a FreeBSD-5.x?

I tried this exact config on a linux-client (to the same ldap-server)
and it worked fine - I could do:
getent passwd - and it also returned the users only on the ldap server.

I try to do the equivalent (I think - there's no getent for freebsd :( )
- by doing (on FreeBSD-5.3):
# id ktk
id: ktk: no such user

in linux it gives me:
# id ktk
uid=5042(ktk) gid=5001(drift) groups=5001(drift)

(the ktk user only exists in ldap)

the /etc/ldap.conf, /usr/local/etc/ldap.conf and
/usr/local/etc/openldap/ldap.conf files are exactly alike on Linux and
FreeBSD and now look like this:

ssl start_tls
ssl on
suffix          "dc=vsen,dc=dk"

uri ldaps://auth.vsen.dk/
#pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=vsen,dc=dk
nss_base_shadow ou=People,dc=vsen,dc=dk
nss_base_group  ou=Group,dc=vsen,dc=dk
nss_base_hosts  ou=Hosts,dc=vsen,dc=dk

scope one


on 02-02-2005 11:18 Klavs Klavsen wrote:
> Hi guys,
> 
> I've gotten my kerberos and openldap up and running on FreeBSD 5.3 - and
> can login with my user (because he has been created in kerberos and pam
> looks in that), but nsswitch can't find the user in ldap for some reason.
> 
> All help will be greatly appreciated
> 
> When I login with ssh I get this in debug.log:
> Feb  2 11:06:06 auth01 sshd[771]: NSSWITCH(nss_method_lookup): ldap,
> passwd, endpwent, not found
> Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap,
> group, setgrent, not found
> Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap,
> group, getgrent_r, not found
> Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap,
> group, endgrent, not found
> Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 ACCEPT from
> IP=172.21.1.109:56828 (IP=0.0.0.0:636)
> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=0 BIND dn="" method=128
> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=0 RESULT tag=97 err=0 text=
> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=1 SRCH
> base="ou=People,dc=vsen,dc=dk" scope=1 deref=0
> filter="(&(objectClass=posixAccount)(uid=ktk))"
> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 closed
> Feb  2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap,
> group, setgrent, not found
> Feb  2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap,
> group, getgrent_r, not found
> Feb  2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap,
> group, endgrent, not found
> Feb  2 11:06:09 auth01 sshd[774]: NSSWITCH(nss_method_lookup): ldap,
> passwd, endpwent, not found
> 
> if I try to do an ldapsearch for the same:
> # ldapsearch "(&(objectClass=posixAccount)(uid=ktk))" -b
> "ou=People,dc=vsen,dc=dk"  -Y gssapi
> 
> It seems to work fine:
> [SNIP - cut SASL talk]
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (&(objectClass=posixAccount)(uid=ktk))
> # requesting: -b ou=People,dc=vsen,dc=dk -Y gssapi
> #
> 
> # ktk, People, telmore.dk
> dn: uid=ktk,ou=People,dc=vsen,dc=dk
> 
> # search result
> search: 5
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> my /usr/local/etc/ldap.conf (on freebsd 5.3) looks like this:
> BASE    dc=vsen, dc=dk
> URI          ldaps://auth.vsen.dk:636/
> TLS_REQCERT  allow
> 
> 
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> 
> scope sub
> port 389
> pam_password md5
> ldap_version 3
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> nss_base_passwd ou=People,dc=vsen,dc=dk?one
> nss_base_group ou=Groups,dc=vsen,dc=dk?one
> nss_base_shadow ou=People,dc=vsen,dc=dk?one
> #debug testing
> logdir /var/log
> debug 9
> 
> 
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions

-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
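Added example, not from the original post and not part of nss_ldap or OpenLDAP: a small Python checker that parses the two ldap.conf variants and the slapd lines quoted above, flags settings that conflict with each other or weaken the directory channel (ssl start_tls next to an ldaps:// URI, port 389 next to ldaps://, TLS_REQCERT allow, no binddn so lookups bind anonymously), and summarises what slapd recorded for the lookup. The config keys and log text are copied from the post (the wrapped log lines re-joined); the function names, finding codes and explanations are this example's own.

```python
"""Added example (not from the original post, nss_ldap or OpenLDAP): parse the
two ldap.conf variants and the slapd lines quoted in the thread, flag settings
that conflict or weaken the directory channel, and summarise what slapd logged
for the lookup. Config keys and log text are copied from the post; function
names, finding codes and explanations are this example's own."""
import re

# Constructed sample: the /etc/ldap.conf shown at the top of the post (trimmed).
CONF_A = """\
ssl start_tls
ssl on
suffix          "dc=vsen,dc=dk"
uri ldaps://auth.vsen.dk/
#pam_password exop
ldap_version 3
nss_base_passwd ou=People,dc=vsen,dc=dk
nss_base_group  ou=Group,dc=vsen,dc=dk
scope one
"""

# Constructed sample: the quoted /usr/local/etc/ldap.conf from the first mail (trimmed).
CONF_B = """\
BASE    dc=vsen, dc=dk
URI          ldaps://auth.vsen.dk:636/
TLS_REQCERT  allow
scope sub
port 389
nss_base_passwd ou=People,dc=vsen,dc=dk?one
nss_base_group ou=Groups,dc=vsen,dc=dk?one
debug 9
"""

# The slapd lines from the quoted debug.log, re-joined where the mail wrapped them.
SLAPD_LOG = [
    'Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 ACCEPT from IP=172.21.1.109:56828 (IP=0.0.0.0:636)',
    'Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=0 BIND dn="" method=128',
    'Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=0 RESULT tag=97 err=0 text=',
    'Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=1 SRCH base="ou=People,dc=vsen,dc=dk" '
    'scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ktk))"',
    'Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 closed',
]


def parse_ldap_conf(text):
    """'key value' lines -> {lowercased key: [values]}; comments skipped, quotes stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def split_base(value):
    """'ou=People,dc=vsen,dc=dk?one' -> ('ou=People,dc=vsen,dc=dk', 'one'); no '?' -> scope None."""
    base, sep, scope = value.partition("?")
    return base, (scope if sep else None)


def lint_ldap_conf(conf):
    """Return (code, explanation) pairs for conflicting or weak settings (wording is this example's)."""
    findings = []
    uri = " ".join(conf.get("uri", [])).lower()
    ssl = [v.lower() for v in conf.get("ssl", [])]
    if "start_tls" in ssl and "ldaps://" in uri:
        findings.append(("starttls_with_ldaps",
                         "ssl start_tls goes with a plain ldap:// URI; ldaps:// is already TLS"))
    if len(ssl) > 1:
        findings.append(("multiple_ssl", f"ssl given {len(ssl)} times ({ssl}); keep one"))
    if "port" in conf and "ldaps://" in uri:
        findings.append(("port_with_ldaps",
                         f"port {conf['port'][0]} next to an ldaps:// URI (ldaps defaults to 636)"))
    if any(v.lower() == "allow" for v in conf.get("tls_reqcert", [])):
        findings.append(("tls_reqcert_allow",
                         "TLS_REQCERT allow: a bad server certificate is ignored, the ldaps peer is unauthenticated"))
    if "binddn" not in conf:
        findings.append(("anonymous_bind",
                         'no binddn: lookups bind anonymously, matching slapd\'s BIND dn="" method=128'))
    return findings


def summarize_slapd(lines):
    """Per connection: binds (method 128 is LDAP_AUTH_SIMPLE, dn="" is anonymous)
    and searches with the err/nentries slapd reported for each."""
    conns = {}
    for line in lines:
        m = re.search(r"conn=(\d+) (.*)$", line)
        if not m:
            continue
        conn = conns.setdefault(int(m.group(1)), {"binds": [], "searches": []})
        rest = m.group(2)
        b = re.search(r'BIND dn="([^"]*)" method=(\d+)', rest)
        s = re.search(r'SRCH base="([^"]*)" scope=(\d+) .*filter="([^"]*)"', rest)
        r = re.search(r"SEARCH RESULT .*err=(\d+) nentries=(\d+)", rest)
        if b:
            conn["binds"].append({"dn": b.group(1), "anonymous": b.group(1) == "",
                                  "method": int(b.group(2))})
        elif s:
            conn["searches"].append({"base": s.group(1), "scope": int(s.group(2)),
                                     "filter": s.group(3), "err": None, "nentries": None})
        elif r and conn["searches"]:
            conn["searches"][-1].update(err=int(r.group(1)), nentries=int(r.group(2)))
    return conns


if __name__ == "__main__":
    for name, text in (("conf A", CONF_A), ("conf B", CONF_B)):
        for code, msg in lint_ldap_conf(parse_ldap_conf(text)):
            print(f"{name}: {code}: {msg}")
    print(summarize_slapd(SLAPD_LOG))
```

Run it as-is to see the findings for both files and the per-connection summary of the quoted slapd lines; to check a live box, feed it the real ldap.conf text and a slice of slapd's log at loglevel 256. The summary deliberately records the bind DN and method next to the entry count, since an anonymous simple bind that returns nentries=1 says the directory answered the query, and TLS_REQCERT allow is the one setting here that weakens the channel rather than just confusing it.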


