Buchan Milne wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Vincent Danen wrote:
>|
>| On Wednesday, October 23, 2002, at 09:13 AM, Stefan van der Eijk
>wrote:
>|
>|> I'm trying to get TLS working with the latest cooker openldap-server
>and
>|> nss_ldap packages. The server is running with the default config and
>the
>|> things mentioned in the "Using OpenLDAP for Authentication" guide on
>|> mandrakesecure.
>|>
>|> Changing "ssl start_tls" in /etc/ldap.conf results in nss not being
>able
>|> to find the ldap server (on port 398 and 636).
>|>
>|> Any idea's?
>|
>|
>
>It seems to work for me:
>
>[bgmilne:~]# ldapsearch -x -ZZ -LL "(uid=bgmilne)" dn
>version: 1
>
>dn: uid=bgmilne,ou=People,dc=cae,dc=co,dc=za
>
>This box is running cooker (updated this morning from yesterday's
>packages)
>
>(getent passwd also works, even after restarting nscd having changed ssl
>to start_tls from ssl and back).
>
hmmm... must be some incorrect configuration on my side. When I switch
over to start_tls in the ldap.conf file getent fails to retreive
information from the ldap server. In the ldap logfiles I see the following:

Oct 24 15:17:11 nl-ein-l052583l slapd[863]: daemon: conn=5 fd=10
connection from IP=127.0.0.1:1044 (IP=0.0.0.0:389) accepted.
Oct 24 15:17:11 nl-ein-l052583l slapd[1104]: conn=5 op=0 BIND dn=""
method=128
Oct 24 15:17:11 nl-ein-l052583l slapd[1104]: conn=5 op=0 RESULT tag=97
err=0 text=
Oct 24 15:17:12 nl-ein-l052583l slapd[1104]: conn=5 op=1 SRCH
base="ou=People,dc=eijk,dc=nu" scope=1
filter="(&(objectClass=posixAccount)(uidNumber=501))"
Oct 24 15:17:12 nl-ein-l052583l slapd[1104]: conn=5 op=1 SEARCH RESULT
tag=101 err=0 text=
Oct 24 15:17:12 nl-ein-l052583l slapd[1465]: conn=5 op=2 SRCH
base="ou=Group,dc=eijk,dc=nu" scope=1
filter="(&(objectClass=posixGroup)(gidNumber=501))"
Oct 24 15:17:12 nl-ein-l052583l slapd[1465]: conn=5 op=2 SEARCH RESULT
tag=101 err=0 text=
Oct 24 15:17:12 nl-ein-l052583l slapd[863]: conn=-1 fd=10 closed
Oct 24 15:17:24 nl-ein-l052583l slapd[863]: daemon: conn=6 fd=10
connection from IP=127.0.0.1:1045 (IP=0.0.0.0:389) accepted.
Oct 24 15:17:24 nl-ein-l052583l slapd[1465]: conn=6 op=1 UNBIND
Oct 24 15:17:24 nl-ein-l052583l slapd[1465]: conn=-1 fd=10 closed
Oct 24 15:17:24 nl-ein-l052583l slapd[863]: daemon: conn=7 fd=10
connection from IP=127.0.0.1:1046 (IP=0.0.0.0:389) accepted.
Oct 24 15:17:24 nl-ein-l052583l slapd[1465]: conn=7 op=1 UNBIND
Oct 24 15:17:24 nl-ein-l052583l slapd[1465]: conn=-1 fd=10 closed

conn=5 was with "ssl off", conn=6 & 7 are with "ssl start_tls".

>Note that at one stage there was an issue with using SSL/TLS on the
>server (IIRC). But I just tested on the server also:
>
>[caepdc:/home/users/bgmilne]# ldapsearch -x -ZZ -LL "(uid=bgmilne)" dn
>version: 1
>
>dn: uid=bgmilne,ou=People,dc=cae,dc=co,dc=za
>
>Do you get anything in the logs?
>
See above. I'm running the client & server on the same machine here.

Another question: This morning i tried to login to the machine via xdm
and it failed for the user accounts that are only in ldap. I need to
update the pam configuration files to fix this.

Is there a replacement for redhat's authconf tool that edit the pam
config files?

an other thing I changed in /etc/openldap/slapd.conf is set
"password-hash {CRYPT}". After I changed a password with ldappasswd I
couldn't login anymore with that account ( default password-has = {SSHA}
). Setting it to {CRYPT} allowed me to login after the password has been
changed.

regards,

Stefan van der Eijk

PS: config files attached.

# (#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base dc=eijk,dc=nu

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=proxyuser,dc=eijk,dc=nu

# The credentials to bind with.
# Optional: default is no credential.
bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
#rootbinddn cn=proxyuser,dc=eijk,dc=nu
#rootbinddn cn=Manager,dc=eijk,dc=nu

# The port.
# Optional: default is 389.
#port 389
#port 636

# The search scope.
#scope sub
scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

#pam_check_host_attr yes

# Filter to AND with uid=%s
pam_filter objectclass=account

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute gid

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

pam_password md5

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=eijk,dc=nu?one
nss_base_shadow ou=People,dc=eijk,dc=nu?one
nss_base_group ou=Group,dc=eijk,dc=nu?one
nss_base_hosts ou=Hosts,dc=eijk,dc=nu?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
ssl off

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/openldap/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client sertificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli <czoffolilinux-mandrake.com>
# Version 0.2
#

include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema

#include /usr/share/openldap/schema/rfc822-MailMember.schema
#include /usr/share/openldap/schema/pilot.schema
#include /usr/share/openldap/schema/autofs.schema
#include /usr/share/openldap/schema/samba.schema
#include /usr/share/openldap/schema/qmail.schema
#include /usr/share/openldap/schema/mull.schema
#include /usr/share/openldap/schema/netscape-profile.schema
#include /usr/share/openldap/schema/trust.schema
#include /usr/share/openldap/schema/dns.schema
#include /usr/share/openldap/schema/cron.schema

include /etc/openldap/schema/local.schema

# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
password-hash {CRYPT}

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

modulepath /usr/lib/openldap
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_passwd.la
#moduleload back_sql.la

# SASL config
#sasl-host ldap.eijk.nu

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
#TLSRandFile /dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=eijk,dc=nu"
rootdn "cn=Manager,dc=eijk,dc=nu"

#suffix "o=My Organization Name,c=US"
#rootdn "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}p5WWYRXatRuE2hTWCs9SoU02KRFpg5YH

# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial

# logging
loglevel 256

# This is a good place to put slapd access-control directives

access to dn=".*,dc=eijk,dc=nu" attr=userPassword
        by dn="cn=Manager,dc=eijk,dc=nu" write
        by dn="cn=proxyuser,dc=eijk,dc=nu" read
        by self write
        by * auth

access to *
        by dn="cn=Manager,dc=eijk,dc=nu" write
        by * read

For help, email discuss-helpmandrakesecure.net; to unsubscribe send a
message to discuss-unsubscribemandrakesecure.net. To visit MandrakeSecure,
go to http://www.mandrakesecure.net/.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]