From: Martin Fahrendorf (fahrendorf_at_helix-gmbh.net)
Date: Mon Feb 03 2003 - 01:50:07 CST
Stefan van der Eijk wrote:
> I switched the (non-system) users on my system to ldap only --> removed
> them from the local passwd, group and shadow files. A number of things
> broke:
>
> * postfix didn't know the users anymore and started rejecting mail
> for them :
>
> Feb 1 10:49:44 taz postfix/smtpd[26026]: 781749EB3B: reject: RCPT
> from mia8.macon.nl[212.83.208.254]: 450 <stefan@eijk.nu>: User
> unknown in local recipient table;
> from=<stefan.v.d.eijk@logicacmg.com> proto=ESMTP helo=<mia8.macon.nl>
>
> I fixed it by adding these lines to the /etc/postfix/main.cf
> ===
> ldap_timeout=10
> ldap_search_base=dc=eijk,dc=nu
> ldap_server_host=localhost
> ldap_server_port=389
> ldap_query_filter=(mailacceptinggeneralid=%s)
> ldap_cache=no
> ===
>
Na, this is not really necessary. Postfix normally uses the system nss
libs to query the user id. BUT, there seems to be a misconfiguration in
mdk9.0 and those &$# chroot of postfix. Postfix is bound to some libs,
which are needed in the chroot environment (/var/spool/postfix). But the
libs postfix uses are lib*.so.2, while in the chroot env there are only
lib*-2.2.5.so libs, so the linkage fails and the nss functions are
missing (at least at my hosts). So either disable chroot or create a
symlink from every lib*-2.2.5.so to lib*.so.2.
> * local users can't login with X11. I'm only running nss_ldap on the
> client, not the pam stuff (yet).
>
You need pam to authenticate your users, so you have to install the
pam-ldap stuff. It is not hard to install.
>
> Other issues:
>
> * mandrake's openldap-servers-2.0.27-4mdk package still borks on my
> box. I needed to recompile it on my box to get it to work with the
> ldap database I already had. I've asked Florin if he had actually
> tested the package --> run an ldap server on it, but didn't get a
> reply from him (yet). Has anybody been succesful running an ldap
> server on cooker's openldap-servers-2.0.27-4mdk package?
> * the ssh stuff. When I turned off "ssl start_tls" and when back to
> "ssl off" in /etc/ldap.conf ssh allowed me to login again.
> * the MySQL problem
>
The ssh stuff seems to be problematic on cooker systems only. On my
boxes there is no problem (mdk8.1 and mdk9.0). And the mysql problem is
partially solved. Change the /etc/init.d/mysql script. Edit the line
$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file 2>&1 |
logger -t safe_mysqld &
to
cmd="$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file 2>&1 |
logger -t safe_mysqld &"
su - mysql -c "$cmd"
>
> Buchan Milne wrote:
>
>> We're completing our LDAP setup now, in conjunction with the samba-ldap
>> packages, and it is really starting to work well (except for the small
>> niggles such as with ssh/ssl etc).
>>
>> So, I am trying to make setting up an LDAP server easier, and I would
>> also appreciate feedback on the samba-ldap stuff from others who are
>> using it (or just LDAP, but might want better tools).
>>
>> I don't know if it's appropriate for this list, and may be too
>> high-volume for discuss@mandrakesecure.net, so if you're interested in
>> working on these issues, mail me off-list (unless significant numbers
>> think it should stay on-list) and I will cc everyone tomorrow to get
>> going.
>>
>> In the meantime, here is the wizard I have started on. I am not sure if
>> drakwizard is rich enough for this (we will need a password entry field,
>> which I don't think drakwizard supports, and for importing ldap entries
>> a progress dialog would be nice), but I think it's worth a start.
>>
>> However, since I'm not good with perl, it would help if someone who is
>> could lend a hand, I can tell you exactly what I need done, and
>> prototype in bash ...
>>
>> To try the drakwizard:
>> 1)urpmi drakwizard
>>
>> 2)Get this:
>> http://ranger.dnsalias.com/mandrake/cooker/drakwizard-ldap-0.0.20030130.tar.gz
>>
>>
>> and untar it in /usr/share/wizards
>>
>>
>> Goal is to provide a gui that does all the basics:
>> 1)Setup ldap server in master or slave
>> 1a)if master, be able to import data from the system (with
>> openldap-migration and another script for samba users)
>> 1b)If slave, be able to import data from the master via 'ldapsearch -x
>> -h master -D "$rootdn" -w "$rootpw"|su ldap - -c "slapadd -c"
>> 2)Be able to add/remove slave servers to a master server, so that you
>> can setup a slave server in 1b (prompting when to do what on the other
>> machine).
>>
>>
>> Regards,
>> Buchan
>>
>>
>
>
>
Martin
--
------------------------------------------------------------
H E L I X Gesellschaft für Software & Engineering mbH
------------------------------------------------------------
Hanauer Landstrasse 52          Telefon (069) 4789 35-30
60314 Frankfurt am Main         Telefax (069) 4789 35-44
------------------------------------------------------------
http://www.helix-gmbh.net       info@helix-gmbh.net
------------------------------------------------------------
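The chroot library fix Martin describes above (lib*.so.2 missing while only lib*-2.2.5.so is present in /var/spool/postfix), as an added example script that is not from the mail or from the Mandrake packages. It takes the chroot lib directory and the glibc version as parameters (2.2.5 is the default, as in the mail), reports which soname links are missing, and creates them relative to the directory so the links stay valid inside the chroot.

```shell
#!/bin/sh
# Added example: repair lib*-<ver>.so -> lib*.so.2 symlinks in a postfix chroot lib dir.
# Usage: link_chroot_libs /var/spool/postfix/lib [2.2.5]

# List the soname links (lib*.so.2) that are missing for each lib*-<ver>.so present.
missing_chroot_libs() {
    libdir="$1"; ver="${2:-2.2.5}"
    for f in "$libdir"/lib*-"$ver".so; do
        [ -e "$f" ] || continue          # glob did not match anything
        base=$(basename "$f")
        name="${base%-$ver.so}"          # libnss_ldap-2.2.5.so -> libnss_ldap
        [ -e "$libdir/$name.so.2" ] || echo "$name.so.2"
    done
}

# Create the missing links (relative, so they resolve inside the chroot) and
# print how many were created.
link_chroot_libs() {
    libdir="$1"; ver="${2:-2.2.5}"
    count=0
    for lnk in $(missing_chroot_libs "$libdir" "$ver"); do
        name="${lnk%.so.2}"
        ln -s "$name-$ver.so" "$libdir/$lnk" && count=$((count + 1))
    done
    echo "$count"
}
```

Run missing_chroot_libs first to see what would change; a second run after link_chroot_libs should print nothing.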
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature