Mageia 3 : openldap client

Postby jiunnyik » May 28th, '13, 05:29

Hi,

Setting up machine with openldap client via Mageia Control Center. But not working.

Mageia 3 , 32 bit.

Thanks.

Re: Mageia 3 : openldap client

Postby wintpe » May 28th, '13, 11:41

the file it's modifying is

/etc/openldap/ldap.conf

in common with all Red Hat based distributions.

check to see if your changes are being made to this file.

also, if you're using ldap for nss services, i.e. passwd, group etc., make sure that /etc/nsswitch.conf is configured
for ldap

example

passwd: files ldap

regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however it's really not my intention to offend, so accept my apologies in advance.

Re: Mageia 3 : openldap client

Postby jiunnyik » May 29th, '13, 02:43

Hi wintpe,

Here is the /etc/openldap/ldap.conf

Code:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#HOST   ldap.example.com ldap-master.example.com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# SSL/TSL configuration. With CA-signed certs, TLS_REQCERT should be
# "demand", with the CA certificate accessible
#TLS_REQCERT    ([demand],never,allow,try)
# We ship with allow by default as some LDAP clients (e.g. evolution) have
# no interactive SSL configuration
TLS_REQCERT     allow

# CA Certificate locations
# Use the default self-signed cert generated by openldap-server postinstall
# by default
TLS_CACERT      /etc/pki/tls/certs/ldap.pem

# If requiring support for certificates signed by all CAs (noting risks
# pam_ldap if doing DNS-based suffix lookup etc.
#TLS_CACERTDIR  /etc/pki/tls/rootcerts

this is the content for /etc/nsswitch.conf

passwd:         files ldap [NOTFOUND=return] db
shadow:         files ldap
group:          files ldap [NOTFOUND=return] db

hosts:           mdns4_minimal files nis dns myhostname mdns4
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files ldap
aliases:        files


I do believe the actual modification file is /etc/ldap.conf, and here is the content
Code:
base dc=polyscientific,dc=com
host 192.168.1.250
nss_base_group dc=polyscientific,dc=com?sub
nss_base_shadow dc=polyscientific,dc=com?sub
nss_base_passwd dc=polyscientific,dc=com?sub


ldap user is unable to log in.

Thanks.
Last edited by isadora on May 29th, '13, 07:03, edited 1 time in total.
Reason: Placed command-output between [CODE]-tags, for readability. ;)

Re: Mageia 3 : openldap client

Postby wintpe » May 29th, '13, 14:59

I'm not sure you want host, I think from our config here that you want

uri ldap://hostname:389 ldap://hostnamefailover:389

and for your passwd group etc

you may want

for example

nss_base_group ou=Groups, dc=polyscientific,dc=com?sub

just some ideas...

regards peter

Re: Mageia 3 : openldap client

Postby jiunnyik » May 30th, '13, 04:58

Hi Peter,

I have checked Mageia 2 and a previous version of Mandriva.

The config files are the same as in Mageia 3.

I just wonder why in Mageia 3 it is not working.

Re: Mageia 3 : openldap client

Postby wintpe » May 30th, '13, 13:18

this use of the words "it is not working" is a pet hate of mine.

sorry to sound like I'm off on one, but "it's not working" means nothing to an engineer.

just that your perception is it's not doing what you expect under ideal circumstances.

you may wonder, but so do 99% of the people who created Mageia 3, as this could be the result of an upstream change

and unless you test it during beta and report that it's a problem, you're the first to realise there is a problem.

what steps have you gone through to assess that it's not working and where it's breaking?

for example, what does the command id -a username give you, where that is a username in ldap?

there are various levels at which this might "not be working"

name resolution may work, ie accessing user details via ldap, but pam authentication may be broken.

any errors in /var/log/secure or /var/log/messages that hint to authentication problems.

some example ldapsearch lines from mga2 system and mga3

you need to provide examples of what parts of the ldap integration are not working.

regards peter

Re: Mageia 3 : openldap client

Postby jiunnyik » Jun 3rd, '13, 05:34

Hi Peter,

Sorry for the words "it is not working".

There is no /var/log/secure or /var/log/messages.

I'm not familiar with the ldapsearch command, is it possible for you to guide me?

Re: Mageia 3 : openldap client

Postby wintpe » Jun 5th, '13, 14:07

can you give a full description of what is not working.

and what did the command id -a username give you.

there are many examples of ldap search on google.

do some homework.

regards peter

Re: Mageia 3 : openldap client

Postby jiunnyik » Jun 10th, '13, 03:18

hi peter,

1. ldap user unable to log in to kdm

2. ldap user unable to log in through terminals

since the ldap user is totally unable to log in, I think there is no way to run the command id -a as the ldap user.

Re: Mageia 3 : openldap client

Postby jiunnyik » Jun 10th, '13, 03:34

tried with ldapsearch -LLL "(sn=calvin)" cn sn telephoneNumber

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Re: Mageia 3 : openldap client

Postby wintpe » Jun 19th, '13, 11:21

Re
1. ldapuser unable login into kdm

2. ldapuser unable login through terminals

since the ldap user is totally unable to login , i think there is no way to run command id -a as the ldap user.

No, that's a wrong assumption.

login is controlled by pam, (password authentication module)

whereas the id -a command is controlled by nsswitch.conf, and where the passwd and group is pointing at.

if nsswitch has access to all the user databases and group, then it can look up that user without any authentication.

so when you look at files on a unified userspace across NFS, you will see files with userids against them.

if your system is unable to resolve say userid 78678 then files will look like they are owned by 78678.

if it's ldap it then depends on how ldap.conf is set up

there is also a /etc/nslcd.conf involved in redhat6, not sure if it's also present in mageia.

you could have pam wrong, yet still be able to id -a the userid.

not sure about mageia but authconfig is involved in redhat6, so it may be in mageia (I've only recently been made aware of this change in redhat6, and being that it's downstream of fedora, it's likely mageia uses it also).

for example

Code:
authconfig --enableldap --enableldapauth  --ldapserver="ldap://ldap01.example.com" --ldapbasedn="dc=example,dc=com" --enableforcelegacy [--nisdomain=<domain>  --nisserver=<server>  --nostart] --update


pam is setup in /etc/pam.d/system-auth-ac

the resulting setup should be something like (based on redhat6 again)

Code:
auth        sufficient    pam_ldap.so use_first_pass
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so



this will need the nss-ldap package I think, but have not checked.

and also check /etc/sysconfig/authconfig

Code:
USELDAP=yes


regards peter
Last edited by doktor5000 on Jun 22nd, '13, 11:17, edited 1 time in total.
Reason: added code tags, to improve on clarity
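Wintpe's point above, that login goes through PAM while id -a goes through nsswitch, means each layer should be checked on its own. The script below is an added example (not from the thread, nor Mageia's or Red Hat's own tooling); it takes file paths as arguments so it can be run against the real /etc/nsswitch.conf, /etc/ldap.conf and /etc/pam.d/system-auth, and here runs on constructed samples mirroring the configs posted earlier.

```shell
#!/bin/sh
# Added example, not from the thread: check each layer of the LDAP client
# separately, because 'id user' depends on NSS while login depends on PAM.
# Every check takes a file path, so it can run on constructed samples or on
# the real /etc/nsswitch.conf, /etc/ldap.conf and /etc/pam.d/system-auth.

# Does nsswitch.conf list "ldap" as a source for the given database?
nss_uses_ldap() {  # usage: nss_uses_ldap <nsswitch.conf> passwd|shadow|group
    awk -v db="$2" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                    END { if (found) exit 0; exit 1 }' "$1"
}

# Which server does the config point at? Prints the first URI, or host as a URI,
# or nothing (OpenLDAP tools then fall back to ldap://localhost).
ldap_server_from_conf() {  # usage: ldap_server_from_conf <ldap.conf>
    awk 'tolower($1) == "uri"  { print $2; exit }
         tolower($1) == "host" { print "ldap://" $2; exit }' "$1"
}

# Does the PAM stack reference pam_ldap.so for the given management group?
pam_uses_ldap() {  # usage: pam_uses_ldap <pam file> auth|account|password|session
    grep -Eq "^$2[[:space:]].*pam_ldap\.so" "$1"
}

# Constructed samples: NSS wired to ldap (as in the thread), PAM still local-only.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:         files ldap [NOTFOUND=return] db
shadow:         files ldap
group:          files ldap [NOTFOUND=return] db
EOF
cat > "$tmp/ldap.conf" <<'EOF'
base dc=polyscientific,dc=com
host 192.168.1.250
EOF
cat > "$tmp/system-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
EOF

# Report: with this setup 'id user' and 'getent passwd user' can succeed while
# every login fails, which is exactly the split wintpe describes.
for db in passwd shadow group; do
    nss_uses_ldap "$tmp/nsswitch.conf" "$db" && echo "nss: $db consults ldap"
done
echo "server for ldapsearch -H: $(ldap_server_from_conf "$tmp/ldap.conf")"
pam_uses_ldap "$tmp/system-auth" auth \
    || echo "pam: no pam_ldap.so in auth stack, logins fail even though id works"
```

Note that ldapsearch reads /etc/openldap/ldap.conf rather than the /etc/ldap.conf used by nss_ldap and pam_ldap, so with no URI or HOST set there it tries ldap://localhost, which fits the "Can't contact LDAP server (-1)" seen above.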
