[nflug] ldap ubuntu errors

Darin Perusich Darin.Perusich at cognigencorp.com
Thu Nov 29 14:50:40 EST 2007


I'm going to assume the layout of your DIT is pretty standard: separate
OUs for People and Group, since that's all that really matters here.
What directory server are you using? Is there a proxy account which NSS
can use to bind to the server and view attributes like userPassword?

This is a working /etc/ldap.conf for Linux systems to bind to a
directory server. I don't know if this is the same on Ubuntu, but Debian
splits this into two files; you can consolidate them into a single
/etc/pam_ldap.conf. I've never used Ubuntu so I have no idea. Granted,
you won't need the TLS stuff, but it's strongly recommended unless you
don't mind people sniffing your passwords on the wire.

host    ldap1.domain.com ldap2.cognigencorp.com
base    dc=domain,dc=com
ldap_version    3
binddn  cn=proxyagent,ou=profile,dc=domain,dc=com
bindpw  password
ssl     start_tls
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
nss_base_passwd ou=people,dc=domain,dc=com?one
nss_base_shadow ou=people,dc=domain,dc=com?one
nss_base_group  ou=group,dc=domain,dc=com?one
tls_checkpeer   yes
tls_cacertfile  /etc/ssl/certs/cacert.pem


Jon Skulski wrote:
> Well I upgraded to Ubuntu 7.10 and discovered there is a pretty critical
> bug that causes boot to hang waiting for LDAP. So I put it aside for
> now, but obviously I'd like to get this working in the near future.
> 
> ldap.conf contains:
> # The distinguished name of the search base.
> base dc=humboldt,dc=edu
> 
> # Another way to specify your LDAP server is to provide an
> uri ldapi://lb1.humboldt.edu/
> # Unix Domain Sockets to connect to a local LDAP Server.
> #uri ldap://127.0.0.1/
> #uri ldaps://127.0.0.1/  
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
> 
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> ldap_version 3
> 
> On Nov 28, 2007 12:45 PM, Darin Perusich
> <Darin.Perusich at cognigencorp.com
> <mailto:Darin.Perusich at cognigencorp.com>> wrote:
> 
>     Can you send a copy of /etc/ldap.conf and /etc/openldap/ldap.conf?
> 
>     Jon Skulski wrote:
>     > Hello,
>     >
>     > I'm trying to (eventually) authorize my linux box against an
>     > ldap/kerberos setup. I am having some trouble. I can talk to the ldap
>     > server fine with ldaptools. The problem is where nss comes in. getent
>     > passwd will only list local entries in passwd. Yes I have
>     nsswitch.conf
>     > configured correctly. I have it configured so correctly that if I
>     listen
>     > to the network traffic I can actually see the ldap request and
>     response,
>     > but for some reason NSS ignores it.
>     >
>     > Interesting behaviors:
>     >
>     > - only local users and groups are listed by getent
>     > - NSS is ignoring the ldap response
>     > - the ldap response is very very large, so I thought that might be
>     it. I
>     > tried using a smaller base search (only me) and it still ignored
>     the result.
>     > - strace of getent does not show anything unusual
>     > - now whenever I log in or sudo or anything, I have to enter my
>     password
>     > twice. the first time is thrown out, whether right or wrong. this may
>     > have more to do with an incomplete setup of pam.
>     >
>     > oh yeah this is all on Ubuntu 7.04 fresh install. and I'm about to
>     > upgrade to 7.10 because well, I'm out of ideas.
>     >
>     > Anyway, I would really like to get this working because if I don't
>     > they'll make me use Windows to develop a PHP application :O SAVE
>     ME LUG!
>     > _______________________________________________
>     > nflug mailing list
>     > nflug at nflug.org <mailto:nflug at nflug.org>
>     > http://www.nflug.org/mailman/listinfo/nflug
> 

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com
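A small lint over the /etc/ldap.conf format discussed above, added here as an example rather than anything posted in the thread: it parses the key/value lines and flags the settings the reply warns about (no start_tls, no peer check, no CA file, an old protocol version) plus a bindpw sitting in a group- or world-readable file. The sample config is constructed from the one in the reply; the finding tags are this example's own.

```python
# Lint an nss_ldap/pam_ldap style /etc/ldap.conf for settings that weaken
# transport or credential security (added example, not code from the thread).
import os
import stat
# Constructed sample, modelled on the working config posted in the reply above.
SAMPLE_CONF = """\
host    ldap1.domain.com ldap2.domain.com
base    dc=domain,dc=com
ldap_version    3
binddn  cn=proxyagent,ou=profile,dc=domain,dc=com
bindpw  password
ssl     start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/ssl/certs/cacert.pem
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines (blank lines and '#' comments skipped); keys lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_ldap_conf(conf, mode=None):
    """Return short finding tags; `mode` is the file's st_mode when known."""
    findings = []
    ssl = conf.get("ssl", "off").lower()
    encrypted = ssl in ("start_tls", "on") or "ldaps://" in conf.get("uri", "")
    if not encrypted:
        findings.append("cleartext")       # binds and lookups readable on the wire
    if encrypted and conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("peer-check-not-set")  # not pinned here; libldap default applies
    if encrypted and not ({"tls_cacertfile", "tls_cacertdir"} & set(conf)):
        findings.append("no-ca")           # no trust anchor named in this file
    if conf.get("ldap_version", "3") != "3":
        findings.append("old-version")
    # nss_ldap reads this file as every local user, so bindpw is visible to all of them.
    if "bindpw" in conf and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw-world-readable")
    return findings

def lint_file(path):
    """Lint a real file, e.g. lint_file('/etc/ldap.conf')."""
    with open(path) as fh:
        conf = parse_ldap_conf(fh.read())
    return lint_ldap_conf(conf, os.stat(path).st_mode)
```

A world-readable bindpw is normal for nss_ldap (unprivileged lookups need it), so the finding means "keep the proxy account limited to read-only lookups", not "hide the file".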