On Fri, 2009-05-22 at 12:00 +1200, Clint Dilks wrote:
> Hi Everyone.
>
> I am doing some LDAP testing. I have set up a 389 Directory Server on
> CentOS 5 and, using the default schema, I have populated it with a couple
> of users. I then did the configuration on the client that I thought was
> needed to make it authenticate.
>
> To test this I expected to be able to use id <uidNumber> of a user I had
> defined. But I get:
>
> id: 1001: No such user
> id: 5001: No such user
>
> I then thought perhaps it was an LDAP permissions problem, so I tried
> binding to the LDAP server using a user I know has full rights, using
> these entries in /etc/openldap/ldap.conf; there was no change.
>
> BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
> BINDPW LDAPt3st
>
> I can query these users from a desktop that I want to use the LDAP
> server as an authentication source.
>
> Using
>
> ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks
> # extended LDIF
> #
> # LDAPv3
> # base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
> # filter: uid=LDilks
> # requesting: ALL
> #
>
> # LDilks, People, scms.waikato.ac.nz
> dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz
> givenName: LDAP-Clint
> sn: Dilks
> telephoneNumber: 4546
> loginShell: /bin/bash
> gidNumber: 1001
> uidNumber: 1001
> mail: clintd at scms.waikato.ac.nz
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: LDilks
> gecos: A Test LDAP account
> cn: LDAP-Clint Dilks
> homeDirectory: /home/LDAP-clint
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [root at distilled2 ~]# ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=BBuilder
> # extended LDIF
> #
> # LDAPv3
> # base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
> # filter: uid=BBuilder
> # requesting: ALL
> #
>
> # BBuilder, scms.waikato.ac.nz
> dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz
> givenName: Bob
> sn: Builder
> loginShell: /bin/bash
> uidNumber: 5001
> gidNumber: 5001
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: BBuilder
> gecos: Got to love Cartoons
> cn: Bob Builder
> homeDirectory: /home/bob
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> The three config files I am aware of are:
>
> cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldap://distilled.scms.waikato.ac.nz
> BASE dc=scms.dc=waikato,dc=ac,dc=nz
> #BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
> #BINDPW LDAPt3st
> TLS_CACERTDIR /etc/openldap/cacerts
>
> cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> Can anyone give me any pointers as to where I am going wrong? And can
> anyone confirm or deny that by default I should be able to bind
> anonymously and get the required authentication information?
>
> Thank you for any help you can offer.
<snip>

Interesting! I know my setup is working yet, if I do id <uidnumber>, it
comes back with no such user. If I do id <uid>, it returns the appropriate
information from LDAP. I have not taken the time to figure out why there
is a difference. What happens if you do id <uid>?
- John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
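Before chasing nss_ldap lookup behaviour, it is worth linting the client ldap.conf itself: the BASE line quoted in the thread reads `dc=scms.dc=waikato,...` (a period where a comma belongs), and the BINDDN/BINDPW experiment placed a directory credential in a file that ldap.conf(5) expects to be world-readable. The script below is an added example, not anything from the thread or from 389/OpenLDAP; the config it lints is constructed here with a placeholder password.

```shell
#!/bin/sh
# Lint an OpenLDAP client ldap.conf before chasing NSS lookup failures:
# a malformed BASE DN breaks every nss_ldap search, and a BINDPW in a
# world-readable file exposes the directory credential to every local user.
# The sample file below is constructed for this example; it mirrors the
# shape of the posted config with a placeholder password.
CONSTRUCTED_CONF=$(mktemp)
cat >"$CONSTRUCTED_CONF" <<'EOF'
URI ldap://ldap.example.test
BASE dc=scms.dc=waikato,dc=ac,dc=nz
BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
BINDPW PLACEHOLDER_PASSWORD
TLS_CACERTDIR /etc/openldap/cacerts
EOF

# dn_is_valid DN: succeed only if every comma-separated RDN is a single
# attr=value pair (a '.' typed for ',' fuses two RDNs and fails this check;
# escaped '=' inside a value is not handled, which is fine for dc/ou/cn DNs).
dn_is_valid() {
    printf '%s' "$1" | tr ',' '\n' | awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        !/^[A-Za-z][A-Za-z0-9-]*=[^=]+$/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# conf_value FILE KEY: print the value of the first uncommented KEY line.
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# lint_ldap_conf FILE: print one finding per line; prints nothing when clean.
lint_ldap_conf() {
    base=$(conf_value "$1" BASE)
    if [ -z "$base" ]; then
        echo "ERROR: no BASE set; nss_ldap has no search base"
    elif ! dn_is_valid "$base"; then
        echo "ERROR: BASE '$base' is not a valid DN (look for '.' where ',' belongs)"
    fi
    if [ -n "$(conf_value "$1" BINDPW)" ]; then
        echo "WARN: BINDPW stored in $1, which ldap.conf(5) expects to be world-readable"
    fi
}

# finding_count FILE: number of findings, usable as a pass/fail gate.
finding_count() {
    lint_ldap_conf "$1" | awk 'END { print NR }'
}

lint_ldap_conf "$CONSTRUCTED_CONF"
echo "findings: $(finding_count "$CONSTRUCTED_CONF")"
```

Run against the real /etc/openldap/ldap.conf, the constructed BASE above yields the same ERROR; correct the comma and the finding disappears while the BINDPW warning remains until the credential is moved out of the world-readable file.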