Re: {Disarmed} Re: Problems with nss_ldap - where to start?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Wed, 2009-12-16 at 13:44 -0700, Craig White wrote:
> On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> > I think not as well.  The tactest user has been blown back out.  I can
> > re-add it from ldif again.
> > 
> > [root@ldap home]# getent passwd | grep example
> > [root@ldap home]# 
> > 
> > [root@ldap home]# cat /etc/nsswitch.conf | grep -v \#
> > 
> > 
> > passwd:     files ldap
> > shadow:     files ldap
> > group:      files ldap
> > 
> > hosts:      files dns
> > 
> > 
> > bootparams: nisplus [NOTFOUND=return] files
> > 
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > services:   files
> > 
> > netgroup:   nisplus
> > 
> > publickey:  nisplus
> > 
> > automount:  files nisplus
> > aliases:    files nisplus
> > 
> > [root@ldap home]# cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_ldap.so use_first_pass
> > auth        required      pam_deny.so
> > 
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_localuser.so
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account     required      pam_permit.so
> > 
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> > use_authtok
> > password    sufficient    pam_ldap.so use_authtok
> > password    required      pam_deny.so
> > 
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     optional      pam_mkhomedir.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in
> > crond quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_ldap.so
> > 
> > [root@ldap home]# cat /etc/ldap.conf | grep -v \#
> > 
> > 
> > BASE dc=tncionline, dc=net
> > URI ldap://MailScanner warning: numerical links are often malicious:
> > 127.0.0.1
> > port 389
> > 
> > SIZELIMIT    12
> > TIMELIMIT    15
> > DEREF        never
> > timelimit 600
> > bind_timelimit 600
> > bind_policy soft
> > idle_timelimit 3600
> > 
> > nss_initgroups_ignoreusers
> > pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> > base dc=tncionline, dc=net
> > pam_password md5
> ----
> here's a big problem... /etc/ldap.conf
> 
> you need to add...(assuming this is where you have People/Groups)
> 
> nss_base_passwd         ou=People,tncionline,dc=net?one
> nss_base_shadow         ou=People,tncionline,dc=net?one                
> nss_base_group          ou=Groups,tncionline,dc=net?one                
> 
> take the space out of base...
> base dc=tncionline,dc=net
> 
> I'd also add (until you can deal)...
> ssl no
----
oh...

nss_initgroups_ignoreusers
pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus

you can remove pserwe,dgates from the list unless you have daemon services running as those users prior to LDAP start (highly unlikely)

and if the above doesn't work, it is because your slapd.conf ACL's are blocking anonymous binds at the indicated dn's

So you might want to either simplify your ACL's, permit anonymous binds to the 'people/groups' or let us see what you've got for ACL's

these are some rules that I've found good to have in /etc/openldap/slapd.conf - YMMV

allow           bind_anon_dn 

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none

access to dn.regex="^uid=([^,]+)ou=People,dc=azapple,dc=com$$"
        by self read
        by anonymous auth
        by * none

# a bottom catchall rule...
access to *
        by anonymous read
        by * read

access to dn.base="cn=Subschema" by * read

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux