RE: id: cannot find name for user ID 500

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Typo: 
binddn cn=proxyagent,ou=profile,dc=example,dc=com, change to yr specific.

	-----Original Message----- 
	From: Tay, Gary on behalf of Tay, Gary 
	Sent: Fri 9/17/2004 1:17 AM 
	To: Pluggable Authentication Modules 
	Cc: 
	Subject: RE: id: cannot find name for user ID 500
	
	
	I read the thread, u hv actually posted most of the info.
	 
	U r missing binddn and bindpw in /etc/ldap.conf at the ldap client
	 
	1) Add a proxyagent person, i.e. import the followings into LDAP tree data
	 
	dn: ou=profile,dc=example,dc=com
	ou: profile
	objectClass: top
	objectClass: organizationalUnit
	dn: cn=proxyagent,ou=profile,dc=example,dc=com
	cn: proxyagent
	sn: proxyagent
	objectClass: top
	objectClass: person
	userPassword: {CRYPT}l14aeXtphVSUg
	 
	2) Add ACL in slapd.conf to allow proxyagent to read user info. (change the specfic pls), and restart ldap service
	 

	access to attr=userPassword

	            by self write

	            by * auth

	access to dn="ou=People,dc=example,dc=com"

	            by self write

	            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read

	            by users auth

	            by anonymous read

	access to * by self write

	            by * read

	 
	# service ldap restart
	 
	3) edit /etc/ldap.conf at ldap client, add these lines on top of what u already have, protect this file as mode 400
	 
	binddn cn=proxyagent,ou=profile,dc=platts,dc=mhm,dc=mhc
	bindpw password
	nss_base_passwd ou=People,dc=example,dc=com?one
	nss_base_shadow ou=People,dc=example,dc=com?one
	nss_base_group          ou=group,dc=example,dc=com?one
	# Filter to AND with uid=%s
	#pam_filter objectclass=account
	pam_filter objectclass=posixAccount
	# The user ID attribute (defaults to uid)
	pam_login_attribute uid
	

	Good luck to u.

	-----Original Message----- 
	From: Tay, Gary on behalf of Tay, Gary 
	Sent: Fri 9/17/2004 12:22 AM 
	To: Pluggable Authentication Modules 
	Cc: 
	Subject: RE: id: cannot find name for user ID 500
	
	

		1) Hv u checked dir perms for /etc and /etc/openldap?
		ls -ld /etc; ls -ld /etc/openldap
		 
		2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
		change this:

		account     required      /lib/security/$ISA/pam_unix.so

		to that:

		

		account     sufficient      /lib/security/$ISA/pam_unix.so
		 
		3) if 1) and 2) do not help
		 
		Can u post these files on ldap client (full content pls) to us (or to just me as too much info):
		/etc/ldap.conf,
		/etc/openldap/ldap.conf
		/etc/pam.d/system-auth
		/etc/nsswitch.conf
		/etc/resolv.conf
		/etc/hosts
		 
		and these files on ldap server:
		slapd.conf
		 
		output of:
		partial ldapsearch output showing the testuser user details
		rpm -qa | grep openldap
		rpm -qa | grep nss_ldap
		rpm -qa | grep pam
		strace id testuser (u must hv strace rpm installed)
		ldd `which id`
		 
		Rgds
		Gary
		 
		-----Original Message----- 
		From: pam-list-bounces@xxxxxxxxxx on behalf of Markus Nicolussi 
		Sent: Thu 9/16/2004 11:31 PM 
		To: pam-list@xxxxxxxxxx 
		Cc: 
		Subject: Re: id: cannot find name for user ID 500
		
		

			Hello!
			
			
			Thank u very much 4 all the response. I spent a whole day in testing all the
			stuff that came as help over the maillist and to my personal EMail Account.
			
			
			* The 2 cacerts on client and server are the same.
			
			
			*openssl s_client -connect ldaps.amazone.or.at:636 -showcerts
			
			gives me
			
			---------------------------------------------------------------------------
			CONNECTED(00000003)
			depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
			Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
			verify error:num=20:unable to get local issuer certificate
			verify return:1
			depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
			Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
			verify error:num=21:unable to verify the first certificate
			verify return:1
			---
			Certificate chain
			 0 s:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
			Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
			   i:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
			Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
			-----BEGIN CERTIFICATE-----
			...
			-----END CERTIFICATE-----
			---
			Server certificate
			subject=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
			Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
			issuer=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
			Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
			---
			No client certificate CA names sent
			---
			SSL handshake has read 1167 bytes and written 340 bytes
			---
			New, TLSv1/SSLv3, Cipher is AES256-SHA
			Server public key is 1024 bit
			SSL-Session:
			    Protocol  : TLSv1
			    Cipher    : AES256-SHA
			    Session-ID:
			0F9232AC5D606B153E3E4A371B1AFDE8D466B2FE04A398CFBCC7F2DC6BD6228D
			    Session-ID-ctx:
			  
			Master-Key:
			5C6EB4AED5CBC153F715AD6417492C3C1373DB138ECCD470046D296721B1C9E6777BAA8F8CB0F65DC8A2CE58FEA9F746
			    Key-Arg   : None
			    Krb5 Principal: None
			    Start Time: 1095235867
			    Timeout   : 300 (sec)
			    Verify return code: 21 (unable to verify the first certificate)
			---
			
			************ now i have to press [Ctrl] + [D] **************
			
			DONE
			---------------------------------------------------------------------------
			
			
			* ldapsearch -x -LLL -ZZZ -h ldaps.amazone.or.at
			
			prints out all Information in my LDAP directory. also does
			
			# ldapsearch -v -Z -x -H ldaps://ldaps.amazone.or.at/
			
			
			
			* Doug Wilson wrote:
			> try a 'getent passwd' as root and then as testuser. You'll probably find
			> that root can see all of the UIDs, but the testuser can't.
			
			getent passwd as root and as testuser both display exactly the /etc/passwd
			file on the client machine
			
			* as root on the client i can see that /etc/openldap/cacert.pem is world
			readable
			---------------------------------------------------------------------------
			[root@acerAspire root]# ls -l /etc/openldap/
			total 16
			-rw-r--r--  1 root root 1359 Sep 10 10:56 cacert.pem
			-rw-r--r--  1 root root  488 Sep 15 11:28 ldap.conf
			---------------------------------------------------------------------------
			
			but logged in as a user...
			---------------------------------------------------------------------------
			[I have no name!@acerAspire testuser]$ ls -l /etc/openldap/
			insgesamt 0
			?---------  ? ? ? ?            ? cacert.pem
			?---------  ? ? ? ?            ? ldap.conf
			---------------------------------------------------------------------------
			
			and if i type
			#finger testuser
			with the debuging in /etc/ldap.conf switched on, i get
			---------------------------------------------------------------------------
			ldap_create
			ldap_simple_bind
			ldap_sasl_bind
			ldap_send_initial_request
			ldap_new_connection
			ldap_int_open_connection
			ldap_connect_to_host: TCP ldaps.amazone.or.at:636
			ldap_new_socket: 3
			ldap_prepare_socket: 3
			ldap_connect_to_host: Trying 192.168.0.1:636
			ldap_connect_timeout: fd: 3 tm: 30 async: 0
			ldap_ndelay_on: 3
			ldap_is_sock_ready: 3
			ldap_ndelay_off: 3
			ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
			TLS: could not load verify locations
			(file:`/etc/openldap/cacert.pem',dir:`').
			TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
			TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
			TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
			lib by_file.c:279
			ldap_unbind
			ldap_create
			ldap_simple_bind
			ldap_sasl_bind
			ldap_send_initial_request
			ldap_new_connection
			ldap_int_open_connection
			ldap_connect_to_host: TCP ldaps.amazone.or.at:636
			ldap_new_socket: 4
			ldap_prepare_socket: 4
			ldap_connect_to_host: Trying 192.168.0.1:636
			ldap_connect_timeout: fd: 4 tm: 30 async: 0
			ldap_ndelay_on: 4
			ldap_is_sock_ready: 4
			ldap_ndelay_off: 4
			ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
			TLS: could not load verify locations
			(file:`/etc/openldap/cacert.pem',dir:`').
			TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
			TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
			TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
			lib by_file.c:279
			ldap_unbind
			finger: testuser: no such user.
			---------------------------------------------------------------------------
			this looks as if i have a problem with the permission of
			/etc/openldap/cacert.pem, but what can i do?
			
			*Tommy Henriksen worte:
			> if possible, you can also enable some extra debug information on your
			> OpenLDAP server, - if you can restart the slapd try and play with -d
			> <level>, - you can see different debug levels in following link at
			> openldap.
			I did this with different levels from -1 to 2048 but could never see
			anything apropriate to the TLS connection... which level should i use and
			what exprssion sould i look 4.
			
			> To enable debug on your nss_ldap client you can recompile setting the
			> DEBUG option, either make a #define DEBUG in config.h or add a -DDEBUG as
			> compile option, - this should let you see if nss connect to your ldap
			> server.
			Compiling is at the moment to freaky for me. Everytime i compile a software
			and it doesn't run straight trough i can never solve the issue... So i use
			the binarys supported by Fedora Core 2. But i tried a hind form Vsevolod. Is
			this maybe what you mean? (see next point)
			
			* Vsevolod (Simon) Ilyushchenko wrote:
			> If you want to debug this, insert "debug 9" into /etc/ldap.conf, type
			> "id user" and watch what happens.
			
			doing this and then issuing
			# id testuser
			
			gives me
			
			---------------------------------------------------------------------------
			ldap_create
			ldap_extended_operation_s
			ldap_extended_operation
			ldap_send_initial_request
			ldap_new_connection
			ldap_int_open_connection
			ldap_connect_to_host: TCP ldaps.amazone.or.at:636
			ldap_new_socket: 3
			ldap_prepare_socket: 3
			ldap_connect_to_host: Trying 192.168.0.1:636
			ldap_connect_timeout: fd: 3 tm: 30 async: 0
			ldap_ndelay_on: 3
			ldap_is_sock_ready: 3
			ldap_ndelay_off: 3
			ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
			ldap_open_defconn: successful
			ldap_send_server_request
			ber_flush: 31 bytes to sd 3
			ldap_result msgid 1
			ldap_chkResponseList for msgid=1, all=1
			ldap_chkResponseList returns NULL
			wait4msg (infinite timeout), msgid 1
			wait4msg continue, msgid 1, all 1
			** Connections:
			* host: ldaps.amazone.or.at  port: 636  (default)
			  refcnt: 2  status: Connected
			  last used: Wed Sep 15 11:31:27 2004
			
			** Outstanding Requests:
			 * msgid 1,  origid 1, status InProgress
			   outstanding referrals 0, parent count 0
			** Response Queue:
			   Empty
			ldap_chkResponseList for msgid=1, all=1
			ldap_chkResponseList returns NULL
			ldap_int_select
			read1msg: msgid 1, all 1
			ber_get_next
			ber_get_next failed.
			ldap_unbind
			ldap_free_request (origid 1, msgid 1)
			ldap_free_connection
			ldap_send_unbind
			ber_flush: 7 bytes to sd 3
			ldap_free_connection: actually freed
			id: testuser: No such user
			---------------------------------------------------------------------------
			
			I can't read much out from this... Is there anyone who has a clou what this
			means?
			
			thank u all very much 4 the help so far. and for helping me further.
			
			ciao, nico.
			
			--
			NEU: GMX ProMail mit bestem Virenschutz http://www.gmx.net/de/go/mail
			+++ Empfehlung der Redaktion +++ Internet Professionell 10/04 +++
			
			--
			NEU: GMX ProMail mit bestem Virenschutz http://www.gmx.net/de/go/mail
			+++ Empfehlung der Redaktion +++ Internet Professionell 10/04 +++
			
			
			_______________________________________________
			
			Pam-list@xxxxxxxxxx
			https://www.redhat.com/mailman/listinfo/pam-list
			

<<winmail.dat>>

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux