Typo: binddn cn=proxyagent,ou=profile,dc=example,dc=com, change to yr specific.

-----Original Message-----
From: Tay, Gary on behalf of Tay, Gary
Sent: Fri 9/17/2004 1:17 AM
To: Pluggable Authentication Modules
Cc:
Subject: RE: id: cannot find name for user ID 500

I read the thread, u hv actually posted most of the info. U r missing binddn and bindpw in /etc/ldap.conf at the ldap client.

1) Add a proxyagent person, i.e. import the following into the LDAP tree data:

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

2) Add ACL in slapd.conf to allow proxyagent to read user info (change the specifics pls), and restart ldap service:

access to attr=userPassword
        by self write
        by * auth
access to dn="ou=People,dc=example,dc=com"
        by self write
        by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
        by users auth
        by anonymous read
access to *
        by self write
        by * read

# service ldap restart

3) Edit /etc/ldap.conf at ldap client, add these lines on top of what u already have, protect this file as mode 400:

binddn cn=proxyagent,ou=profile,dc=platts,dc=mhm,dc=mhc
bindpw password
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid

Good luck to u.

-----Original Message-----
From: Tay, Gary on behalf of Tay, Gary
Sent: Fri 9/17/2004 12:22 AM
To: Pluggable Authentication Modules
Cc:
Subject: RE: id: cannot find name for user ID 500

1) Hv u checked dir perms for /etc and /etc/openldap?
ls -ld /etc; ls -ld /etc/openldap

2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth and change this:

account required /lib/security/$ISA/pam_unix.so

to that:

account sufficient /lib/security/$ISA/pam_unix.so

3) If 1) and 2) do not help, can u post these files on ldap client (full content pls) to us (or to just me as too much info):

/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/pam.d/system-auth
/etc/nsswitch.conf
/etc/resolv.conf
/etc/hosts

and these files on ldap server:

slapd.conf

output of:

partial ldapsearch output showing the testuser user details
rpm -qa | grep openldap
rpm -qa | grep nss_ldap
rpm -qa | grep pam
strace id testuser (u must hv strace rpm installed)
ldd `which id`

Rgds
Gary

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx on behalf of Markus Nicolussi
Sent: Thu 9/16/2004 11:31 PM
To: pam-list@xxxxxxxxxx
Cc:
Subject: Re: id: cannot find name for user ID 500

Hello!

Thank u very much 4 all the response. I spent a whole day in testing all the stuff that came as help over the maillist and to my personal EMail Account.

* The 2 cacerts on client and server are the same.

* openssl s_client -connect ldaps.amazone.or.at:636 -showcerts gives me

---------------------------------------------------------------------------
CONNECTED(00000003)
depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
   i:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
issuer=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 1167 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0F9232AC5D606B153E3E4A371B1AFDE8D466B2FE04A398CFBCC7F2DC6BD6228D
    Session-ID-ctx:
    Master-Key: 5C6EB4AED5CBC153F715AD6417492C3C1373DB138ECCD470046D296721B1C9E6777BAA8F8CB0F65DC8A2CE58FEA9F746
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1095235867
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
************ now i have to press [Ctrl] + [D] **************
DONE
---------------------------------------------------------------------------

* ldapsearch -x -LLL -ZZZ -h ldaps.amazone.or.at prints out all information in my LDAP directory. So does
# ldapsearch -v -Z -x -H ldaps://ldaps.amazone.or.at/

* Doug Wilson wrote:
> try a 'getent passwd' as root and then as testuser. You'll probably find
> that root can see all of the UIDs, but the testuser can't.

getent passwd as root and as testuser both display exactly the /etc/passwd file on the client machine.

* As root on the client I can see that /etc/openldap/cacert.pem is world readable:

---------------------------------------------------------------------------
[root@acerAspire root]# ls -l /etc/openldap/
total 16
-rw-r--r--    1 root     root         1359 Sep 10 10:56 cacert.pem
-rw-r--r--    1 root     root          488 Sep 15 11:28 ldap.conf
---------------------------------------------------------------------------

but logged in as a user...
---------------------------------------------------------------------------
[I have no name!@acerAspire testuser]$ ls -l /etc/openldap/
insgesamt 0
?---------  ? ?        ?               ?                ? cacert.pem
?---------  ? ?        ?               ?                ? ldap.conf
---------------------------------------------------------------------------

and if I type # finger testuser with the debugging in /etc/ldap.conf switched on, I get

---------------------------------------------------------------------------
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.amazone.or.at:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.1:636
ldap_connect_timeout: fd: 3 tm: 30 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
TLS: could not load verify locations (file:`/etc/openldap/cacert.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:279
ldap_unbind
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.amazone.or.at:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.0.1:636
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
TLS: could not load verify locations (file:`/etc/openldap/cacert.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:279
ldap_unbind
finger: testuser: no such user.
---------------------------------------------------------------------------

This looks as if I have a problem with the permission of /etc/openldap/cacert.pem, but what can I do?

* Tommy Henriksen wrote:
> if possible, you can also enable some extra debug information on your
> OpenLDAP server, - if you can restart the slapd try and play with -d
> <level>, - you can see different debug levels in following link at
> openldap.

I did this with different levels from -1 to 2048 but could never see anything appropriate to the TLS connection... Which level should I use and what expression should I look 4?

> To enable debug on your nss_ldap client you can recompile setting the
> DEBUG option, either make a #define DEBUG in config.h or add a -DDEBUG as
> compile option, - this should let you see if nss connect to your ldap
> server.

Compiling is at the moment too freaky for me. Every time I compile a software and it doesn't run straight through I can never solve the issue... So I use the binaries supported by Fedora Core 2. But I tried a hint from Vsevolod. Is this maybe what you mean? (see next point)

* Vsevolod (Simon) Ilyushchenko wrote:
> If you want to debug this, insert "debug 9" into /etc/ldap.conf, type
> "id user" and watch what happens.

Doing this and then issuing # id testuser gives me

---------------------------------------------------------------------------
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.amazone.or.at:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.1:636
ldap_connect_timeout: fd: 3 tm: 30 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldaps.amazone.or.at  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Sep 15 11:31:27 2004
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next failed.
ldap_unbind
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed
id: testuser: No such user
---------------------------------------------------------------------------

I can't read much out from this... Is there anyone who has a clue what this means?

Thank u all very much 4 the help so far, and for helping me further.

ciao,
nico.
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
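The two failures in this thread are both things a script can check before anyone reaches for strace. The `?---------` listing that testuser sees means `ls` could read /etc/openldap but could not stat its entries, i.e. the directory is not searchable by that user; and because nss_ldap loads ldap.conf and the CA file inside the calling user's own process, the `fopen: Permission denied` on /etc/openldap/cacert.pem follows directly from that, even though the file itself is 644. Gary's `ls -ld /etc; ls -ld /etc/openldap` is the manual form of the same check. Separately, the "Typo:" note at the top corrects a binddn whose dc= suffix did not match the nss_base_* bases in step 3. The script below is an added example written for this page, not code from the thread, nss_ldap or OpenLDAP. It assumes only POSIX sh, ls, cut, sed and awk; the sample log and sample ldap.conf are constructed for the example, in the shape of the thread's output and of step 3.

```shell
#!/bin/sh
# Added example for this thread, not code from nss_ldap or OpenLDAP.
# Assumes POSIX sh, ls, cut, sed, awk. Sample inputs are constructed.

# check_world_path PATH: walk PATH from / and report the first component an
# unprivileged user cannot pass. Directories need the "other" search bit,
# the final file the "other" read bit. Only classic mode bits are examined;
# POSIX ACLs or SELinux can still deny or grant, so "ok" is necessary, not
# sufficient. Exit 0 ok, 1 blocked, 2 missing.
check_world_path() (
    target=$1
    case $target in /*) ;; *) target="$(pwd)/$target" ;; esac
    IFS=/
    set -f                       # no globbing while splitting on "/"
    set -- $target
    unset IFS
    cur=""
    for comp in "$@"; do
        if [ -z "$comp" ]; then continue; fi
        cur="$cur/$comp"
        if [ ! -e "$cur" ]; then
            echo "missing: $cur"
            exit 2
        fi
        mode=$(ls -ldL "$cur" | cut -c1-10)   # -L follows symlinks
        if [ -d "$cur" ]; then
            case $mode in
                *[xt]) ;;        # others may search (t = sticky bit plus x)
                *) echo "blocked: $cur is $mode (others cannot traverse)"; exit 1 ;;
            esac
        else
            case $mode in
                ???????r??) ;;   # character 8 is the "other" read bit
                *) echo "blocked: $cur is $mode (others cannot read)"; exit 1 ;;
            esac
        fi
    done
    echo "ok: $target is reachable by unprivileged users"
)

# tls_verify_file_from_log: pull the CA file path out of nss_ldap "debug"
# output, from the "TLS: could not load verify locations (file:`...'" line.
tls_verify_file_from_log() {
    sed -n "s/^TLS: could not load verify locations (file:.\([^']*\)'.*/\1/p" | head -n 1
}

# lint_ldap_conf [FILE]: flag a missing binddn/bindpw, and a binddn whose dc=
# suffix differs from the nss_base_* bases (the mistake the "Typo:" note
# corrects). Reads stdin when no FILE is given. Exit 0 ok, 1 problems found.
lint_ldap_conf() {
    awk '
    function suffix(dn,  n) { n = index(dn, "dc="); return n ? substr(dn, n) : dn }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    NF < 2 { next }                          # key without a value
    { key = tolower($1); val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val) }
    key == "binddn" { binddn = val }
    key == "bindpw" { bindpw = val }
    key ~ /^nss_base_/ { sub(/\?.*$/, "", val); base[key] = val }   # drop ?scope
    END {
        rc = 0
        if (binddn == "") { print "missing: binddn"; rc = 1 }
        if (bindpw == "") { print "missing: bindpw"; rc = 1 }
        for (k in base)
            if (binddn != "" && suffix(base[k]) != suffix(binddn)) {
                print "mismatch: " k " uses " suffix(base[k]) " but binddn uses " suffix(binddn)
                rc = 1
            }
        if (rc == 0) print "ok"
        exit rc
    }' "$@"
}

# Constructed sample of the debug output shown in the thread.
sample_log() {
cat <<'EOF'
ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
TLS: could not load verify locations (file:`/etc/openldap/cacert.pem',dir:`').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
ldap_unbind
EOF
}

# Constructed sample ldap.conf in the shape of step 3, before the typo fix.
sample_ldap_conf() {
cat <<'EOF'
binddn cn=proxyagent,ou=profile,dc=platts,dc=mhm,dc=mhc
bindpw password
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
pam_filter objectclass=posixAccount
pam_login_attribute uid
EOF
}

# Usage: sh nss_ldap_check.sh /etc/openldap/cacert.pem /etc/ldap.conf
if [ $# -gt 0 ]; then
    for p in "$@"; do check_world_path "$p"; done
fi
```

Run `check_world_path` as the affected user or as root; the verdict depends only on the mode bits, not on who runs it. On the thread's client it would stop at /etc/openldap (or /etc) rather than at cacert.pem, which is why chmod on the file alone changes nothing. The same rule applies to /etc/ldap.conf: nss_ldap reads it in every process that resolves a name, so a mode 400 ldap.conf breaks lookups for unprivileged users just like an unreadable CA file; nss_ldap's way to keep a bind password out of a world-readable file is `rootbinddn` with the password in root-only /etc/ldap.secret. `lint_ldap_conf` exits non-zero on the sample above until the binddn suffix is changed to dc=example,dc=com.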