Hello! Thank you very much for your great help!! With your help I could bring TLS/SSL to work. I had to do the "sufficient" thing in /etc/system-auth for pam_unix.so, see --> (7.). After that it worked. But without TLS/SSL it worked right from the start. What does that have to do with TLS??? I noticed a lot of stuff like this that makes me think that this whole OpenLDAP thing behaves very funny and illogically. I feel like working under Windows again... :-)

About THE PROXYAGENT PROBLEM:

--> (1.)
> Typo:
> binddn cn=proxyagent,ou=profile,dc=example,dc=com, change to yr specific.

I didn't find a typo. And the log file of slapd tells me that the BIND dn is "proxyagent...". So the login into the LDAP server with the binddn works. But I have the same "id: cannot find name for user ID..." problem. Without this proxyagent stuff (ldif, ACLs in slapd.conf, binddn & bindpw in ldap.conf) it works. I experimented a bit with the ACLs, but from the man page I don't get the point.

--> (2.)
> U r missing binddn and bindpw in /etc/ldap.conf at the ldap client

That's because I deleted everything that had to do with proxyagent out of the config files, because I couldn't get it to work.

--> (3.)
> 1) Add a proxyagent person, i.e. import the followings into LDAP tree data ...
> 2) Add ACL in slapd.conf to allow proxyagent to read user info. (change
> the specific pls), and restart ldap service ...
> 3) edit /etc/ldap.conf at ldap client, add these lines on top of what u
> already have, protect this file as mode 400 ...

I did it. I mean I used the slapd.conf, ldap.conf and ldif from your HOWTO, inserted it and checked if everything is there and without typo. But as before with your HOWTO on the inet, it gives me everything in 1.)

--> (4.)
And there is an additional question in slapd.conf: why don't users have to read the userinfo but anonymous users do?
> by users auth
> by anonymous read

--> (5.)
Another question in ldap.conf: Why does
-------------------
# The port.
# Optional: default is 389.
port 636
-------------------
not work?
# netstat -antup
and
# nmap 192.168.0.1
tell me that port 636 (ldapssl) and 389 (ldap) are both open.

--> (6.)
> 1) Hv u checked dir perms for /etc and /etc/openldap?
[root@server root]# ls -ld /etc; ls -ld /etc/openldap
drwxr-xr-x   78 root root 12288 17. Sep 12:25 /etc
drwxr-xr-x    2 root root  4096 17. Sep 11:35 /etc/openldap

--> (7.)
> 2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
> change this:
> account sufficient /lib/security/$ISA/pam_unix.so
This really did something (see above), but why?

--> (8.)
> 3) if 1) and 2) do not help
> Can u post these files on ldap client (full content pls) to us (or to
> just me as too much info):
> /etc/ldap.conf,
> /etc/openldap/ldap.conf
> /etc/pam.d/system-auth
> /etc/nsswitch.conf
> /etc/resolv.conf
> /etc/hosts
> and these files on ldap server:
> slapd.conf
See attachment.

--> (9.)
> output of:
> partial ldapsearch output showing the testuser user details
I did
# ldapsearch -x -v -b "uid=testuser,ou=group,dc=amazone,dc=or,dc=at" -s base -h ldaps.amazone.or.at -LLL -ZZ
(with the proxyagent stuff disabled), which gave me
---------------------------------------------------------------------------
ldap_init( ldaps.amazone.or.at, 0 )
filter: (objectclass=*)
requesting: ALL
dn: uid=testuser,ou=group,dc=amazone,dc=or,dc=at
givenName: Maeky
sn: Messer
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Maeki Messer
homeDirectory: /home/testuser
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
---------------------------------------------------------------------------

--> (10.)
> rpm -qa | grep openldap
---------------------------------------------------------------------------
openldap-clients-2.1.29-1
openldap-2.1.29-1
---------------------------------------------------------------------------

--> (11.)
> rpm -qa | grep nss_ldap
---------------------------------------------------------------------------
nss_ldap-217-1
---------------------------------------------------------------------------

--> (12.)
> rpm -qa | grep pam
---------------------------------------------------------------------------
pam_krb5-2.0.10-1
pam-0.77-40
pam_smb-1.1.7-3.1
pam-devel-0.77-40
---------------------------------------------------------------------------

--> (13.)
> strace id testuser (u must hv strace rpm installed)
Did
[I have no name!@acerAspire nico]$ strace id martina > strace-nico.txt 2>&1
as user nico: see strace-nico.txt.gz
# strace id martina > strace-root.txt 2>&1
and for root of the client: see strace-root.txt.gz

--> (14.)
> ldd `which id`
---------------------------------------------------------------------------
libselinux.so.1 => /lib/libselinux.so.1 (0x00d64000)
libc.so.6 => /lib/tls/libc.so.6 (0x0044c000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00433000)
---------------------------------------------------------------------------
Attachment: slapd.conf.bak (binary data)
Attachment: openldap-ldap.conf.bak (binary data)
Attachment: ldap.conf.bak (binary data)
Attachment: system-auth (binary data)
Attachment: nsswitch.conf (binary data)
Attachment: resolv.conf (binary data)
Attachment: hosts (binary data)
Attachment: strace-nico.txt.gz (GNU Zip compressed data)
Attachment: strace-root.txt.gz (GNU Zip compressed data)
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list