Fedora Linux Support Community & Resources Center
  #1  
Old 23rd April 2009, 06:52 PM
Gresso Offline
Registered User
 
Join Date: Apr 2009
Posts: 3
LDAP Client login problem

Hi guys,
I have a login problem with an LDAP server. All the needed configuration has been done, but when I tried to apply this command:

chown ldapuser:users /home/ldapuser

I got this error:

chown: invalid user 'ldapuser:users'

I am going to list all the configuration files (ldap.conf, nsswitch.conf, slapd.conf for the server side).

The user is already created in the server side and all the databases are migrated.


----------ldap.conf--------------

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 192.168.200.35
BASE dc=skyshare,dc=com
TLS_CACERTDIR /etc/openldap/cacerts


-----------nsswitch.conf------------
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files
shadow: files
group: files

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus



-------------slapd.conf-----------


#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=skyshare,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=skyshare,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {SSHA}sVGojFPUiB1n+iEUW1HtwwNtTUofVtKm

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM


# enable monitoring
database monitor

# allow only rootdn to read the monitor
access to *
by dn.exact="cn=admin,dc=my-domain,dc=com" read
by * none


--------------------------------------

Can help to figure out what is the problem?
Thanks in advance.
  #2  
Old 23rd April 2009, 10:42 PM
scottro Offline
Retired Community Manager -- Banned from Texas by popular demand.
 
Join Date: Sep 2007
Location: NYC
Posts: 8,142
There are several configuration tutorials out there, most of which contradict each other.

I'd start with the linuxhomenetworking.com one. Just follow it step by step.

As you get more comfortable with LDAP, you can start customizing.

Seems as if the client isn't realizing the server is there.

Actually, while it can have merit to post all files, especially when 90 percent of it is going to be the default config, you should probably only post the parts that you change. It makes it more likely that they'll get read.
__________________
--
http://home.roadrunner.com/~computertaijutsu

Do NOT PM forum members with requests for technical support. Ask your questions on the forum.


"I don't know why there is the constant push to break any semblance of compatibility" --anon
  #3  
Old 24th April 2009, 04:33 PM
ibbo Offline
Registered User
 
Join Date: Jun 2005
Location: Leeds
Posts: 1,264
chown: invalid user 'ldapuser:users'

This states it all.

cat /etc/passwd | grep ldapuser
cat /etc/passwd | grep users

Do they exist?

chown says not.

Ibbo
__________________
A Hangover Lasts A Day, But Our Drunken Memories Last A Lifetime
--
Linux user #349545
  #4  
Old 27th April 2009, 09:59 AM
johatter Offline
Registered User
 
Join Date: Apr 2009
Location: Beijing, China
Posts: 7
Run "getent passwd" to make sure this user ID is valid on your machine.
  #5  
Old 28th April 2009, 05:50 PM
Gresso Offline
Registered User
 
Join Date: Apr 2009
Posts: 3
First of all, I'm already following linuxhomenetworking.com, and I want to mention something: there is "ldap" beside "files" in nsswitch.conf, which I forgot to include, but it didn't work either.

When I try to run chown from the client side, I get the "chown: invalid user 'ldapuser:users'" error, although the user and its group already exist on the server side. The client hangs when it tries to log in.
  #6  
Old 28th April 2009, 10:25 PM
scottro Offline
Retired Community Manager -- Banned from Texas by popular demand.
 
Join Date: Sep 2007
Location: NYC
Posts: 8,142
Right, which goes back to what we're suggesting, that somehow, the client isn't looking to the server for info.

Important question--did you definitely add the account on the server to the server's LDAP, as opposed to simply making it an account on the server?

Also, have you edited /etc/openldap/ldap.conf to point to the LDAP server?

Lastly, what happened when you ran getent, did the test user show up?

For instance, if my test user is called ldapuser, doing

grep ldapuser /etc/passwd

gives me nothing, but getent passwd |grep ldapuser shows me that my client machine is asking the LDAP server.
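The distinction scottro draws above (grep reads only /etc/passwd, while getent walks every source listed for passwd: in nsswitch.conf, which is also the path chown takes through getpwnam) can be modelled offline. The following is an added Python example, not code from the thread; the local passwd rows, the ldapuser row returned by the "ldap" source and the two nsswitch fragments are constructed, and [STATUS=action] tokens are ignored rather than honoured.

```python
"""Model of how glibc NSS resolves a passwd lookup.

Added example (not the thread's own code). It replays the point made in the
thread: `grep ldapuser /etc/passwd` consults only the 'files' source, while
`getent passwd ldapuser` walks every source on the `passwd:` line of
nsswitch.conf, so an account that lives only in LDAP resolves only when
'ldap' appears on that line. chown uses getpwnam(3), i.e. the same path,
and prints 'invalid user' when the lookup returns nothing.
"""

# Constructed nsswitch fragments: the poster's original line, and the fixed one.
NSSWITCH_FILES_ONLY = "passwd: files\nshadow: files\ngroup: files\n"
NSSWITCH_WITH_LDAP = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"

# Constructed /etc/passwd content (the 'files' source): local accounts only.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
"""

# Constructed stand-in for what the 'ldap' NSS module would return for
# uid=ldapuser once the directory entry carries posixAccount attributes.
LDAP_DIRECTORY = {
    "ldapuser": "ldapuser:x:1001:100:LDAP User:/home/ldapuser:/bin/bash",
}


def parse_nsswitch(text):
    """Map database name -> ordered list of sources.

    Comments are dropped; [STATUS=action] tokens are skipped (a simplification:
    real NSS honours them, this model does not).
    """
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def lookup_files(name):
    """'files' source: linear scan of the local passwd rows, like grep would do."""
    for row in LOCAL_PASSWD.splitlines():
        if row.split(":", 1)[0] == name:
            return row
    return None


def lookup_ldap(name):
    """'ldap' source: ask the (constructed) directory."""
    return LDAP_DIRECTORY.get(name)


SOURCE_HANDLERS = {"files": lookup_files, "ldap": lookup_ldap}


def getent_passwd(name, nsswitch_text):
    """Return the passwd row for `name`, or None, following the configured
    source order exactly as `getent passwd name` would. glibc defaults to
    'files' when the database has no line at all."""
    for src in parse_nsswitch(nsswitch_text).get("passwd", ["files"]):
        handler = SOURCE_HANDLERS.get(src)
        if handler is None:
            continue  # unknown source: glibc cannot load libnss_<src> and moves on
        row = handler(name)
        if row is not None:
            return row
    return None


def chown_would_accept(name, nsswitch_text):
    """True when chown's getpwnam(3) call would resolve the user name."""
    return getent_passwd(name, nsswitch_text) is not None


if __name__ == "__main__":
    for label, conf in (("files only", NSSWITCH_FILES_ONLY), ("files ldap", NSSWITCH_WITH_LDAP)):
        print(f"{label:10s} ldapuser -> {getent_passwd('ldapuser', conf)}")
```

With the poster's "passwd: files" line the LDAP-only account is never consulted and chown reports it invalid; with "files ldap" the same lookup returns the row. On a real client the equivalent check is the one scottro gives: compare `grep ldapuser /etc/passwd` with `getent passwd ldapuser`.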
  #7  
Old 1st May 2009, 01:01 PM
Gresso Offline
Registered User
 
Join Date: Apr 2009
Posts: 3
I've uninstalled the old version of openldap that I had, and I've installed openldap 2.4.16. I've been having a very hard time trying to configure slapd and run it as a login server, so, sorry guys, I'm going to give you each step that I've followed.

After compiling openldap from the source code, the path to it becomes /usr/local/etc/openldap. Regarding slapd.conf, I've changed the base name (dc=sky,dc=com). After that I ran slapd (/usr/local/libexec/slapd start) and added my directory structure, administrator account, organizational unit (users) and a user account to the server. I didn't use any migration tools to migrate my user accounts, groups, protocols, services, etc.; I just created the administrator and user account in an ldif file and added it to the server. I don't know if this is right or not.

ldapadd -x -W -D 'cn=Manager,dc=sky,dc=com' -f all.ldif

Everything went just fine and I restarted the server.
To verify my database I've applied

ldapsearch -x -b 'dc=sky,dc=com'

I've got everything in there. I've also verified that the ldap port (389) is open by using

nmap localhost

For the LDAP client I went to Administration > Authentication, enabled LDAP support and configured it (changing the base DN and the LDAP server IP address).

So I didn't need to configure ldap.conf and nsswitch.conf because they are already configured.

I pinged the server IP address and it did reply. I tried to make a home directory for the ldap user in the client PC by using

mkdir /home/test
chmod 700 /home/test

When I try to apply the following command

chown -R test:users /home/test

I get the message (chown invalid user 'test:users')

When I try to log in using the test user, the PC freezes for a long time. It seems the PC tries to log in but there is no response.
When I try to log in using any local user's account, the PC freezes as well. So I have to log in as root to uncheck LDAP support in Administration > Authentication and restart my PC; then I can use any local account.

I really have no idea what is going on and it's been a week trying to make it run and I really really need your help guys.

-----------------Here you find all.ldif file----------------------------

# root dn entry
dn: dc=sky,dc=com
objectclass: dcobject
objectclass: organization
dc: sky
o: Sky

# directory administrator
dn: cn=Manager,dc=sky,dc=com
cn: Manager
objectclass: organizationalRole

dn: ou=users,dc=sky,dc=com
objectclass: organizationalUnit
ou: users

dn: uid=test,ou=users,dc=sky,dc=com
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Test Test1
sn: Test1
uid: test
userPassword: password
mail: test.test1@sky.com
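The uid=test entry in the all.ldif above carries only organizationalPerson/inetOrgPerson attributes. The NSS modules on a Linux client build a passwd row from the RFC 2307 posixAccount attributes (uidNumber, gidNumber, homeDirectory, plus cn and uid), which the nis.schema already included in the poster's slapd.conf provides; without them a directory entry is a valid person record but not a Unix account, so getpwnam, chown and login cannot resolve it. The checker below is an added Python example, not code from the thread: it parses a constructed copy of the posted entry and a corrected version (the uidNumber, gidNumber, homeDirectory and loginShell values are assumptions, and the hashed userPassword is a placeholder for slappasswd output) and reports what an NSS client would still be missing.

```python
"""Check whether an LDIF user entry carries what an NSS client needs.

Added example (not the thread's own code). The rules are the RFC 2307
posixAccount / posixGroup definitions shipped as nis.schema; the LDIF texts
are constructed, based on the entry posted in the thread.
"""

REQUIRED_ACCOUNT_ATTRS = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
REQUIRED_GROUP_ATTRS = ("cn", "gidNumber")

# Constructed copy of the user entry as posted in the thread.
ORIGINAL_LDIF = """# user entry as posted (constructed copy)
dn: uid=test,ou=users,dc=sky,dc=com
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Test Test1
sn: Test1
uid: test
userPassword: password
mail: test.test1@sky.com
"""

# Same user with the RFC 2307 attributes NSS needs. uidNumber, gidNumber,
# homeDirectory and loginShell values are assumptions; the userPassword is a
# placeholder standing in for a real slappasswd(8) hash.
FIXED_LDIF = """dn: uid=test,ou=users,dc=sky,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Test Test1
sn: Test1
uid: test
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
userPassword: {SSHA}PLACEHOLDER-USE-SLAPPASSWD-OUTPUT
mail: test.test1@sky.com
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, '#' comment lines
    skipped, folded continuation lines (leading space) joined, attribute names
    lower-cased so objectclass/objectClass compare equal. Base64 (::) and
    URL (:<) values are not handled."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if ":" not in raw:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        name, value = raw.split(":", 1)
        name = name.strip().lower()
        current.setdefault(name, []).append(value.strip())
        last_attr = name
    return entries


def object_classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def check_nss_user(entry):
    """Problems that would stop an NSS client turning this entry into a passwd
    row; an empty list means it would resolve."""
    problems = []
    if "posixaccount" not in object_classes(entry):
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_ACCOUNT_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"missing attribute {attr}")
    for attr in ("uidNumber", "gidNumber"):
        vals = entry.get(attr.lower())
        if vals and not vals[0].isdigit():
            problems.append(f"{attr} must be numeric, got {vals[0]!r}")
    return problems


def check_nss_group(entry):
    """Same check for a group entry (what `group: ... ldap` would need)."""
    problems = []
    if "posixgroup" not in object_classes(entry):
        problems.append("missing objectClass posixGroup")
    for attr in REQUIRED_GROUP_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"missing attribute {attr}")
    return problems


def to_passwd_row(entry):
    """Render the passwd(5) line getent would print for a complete entry.
    Assumes an empty shell field when loginShell is absent."""
    if check_nss_user(entry):
        raise ValueError("entry is not a usable posixAccount: " + "; ".join(check_nss_user(entry)))
    g = lambda a: entry[a.lower()][0]
    shell = entry.get("loginshell", [""])[0]
    return f"{g('uid')}:x:{g('uidNumber')}:{g('gidNumber')}:{g('cn')}:{g('homeDirectory')}:{shell}"


if __name__ == "__main__":
    for label, text in (("posted entry", ORIGINAL_LDIF), ("fixed entry", FIXED_LDIF)):
        entry = parse_ldif(text)[0]
        print(f"{label}: {entry['dn'][0]}")
        for p in check_nss_user(entry) or ["ok -> " + to_passwd_row(entry)]:
            print("  ", p)
```

The check is only the NSS half of the problem: even with a complete posixAccount the client's nsswitch.conf must list ldap for passwd, shadow and group, and "users" in chown test:users must itself resolve, either from the client's /etc/group or from a posixGroup entry in the directory.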