Re: Problems with OpenLDAP
Hello Michael,
Attached is my version of slapd.conf. I am fairly sure I have not changed
it since the initial installation. At first glance I did not notice any
differences apart from the last line with rootpw. (But you wrote that you
had already removed that one?)
I recently had a similar problem, and it turned out to be wrong file
permissions. I am also attaching the permissions from my (now working
again) system.
I have never worked with webmin. Can you trace what it did during the
installation? Did it perhaps make changes to the database?
Best regards
Joachim Fahnenmüller
Herder-Gymnasium
Kattowitzer Straße 52
51065 Köln
On Tuesday, 15.02.2011, 13:48 +0100, Michael Koch wrote:
> On 15.02.2011, 13:40, Klaus Ade Johnstad <klaus@skolelinux.no> wrote:
>
> > On Tuesday 15 February 2011 13:24:54, Michael Koch wrote:
> >> The rootpw error disappeared, but the other
> >> error ("rootdn is always granted...") still remains.
> >
> > That is not a critical error. Your ldap should be running now, and if it
> > doesn't, then that error message about "rootdn is always granted..." is
> > not the reason.
> >
> > But, there is no webmin for Lenny, where did you get it?
> >
>
> I installed it from webmin.com for easier configuration of all server
> modules.
> And with webmin (and no-ip), I'm able to maintain the server at home.
> But I think I broke the LDAP configuration with webmin.
> I attached the current slapd.conf file to this mail.
> It would be quite helpful, if someone can send me Skole's default
> slapd.conf file, so I can compare both and check for differences.
>
>
>
> --
> Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
> --
> User mailing list
> User@skolelinux.de
> subscribe/unsubscribe: https://www.skolelinux.de/mailman/listinfo/user
> Please note: http://www.skolelinux.de/wiki/MailingListe
# ls -ld /var/lib/ldap/
drwxr-xr-x 2 openldap openldap 4096 15. Feb 21:46 /var/lib/ldap/
# ls -l /var/lib/ldap/
insgesamt 37800
-rw-r--r-- 1 openldap openldap 2048 15. Feb 21:46 alock
-rw------- 1 openldap openldap 1105920 13. Feb 12:17 cn.bdb
-rw------- 1 openldap openldap 8192 15. Feb 21:49 __db.001
-rw------- 1 openldap openldap 2629632 15. Feb 21:50 __db.002
-rw------- 1 openldap openldap 589824 15. Feb 21:46 __db.003
-rw------- 1 openldap openldap 1892352 15. Feb 21:50 __db.004
-rw------- 1 openldap openldap 24576 15. Feb 21:46 __db.005
-rw------- 1 openldap openldap 3080 31. Mai 2010 DB_CONFIG
-rw------- 1 openldap openldap 40960 13. Feb 12:14 displayName.bdb
-rw------- 1 openldap openldap 733184 13. Feb 12:20 dn2id.bdb
-rw------- 1 openldap openldap 65536 13. Feb 12:14 gidNumber.bdb
-rw------- 1 openldap openldap 28672 13. Feb 12:17 groupType.bdb
-rw------- 1 openldap openldap 4784128 15. Feb 21:46 id2entry.bdb
-rw------- 1 openldap openldap 10485700 13. Feb 12:14 log.0000000001
-rw------- 1 openldap openldap 10485231 13. Feb 12:14 log.0000000002
-rw------- 1 openldap openldap 5472292 13. Feb 12:20 log.0000000003
-rw------- 1 openldap openldap 73728 15. Feb 21:46 memberUid.bdb
-rw------- 1 openldap openldap 225280 15. Feb 21:46 objectClass.bdb
-rw------- 1 openldap openldap 8192 13. Feb 12:14 ou.bdb
-rw------- 1 openldap openldap 8192 13. Feb 12:14 sambaDomainName.bdb
-rw------- 1 openldap openldap 8192 13. Feb 12:14 sambaGroupType.bdb
-rw------- 1 openldap openldap 57344 13. Feb 12:14 sambaSID.bdb
-rw------- 1 openldap openldap 491520 13. Feb 12:20 uid.bdb
-rw------- 1 openldap openldap 40960 13. Feb 12:14 uidNumber.bdb
# ls -ld /etc/ldap
drwxr-xr-x 5 root root 4096 31. Mai 2010 /etc/ldap
# ls -l /etc/ldap
insgesamt 384
-rw-r--r-- 1 root root 1794 30. Aug 2009 autofs.ldif
-rw-r--r-- 1 root root 7287 19. Jan 2010 dhcp.ldif
-rw-r--r-- 1 root root 2386 3. Nov 2009 dns_arpa.ldif
-rw-r--r-- 1 root root 326496 3. Nov 2009 dns_ranges.ldif
-rw-r--r-- 1 root root 5820 3. Nov 2009 dns_skole.ldif
-rw-r--r-- 1 root root 355 31. Mai 2010 ldap.conf
-rw-r--r-- 1 root root 1175 30. Aug 2009 netgroup.ldif
-rw-r--r-- 1 root root 188 30. Aug 2009 rootDSE-debian-edu.ldif
-rw-r--r-- 1 root root 3605 30. Aug 2009 root.ldif
drwxr-xr-x 2 root root 4096 26. Nov 2009 sasl2
drwxr-xr-x 2 root root 4096 31. Mai 2010 schema
lrwxrwxrwx 1 root root 37 31. Mai 2010 slapd.conf -> /etc/ldap/slapd-lenny_debian-edu.conf
-rw-r--r-- 1 root root 6516 30. Aug 2009 slapd-lenny_debian-edu.conf
drwxr-x--x 2 openldap openldap 4096 31. Mai 2010 ssl
# ls -l /etc/ldap/ssl/
insgesamt 12
-rw-r--r-- 1 root root 1058 31. Mai 2010 ldap-server-pubkey.pem
-rw-r--r-- 1 openldap openldap 300 30. Aug 2009 slapd-cert.cnf
-rw------- 1 openldap openldap 1945 31. Mai 2010 slapd.pem
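The permission comparison Joachim describes (a listing from a working system held against the broken one), as an added example that is not part of the mail or of Debian Edu. It parses `ls -l` output in the layout shown above, reports every entry whose owner, group or mode differs from the reference, and also applies two baseline rules that hold for slapd's BDB directory on any system: everything belongs to the openldap user and group, and database files (`*.bdb`, `log.*`, `__db.*`) are mode 0600. The REFERENCE listing is an excerpt of the attachment; the SUSPECT listing is constructed with three typical faults.

```python
"""Compare a suspect `ls -l` listing of /var/lib/ldap with a known-good one.

Added example, not from the mail or from Debian Edu. The listing format is
the one in the mail: the date occupies fields 6-8, so the name starts at
field 9; a symlink target after '->' is dropped.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List

DB_USER = "openldap"                       # slapd runs as this user on Debian
DB_FILE_PATTERNS = ("*.bdb", "log.*", "__db.*")  # BDB data, txn logs, env files

@dataclass(frozen=True)
class Entry:
    name: str
    kind: str   # 'd' directory, '-' regular file, 'l' symlink
    mode: int   # permission bits, e.g. 0o600
    owner: str
    group: str

def parse_mode(perm: str) -> int:
    """Turn the nine-character rwx string into numeric mode bits."""
    mode = 0
    for i, ch in enumerate(perm[:9]):
        if ch in "rwxst":             # a permission bit set at this slot
            mode |= 1 << (8 - i)
        if ch in "sS" and i == 2:     # setuid shown in the owner x slot
            mode |= 0o4000
        elif ch in "sS" and i == 5:   # setgid shown in the group x slot
            mode |= 0o2000
        elif ch in "tT" and i == 8:   # sticky bit shown in the other x slot
            mode |= 0o1000
    return mode

def parse_ls(listing: str) -> Dict[str, Entry]:
    """Parse `ls -l` output; 'insgesamt'/'total' and prompt lines are skipped."""
    entries: Dict[str, Entry] = {}
    for line in listing.strip().splitlines():
        f = line.split()
        if len(f) < 9 or f[0][0] not in "-dl" or len(f[0]) < 10:
            continue
        name = " ".join(f[8:]).split(" -> ")[0]
        entries[name] = Entry(name, f[0][0], parse_mode(f[0][1:10]), f[2], f[3])
    return entries

def baseline_violations(entries: Dict[str, Entry]) -> List[str]:
    """Rules that must hold for slapd's data directory regardless of reference."""
    problems = []
    for e in entries.values():
        if (e.owner, e.group) != (DB_USER, DB_USER):
            problems.append(f"{e.name}: owned by {e.owner}:{e.group}, expected {DB_USER}:{DB_USER}")
        if e.mode & 0o022:
            problems.append(f"{e.name}: group/world writable (mode {e.mode:04o})")
        if any(fnmatch(e.name, p) for p in DB_FILE_PATTERNS) and e.mode != 0o600:
            problems.append(f"{e.name}: database file has mode {e.mode:04o}, expected 0600")
    return problems

def diff_listings(reference: Dict[str, Entry], suspect: Dict[str, Entry]) -> List[str]:
    """Entries missing from the suspect or differing in owner/group/mode."""
    problems = []
    for name, ref in reference.items():
        cur = suspect.get(name)
        if cur is None:
            problems.append(f"{name}: present on reference system but missing here")
        elif (cur.owner, cur.group, cur.mode) != (ref.owner, ref.group, ref.mode):
            problems.append(f"{name}: {cur.owner}:{cur.group} {cur.mode:04o}, "
                            f"reference {ref.owner}:{ref.group} {ref.mode:04o}")
    return problems

def audit(reference_listing: str, suspect_listing: str) -> List[str]:
    suspect = parse_ls(suspect_listing)
    found = baseline_violations(suspect) + diff_listings(parse_ls(reference_listing), suspect)
    return sorted(set(found))

# Excerpt of the working system's listing from the attachment above.
REFERENCE = """\
insgesamt 37800
-rw-r--r-- 1 openldap openldap 2048 15. Feb 21:46 alock
-rw------- 1 openldap openldap 1105920 13. Feb 12:17 cn.bdb
-rw------- 1 openldap openldap 3080 31. Mai 2010 DB_CONFIG
-rw------- 1 openldap openldap 4784128 15. Feb 21:46 id2entry.bdb
-rw------- 1 openldap openldap 10485700 13. Feb 12:14 log.0000000001
"""

# Constructed listing of a broken system: world-writable lock file, a
# database file taken over by root, and a world-readable transaction log.
SUSPECT = """\
insgesamt 37800
-rw-rw-rw- 1 openldap openldap 2048 15. Feb 21:46 alock
-rw------- 1 openldap openldap 1105920 13. Feb 12:17 cn.bdb
-rw------- 1 openldap openldap 3080 31. Mai 2010 DB_CONFIG
-rw------- 1 root root 4784128 15. Feb 21:46 id2entry.bdb
-rw-r--r-- 1 openldap openldap 10485700 13. Feb 12:14 log.0000000001
"""

if __name__ == "__main__":
    for problem in audit(REFERENCE, SUSPECT):
        print(problem)
```

Paste the output of `ls -l /var/lib/ldap` from each machine into the two strings; a root-owned `id2entry.bdb` (typically left behind by running slapadd or slapindex as root) is the fault this catches most often, and the fix is `chown -R openldap:openldap /var/lib/ldap` with the server stopped.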
# Allow LDAPv2 binds
allow bind_v2
# The skolelinux slapd configuration file
#
# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/courier.schema
include /etc/ldap/schema/automount.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/lis.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/dnsdomain2.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# Read slapd.conf(5) for possible values
#loglevel 65535
loglevel none
rootDSE /etc/ldap/rootDSE-debian-edu.ldif
# TLS/SSL
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
TLSCertificateFile /etc/ldap/ssl/slapd.pem
#TLSCACertificateFile /var/lib/pyca/Root/cacert.pem
#TLSCertificateKeyFile /var/lib/pyca/ServerCerts/private/cakey.pem
#TLSCertificateFile /var/lib/pyca/ServerCerts/cacert.pem
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_monitor
defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
security update_ssf=128 simple_bind=128
backend bdb
backend monitor
#######################################################################
# bdb database definitions
#######################################################################
# The backend type; bdb is used here
database bdb
# Set the database in memory cache size.
#
cachesize 4000
dbnosync
sizelimit 4000
# First database
suffix "dc=skole,dc=skolelinux,dc=no"
rootdn "cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
# Where the database files are physically stored
directory "/var/lib/ldap"
# Indices to maintain
index objectClass pres,eq
index cn,sn,ou pres,eq,sub
index uid pres,eq,sub
index groupType eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index default eq
#for some clients, even if not used
index givenname eq
index displayName eq
index telephoneNumber eq
#samba index
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
# PowerDNS index
index associatedDomain pres,eq,sub
# Save the time that the entry gets modified
lastmod on
# Webmin-ldap-skolelinux uses TLS, and PAM authentication uses SSL
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
#
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
by * none break
access to *
by group/lisAclGroup/member="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 write
by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
by * none break
access to dn.base="cn=nextID,ou=Variables,dc=skole,dc=skolelinux,dc=no"
attrs=gidNumber
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
by * read
# Do not give jradmins access to the userPassword attribute of the higher-privileged accounts
access to dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"
attrs=userPassword
by self ssf=128 =wx
by anonymous ssf=128 auth
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" none
by * none
access to dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
attrs=userPassword
by self ssf=128 =wx
by anonymous ssf=128 auth
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" none
by * none
access to attrs=userPassword
by self ssf=128 =wx
by anonymous ssf=128 auth
by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
by * none
access to attrs=shadowLastChange
by self ssf=128 =w
by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
by * none
#
# Allow samba to add groupmap information to existing groups.
#
access to dn.subtree="ou=Group,dc=skole,dc=skolelinux,dc=no"
attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
by * none break
#
# Ensure samba password hashes.
#
# Restricted access to some samba attributes
# (allow access for admin so as not to break old installations)
# Restrict jradmins from accessing the attributes of the higher-privileged accounts
access to attrs=sambaLMPassword,sambaNTPassword
by self ssf=128 =w
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
by * none
access to attrs=sambaPwdLastSet,sambaPwdCanChange
by self ssf=128 =wr
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
by * read
# Access to samba attributes
access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * read
access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * read
# We store machine-accounts for samba in a private ou
access to dn.sub="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
by * read
# Defaultaccess
access to *
by * read
# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
database monitor
# End of slapd configuration file
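The access rules in the attached file follow two conventions worth checking mechanically when comparing a modified slapd.conf against this default: every rule that grants write carries `ssf=128` (so writes only happen over TLS, matching `security update_ssf=128 simple_bind=128`), and no clause that names a password attribute gives `*`, `anonymous` or `users` more than `auth`. The following linter is an added example, not part of the mail or of Debian Edu. It parses `access to ... by ...` clauses in the layout used above (each `by` rule on its own line, `attrs=` possibly on a continuation line) and reports both deviations. It only inspects clauses that name password attributes explicitly; slapd evaluates clauses first-match, so the trailing `access to * by * read` is masked by the earlier password clauses and is not reported. SAMPLE_CONF is constructed: its first clause is copied from the file, its second is deliberately weakened so both findings fire.

```python
"""Lint slapd.conf access clauses for unprotected writes and exposed passwords.

Added example, not from the mail or from Debian Edu. Only the plain `ssf=`
qualifier is recognised; tls_ssf=/transport_ssf= are treated as absent.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

PASSWORD_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = {"stop", "continue", "break"}
MIN_SSF = 128          # matches 'security update_ssf=128' in the file
PUBLIC_WHO = {"*", "anonymous", "users"}

@dataclass
class ByRule:
    who: str
    level: str = ""    # e.g. 'read', 'none', '=wx'
    ssf: int = 0       # 0 when no ssf= requirement is attached
    control: str = "stop"

@dataclass
class Clause:
    what: str
    attrs: List[str] = field(default_factory=list)   # empty = all attributes
    rules: List[ByRule] = field(default_factory=list)

def grants_write(level: str) -> bool:
    # 'w' write, 'a' add, 'z' delete in the explicit =... form
    return level in ("write", "manage") or (level.startswith("=") and any(c in level for c in "wza"))

def grants_read(level: str) -> bool:
    return level in ("read", "write", "manage") or (level.startswith("=") and "r" in level)

def parse_by(text: str) -> ByRule:
    """Parse the part after 'by'; shlex keeps quoted set="... & this" intact."""
    tokens = shlex.split(text)
    rule = ByRule(who=tokens[0])
    for tok in tokens[1:]:
        if tok.startswith("ssf="):
            rule.ssf = int(tok[4:])
        elif tok in CONTROLS:
            rule.control = tok
        elif tok in LEVELS or tok.startswith("="):
            rule.level = tok
    return rule

def parse_acl(conf: str) -> List[Clause]:
    clauses: List[Clause] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            clauses.append(Clause(what=line[len("access to"):].strip()))
        elif clauses and line.startswith("by "):
            clauses[-1].rules.append(parse_by(line[3:]))
        elif clauses and line.startswith(("attrs=", "filter=")):
            clauses[-1].what += " " + line          # continuation line
    for c in clauses:
        m = re.search(r"attrs=(\S+)", c.what)
        c.attrs = m.group(1).split(",") if m else []
    return clauses

def lint(conf: str) -> List[str]:
    findings = []
    for n, clause in enumerate(parse_acl(conf), 1):
        names_password = {a.lower() for a in clause.attrs} & PASSWORD_ATTRS
        for r in clause.rules:
            label = f"clause {n} ({clause.what}): 'by {r.who} {r.level}'"
            if grants_write(r.level) and r.ssf < MIN_SSF:
                findings.append(f"{label} grants write without ssf>={MIN_SSF}")
            if names_password and r.who in PUBLIC_WHO and (grants_read(r.level) or grants_write(r.level)):
                findings.append(f"{label} exposes password attributes to {r.who}")
    return findings

# Constructed sample: clause 1 is the file's userPassword clause, clause 2 is a
# deliberately weakened samba-hash clause, clause 3 is the default.
SAMPLE_CONF = """\
access to attrs=userPassword
by self ssf=128 =wx
by anonymous ssf=128 auth
by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
by * none
access to attrs=sambaLMPassword,sambaNTPassword
by self =w
by * read
access to *
by * read
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it on the full attached file and on the webmin-modified one; a `by` rule that lost its `ssf=128`, or a `by * read` that migrated into a password clause, shows up as a one-line finding that is easy to miss when eyeballing the two files.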