Re: ldap on debian stable [long]
caio ferreira wrote:
...
After I installed the libnss-ldap library I can no longer log in to the
machine, neither locally nor remotely via ssh. Another strange thing that
happens is that I can no longer extract a simple .tar.gz file. As soon as
I remove the library everything goes back to normal ?!?!? Could it be some
configuration of the library that is causing this problem ?!?!?!?!?
...
[long e-mail, BEWARE! :) ]
Greetings,
Don't worry, installing LDAP is always a real %#%#%@*! at the start, which is
why I recommend you calmly read *all* of the LDAP documentation at:
http://www.openldap.org/doc/admin/ ; honestly, it is worth the time spent.
As for the snag, I have already managed to install it on a Debian woody at my
company, and I have it installed and authenticating all users on my home
machine running Debian Unstable. Regarding libnss, it's a guess, but it's
possible that the configuration in /etc/nsswitch.conf isn't helping you.
Below I list the configuration of the files from my Debian Unstable, which
should work on woody as well. Pay close attention to the files
/etc/pam.d/login, passwd, ssh and the others in the /etc/pam.d directory; note
the precedence of pam_ldap.so in the entries, the sequence is important, as it
indicates the order PAM will follow to authenticate.
Another detail to note is the /etc/nsswitch.conf file: if you list ldap first
in the lookup sequence, your authentications will always be done via ldap first
(which is what we all want, right :), but that causes trouble when the LDAP
server goes down; some services/commands may take quite a while, because they
will try to look up user credentials insisting on LDAP and only then try the
other source listed in nsswitch.conf. You may notice this when
rebooting/shutting down the machine: the final scripts may become slower to
finish.
NOTE: In my nss configuration I use the user nss, but it is just a clone of the
classic admin (of LDAP) that we all know; I only use it for debugging how
libnss-ldap works. You can substitute admin without problems and use the LDAP
admin password where appropriate.
NOTE2: I have already tried installing LDAP on my other machine here, with
Slackware 10.0, and everything worked fine; the procedures (and headaches) are
the same ones we find with Debian :) Although I admit that with Slackware it
was much faster to install and configure :P
Hope this helps, good luck.
--
[]s
Pedro
Developer, Jedi Master, Slackwarrior
Registered Linux User no. 274710
Debian-BR GNU/Linux User no. 606
'And may the source be with you!'
Here are some files to help you find your way:
=== /etc/nsswitch.conf ===
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#passwd: files ldap
#group: files ldap
#shadow: files ldap
passwd: ldap files
group: ldap files
shadow: ldap files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
#netgroup: nis
netgroup: files winbind nis
=== /etc/nsswitch.conf ===
=== /etc/ldap/ldap.conf ===
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host vger.docaespacial
base dc=docaespacial,dc=org
rootbinddn cn=admin,dc=docaespacial,dc=org
scope one
#pam_filter objectclass=account
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
nss_base_passwd ou=People,dc=docaespacial,dc=org?one
nss_base_shadow ou=People,dc=docaespacial,dc=org?one
nss_base_group ou=Group,dc=docaespacial,dc=org?one
binddn cn=admin,dc=docaespacial,dc=org
bindpw SenhaDoMeuUsuarioADMIN...
#pam_groupdn cn=users,ou=Group,dc=docaespacial,dc=org
ssl no
=== /etc/ldap/ldap.conf ===
=== /etc/pam.d/sudo ===
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so
=== /etc/pam.d/sudo ===
=== /etc/pam.d/su ===
#
# The PAM configuration file for the Shadow `su' service
#
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo" to
# to the end of this line if you want to use a group other
# than the default "root".
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
auth sufficient pam_ldap.so
@include common-auth
account sufficient pam_ldap.so
@include common-account
session sufficient pam_ldap.so
@include common-session
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session required pam_limits.so
=== /etc/pam.d/su ===
=== /etc/libnss-ldap.conf ===
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure libnss-ldap to configure this file.
#
# @(#)$Id: ldap.conf,v 2.33 2003/06/17 00:23:30 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host vger.docaespacial
# The distinguished name of the search base.
base dc=docaespacial,dc=org
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://vger.docaespacial/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=nss,dc=docaespacial,dc=org
# The credentials to bind with.
# Optional: default is no credential.
bindpw MinhaSenhaDoUsuarioNSSAqui...
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=docaespacial,dc=org
#nss_base_shadow ou=People,dc=padl,dc=com?one
nss_base_group ou=Group,dc=docaespacial,dc=org
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# Alternatively, if you wish to equivalence W2K and POSIX
# groups, change the uniqueMember mapping line to:
#nss_map_attribute uniqueMember member
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
=== /etc/libnss-ldap.conf ===
=== /etc/pam.d/login ===
#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#
auth sufficient pam_ldap.so
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth requisite pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth required pam_env.so
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Standard Un*x account and session
account sufficient pam_ldap.so
@include common-account
@include common-session
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session required pam_limits.so
# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so
# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session optional pam_mail.so standard noenv
@include common-password
=== /etc/pam.d/login ===
=== /etc/pam.d/passwd ===
#
# The PAM configuration file for the Shadow `passwd' service
#
password sufficient pam_ldap.so
@include common-password
=== /etc/pam.d/passwd ===
=== /etc/pam.d/ssh ===
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# Disallow non-root logins when /etc/nologin exists.
#auth required pam_nologin.so
auth sufficient pam_ldap.so
# Standard Un*x authentication.
@include common-auth
account sufficient pam_ldap.so
# Standard Un*x authorization.
@include common-account
session sufficient pam_ldap.so
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
password sufficient pam_ldap.so
# Standard Un*x password updating.
@include common-password
=== /etc/pam.d/ssh ===
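The point about the precedence of pam_ldap.so, as an added example that is not part of this e-mail: a small Python simulation of how Linux-PAM walks an auth stack under the required/requisite/sufficient control flags, run over the auth section of the /etc/pam.d/ssh above. It assumes Debian's common-auth expands to `auth required pam_unix.so`; module outcomes are supplied by the caller so it runs offline.

```python
# The auth section of /etc/pam.d/ssh from the e-mail, with "@include common-auth"
# expanded to Debian's default "auth required pam_unix.so" (assumption).
SSH_AUTH_STACK = [
    "auth required pam_env.so",
    "auth sufficient pam_ldap.so",
    "auth required pam_unix.so",    # from @include common-auth
]

def parse_stack(lines):
    """Turn pam.d lines into (control, module) pairs, dropping comments/blanks."""
    stack = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _type, control, module = line.split()[:3]
        stack.append((control, module))
    return stack

def evaluate(stack, outcomes):
    """Walk the stack and return (result, modules_consulted).
    outcomes maps module -> True (success) / False (failure); a module that is
    absent models PAM_IGNORE (pam_env.so returns that for auth).
    required   - a failure is remembered, but later modules still run;
    requisite  - a failure ends the stack immediately;
    sufficient - a success ends the stack with success, unless an earlier
                 required module already failed; a failure is ignored."""
    consulted, failed, succeeded = [], False, False
    for control, module in stack:
        consulted.append(module)
        ok = outcomes.get(module)
        if ok is None:
            continue
        if ok:
            if control == "sufficient" and not failed:
                return "success", consulted
            if control in ("required", "requisite"):
                succeeded = True
        elif control == "requisite":
            return "fail", consulted
        elif control == "required":
            failed = True
    return ("success" if succeeded and not failed else "fail"), consulted

if __name__ == "__main__":
    stack = parse_stack(SSH_AUTH_STACK)
    # LDAP user: pam_ldap succeeds, pam_unix is never reached.
    print(evaluate(stack, {"pam_ldap.so": True, "pam_unix.so": False}))
    # Local-only user (or LDAP server unreachable): pam_ldap fails, pam_unix decides.
    print(evaluate(stack, {"pam_ldap.so": False, "pam_unix.so": True}))
```

Swapping the two lines so that `auth required pam_unix.so` comes before `auth sufficient pam_ldap.so` makes an LDAP-only user fail even though pam_ldap succeeds, because the earlier required failure is remembered.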