Roberto C. Sanchez wrote:
Would you mind providing your ldap configuration files and/or some
pointers to whatever resources you used. I started last night setting
up an LDAP server by reading the LDAP-HOWTO and a 4 part column by Carla
Schroeder (I think) on setting up LDAP.
I have slapd running and I can search the database as long as I am root
on the box running slapd. If I am not root, or I try connecting from a
remote client or I try logging in to phpldapadmin, then I either get an
"unable to bind" error or a bad username/password error.
-Roberto
Sure.
I mainly used the "LDAP linux how-to" from Malere:
http://www.tldp.org/HOWTO/LDAP-HOWTO/
and some chapters from the book written by Gerald Carter, LDAP System
administration (which I borrowed from my university).
As of today, I don't have direct access to the computer I'm working on
(turned off during WE, eeek :/ ), but still, I have all the main conf
files.
/etc/ldap.conf (necessary for all requests for information from the ldap
server, client side):
host 192.168.1.225
base dc=bde,dc=espci,dc=fr
ldap_version 3
scope sub
timelimit 30
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=promos,dc=bde,dc=espci,dc=fr?sub
nss_base_shadow ou=promos,dc=bde,dc=espci,dc=fr?sub
nss_base_group ou=groups,dc=bde,dc=espci,dc=fr?sub
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
/etc/ldap/slapd.conf (sadly, I still have the old version one -
basically, it doesn't differ from the new one, except for the ACLs,
which are quite unsafe here):
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 296
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30
database bdb
suffix "dc=bde,dc=espci,dc=fr"
rootdn "cn=root,dc=bde,dc=espci,dc=fr"
rootpw {SSHA}PtJ9RObW3cfCSTuZHNPbXE9nWGeb85KV
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,mail approx,eq
index sambaSID,sambaDomainName eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
cachesize 800
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to attrs=userPassword
# by dn="cn=root,dc=bde,dc=espci,dc=fr" write
# by self write
# by * read
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
# access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=root,dc=bde,dc=espci,dc=fr" write
by self write
by * read
The Samba schema was found in /usr/share/doc/samba/examples/ (not sure
of that though, but it should be in the samba docs anyway, or findable
with some googling).
/etc/nsswitch.conf (necessary if you need ldap entries in C libraries,
like /etc/passwd, and shadow)
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Oh, I just forgot: if you do not want to "start from scratch" with the ldap
directory or accounts, you can use some of the migration tools from
PADL software, and adapt them to your needs:
http://www.padl.com/OSS/MigrationTools.html
Finally, all the client and server side errors you could get when
trying ldapsearch and the likes:
http://www.directory-info.com/LDAP/LDAPErrorCodes.html
Concerning your problem: binding errors often occur when the client
doesn't get the information it requested from the ldap server. There can be
many reasons (strong ACLs, HOST attribute not correct in the ldap.conf
file, etc...). First, be sure that root can see all the users in the ldap
directory ("getent passwd"), and check, on the client side, that you have
a connection to the port you defined for ldap.
Actually, try turning off nscd (the cache daemon for NSS), as it could
mess up all the real time changes you're making to your configuration
files, since by default the cache has a 10 min lifetime before renewal.
Do this on both the server and client side, and just turn it back on when
you're finished with your ldap system.
Hope that helps.
Regards,
Jean-Yves Migeon.
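An added illustration of why the posted slapd.conf ACLs are "quite unsafe", not part of the original message: with the userPassword clause commented out, the catch-all "access to * ... by * read" clause is the only one left, so any client, including anonymous ones, can read every user's password hash. The script below emulates a small subset of slapd's first-match ACL evaluation (only "*", "attrs=", "dn.base" targets and "dn=", "self", "anonymous", "users", "*" requesters) over the ACL block from the message and over a hardened variant written for this example. The DNs for alice and bob are constructed sample entries, and the hardened ACL is a suggestion, not configuration from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ACL block as posted above: the userPassword clause is commented out,
# so the catch-all clause governs password hashes.
WEAK_ACL = """
#access to attrs=userPassword
#       by dn="cn=root,dc=bde,dc=espci,dc=fr" write
#       by self write
#       by * read
access to *
        by dn="cn=root,dc=bde,dc=espci,dc=fr" write
        by self write
        by * read
"""

# Hardened variant (constructed for this example, not from the thread):
# password attributes are writable by the admin and the owner, usable for
# binding by anonymous clients (auth) and otherwise hidden; the catch-all
# clause comes last, because slapd stops at the first matching <what>.
HARDENED_ACL = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=root,dc=bde,dc=espci,dc=fr" write
        by self write
        by anonymous auth
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=root,dc=bde,dc=espci,dc=fr" write
        by self write
        by * read
"""

# OpenLDAP privilege ladder: each level implies the ones to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOT_DN = "cn=root,dc=bde,dc=espci,dc=fr"
ALICE = "uid=alice,ou=promos,dc=bde,dc=espci,dc=fr"   # constructed sample entry
BOB = "uid=bob,ou=promos,dc=bde,dc=espci,dc=fr"       # constructed sample entry


@dataclass
class AccessClause:
    what: str
    by: List[Tuple[str, str]] = field(default_factory=list)


def parse_acls(text: str) -> List[AccessClause]:
    """Parse 'access to <what>' / 'by <who> <level>' lines; comments are dropped."""
    clauses: List[AccessClause] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            clauses.append(AccessClause(what=line[len("access to "):].strip()))
        elif line.startswith("by "):
            if not clauses:
                raise ValueError("'by' clause before any 'access to'")
            _, who, level = line.split()
            clauses[-1].by.append((who, level))
        else:
            raise ValueError(f"unsupported directive: {raw!r}")
    return clauses


def _what_matches(what: str, target_dn: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what == 'dn.base=""':
        return target_dn == ""
    raise ValueError(f"unsupported <what>: {what}")


def _who_matches(who: str, requester_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return requester_dn == m.group(1)
    raise ValueError(f"unsupported <who>: {who}")


def effective_access(clauses: List[AccessClause], requester_dn: Optional[str],
                     target_dn: str, attr: str) -> str:
    """First-match evaluation as slapd does it: the first clause whose <what>
    matches decides, and inside it the first matching 'by' wins; a matching
    clause with no matching 'by' grants nothing. requester_dn=None is anonymous."""
    for clause in clauses:
        if _what_matches(clause.what, target_dn, attr):
            for who, level in clause.by:
                if _who_matches(who, requester_dn, target_dn):
                    return level
            return "none"
    return "none"


def password_hashes_exposed(clauses: List[AccessClause], entry_dn: str, other_dn: str) -> bool:
    """True if an anonymous client or another ordinary user can read userPassword."""
    for requester in (None, other_dn):
        level = effective_access(clauses, requester, entry_dn, "userPassword")
        if LEVELS.index(level) >= LEVELS.index("read"):
            return True
    return False


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        acls = parse_acls(text)
        print(f"{name}: anonymous on userPassword ->",
              effective_access(acls, None, ALICE, "userPassword"),
              "| hashes exposed:", password_hashes_exposed(acls, ALICE, BOB))
```

Running it reports "read" and exposed for the posted ACLs and "auth" and not exposed for the hardened ones, while alice and the rootdn keep write access to her password in both cases; the same first-match rule is why the attrs=userPassword clause has to precede "access to *".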