Hi
I have been trying to set up LDAP authentication for over a day
and made all the usual mistakes, including the current one,
which I can't find, although it's likely to be connected with:
nss_base_passwd
---------------------------------------------------------------------
While I am asking for help I should explain what I am trying to achieve:
I would like to forward a request for authentication to say
umbrella.psi.net if the user is in ldap but not the password.
so if the [log in to unmask] exists without a password, should I
a) configure ldap to forward a request for authentication
b) fall back into the pam stack and use another pam module to talk to
umbrella.psi.net
so that 'account required' is satisfied
and authentication is satisfied if the forwarded authentication is
successful?
Which approach requires the least prior knowledge?
I have more experience with RADIUS than LDAP, GSS, PAM
And what is the chance of me being able to demonstrate this by Wednesday
or Thursday?
I previously had non-local users get forwarded to RADIUS using
pam_radius, and successfully authenticated
but the user couldn't ssh because they didn't have a local account.
However, I have now set up local accounts in LDAP if only I could get it
to work.
For the purposes of demonstration I think it would be easier for me to
fall back into pam_radius and get RADIUS to talk to umbrella.
Any advice greatly appreciated...
---------------------------------------------------------------------
extract from ldap.conf:
nss_base_passwd ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
nss_base_shadow ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
nss_base_group ou=Group,dc=testshib1,dc=diamond,dc=ac,dc=uk?one
---------------------------------------------------------------------
tail of auth log:
Nov 8 10:21:47 wcap93-virtual-machine slapd[7429]: DIGEST-MD5 common mech free
Nov 8 10:24:56 wcap93-virtual-machine getent: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Invalid DN syntax
--------------------------------------------------------
Is it using a totally blank DN because I don't see what it is trying to
use as a DN in the output from getent?
--------------------------------------------------------
This works
ldapsearch -x -LLL -H ldap:/// -b dc=testshib1,dc=diamond,dc=ac,dc=uk dn
and so does this
ldapsearch -x -LLL -H ldap:/// -b ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk dn
I had previously mixed up ou=People and ou=Users but I think I have
fixed those errors now
-----------------------------------------------------------
so my users look like this
ldapsearch -x -LLL -H ldap:/// -b dc=testshib1,dc=diamond,dc=ac,dc=uk dn
dn: dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: cn=admin,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: ou=Groups,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: [log in to unmask],ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: [log in to unmask],ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: uid=fredinldap,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: uid=mandymd5,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
dn: uid=mandysha512,ou=Users,dc=testshib1,dc=diamond,dc=ac,dc=uk
---------------------------------------------------------------
getent:
ldap_write: want=66, written=66
0000: 30 40 02 01 01 60 3b 02 01 03 04 2e 22 63 6e 3d  0@...`;....."cn=
0010: 61 64 6d 69 6e 2c 64 63 3d 74 65 73 74 73 68 69  admin,dc=testshi
0020: 62 31 2c 64 63 3d 64 69 61 6d 6f 6e 64 2c 64 63  b1,dc=diamond,dc
0030: 3d 61 63 2c 64 63 3d 75 6b 22 80 06 73 65 63 72  =ac,dc=uk"..secr
0040: 65 74                                            et
ldap_result ld 0x1c5a390 msgid 1
wait4msg ld 0x1c5a390 msgid 1 (timeout 30000000 usec)
wait4msg continue ld 0x1c5a390 msgid 1 all 0
** ld 0x1c5a390 Connections:
* host: 127.0.0.1 port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Nov 8 10:24:56 2011
** ld 0x1c5a390 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1c5a390 request count 1 (abandoned 0)
** ld 0x1c5a390 Response Queue:
Empty
ld 0x1c5a390 response count 0
ldap_chkResponseList ld 0x1c5a390 msgid 1 all 0
ldap_chkResponseList returns ld 0x1c5a390 NULL
ldap_int_select
read1msg: ld 0x1c5a390 msgid 1 all 0
ber_get_next
ldap_read: want=8, got=8
0000: 30 16 02 01 01 61 11 0a                          0....a..
ldap_read: want=16, got=16
0000: 01 22 04 00 04 0a 69 6e 76 61 6c 69 64 20 44 4e  ."....invalid DN
ber_get_next: tag 0x30 len 22 contents:
ber_dump: buf=0x1c63ce0 ptr=0x1c63ce0 end=0x1c63cf6 len=22
0000: 02 01 01 61 11 0a 01 22 04 00 04 0a 69 6e 76 61  ...a..."....inva
0010: 6c 69 64 20 44 4e                                lid DN
read1msg: ld 0x1c5a390 msgid 1 message type bind
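Added example (not part of the post above, and not nss_ldap or OpenLDAP code): a small Python decoder for the BER bytes that nss_ldap's debug output prints, run over the hex rows copied from the getent trace. It answers the question the poster asks: the bind is not sent with a blank DN. The BindRequest carries the DN as an OCTET STRING of 46 bytes whose first and last bytes are 0x22, i.e. the literal double quotes in "cn=admin,dc=testshib1,dc=diamond,dc=ac,dc=uk", and slapd answers with resultCode 34 (invalidDNSyntax, "invalid DN"). In nss_ldap a likely cause is a binddn line in ldap.conf whose value is written in quotes; that line is not in the extract above, so this is an inference from the wire bytes, not something the post shows. The dump also contains the simple-bind password (80 06 73 65 63 72 65 74, "secret") in clear text, which is worth redacting before such traces are posted. The decoder, dataclass names and the diagnose() helper are this example's own.

```python
"""Decode the LDAP BindRequest / BindResponse that nss_ldap's debug output dumps.

Example code: the hex rows are copied from the getent trace in the post; the
decoder and helper names below are hypothetical, not part of nss_ldap.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the post (ldap_write = BindRequest). The ASCII column is
# kept as printed; the parser ignores it.
BIND_REQUEST_DUMP = """
0000: 30 40 02 01 01 60 3b 02 01 03 04 2e 22 63 6e 3d  0@...`;....."cn=
0010: 61 64 6d 69 6e 2c 64 63 3d 74 65 73 74 73 68 69  admin,dc=testshi
0020: 62 31 2c 64 63 3d 64 69 61 6d 6f 6e 64 2c 64 63  b1,dc=diamond,dc
0030: 3d 61 63 2c 64 63 3d 75 6b 22 80 06 73 65 63 72  =ac,dc=uk"..secr
0040: 65 74                                            et
"""
# The two ldap_read chunks (8 + 16 bytes) of one BindResponse, in read order.
BIND_RESPONSE_DUMP = """
0000: 30 16 02 01 01 61 11 0a                          0....a..
0000: 01 22 04 00 04 0a 69 6e 76 61 6c 69 64 20 44 4e  ."....invalid DN
"""

# LDAPResult resultCode values (RFC 4511) relevant to a bind.
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials"}

_ROW = re.compile(r"^[0-9a-fA-F]{4}:\s+(.*)$")
_HEX = re.compile(r"^[0-9a-fA-F]{2}$")


def dump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex bytes of every 'NNNN: ..' row; each row stops at the
    first token that is not a two-digit hex byte (the ASCII column)."""
    out = bytearray()
    for line in dump.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        for tok in m.group(1).split():
            if not _HEX.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ber_tlv(buf: bytes, pos: int):
    """Parse one definite-length BER TLV at buf[pos]; return (tag, contents, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def ber_int(contents: bytes) -> int:
    return int.from_bytes(contents, "big", signed=True)


@dataclass
class BindRequest:
    msgid: int
    version: int
    name: str                   # bind DN exactly as it went on the wire
    password: Optional[bytes]   # simple authentication ([0] context tag), if used


@dataclass
class BindResponse:
    msgid: int
    result_code: int
    matched_dn: str
    diagnostic: str


def _message(msg: bytes, expected_op: int):
    """Unwrap LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... }."""
    tag, body, _ = ber_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, v, pos = ber_tlv(body, 0)
    tag, op, _ = ber_tlv(body, pos)
    if tag != expected_op:
        raise ValueError(f"expected protocolOp tag {expected_op:#x}, got {tag:#x}")
    return ber_int(v), op


def parse_bind_request(msg: bytes) -> BindRequest:
    msgid, op = _message(msg, 0x60)         # [APPLICATION 0] BindRequest
    _, v, pos = ber_tlv(op, 0)
    version = ber_int(v)
    _, v, pos = ber_tlv(op, pos)
    name = v.decode("utf-8")
    tag, v, _ = ber_tlv(op, pos)            # 0x80 = simple password
    return BindRequest(msgid, version, name, v if tag == 0x80 else None)


def parse_bind_response(msg: bytes) -> BindResponse:
    msgid, op = _message(msg, 0x61)         # [APPLICATION 1] BindResponse
    _, v, pos = ber_tlv(op, 0)              # ENUMERATED resultCode
    code = ber_int(v)
    _, v, pos = ber_tlv(op, pos)            # matchedDN
    matched = v.decode("utf-8")
    _, v, _ = ber_tlv(op, pos)              # diagnosticMessage
    return BindResponse(msgid, code, matched, v.decode("utf-8"))


def diagnose(req: BindRequest, resp: BindResponse) -> List[str]:
    """State what the wire bytes show, one finding per entry."""
    findings = []
    if resp.result_code != 0:
        findings.append(f"server answered {RESULT_CODES.get(resp.result_code, '?')} "
                        f"({resp.result_code}): {resp.diagnostic!r}")
    if len(req.name) >= 2 and req.name[0] == '"' and req.name[-1] == '"':
        findings.append(f"bind DN was sent with literal double quotes: {req.name}; "
                        f"the DN inside them is {req.name[1:-1]}")
    if req.password is not None:
        findings.append("simple bind: the password is in this dump in clear text")
    return findings


if __name__ == "__main__":
    request = parse_bind_request(dump_to_bytes(BIND_REQUEST_DUMP))
    response = parse_bind_response(dump_to_bytes(BIND_RESPONSE_DUMP))
    print(request)
    print(response)
    for finding in diagnose(request, response):
        print(" -", finding)
```

The same decoder can be pointed at any ldap_write/ldap_read rows from an nss_ldap or pam_ldap trace; the point is that the server's "Invalid DN syntax" refers to the bytes inside the OCTET STRING, quotes included, so reading the DN back out of the dump is quicker than guessing which ldap.conf line produced it.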