Hello list,
I am running an OpenLDAP 2.4 server under FreeBSD that was working
well until the config was tweaked by someone on the team without
properly documenting their work.
# /usr/local/etc/ldap.conf on ldap server (FreeBSD 8.1)
# NOTE(review): the shell prompt and the client config both name LBSD2, but this
# points at LBSD — confirm both names resolve to the same server.
host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
# DN the nss/pam stack binds as before doing lookups.
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
# bindpw is the credential presented in the simple bind; it should be the
# account's actual password, not a hash string copied from the directory entry.
# Redacted in this post. This file must stay unreadable to ordinary users since
# it holds a working directory credential.
bindpw {SSHA}secret
scope sub
pam_password exop
# NSS only searches under ou=staff; the walbs entry returned by ldapsearch
# further down lives under ou=People — verify ou=staff really holds (or refers
# to) the accounts that are expected to log in.
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# getent on the LDAP server itself finds the LDAP account (and the empty grep on /etc/passwd confirms it is not a local account):
[root at LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root at LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root at LBSD2:/usr/local/etc/openldap] #
# /etc/ldap.conf on ldap client (centos 5.5)
host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
# Same service DN as on the server.
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
# NOTE(review): this bindpw ({crypt}...) differs from the server's working copy
# ({SSHA}...), and the slapd log below shows err=49 (invalidCredentials) on the
# BIND for exactly this DN. bindpw must be the account's real password, not a
# hash string; reconcile it with the server's ldap.conf first. Keep this file
# root-only readable.
bindpw {crypt}secret
scope sub
pam_password exop
# Lookups are restricted to ou=staff here, while the ldapsearch below finds
# walbs under ou=People — confirm the search base matches where accounts live.
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# on the client, getent passwd does not return the LDAP account; it only
# comes back after a long pause (consistent with the LDAP lookup failing or timing out):
[root at LCENT01:~] #getent passwd | grep walbs
[root at LCENT01:~] #
# nsswitch on the client
# Local files are consulted first, then LDAP, for the account databases.
passwd: files ldap
shadow: files ldap
group: files ldap
# NOTE(review): sudoers lists ldap only, with no "files" fallback. While the
# LDAP bind is failing (err=49 in the slapd log) sudo on this host has no
# usable rules source — confirm whether this sudo build still consults
# /etc/sudoers when only ldap is listed before relying on it for recovery.
sudoers: ldap
#hosts: db files nisplus nis dns
hosts: files dns
# this is what's going on in the logs on the ldap server during the
# getent from the client (tag=97 err=49 is the BIND result: LDAP invalidCredentials for the cn=pam_ldap DN)
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from
IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND
dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
# an ldapsearch from a client, binding as the pam services account, does
# locate the ldap user info. Two caveats: this was run from LCENT02, not the
# LCENT01 host where getent failed, so it does not prove LCENT01's bindpw; and
# passing the password with -w puts it in ps output and shell history — prefer
# -W (prompt) or -y <file>.
[root at LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D
'cn=pam_ldap
,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b
'dc=summitnjhome,dc=com'
'(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#
# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs at example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# the pam_ldap services account as stored in the ldap directory:
3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret
I have also tried anonymous binds from the client, as well as a plain-text
bindpw, and the server logs the same tag=97 err=49 (invalidCredentials) on
the cn=pam_ldap BIND either way. Note that the two ldap.conf files above do
not agree on bindpw ({SSHA}... on the server, {crypt}... on the client), and
lookups only work on the server, so the client's bindpw for that DN is the
first thing to reconcile.
Some advice is sorely needed here. Thank you very kindly in advance!
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
-------------- next part --------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# NOTE(review): with the directive below left commented out nothing requires
# TLS, and the clients above use ldap:// on port 389 — so the pam_ldap bind
# password (and any password change sent via "pam_password exop") crosses the
# network unencrypted unless TLS is negotiated elsewhere. Configure TLS and
# enable at least simple_bind=64 to close that.
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
access to attrs=userPassword by self write
by anonymous auth
access to * by self write
by dn.children="ou=staff,dc=summitnjhome,dc=com" write
by users read
by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# NOTE(review): the "access to *" rule above grants "by self write" (and
# "by dn.children=ou=staff write") on every attribute except userPassword.
# As written, a posixAccount user can rewrite their own uidNumber/gidNumber —
# e.g. set uidNumber to 0 and become root on every host using this directory
# for NSS — and any entry under ou=staff can rewrite other entries outright.
# Limit writes to the attributes users legitimately self-manage.
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=summitnjhome,dc=com"
rootdn "cn=Manager,dc=summitnjhome,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): the {SHA} value on the next line is an unsalted SHA-1 hash and
# has now been posted to a public list — treat the Manager password as
# compromised, rotate it, and generate the replacement with slappasswd using
# a salted scheme ({SSHA} or stronger).
rootpw {SHA}IbITBYGVYI9Gk9EPAQEB5Fw+B4k=
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/summitnjhome.com
# Indices to maintain
index objectClass eq