Tay, Gary
2005-Aug-25 04:54 UTC
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
0) As mentioned in previous email, use "ldapclient -i", not "ldapclient -P". Make sure you have the following TWO ACLs assigned to the baseDN, dc=composers,dc=foo,dc=com; actually the FIRST ONE is needed, the SECOND ONE is to secure the naming service. Note that these two ACLs are NOT my creation, they exist in any normal installation of SUN ONE DS5.2; for the FIRST ONE it was "allow (compare,read,search)", I removed "read" so that userPasswords WILL BE MASKED OFF while running "ldaplist" or "ldapaddent -D" commands.

1) (target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")
   (version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search)
   userdn "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)

2) (targetattr "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")
   (version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)

3) Also I noticed you have:

==
dn: cn=default,ou=profile,dc=foo,dc=com
...
defaultSearchBase: dc=foo,dc=com
...
==

IIRC it should be set to:

dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
...
defaultSearchBase: dc=composers,dc=foo,dc=com
...

4) Don't forget to add the IP address for cnyitlin02.composers.foo.com in /etc/hosts, on top of DNS, or replace it with the IP address in the default profile.

HTH.

Gary

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Thursday, August 25, 2005 1:18 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS

--- Justin Albstmeijer <justin@VLAMea.nl> wrote:
> My 2 cents
>
> - test with: ldapsearch -h ldapserver.domain.nl -s base -b "" "objectclass=*" , to see if you can query the server.

I went ahead and got the ldapsearch. It worked. ldaplist is just busted, I guess.

> - make sure the posix account has the "shadowAccount" attribute

Added it. I went to user, properties, posixAccount, advanced, add value -> shadowAccount. Not sure if that's the right way of doing it or not...

> - SSHA is default used by FDS for password encryption.. this should be CRYPT.

Done -- thank you!

> - make sure to use "simple" instead of "tls:simple" for your initial tests
> - use : ldapclient -v -P default -D "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w proxy_password {ipnumber_ldap_server} , to create the ldap_file & ldap_cred files

Yea -- that's where I hit another problem:

Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
rootDN[0] dc=foo,dc=com
found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.

However, from the FDS server itself, ldapsearch -x shows this: (snipped)

# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one

So, the profile is there but what's this about the rights???

> - make sure you run the latest recommended patch cluster.

Did that already.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Justin Albstmeijer
2005-Aug-25 13:25 UTC
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
you will see that "ldaplist -l passwd {username}" will not show the
password field..
the proxyagent user needs read access to all userPassword fields.. this
can be done with the controlpanel of FDS..
> So, looks like it worked but I can't authenticate any users. id testdba
> produces traffic on the FDS server, so it's definitely trying to query it but
> can't resolve anything.
>
> Also, I have two profiles:
>
> # default, profile, foo.com
> dn: cn=default,ou=profile,dc=foo,dc=com
> defaultSearchBase: dc=foo,dc=com
> authenticationMethod: simple
> followReferrals: TRUE
> bindTimeLimit: 2
> profileTTL: 43200
> searchTimeLimit: 30
> objectClass: top
> objectClass: DUAConfigProfile
> defaultServerList: 149.85.70.17
> credentialLevel: proxy
> cn: default
> defaultSearchScope: one
>
> # tls_profile, profile, foo.com
> dn: cn=tls_profile,ou=profile,dc=foo,dc=com
> defaultSearchBase: dc=foo,dc=com
> authenticationMethod: tls:simple
> followReferrals: FALSE
> bindTimeLimit: 10
> profileTTL: 43200
> searchTimeLimit: 30
> objectClass: top
> objectClass: DUAConfigProfile
> defaultServerList: cnyitlin02.composers.foo.com
> credentialLevel: proxy
> cn: tls_profile
> serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
> serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
> serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
> defaultSearchScope: one
>
> My default profile doesn't have those 3 searchDescriptors. Or we are not
> using profiles anymore? Just curious...
>
> Do you still think I need to change my defaultSearchDN? Also, must those
> ACLs be added still? Because it looks like you're doing a manual config, right?
>
> Thank you for your help, Gary.
>
Justin Albstmeijer
2005-Aug-25 13:36 UTC
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
>> serviceSearchDescriptor: group: ou=group,dc=foo,dc=com

Did you create this "ou=group,dc=foo,dc=com", because default FDS has a "ou=Groups,dc=foo,dc=com". I used that one, by adding the "posixgroup" object to "ou=Groups,dc=foo,dc=com" and adding the following attribute to the profile.

NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=foo,dc=com
Justin Albstmeijer
2005-Aug-25 13:38 UTC
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
> I did. It kept failing until I got rid of "-a default"

"-a" is the authentication method... I think you wanted to use "-P default". In your case no problem, because it defaults to it.. but in case you want to use a different profile...
Gary, thank you for the replies. (I do have the patch you mentioned:)

bash-2.03# showrev -p | grep "^Patch: 108993-48"
Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03, 111641-0 [...]

--- "Tay, Gary" <Gary_Tay@platts.com> wrote:
> 0) As mentioned in previous email, use "ldapclient -i", not "ldapclient -P".

I did. It kept failing until I got rid of "-a default"

Handling manual option
Unable to set value: invalid authenticationMethod (default)

Getting rid of -a default:

bash-2.03# /usr/sbin/ldapclient -v -i -b dc=foo,dc=com -c proxy -D uid=proxyAgent,ou=profile,dc=foo,dc=com -w password -S "passwd: ou=People,dc=foo,dc=com?one" -S "shadow: ou=People,dc=foo,dc=com?one" -S "group: ou=group,dc=foo,dc=com?one" -S "netgroup: ou=netgroup,dc=foo,dc=com?one" 149.85.70.17
Arguments parsed:
  defaultSearchBase: dc=foo,dc=com
  credentialLevel: proxy
  proxyDN: uid=proxyAgent,ou=profile,dc=foo,dc=com
  serviceSearchDescriptor:
    arg[0]: passwd: ou=People,dc=foo,dc=com?one
    arg[1]: shadow: ou=People,dc=foo,dc=com?one
    arg[2]: group: ou=group,dc=foo,dc=com?one
    arg[3]: netgroup: ou=netgroup,dc=foo,dc=com?one
  proxyPassword: password
  defaultServerList: 149.85.70.17
Handling manual option
Proxy DN: uid=proxyAgent,ou=profile,dc=foo,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname composers.foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
System successfully configured
bash-2.03# id testdba
id: invalid user name: "testdba"
bash-2.03#

So, looks like it worked but I can't authenticate any users. id testdba produces traffic on the FDS server, so it's definitely trying to query it but can't resolve anything.

Also, I have two profiles:

# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

# tls_profile, profile, foo.com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one

My default profile doesn't have those 3 searchDescriptors. Or we are not using profiles anymore? Just curious...

Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added still? Because it looks like you're doing a manual config, right?

Thank you for your help, Gary.
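Gary's points 3 and 4 and the two profiles quoted in this message all come down to whether a DUAConfigProfile is internally consistent before the client ever binds. The following is an added example, not code from the thread, from Solaris or from FDS: a small Python checker run over a constructed profile modelled on the quoted "default" one (the base/suffix mismatch Gary flagged is left in deliberately). The list of accepted authenticationMethod values is my recollection of the ldapclient documentation and is an assumption.

```python
import ipaddress
# Constructed sample modelled on the "default" DUAConfigProfile quoted in this thread
# (not a dump of anyone's server); the base/suffix mismatch is deliberate.
PROFILE_LDIF = """\
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one
"""
# authenticationMethod values ldapclient accepts (assumption); "default" is not one of them
VALID_AUTH = {"none", "simple", "sasl/cram-md5", "sasl/digest-md5",
              "tls:simple", "tls:sasl/cram-md5", "tls:sasl/digest-md5"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]} (no base64 values, no line folding)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def check_profile(entry):
    """Return a list of findings for a DUAConfigProfile entry parsed by parse_ldif_entry."""
    findings = []
    base = entry.get("defaultsearchbase", [""])[0]
    suffix = entry["dn"][0].split(",", 2)[2]   # drop "cn=<name>,ou=profile," to get the naming context
    if base.lower().replace(" ", "") != suffix.lower().replace(" ", ""):
        findings.append(f"defaultSearchBase {base!r} does not match the profile's own suffix {suffix!r}")
    for server in entry.get("defaultserverlist", []):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"server {server!r} is a hostname: it must resolve via DNS or /etc/hosts before LDAP naming starts")
    auth = entry.get("authenticationmethod", [""])[0].lower()
    if auth not in VALID_AUTH:
        findings.append(f"authenticationMethod {auth!r} is not a value ldapclient accepts")
    elif auth == "simple" and entry.get("credentiallevel", [""])[0].lower() == "proxy":
        findings.append("proxy bind over plain 'simple' sends the proxy password in clear text; move to tls:simple once lookups work")
    services = {v.split(":", 1)[0].strip() for v in entry.get("servicesearchdescriptor", [])}
    if "passwd" not in services and entry.get("defaultsearchscope", [""])[0] == "one":
        findings.append("no passwd serviceSearchDescriptor with defaultSearchScope=one: only direct children of defaultSearchBase are searched")
    return findings
```

Feed it the output of `ldapsearch -x -b ou=profile,<suffix>` one entry at a time; an empty list means none of the problems raised in this thread apply to that profile.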
Justin Albstmeijer
2005-Aug-25 14:18 UTC
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
Just looked at my test Solaris client.. and got the same error..
It seems "ldapclient -P..." will even complete with the wrong proxyagent password.. (only uses this to create the NS1 password) and fetches the profile anonymous..

so do you get:

libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials

in /var/adm/messages ?

> Still, I get this:
>
> bash-2.03# ldaplist -l passwd
> ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
> bash-2.03#
--- Justin Albstmeijer <justin@VLAMea.nl> wrote:
> you will see that "ldaplist -l passwd {username}" will not show the password field..
>
> the proxyagent user needs read access to all userPassword fields.. this can be done with the controlpanel of FDS..

Alright. This is the aci I added:

(targetattr = "*") (version 3.0; acl "Allow proxyAgent read access"; allow (read,compare) (userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com") ;)

Still, I get this:

bash-2.03# ldaplist -l passwd
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
bash-2.03#
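Gary's first ACI and the one added in this message differ in exactly which rights the proxy agent receives on userPassword (compare and search versus read and compare), which is what decides whether password hashes show up in ldaplist output. As an added example, not code from the thread, from FDS or from Sun ONE DS, here is a small Python check that parses ACIs in the simplified form quoted in this thread (one targetattr, one allow/deny clause, one userdn; the real ACI grammar is larger) and reports what a given bind DN gets on an attribute. The two sample ACIs are constructed, modelled on the ones quoted here.

```python
import re
# Constructed sample ACIs modelled on the ones quoted in this thread, not copied from a
# live server: one scoped to userPassword, one granting read on every attribute.
ACI_PROXY_PASSWORD = (
    '(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")'
    '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) '
    'userdn "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)'
)
ACI_ALL_ATTRS = (
    '(targetattr = "*") (version 3.0; acl "Allow proxyAgent read access"; '
    'allow (read,compare) (userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com") ;)'
)

def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_aci(aci):
    """Extract targetattr, the allow/deny rights and the userdn (simplified ACI grammar only)."""
    m_attr = re.search(r'targetattr\s*(!=|=)?\s*"([^"]*)"', aci, re.I)
    m_perm = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', aci, re.I)
    m_user = re.search(r'userdn\s*=?\s*"ldap:///([^"]*)"', aci, re.I)
    if not (m_attr and m_perm and m_user):
        raise ValueError("ACI is missing targetattr, permission or userdn")
    return {
        "negated": m_attr.group(1) == "!=",
        "attrs": {a.strip().lower() for a in m_attr.group(2).split("||")},
        "kind": m_perm.group(1).lower(),
        "rights": {r.strip().lower() for r in m_perm.group(2).split(",")},
        "userdn": m_user.group(1).strip(),
    }

def rights_for(aci, bind_dn, attr, entry_dn=None):
    """Return (kind, rights) the ACI yields for bind_dn on attr, or None if it does not apply."""
    p = parse_aci(aci)
    subject = p["userdn"].lower()
    if subject == "self":          # "ldap:///self": applies only when the bound user is the entry
        applies = entry_dn is not None and normalize_dn(entry_dn) == normalize_dn(bind_dn)
    else:
        applies = subject in ("anyone", "all") or normalize_dn(subject) == normalize_dn(bind_dn)
    attr_hit = "*" in p["attrs"] or attr.lower() in p["attrs"]
    if not applies or attr_hit == p["negated"]:
        return None
    return p["kind"], p["rights"]

def password_readable(aci, bind_dn):
    """True only if the ACI grants 'read' on userPassword; compare/search alone keeps hashes out of ldaplist."""
    result = rights_for(aci, bind_dn, "userPassword")
    return result is not None and result[0] == "allow" and "read" in result[1]
```

A real server combines every ACI in scope (a deny wins over an allow), so run this per ACI and read the results together rather than treating one ACI as the final answer.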
--- Justin Albstmeijer <justin@VLAMea.nl> wrote:
> Just looked at my test Solaris client.. and got the same error..
> It seems "ldapclient -P..." will even complete with the wrong proxyagent password.. (only uses this to create the NS1 password) and fetches the profile anonymous..
>
> so do you get:
>
> libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
>
> in /var/adm/messages ?

nah, I get this:

Aug 25 11:28:26 unknown ldaplist[2747]: [ID 293258 user.error] libsldap: Status: 7 Mesg: LDAP ERROR (50): Insufficient access.

Sigh. Well, I guess I'll reinstall FDS then.. No progress for 3 days, how much longer can I dick around with it... I'll post my results once I reinstall FDS. Thank you guys.