Hakuna Matata
2009-Jun-17 04:27 UTC
[389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Hi,

I am new to FDS. I have set it up as per the documentation, and it is working fine. Now I want a Linux client (CentOS 5.3) to authenticate against FDS.

hostname of FDS = ldap.fds.local

I created a user test01 and filled in the POSIX information.

On the client machine I am using system-config-authentication:
1. Checked the LDAP box and filled in the details as:
   LDAP search base DN = dc=vfds, dc=local
   LDAP Server = ldap://ldap.vfds.local

Then I rebooted the machine and tried to log in as user test01. Now it shows the error "username or password incorrect".

I would really appreciate it if someone could give me some pointers or help with where I am going wrong.

Many thanks in advance.
Best regards,
--H
Dmitry Amirov
2009-Jun-17 06:51 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Hello,

Is ldap://ldap.vfds.local correct? Please try this command:

ping ldap.vfds.local

If it pings, then use the getent command to check that the LDAP users are present on your system:

getent passwd

If it does not ping, then you need to use the FQDN or an IP address, like this:

ldap://1.2.3.4
ldap://example.com
Hakuna Matata
2009-Jun-17 07:09 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Yes, this is correct. I am able to ping it.

getent passwd is just returning the /etc/passwd users.

I also tried it by IP as you suggested... still no luck... :(

Is there any other place where I can look?

--H
Dmitry Amirov
2009-Jun-17 07:25 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Please show your /etc/nsswitch.conf. These entries should be:

passwd: files ldap
shadow: files ldap
group: files ldap
Hakuna Matata
2009-Jun-17 10:11 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Yes, my nsswitch.conf file is as below:

passwd: files ldap
shadow: files ldap
group: files ldap

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus

and my /etc/ldap.conf file contains:

uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

---- I am still not able to authenticate.......

Best regards,
--H
jean-Noël Chardron
2009-Jun-17 11:03 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Hi,

OK, I suppose the IP address of the server is 192.168.5.1 (right?) and you have a client (a CentOS 5.3) with an IP address unknown to us.

I suppose the nsswitch.conf and /etc/ldap.conf below are on the client, so that is correct.

Then can you show the files /etc/pam.d/system-auth and /etc/pam.d/login that are on the client, please?

Then can you tell us what the uid of the user test01 is in the FDS?
Hakuna Matata
2009-Jun-17 11:31 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Jean,

Thanks for the quick reply.

Client IP address is 192.168.5.4. Yes, these files are from the client only.

*/etc/pam.d/system-auth*
------------------------------------------------
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
-----------------------------------------------------------------------

and */etc/pam.d/login*

#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
----------------------------------------------------------------------------------

What is the *uid of the user test01 in the FDS*?

uid is t01

and under POSIX user:

uid number = 2223 (I manually gave this)
gid number = 2223
home directory = /home/test
login shell = /bin/test

And then I created a directory named "test" under /home ........... e.g. mkdir /home/test

Best regards,
--H
jean-Noël Chardron
2009-Jun-17 12:45 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Hakuna Matata wrote:
> Jean
> Thanks for a quick reply.
>
> Client IP address is 192.168.5.4
> yes these files are from client only.

All files seem correct (in system-auth the interesting lines are the ones with pam_ldap.so).

So maybe the base to search in the tree is misconfigured in /etc/ldap.conf. You previously showed the /etc/ldap.conf:

uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

Can you show the output of the command:

grep base /etc/ldap.conf

with only the lines that are uncommented? Normally this will show the distinguished name of the search base, and this must correspond with the tree in your FDS.

--
Jean-Noel Chardron
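The two client-side checks raised in this thread, Dmitry's nsswitch.conf databases that must consult ldap and Jean-Noel's uncommented base line in /etc/ldap.conf, as a small POSIX sh checker. This is an added example, not code from the thread or from the 389/nss_ldap projects; the sample files are constructed to mirror the poster's configuration, and the file paths are parameters so it can also be pointed at the real files.

```shell
#!/bin/sh
# Added example, not code from the thread: checks an nss_ldap/pam_ldap client
# for the two problems discussed above, an /etc/ldap.conf with no "base"
# directive and an /etc/nsswitch.conf whose passwd, shadow and group
# databases do not consult ldap. Paths are parameters.

# first_directive FILE KEY: value of the first uncommented "KEY value" line.
# Commented lines such as "#scope base" and keys such as nss_base_passwd do
# not match, because the key itself must start the line.
first_directive() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 |
    sed 's/[[:space:]]*$//'
}

# check_ldap_conf FILE: returns 0 when uri and base are both set, 1 otherwise.
# "ssl no" is reported as a warning, not a failure: with it, the pam_ldap
# simple bind carries the user's password over the network unencrypted.
check_ldap_conf() {
  rc=0
  uri=$(first_directive "$1" uri)
  base=$(first_directive "$1" base)
  if [ -z "$uri" ]; then
    echo "FAIL: $1: no 'uri' directive"; rc=1
  else
    echo "ok:   $1: uri $uri"
  fi
  if [ -z "$base" ]; then
    echo "FAIL: $1: no 'base' directive; nss_ldap/pam_ldap have no search base"
    rc=1
  else
    echo "ok:   $1: base $base"
  fi
  [ "$(first_directive "$1" ssl)" = "no" ] &&
    echo "WARN: $1: 'ssl no', the bind password is sent in cleartext"
  return $rc
}

# check_nsswitch FILE: returns 0 when passwd, shadow and group all list ldap.
check_nsswitch() {
  rc=0
  for db in passwd shadow group; do
    srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$1" | head -n 1 | tr '\t' ' ')
    case " $srcs " in
      *" ldap "*) echo "ok:   $1: $db -> $srcs" ;;
      *) echo "FAIL: $1: $db does not consult ldap (have: '$srcs')"; rc=1 ;;
    esac
  done
  return $rc
}

# write_samples DIR: constructed sample files (not the poster's real files).
write_samples() {
  cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
EOF
  cat > "$1/nsswitch.conf.broken" <<'EOF'
passwd:     files
shadow:     files
group:      files ldap
EOF
  # As posted: uri, ssl, tls_cacertdir and pam_password, but no base line,
  # only the commented nss_base_* examples that the poster's grep showed.
  cat > "$1/ldap.conf.before" <<'EOF'
uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#scope base
#nss_base_passwd ou=People,dc=example,dc=com?one
EOF
  # The same file after the base directive from the last message was added.
  { cat "$1/ldap.conf.before"; echo "base dc=vfds,dc=local"; } > "$1/ldap.conf.after"
}

# Demo run on the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
check_nsswitch "$dir/nsswitch.conf"
check_ldap_conf "$dir/ldap.conf.before" || echo "(before: logins cannot work yet)"
check_ldap_conf "$dir/ldap.conf.after"
rm -rf "$dir"
```

Run it against the real files with check_nsswitch /etc/nsswitch.conf and check_ldap_conf /etc/ldap.conf; a FAIL line names the directive or database to fix before retrying getent passwd.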
Andrew Kerr
2009-Jun-17 14:26 UTC
[389-users] Unable to connect to Admin or DS from management console
I recently added a new Fedora DS replica (1.2.0) to my master (1.0.4). I was able to add the new machine and replicate to it. I set up the replication via the console, and everything was working fine.

Today when I launch the console on the master and connect to the replica running 1.2.0 I get an error:

"Failed to install a local copy of fedora-admin-1.1.jar or one of its components"
"Can not connect to http://0.0.0.0:9830"

9830 is the correct port of the remote machine, but 0.0.0.0 isn't the correct IP. The local admin console is running on a different port. I can do a wget on the remote machine, http://<remote machine>:9830, and I am able to connect and get the "download" page that has the quick console. So it isn't a network issue.

The only change I've made is to add another replica, running 1.0.4. I can connect to that one just fine, and to all of the others. I just can't get to the one I added a few days ago that is running the newer version.

I'd suspect Java, or something along those lines, except that it worked yesterday and nothing (verified by the yum logs) has been installed or changed on the server. My guess is that maybe the 1.0.4 ones work OK because they're running the same version, and no additional jar files are needed. I looked in .fedora-console/jars and I don't see the new one. I tried removing that directory and letting it create a new one, also with no luck. I tried adding another 1.2.0 installation, and same problem.

Any ideas would be greatly appreciated!

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, which you may review at http://www.amdocs.com/email_disclaimer.asp
jean-Noël Chardron
2009-Jun-17 14:43 UTC
Re: [389-users] Unable to connect to Admin or DS from management console
*Don't hijack threads*. Don't post a new message by replying to an existing message and just changing the subject. The message will still have an In-Reply-To header, which messes up message threading.
Hakuna Matata
2009-Jun-17 16:14 UTC
Re: [389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
>>>> grep base /etc/ldap.conf
----------------------------------
#scope base
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# nss_base_passwd ou=People,
# to append the default base DN but this
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
#nss_base_passwd ou=aixaccount,?one
#nss_base_group ou=aixgroup,?one
---------------------------------------------------------------------------

OK, so I was expecting some base entry binding it to FDS..... but did not find any such thing here... which gives the impression that system-config-authentication is not working properly in CentOS 5.3. My assumption may be wrong....

So if I put an entry in this file like (base dc=vfds,dc=local)... and then boot the client machine... can I expect it to work then.....

Waiting for the advice.... in the meantime I am rebooting the machine....

Many thanks in advance...

--H
Hakuna Matata
2009-Jun-17 17:35 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
Still no luck.... I have added the below entry in my ldap.conf file:

base dc=vfds,dc=local

--H

On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata <narender.hooda@gmail.com> wrote:
> grep base /etc/ldap.conf
> ----------------------------------
> #scope base
> # nss_base_XXX base?scope?filter
> # where scope is {base,one,sub}
> # nss_base_passwd ou=People,
> # to append the default base DN but this
> #nss_base_passwd ou=People,dc=example,dc=com?one
> #nss_base_shadow ou=People,dc=example,dc=com?one
> #nss_base_group ou=Group,dc=example,dc=com?one
> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
> #nss_base_services ou=Services,dc=example,dc=com?one
> #nss_base_networks ou=Networks,dc=example,dc=com?one
> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
> #nss_base_passwd ou=aixaccount,?one
> #nss_base_group ou=aixgroup,?one
> ---------------------------------------------------------------------------
>
> OK, so I was expecting some base which binds it to FDS..... but did not
> find any such thing here... which gives the impression that
> system-config-authentication is not working properly in CentOS 5.3. My
> assumption may be wrong....
>
> So if I put some entry in this like (base dc=vfds,dc=local)... and then boot
> the client machine... can I expect it to work then.....
>
> Waiting for the advice.... in the meantime I am rebooting the machine....
>
> Many thanks in advance...
>
> --H
>
> On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
>> Hakuna Matata wrote:
>>> Jean
>>> Thanks for a quick reply.
>>>
>>> Client IP address is 192.168.5.4
>>> Yes, these files are from the client only.
>>
>> All files seem correct (in system-auth the interesting lines are the ones with
>> pam_ldap.so).
>> So maybe the base to search in the tree is misconfigured in
>> /etc/ldap.conf.
>>
>> You previously showed the /etc/ldap.conf:
>> uri ldap://192.168.5.1
>> ssl no
>> tls_cacertdir /etc/openldap/cacerts
>> pam_password md5
>>
>> Can you show the output of the command:
>> grep base /etc/ldap.conf
>> with only the lines that are uncommented; normally this will show the
>> distinguished name of the search base,
>> and this must correspond with the tree in your FDS.
Jean-Noel Chardron
2009-Jun-17 17:55 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
Hakuna Matata wrote:
> Still no luck....
> I have added the below entry in my ldap.conf file
> base dc=vfds,dc=local

Hum, does your FDS answer an ldapsearch request?
You can try something like this from the server and from the client:

without credentials:
ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''

with credentials:
ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" -W

> --H
Hakuna Matata
2009-Jun-17 18:25 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
This is what it is returning....

I guess I have to rebuild the client with CentOS 5.2 (though I have no reason, but still).....

And I really want to give you a big thank you for helping me... you are kind......
Will keep you posted with the results....

[root@client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=vfds,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root@client ~]#

On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
> Hakuna Matata wrote:
>> Still no luck....
>> I have added the below entry in my ldap.conf file
>> base dc=vfds,dc=local
>
> Hum, does your FDS answer an ldapsearch request?
> You can try something like this from the server and from the client:
> without credentials:
> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''
> with credentials:
> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" -W
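The "result: 32 No such object" above is the telling line: the client reaches the server and the bind is accepted, but the base DN it searches does not exist on that server, so nss_ldap and pam_ldap can never find the user. The script below is an added example, not code from the thread; it assumes OpenLDAP's ldapsearch output format and nss_ldap's /etc/ldap.conf keywords (uri, base, ssl), its sample inputs are constructed from the output posted above, and the root-DSE namingContexts query it prints is the standard way to list the suffixes a server actually serves.

```shell
#!/bin/sh
# Added example, not from the thread: turn an ldapsearch result into the next
# diagnostic step. Assumes OpenLDAP's ldapsearch output format (the
# "result: N text" line) and nss_ldap's /etc/ldap.conf keywords. The sample
# inputs at the bottom are constructed from the thread's posted output.

# Numeric LDAP result code from ldapsearch output on stdin ("" if none).
ldif_result_code() {
    sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Search base from ldap.conf text on stdin: first uncommented "base" line.
# "#base ..." comments and "nss_base_*" lines are ignored.
ldapconf_base() {
    sed -n 's/^[[:space:]]*base[[:space:]]\{1,\}//p' | head -n 1
}

# Host part of the first "uri ldap://host[:port]" line on stdin.
ldapconf_host() {
    sed -n 's#^[[:space:]]*uri[[:space:]]\{1,\}ldaps\{0,1\}://\([^:/]*\).*#\1#p' | head -n 1
}

# "tls" if the client negotiates TLS (ssl start_tls / ssl on / ldaps:// URI),
# otherwise "cleartext": pam_ldap then sends the user's password in the clear.
ldapconf_tls_state() {
    if grep -Eiq '^[[:space:]]*(ssl[[:space:]]+(on|yes|start_tls)|uri[[:space:]]+ldaps://)'; then
        echo tls
    else
        echo cleartext
    fi
}

# What a result code says about the client's configuration.
explain_result() {
    case "$1" in
        '')  echo "no result line: the server did not answer (connectivity, DNS or port)" ;;
        0)   echo "base exists and the bind was accepted" ;;
        32)  echo "base DN does not exist on this server: compare it with namingContexts" ;;
        49)  echo "bind DN or password rejected: base may be fine, credentials are not" ;;
        *)   echo "unexpected result code $1: see the text after the number" ;;
    esac
}

# The root DSE query that lists the suffixes the server really serves.
naming_contexts_cmd() {
    printf 'ldapsearch -x -h %s -b "" -s base namingContexts\n' "$1"
}

# Live check (needs ldapsearch): anonymous base-scope search of the base,
# then the meaning of the result; on 32 print the namingContexts query.
check_base_live() {
    host=$1 base=$2
    code=$(ldapsearch -x -h "$host" -b "$base" -s base '(objectClass=*)' 2>&1 | ldif_result_code)
    echo "result ${code:-none}: $(explain_result "$code")"
    if [ "$code" = 32 ]; then naming_contexts_cmd "$host"; fi
}

# Constructed sample inputs: the client's ldap.conf and the output posted above.
SAMPLE_LDAP_CONF='uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#nss_base_passwd ou=People,dc=example,dc=com?one
base dc=vfds,dc=local'

SAMPLE_SEARCH_OUTPUT='# extended LDIF
#
# LDAPv3
# base <dc=vfds,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1'

if [ $# -eq 2 ]; then
    check_base_live "$1" "$2"          # e.g. 192.168.5.1 dc=vfds,dc=local
else
    base=$(printf '%s\n' "$SAMPLE_LDAP_CONF" | ldapconf_base)
    host=$(printf '%s\n' "$SAMPLE_LDAP_CONF" | ldapconf_host)
    code=$(printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | ldif_result_code)
    echo "configured base '$base' on $host, transport: $(printf '%s\n' "$SAMPLE_LDAP_CONF" | ldapconf_tls_state)"
    echo "result $code: $(explain_result "$code")"
    if [ "$code" = 32 ]; then naming_contexts_cmd "$host"; fi
fi
```

With no arguments it walks through the sample from this thread; given a host and base DN (for example `sh ldap_base_check.sh 192.168.5.1 dc=vfds,dc=local`) it runs the live anonymous search and prints the namingContexts query when the base is missing.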
Hakuna Matata
2009-Jun-17 18:32 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
Just one more file's contents, authconfig:

[root@client ~]# authconfig --test
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.5.1"
 LDAP base DN = "dc=vfds,dc=local"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is md5
pam_krb5 is disabled
 krb5 realm = "VFDS.VAD.COM"
 krb5 realm via dns is enabled
 krb5 kdc = "kerberos.vfds.vad.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.vfds.vad.com:749"
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.5.1"
 LDAP base DN = "dc=vfds,dc=local"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
------------------------------------

On Wed, Jun 17, 2009 at 11:55 PM, Hakuna Matata <narender.hooda@gmail.com> wrote:
> This is what it is returning....
>
> I guess I have to rebuild the client with CentOS 5.2 (though I have no
> reason, but still).....
>
> and really want to give you a big thank you for helping me... you are kind......
> will keep posted with the results....
>
> [root@client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local"
> -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=vfds,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
> [root@client ~]#
>
>
> On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
>> Hakuna Matata wrote:
>>>
>>> Still no luck....
>>> I have added the below entry in my ldap.conf file
>>> base dc=vfds,dc=local
>>>
>>
>> Hum,
>> does your FDS answer a request of ldapsearch?
>> You can try something like this from the server and from the client:
>> without credentials:
>> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''
>> with credentials:
>> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" '' -W
>>>
>>> --H
>>>
>>> On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata <narender.hooda@gmail.com> wrote:
>>>
>>>>>>>> grep base /etc/ldap.conf
>>>>
>>>> ----------------------------------
>>>> #scope base
>>>> # nss_base_XXX base?scope?filter
>>>> # where scope is {base,one,sub}
>>>> # nss_base_passwd ou=People,
>>>> # to append the default base DN but this
>>>> #nss_base_passwd ou=People,dc=example,dc=com?one
>>>> #nss_base_shadow ou=People,dc=example,dc=com?one
>>>> #nss_base_group ou=Group,dc=example,dc=com?one
>>>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
>>>> #nss_base_services ou=Services,dc=example,dc=com?one
>>>> #nss_base_networks ou=Networks,dc=example,dc=com?one
>>>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
>>>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
>>>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
>>>> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
>>>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
>>>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
>>>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>>>> #nss_base_passwd ou=aixaccount,?one
>>>> #nss_base_group ou=aixgroup,?one
>>>>
>>>> ---------------------------------------------------------------------------
>>>>
>>>> OK, so I was expecting some base which binds it to FDS..... but did not
>>>> find any such thing here... which gives the impression that
>>>> system-config-authentication is not working properly in CentOS 5.3. My
>>>> assumption may be wrong....
>>>>
>>>> So if I put some entry in this like (base dc=vfds,dc=local)... and then
>>>> boot the client machine... can I expect it working then.....
>>>>
>>>> Waiting for the advice.... in the mean time I am rebooting the machine....
>>>>
>>>> Many thanks in advance...
>>>>
>>>> --H
>>>>
>>>> On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
>>>>
>>>>> Hakuna Matata wrote:
>>>>>
>>>>>> Jean
>>>>>> Thanks for a quick reply.
>>>>>>
>>>>>> Client IP address is 192.168.5.4
>>>>>> Yes, these files are from the client only.
>>>>>>
>>>>>
>>>>> All files seem correct (in system-auth the interesting lines are the ones with
>>>>> pam_ldap.so).
>>>>> So maybe the base to search in the tree is misconfigured in
>>>>> /etc/ldap.conf.
>>>>>
>>>>> You previously showed the /etc/ldap.conf:
>>>>> uri ldap://192.168.5.1
>>>>> ssl no
>>>>> tls_cacertdir /etc/openldap/cacerts
>>>>> pam_password md5
>>>>>
>>>>> Can you show the output of the command:
>>>>> grep base /etc/ldap.conf
>>>>> with only the lines that are uncommented; normally this will show the
>>>>> distinguished name of the search base,
>>>>> and this must correspond with the tree in your FDS.
>>>>>
>>>>>> */etc/pam.d/system-auth *
>>>>>> ------------------------------------------------
>>>>>> # This file is auto-generated.
>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>> auth required pam_env.so
>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>> auth required pam_deny.so
>>>>>>
>>>>>> account required pam_unix.so broken_shadow
>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>> account required pam_permit.so
>>>>>>
>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>> password required pam_deny.so
>>>>>>
>>>>>> session optional pam_keyinit.so revoke
>>>>>> session required pam_limits.so
>>>>>> session optional pam_keyinit.so revoke
>>>>>> session required pam_limits.so
>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>> session required pam_unix.so
>>>>>> session optional pam_ldap.so
>>>>>> -----------------------------------------------------------------------
>>>>>>
>>>>>> and */etc/pam.d/login *
>>>>>>
>>>>>> #%PAM-1.0
>>>>>> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
>>>>>> auth include system-auth
>>>>>> account required pam_nologin.so
>>>>>> account include system-auth
>>>>>> password include system-auth
>>>>>> # pam_selinux.so close should be the first session rule
>>>>>> session required pam_selinux.so close
>>>>>> session include system-auth
>>>>>> session required pam_loginuid.so
>>>>>> session optional pam_console.so
>>>>>> # pam_selinux.so open should only be followed by sessions to be executed in the user context
>>>>>> session required pam_selinux.so open
>>>>>> session optional pam_keyinit.so force revoke
>>>>>> ~
>>>>>>
>>>>>> ----------------------------------------------------------------------------------
>>>>>>
>>>>>> what is the *uid of the user test01 in the FDS*
>>>>>>
>>>>>> uid is t01
>>>>>>
>>>>>> and under Posix user
>>>>>>
>>>>>> uid number = 2223 (I manually gave this)
>>>>>> gid number = 2223
>>>>>> home directory = /home/test
>>>>>> login shell = /bin/test
>>>>>>
>>>>>> and then I create a directory with name "test" under /home, e.g.
>>>>>> mkdir /home/test
>>>>>>
>>>>>> Best Regards
>>>>>> --H
>>>>>>
>>>>>> On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
>>>>>>
>>>>>> hi,
>>>>>>
>>>>>> ok, I suppose the IP address of the server is 192.168.5.1 (right?)
>>>>>> and you have a client (a CentOS 5.3) with an IP address unknown to us.
>>>>>>
>>>>>> I suppose the nsswitch.conf and /etc/ldap.conf below are on the
>>>>>> client, so it is correct.
>>>>>>
>>>>>> Then can you show the files /etc/pam.d/system-auth and
>>>>>> /etc/pam.d/login that are on the client, please.
>>>>>>
>>>>>> Then can you tell us what is the uid of the user test01 in the FDS?
>>>>>>
>>>>>> Hakuna Matata wrote:
>>>>>>
>>>>>> yes, my nsswitch.conf file is as below.
>>>>>> passwd: files ldap
>>>>>> shadow: files ldap
>>>>>> group: files ldap
>>>>>>
>>>>>> ethers: files
>>>>>> netmasks: files
>>>>>> networks: files
>>>>>> protocols: files
>>>>>> rpc: files
>>>>>> services: files
>>>>>>
>>>>>> netgroup: files ldap
>>>>>>
>>>>>> publickey: nisplus
>>>>>>
>>>>>> automount: files ldap
>>>>>> aliases: files nisplus
>>>>>>
>>>>>> and /etc/ldap.conf file contains
>>>>>> uri ldap://192.168.5.1
>>>>>> ssl no
>>>>>> tls_cacertdir /etc/openldap/cacerts
>>>>>> pam_password md5
>>>>>>
>>>>>> ---- I am still not able to authenticate.......
>>>>>> Best Regards
>>>>>> --H
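The searches in this message fail with "result: 32 No such object" against the base configured in /etc/ldap.conf. LDAP result code 32 (noSuchObject) returned for the search base itself means that DN does not exist on the server; the suffixes a server holds are listed in the namingContexts attribute of its root DSE, which ldapsearch -x -h 192.168.5.1 -s base -b "" namingContexts will print. The Python below is an added example, not part of this thread and not code from 389 / Fedora Directory Server: it parses constructed ldapsearch output offline, checks whether a configured base DN lies under a server suffix after normalizing case and the spacing the GUI entry "dc=vfds, dc=local" carries, and checks a posixAccount entry against the constraints visible in the posted system-auth (pam_succeed_if uid >= 500) and an assumed /etc/shells. The root-DSE suffix dc=example,dc=com, the user's DN and the shell list are constructed stand-ins, not values from the thread's server.

```python
"""Offline checks for an nss_ldap/pam_ldap client whose ldapsearch returns 'result: 32'."""
import re

# Constructed root DSE, as `ldapsearch -x -h 192.168.5.1 -s base -b "" namingContexts`
# would print it; the suffix dc=example,dc=com is a stand-in, not the thread's real server.
ROOTDSE_LDIF = """\
dn:
namingContexts: dc=example,dc=com
"""

# Constructed copy of the failing search from the thread (header comments trimmed).
FAILED_SEARCH = """\
# base <dc=vfds,dc=local> with scope subtree
# filter: (objectclass=*)

# search result
search: 2
result: 32 No such object

# numResponses: 1
"""

# Constructed posixAccount entry with the attribute values posted in the thread; DN assumed.
USER_LDIF = """\
dn: uid=t01,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: t01
uidNumber: 2223
gidNumber: 2223
homeDirectory: /home/test
loginShell: /bin/test
"""

def parse_ldif(text):
    """ldapsearch output -> list of {attribute_lowercase: [values]}; comments skipped,
    folded continuation lines joined, '::' base64 values left undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line terminates an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def result_code(search_output):
    """Numeric LDAP result code from the '# search result' block, or None."""
    m = re.search(r"^result:\s*(\d+)", search_output, re.MULTILINE)
    return int(m.group(1)) if m else None

def normalize_dn(dn):
    """Lower-case and strip spaces around '=' and ',' so 'dc=vfds, dc=local' (as typed
    into the GUI) equals 'dc=vfds,dc=local'. Simple DNs only; RFC 4514 escapes not handled."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)

def base_under_naming_contexts(base_dn, rootdse_ldif):
    """True when base_dn equals, or lies beneath, one of the server's namingContexts."""
    contexts = [c for e in parse_ldif(rootdse_ldif) for c in e.get("namingcontexts", [])]
    nb = normalize_dn(base_dn)
    return any(nb == normalize_dn(c) or nb.endswith("," + normalize_dn(c)) for c in contexts)

def check_posix_account(user_ldif, min_uid=500, shells=("/bin/sh", "/bin/bash")):
    """What would still block a login for this entry once the search works; min_uid mirrors
    'pam_succeed_if.so uid >= 500' in the posted system-auth, shells stands in for /etc/shells."""
    problems = []
    for entry in parse_ldif(user_ldif):
        if "posixaccount" not in [o.lower() for o in entry.get("objectclass", [])]:
            continue
        for attr in ("uid", "uidnumber", "gidnumber", "homedirectory"):
            if attr not in entry:
                problems.append(f"missing {attr}")
        uid_num = int(entry.get("uidnumber", ["-1"])[0])
        if uid_num < min_uid:
            problems.append(f"uidNumber {uid_num} below pam_succeed_if threshold {min_uid}")
        shell = entry.get("loginshell", [""])[0]
        if shell not in shells:
            problems.append(f"loginShell {shell!r} not in /etc/shells")
    return problems

def diagnose(search_output, base_dn, rootdse_ldif):
    """Turn the search result into a cause the admin can act on."""
    code = result_code(search_output)
    if code == 0:
        return "search succeeded"
    if code == 32 and not base_under_naming_contexts(base_dn, rootdse_ldif):
        return "base DN is not a suffix on this server; fix 'base' in /etc/ldap.conf"
    if code == 32:
        return "base DN is under a server suffix but that entry does not exist"
    return f"ldap result code {code}"
```

Run diagnose(FAILED_SEARCH, "dc=vfds, dc=local", ROOTDSE_LDIF) and it reports that the configured base is not a suffix the (sample) server holds, which is what a code 32 on the base itself means; the real server's suffix has to be read from its own root DSE. check_posix_account(USER_LDIF) flags only the login shell, since the rest of the posted entry satisfies the PAM stack shown in system-auth.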
John A. Sullivan III
2009-Jun-17 19:04 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
I've not been following this thread very closely, but we are using CentOS 5.3 very happily - John

On Wed, 2009-06-17 at 23:55 +0530, Hakuna Matata wrote:
> This is what it is returning....
>
> I guess I have to rebuild the client with CentOS 5.2 (though I have no
> reason, but still).....
>
> and really want to give you a big thank you for helping me... you are kind......
> will keep posted with the results....
>
> [root@client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local"
> -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=vfds,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
> [root@client ~]#
>
>
> On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
> > Hakuna Matata wrote:
> >>
> >> Still no luck....
> >> I have added the below entry in my ldap.conf file
> >> base dc=vfds,dc=local
> >>
> >
> > Hum,
> > does your FDS answer a request of ldapsearch?
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Jean-Noel Chardron
2009-Jun-17 19:58 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
Hakuna Matata wrote:
> This is what it is returning....
>
> I guess I have to rebuild the client with CentOS 5.2 (though I have no
> reason, but still).....
>
> and really want to give you a big thank you for helping me... you are kind......
> will keep posted with the results....
>
> [root@client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local"
> -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=vfds,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>

I don't know exactly the syntax of ldapsearch, but I can say that the request is not correct: you forgot the quote at the end of the line to have the full answer (see man ldapsearch).

And what else if you try without binding the DN:
ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''

> [root@client ~]#
>
>
> On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote:
>
>> Hakuna Matata wrote:
>>
>>> Still no luck....
>>> I have added the below entry in my ldap.conf file
>>> base dc=vfds,dc=local
>>>
>>
>> Hum,
>> does your FDS answer a request of ldapsearch?
>> you can try sommething like this from the server and from the client : >> without credentials: >> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" '''' >> with credentials : >> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager >> '''' -W >> >>> --H >>> >>> On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata<narender.hooda@gmail.com> >>> wrote: >>> >>> >>>>>>>> grep base /etc/ldap.conf >>>>>>>> >>>>>>>> >>>> ---------------------------------- >>>> #scope base >>>> # nss_base_XXX base?scope?filter >>>> # where scope is {base,one,sub} >>>> # nss_base_passwd ou=People, >>>> # to append the default base DN but this >>>> #nss_base_passwd ou=People,dc=example,dc=com?one >>>> #nss_base_shadow ou=People,dc=example,dc=com?one >>>> #nss_base_group ou=Group,dc=example,dc=com?one >>>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one >>>> #nss_base_services ou=Services,dc=example,dc=com?one >>>> #nss_base_networks ou=Networks,dc=example,dc=com?one >>>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one >>>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one >>>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one >>>> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne >>>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one >>>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one >>>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one >>>> #nss_base_passwd ou=aixaccount,?one >>>> #nss_base_group ou=aixgroup,?one >>>> >>>> --------------------------------------------------------------------------- >>>> >>>> OK, so i was expecting some base which are binding it to FDS.....but did >>>> not >>>> find here any such thing...which gives an impression that >>>> system-config-authentication is not working proberly in CentOS5.3. My >>>> assumption may be wrong.... >>>> >>>> so if i put some entry in this like (base dc=vfds,dc=local)...and then >>>> boot >>>> the client machine... can i expect it workin then..... 
>>>> >>>> waiting for the advise....in the mean time i am rebooting the machine.... >>>> >>>> many thanks in advance... >>>> >>>> >>>> --H >>>> >>>> On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron >>>> <Jean-Noel.Chardron@dr15.cnrs.fr> wrote: >>>> >>>> >>>>> Hakuna Matata a écrit : >>>>> >>>>> >>>>>> Jean >>>>>> Thanks for a quick reply. >>>>>> >>>>>> Client IP address is 192.168.5.4 >>>>>> yes these files are from client only. >>>>>> >>>>>> >>>>>> >>>>> all files seem correct , (in system-auth the interresting line are with >>>>> pam_ldap.so) >>>>> So may be, the base to search in the tree are misconfigured in the >>>>> /etc/ldap.conf >>>>> >>>>> you previously show the /etc/ldap.conf : >>>>> uri ldap://192.168.5.1 <http://192.168.5.1> >>>>> ssl no >>>>> tls_cacertdir /etc/openldap/cacerts >>>>> pam_password md5 >>>>> >>>>> can you show the ouptut of the command : >>>>> grep base /etc/ldap.conf >>>>> with only the line that are uncommented , normaly this will show the >>>>> distinguished name of the search base. >>>>> and this must correspond with the tree in your FDS >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> */etc/pam.d/system-auth * >>>>>> ------------------------------------------------ >>>>>> This file is auto-generated. >>>>>> # User changes will be destroyed the next time authconfig is run. 
>>>>>> auth required pam_env.so >>>>>> auth sufficient pam_unix.so nullok try_first_pass >>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet >>>>>> auth sufficient pam_ldap.so use_first_pass >>>>>> auth required pam_deny.so >>>>>> >>>>>> account required pam_unix.so broken_shadow >>>>>> account sufficient pam_succeed_if.so uid < 500 quiet >>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so >>>>>> account required pam_permit.so >>>>>> >>>>>> password requisite pam_cracklib.so try_first_pass retry=3 >>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass >>>>>> use_authtok >>>>>> password sufficient pam_ldap.so use_authtok >>>>>> password required pam_deny.so >>>>>> >>>>>> session optional pam_keyinit.so revoke >>>>>> session required pam_limits.so >>>>>> session optional pam_keyinit.so revoke >>>>>> session required pam_limits.so >>>>>> session [success=1 default=ignore] pam_succeed_if.so service in >>>>>> crond >>>>>> quiet use_uid >>>>>> session required pam_unix.so >>>>>> session optional pam_ldap.so >>>>>> ----------------------------------------------------------------------- >>>>>> >>>>>> and* /etc/pam.d/login * >>>>>> >>>>>> #%PAM-1.0 >>>>>> auth [user_unknown=ignore success=ok ignore=ignore default=bad] >>>>>> pam_securetty.so >>>>>> auth include system-auth >>>>>> account required pam_nologin.so >>>>>> account include system-auth >>>>>> password include system-auth >>>>>> # pam_selinux.so close should be the first session rule >>>>>> session required pam_selinux.so close >>>>>> session include system-auth >>>>>> session required pam_loginuid.so >>>>>> session optional pam_console.so >>>>>> # pam_selinux.so open should only be followed by sessions to be >>>>>> executed >>>>>> in the user context >>>>>> session required pam_selinux.so open >>>>>> session optional pam_keyinit.so force revoke >>>>>> ~ >>>>>> >>>>>> ---------------------------------------------------------------------------------- >>>>>> >>>>>> what is 
the *uid of the user test01 in the FDS* >>>>>> >>>>>> uid is t01 >>>>>> >>>>>> and under Posix user >>>>>> >>>>>> uid numbe =2223 (i manually gave this) >>>>>> gid number=2223 >>>>>> home dire = /home/test >>>>>> login shell=/bin/test >>>>>> >>>>>> >>>>>> and then i create a directory with name "test" under /home >>>>>> ...........eg. >>>>>> mkdir /home/test >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Best Regards >>>>>> --H >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron >>>>>> <Jean-Noel.Chardron@dr15.cnrs.fr >>>>>> <mailto:Jean-Noel.Chardron@dr15.cnrs.fr>> >>>>>> wrote: >>>>>> >>>>>> hi, >>>>>> >>>>>> ok , I suppose the ip adress of the server is 192.168.5.1 (right ?) >>>>>> and you have a client (a centos 5.3) with unknow to us ip address. >>>>>> >>>>>> I suppose the nsswitch.conf and /etc/ldap.conf below is on the >>>>>> client so it is correct >>>>>> >>>>>> Then can you show the files /etc/pam.d/system-auth and >>>>>> /etc/pam.d/login that are on the client please >>>>>> >>>>>> then can you tell us what is the uid of the user test01 in the FDS >>>>>> >>>>>> >>>>>> >>>>>> Hakuna Matata a écrit : >>>>>> >>>>>> >>>>>> yes, my nsswitch.conf file is as below. >>>>>> passwd: files ldap >>>>>> shadow: files ldap >>>>>> group: files ldap >>>>>> >>>>>> ethers: files >>>>>> netmasks: files >>>>>> networks: files >>>>>> protocols: files >>>>>> rpc: files >>>>>> services: files >>>>>> >>>>>> netgroup: files ldap >>>>>> >>>>>> publickey: nisplus >>>>>> >>>>>> automount: files ldap >>>>>> aliases: files nisplus >>>>>> >>>>>> >>>>>> and /etc/ldap.conf file contains >>>>>> uri ldap://192.168.5.1 <http://192.168.5.1> <http://192.168.5.1> >>>>>> >>>>>> ssl no >>>>>> tls_cacertdir /etc/openldap/cacerts >>>>>> pam_password md5 >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ----i am still not able to authenticate....... 
>>>>>>
>>>>>> -best Regards
>>>>>> --H
>>>>>>
>>>>>> On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov <amirov@infinet.ru> wrote:
>>>>>>
>>>>>> Hello
>>>>>>
>>>>>> Is it ldap://ldap.vfds.local correct?
>>>>>> Please, try this command:
>>>>>>
>>>>>> ping ldap.vfds.local
>>>>>>
>>>>>> If pinging then try to use command getent to check that ldap users are present in your system.
>>>>>> getent passwd
>>>>>>
>>>>>> If not pinging, then you need to use FQDN or ip-address, like this:
>>>>>>
>>>>>> ldap://1.2.3.4
>>>>>> ldap://example.com
jean-Noël Chardron
2009-Jun-18 11:08 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
Hakuna Matata wrote:
> This is what it is returning....
>
> i guess i have to rebuild the client with CentOS 5.2 (though i have no reason but still).....
>

not sure
I did a mistake about ldapsearch so I resume the situation:

You have a client CentOS 5.3 with IP address: 192.168.5.4
You have a server FDS with IP address: 192.168.5.1
You have a user in FDS test01 with dn: cn=test01,ou=Users,dc=vfds,dc=local
with uid = t01, uid number = 2223, gid = 2223, home dir = /home/test and login shell = /bin/test

You want to log in with user test01 on the client station through the FDS server.

So you check the configuration of the client:
/etc/nsswitch is correct
/etc/ldap.conf is correct
/etc/pam.d/system-auth is correct
/etc/pam.d/login is correct
you can ping from client to server and vice-versa

ok now you have to check the server side; this can be done with the tool ldapsearch: from the client you make a request with ldapsearch to get the information from the FDS server.
But before this, I didn't see your misconfiguration of the user test01 in the attribute login shell = /bin/test. I see it just now.
This attribute must be a valid shell on the client, i.e. /bin/bash or /bin/sh or whatever else you want, but a valid shell. I don't think that /bin/test permits you to log in to the client (on CentOS 5.3 the program /bin/test doesn't exist!!)

thus the first thing you can do is to change the attribute login shell from /bin/test to /bin/bash
then try to login the station with user t01.

For further verification of the server side you can do a request ldapsearch:

ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" 'uid=t01'

and show the output
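The loginShell diagnosis above generalises to a client-side check that can be run on any posixAccount entry before blaming PAM or nsswitch; the script below is added here and is not from the thread. It parses an LDIF entry constructed from the test01 values in the thread, verifies that loginShell is both listed in the shells file and executable on the client, that uidNumber clears the `uid >= 500` gate from the quoted system-auth, and that homeDirectory exists; the ldapsearch invocation in the trailing comment is Jean-Noël's command with `-LLL` added (an assumption, to get bare LDIF).

```shell
# Client-side sanity check for a posixAccount entry. SAMPLE_LDIF is
# constructed from the test01 values given in the thread, not fetched
# from a live server.
SAMPLE_LDIF='dn: cn=test01,ou=Users,dc=vfds,dc=local
uid: t01
uidNumber: 2223
gidNumber: 2223
homeDirectory: /home/test
loginShell: /bin/test'

# ldif_attr LDIF NAME: print the first value of attribute NAME.
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# shell_is_valid SHELL SHELLS_FILE: SHELL must be listed in SHELLS_FILE
# (normally /etc/shells) and exist as an executable on this client.
shell_is_valid() {
    grep -qx -- "$1" "$2" 2>/dev/null && [ -x "$1" ]
}

# check_posix_entry LDIF SHELLS_FILE MIN_UID: print each problem that would
# stop the account from logging in; return 0 only when none is found.
check_posix_entry() {
    entry=$1; shells=$2; min_uid=$3; rc=0
    shell=$(ldif_attr "$entry" loginShell)
    uid_num=$(ldif_attr "$entry" uidNumber)
    gid_num=$(ldif_attr "$entry" gidNumber)
    home=$(ldif_attr "$entry" homeDirectory)
    if ! shell_is_valid "$shell" "$shells"; then
        echo "FAIL: loginShell '$shell' is not a usable shell on this client"; rc=1
    fi
    # system-auth above gates pam_ldap.so behind 'uid >= 500', so a lower
    # uidNumber never reaches LDAP authentication at all.
    case $uid_num in
        ''|*[!0-9]*) echo "FAIL: uidNumber '$uid_num' is not a number"; rc=1 ;;
        *) [ "$uid_num" -ge "$min_uid" ] || { echo "FAIL: uidNumber $uid_num < $min_uid"; rc=1; } ;;
    esac
    case $gid_num in
        ''|*[!0-9]*) echo "FAIL: gidNumber '$gid_num' is not a number"; rc=1 ;;
    esac
    [ -d "$home" ] || echo "WARN: homeDirectory '$home' does not exist on this client"
    return $rc
}

# Against a live server, feed ldapsearch output in instead of the sample:
#   check_posix_entry "$(ldapsearch -x -LLL -h 192.168.5.1 -b dc=vfds,dc=local uid=t01)" /etc/shells 500
if check_posix_entry "$SAMPLE_LDIF" /etc/shells 500; then
    echo "OK: entry looks usable"
fi
```

A missing home directory is reported as a warning only, since login usually still succeeds with HOME=/ in that case, while a bad shell or a too-low uidNumber fails the check outright.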
Hakuna Matata
2009-Jun-22 06:59 UTC
Re: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
Thanks a million, it works now :) really really appreciate all the help.

Best regards
--H

On Thu, Jun 18, 2009 at 4:38 PM, jean-Noël Chardron <Jean-Noel.Chardron@dr15.cnrs.fr> wrote: