I am following the instruction in Samba by Example chapter 6 on a RHEL4 server. Everything seems OK until I get to 6.3.5.7, which says to do the following:-

root# getent passwd | grep Adminstrator

which returns nothing, indicating that the nsswitch (nss_ldap library) is not working.

I cannot find anything in any of the log files to give me a clue nor any hints on how to debug this.

Any suggestions?

My configuration files are as follows:

***** /etc/openldap/slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

access to dn.base=""
        by self write
        by * auth

access to attr=userPassword
        by self write
        by * auth

access to attr=shadowLastChange
        by self write
        by * read

access to *
        by * write
        by anonymous auth

loglevel 256
#schemacheck off
#idletimeout 30

backend ldbm
database ldbm
#checkpoint 1024 5
#cachesize 10000
suffix "dc=phoenixinteriorsltd,dc=com"
rootdn "cn=Manager,dc=phoenixinteriorsltd,dc=com"
rootpw xxxxxxxx
directory /var/lib/ldap

# Indices to maintain
#index objectClass eq
#index cn pres,sub,eq
#index sn pres,sub,eq
#index uid pres,sub,eq
#index displayName pres,sub,eq
#index uidNumber eq
#index gidNumber eq
#index memberUID eq
#index sambaSID eq
#index sambaPrimaryGroupSID eq
#index sambaDomainName eq
#index default sub

***** /etc/ldap.conf

SIZELIMIT 12
TIMELIMIT 15
DEREF never
host 127.0.0.1
base dc=phoenixinteriorsltd,dc=com
binddn cn=Manager,dc=phoenixinteriorsltd,dc=com
bindpw xxxxxxxx
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=phoenixinteriorsltd,dc=com?one
nss_base_shadow ou=People,dc=phoenixinteriorsltd,dc=com?one
nss_base_group ou=Groups,dc=phoenixinteriorsltd,dc=com?one
ssl off

***** /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

***** /etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       sufficient   pam_ldap.so
#auth      required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
account    sufficient   pam_ldap.so
password   required     pam_stack.so service=system-auth
password   required     pam_ldap.so use_first_pass use_authtok
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

***** /etc/pam.d/passwd

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_ldap.so
account    required     pam_stack.so service=system-auth
account    sufficient   pam_ldap.so
password   required     pam_stack.so service=system-auth
password   required     pam_ldap.so use_first_pass use_authtok

***** /etc/pam.d/samba

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_ldap.so
account    required     pam_stack.so service=system-auth
account    sufficient   pam_ldap.so
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
password   required     pam_ldap.so use_first_pass use_authtok

***** /etc/sshd

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

Tony
On Fri, 2005-11-18 at 13:32 +0000, Tony Austin wrote:
> I am following the instruction in Samba by Example chapter 6 on a RHEL4
> server. Everything seems OK until I get to 6.3.5.7, which says to do the
> following:-
>
> root# getent passwd | grep Adminstrator
>
> which returns nothing, indicating that the nsswitch (nss_ldap library) is
> not working.
>
> I cannot find anything in any of the log files to give me a clue nor any
> hints on how to debug this.
>
> Any suggestions?
>
----
redhat? version?

does 'by Example' really suggest using ldbm?

can you perform base search from command line?

ldapsearch -x -h localhost \
  -D 'cn=Manager,dc=phoenixinteriorsltd,dc=com' \
  -W '(objectclass=*)'

and get results?

Craig
> On Fri, 2005-11-18 at 14:05 +0000, Tony Austin wrote:
>> > On Fri, 2005-11-18 at 13:32 +0000, Tony Austin wrote:
>> >> I am following the instruction in Samba by Example chapter 6 on a RHEL4
>> >> server. Everything seems OK until I get to 6.3.5.7, which says to do the
>> >> following:-
>> >>
>> >> root# getent passwd | grep Adminstrator
>> >>
>> >> which returns nothing, indicating that the nsswitch (nss_ldap library) is
>> >> not working.
>> >>
>> >> I cannot find anything in any of the log files to give me a clue nor any
>> >> hints on how to debug this.
>> >>
>> >> Any suggestions?
>> >>
>> > ----
>> > redhat? version?
>> >
>> Enterprise Linux El version 4 64-bit
> ----
> thanks - that helps
> ----
>> > does 'by Example' really suggest using ldbm?
>> >
>> No. It's my first go with LDAP and I copied it from a working RHEL3 config.
> ----
> ldbm will probably ultimately make you crazy. Continue playing with ldbm
> if you wish but consider using bdb instead...
> the following changes would need to be made

I am leaving this as it is for the moment using ldbm, I can come back to it later.

> to slapd.conf
> -------------
> # just below schema includes...
> allow bind_v2 bind_anon_dn
>
> # at the bottom of the file
> # Set the entry cache size to 5000.
> #
> cachesize 5000
>
> # Set transactional checkpoint.
> #
> checkpoint 512 720
>
> create a file called DB_CONFIG and put it into your ldap-data directory
> (/var/lib/ldap as defined in your supplied information)
>
> #
> # Set the database in memory cache size.
> #
> set_cachesize 0 52428800 0
>
> # Automatically remove log files that are no longer needed.
> set_flags DB_LOG_AUTOREMOVE
>
> #
> # Set database flags.
> # (for database loading/reindexing)
> #set_flags DB_TXN_NOSYNC
> #set_flags DB_TXN_NOT_DURABLE
>
> # Set log values.
> #
> set_lg_regionmax 1048576
> set_lg_max 10485760
> set_lg_bsize 2097152
> -----
>
> and whether you use ldbm or bdb...make sure that /etc/openldap/ldap.conf
> has at the very least...
>
> HOST 127.0.0.1
> BASE dc=phoenixinteriorsltd,dc=com
> -----

this was in place already

> you need to be able to at least perform the search as I showed you.
> ldapsearch -x -h localhost \
> -D 'cn=Manager,dc=phoenixinteriorsltd,dc=com' \
> -W '(objectclass=*)'
>
> and get results?

having followed your next suggestion this now produces results!

> did you set rootdn password properly?
>
> from command line...
> # slappasswd -s my_password
> {SSHA}e+sgS1WyGdXLEd7K+rVK3H/swmsS81Sg
>
> and copy/paste that into slapd.conf
>
> rootpw {SSHA}e+sgS1WyGdXLEd7K+rVK3H/swmsS81Sg

I had not done this (can't see any mention of slappasswd in 'by Example'). Having done this, your ldapsearch command now works but root# getent passwd | grep Administrator still does not.

> OK - either an authentication problem or a lack of data problem...let's
> set up ldap logging.
>
> **** add these two lines to /etc/syslog.conf ****
>
> local4.* /var/log/slapd.log

you say two lines here but I only see one, did it and logging occurs in slapd.log

> # service syslog restart
>
> **** change loglevel in slapd.conf to 256 ****
> ( I see you've already set it to 256 )
>
> # service ldap restart
>
> Now ldap stuff logs to /var/log/slapd.log
>
> Now you can try to connect and review slapd logs to see what it's doing.

root# ldapsearch -x -h localhost \
  -D 'cn=Manager,dc=phoenixinteriorsltd,dc=com' \
  -W '(objectclass=*)'

logs as:-

Nov 18 09:41:09 localhost slapd[12149]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:33899 (IP=0.0.0.0:389)
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" method=128
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" mech=SIMPLE ssf=0
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 RESULT tag=97 err=0 text=
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SRCH base="dc=phoenixinteriorsltd,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SEARCH RESULT tag=101 err=4 nentries=12 text=
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=2 UNBIND
Nov 18 09:41:09 localhost slapd[12149]: conn=1 fd=8 closed

root# getent passwd

logs as:-

Nov 18 09:41:52 localhost slapd[12149]: conn=2 fd=8 ACCEPT from IP=127.0.0.1:33902 (IP=0.0.0.0:389)
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" method=128
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" mech=SIMPLE ssf=0
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 RESULT tag=97 err=0 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH base="ou=People,dc=phoenixinteriorsltd,dc=com" scope=1 deref=0 filter="(objectClass=posixAccount)"
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 fd=8 closed

Tony
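As an added example (not part of the thread or of any poster's own tooling), a small Python script that reads a slapd stats log of the kind produced at loglevel 256, pairs each SRCH line with its SEARCH RESULT by conn/op, explains the outcome in the terms that matter for nss_ldap (err=4 is sizeLimitExceeded; nentries=0 on the nss_base_passwd search means the directory simply has no matching entries there), and builds an ldapsearch command that replays the same query by hand. The log lines are constructed in the format shown above, and the default host name and message wording are the example's own choices.

```python
"""Pair SRCH / SEARCH RESULT lines from a slapd stats log (loglevel 256) and explain them."""
import re

# Constructed sample in the format slapd writes at loglevel 256; base DN, scope
# and filter follow the thread, but these lines are not the poster's log.
SAMPLE_LOG = """\
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SRCH base="dc=phoenixinteriorsltd,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SEARCH RESULT tag=101 err=4 nentries=12 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH base="ou=People,dc=phoenixinteriorsltd,dc=com" scope=1 deref=0 filter="(objectClass=posixAccount)"
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

SCOPE = {0: "base", 1: "one", 2: "sub"}  # scope codes as slapd logs them
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def pair_searches(log):
    """Return one dict per search, joining SRCH with its SEARCH RESULT by (conn, op)."""
    searches = {}
    for line in log.splitlines():
        if m := SRCH_RE.search(line):
            searches[(m[1], m[2])] = {"base": m[3], "scope": int(m[4]),
                                      "filter": m[5], "err": None, "nentries": None}
        elif (m := RESULT_RE.search(line)) and (m[1], m[2]) in searches:
            searches[(m[1], m[2])].update(err=int(m[3]), nentries=int(m[4]))
    return list(searches.values())  # insertion order == order of SRCH lines


def diagnose(s):
    """Explain the server's answer in the terms that matter for getent/nss_ldap."""
    if s["err"] is None:
        return "no SEARCH RESULT logged (client disconnected or log truncated)"
    if s["err"] == 4:
        return f"sizeLimitExceeded after {s['nentries']} entries: a size limit cut the result short"
    if s["err"] != 0:
        return f"LDAP result code {s['err']}"
    if s["nentries"] == 0:
        return f"0 entries: nothing matching {s['filter']} at scope {SCOPE[s['scope']]} of {s['base']}, so the name service has no data"
    return f"{s['nentries']} entries returned"


def replay_command(s, host="localhost"):
    """ldapsearch invocation reproducing the logged query, for running by hand."""
    return f"ldapsearch -x -h {host} -b '{s['base']}' -s {SCOPE[s['scope']]} '{s['filter']}'"


if __name__ == "__main__":
    for s in pair_searches(SAMPLE_LOG):
        print(diagnose(s))
        print("  replay:", replay_command(s))
```

Run against a real /var/log/slapd.log, the second query's replay command shows directly whether any posixAccount entries exist one level below the nss_base_passwd base, which separates a "no data" problem from an authentication or ACL problem.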