LDAP client auth almost working, need help.

Jim Canfield jcanfield at tshmail.com
Tue Oct 31 16:22:12 UTC 2006


Thanks Zach!

Changing the bind policy to "soft" did the trick for boot.  That was huge!  I can also log in via gdm now...strange?!  The only problem I have now is that I can't sudo as an LDAP user.  Do you have any idea what might be causing this?

Sorry for the top post, I'm having to use a webmail client until I get things set back up.

Jim

----- Original Message -----
From: Zach 
Sent: Tue Oct 31 2006 09:46:37 GMT-0600 (CST)
Subject: Re: LDAP client auth almost working, need help.

On 10/31/06, Jim Canfield <jcanfield at tshmail.com> wrote:
> Greetings,
>
> I'm a former gentooer and this is my first post to the ubuntu list.  So far,
> I'm very impressed with ubuntu!  Great work, guys!
>
> ...Anyway, looks like the nss-ldap integration is not quite what it should
> be.  I looked at the Doc for LDAP client auth
> (https://help.ubuntu.com/community/LDAPClientAuthentication)
> and it's not correct for edgy.  Here's where I am.
>
> Problem 1:
>
> dpackage acts like it's configuring a libnss-ldap.conf  (or some type of
> ldap.conf) but it never changes.  I had to manually go in and change the
> ldap server settings.   After that `getent` seemed to be fine.
>
> Problem 2:
>
> FOOBAR BOOT!  For some ungodly reason udevd tries to connect to an ldap
> server before devices have been created.  My hunch is that it's looking for a
> group name that doesn't exist locally and trying to use ldap to resolve it.
> I've seen a few posts on the debian list regarding this looking for the
> "nogroup" or "nobody"...however ubuntu has these groups.  I'm confused.

This sounds like a problem I ran into where nsswitch was trying to
contact the ldap server early in the boot process and failing over and
over again, then only after giving up, does it proceed with booting.
In my case, I set "bind_policy" to "soft" in libnss-ldap.conf.  This
causes libnss to return immediately upon server failure rather than
backing off and trying again.  I believe this is a reported bug, but
I'm not sure.

>
> Problem 3:
>
> Can't authenticate via gdm.  I can "su ldapuser" fine and even switch to a
> virtual console and log in, but login through gdm fails miserably.
>

I would try to log in to the ldap server via ssh and run slapd
manually with debugging output turned on:
# /etc/init.d/slapd stop
# slapd -d1

the debug levels are documented in the slapd.conf(5) manpage.  They
basically are broken up into 1,2,4...2048.  You can add them together
to get specific combinations of debug output.

also have a look at your logs on both the client and server,
particularly auth.log.  tail -f is helpful here.

Are you using tls/ssl?  If so, might want to disable that first to get
logging in the clear working.  Then futz with tls.

When you do get ready to do tls, -d5 or -d7 are helpful.

I've been working with edgy and I've got it working with my dapper
ldap server.  Unfortunately I can't get to the edgy machine from here,
so I can't look at my configs.

> Any help would be greatly appreciated...
>
> Jim
>
> Configs:
>
> common-account:
>
>     account sufficient      pam_ldap.so
>     account required        pam_unix.so
>
> common-auth:
>
>     auth    sufficient      pam_ldap.so
>     auth    required        pam_unix.so nullok_secure use_first_pass
>
> common-password:
>
>     password sufficient     pam_ldap.so
>     password required       pam_unix.so nullok obscure min=4 max=8 md5
>
> common-session:
>
>     session optional        pam_unix.so
>     session required        pam_mkhomedir.so skel=/etc/skel/
>     session optional        pam_ldap.so
>     session optional        pam_foreground.so


-- 
If you reply to a message I posted in a mailing list thread,
There's a chance I may not see your response.  Feel free to
address me directly in the 'To:', in addition to posting to the list.
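The PAM stacks quoted above decide whether a login attempt succeeds, and the way the control flags (sufficient, required, optional) interact is exactly what changes when pam_ldap suddenly returns quickly under bind_policy soft. The script below is an added example, not code from either mail: it parses common-auth / common-account as posted and walks them with Linux-PAM's control-flag rules for a few constructed scenarios (the per-module result codes are assumptions standing in for what pam_ldap and pam_unix would really return). On Debian-derived systems /etc/pam.d/sudo pulls in common-auth too, but sudo's authorisation step against sudoers comes after PAM and is not modelled here.

```python
"""Walk the posted common-auth / common-account stacks with Linux-PAM's
control-flag rules.  Added example; module outcomes are constructed."""

# Constructed copy of the common-auth stack posted in the thread.
COMMON_AUTH = """
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
"""

# Constructed copy of the common-account stack posted in the thread.
COMMON_ACCOUNT = """
account sufficient      pam_ldap.so
account required        pam_unix.so
"""

# Result codes used in the simulation (names follow Linux-PAM's headers).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"   # directory unreachable


def parse_stack(text):
    """Parse 'type control module [args...]' lines, skipping blanks/comments."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        stack.append({"type": fields[0], "control": fields[1],
                      "module": fields[2], "args": fields[3:]})
    return stack


def run_stack(stack, outcomes):
    """Evaluate a stack using the simple control keywords
    (required / requisite / sufficient / optional) the way Linux-PAM does.

    outcomes maps every module name in the stack to the code it returns."""
    first_failure = None
    for entry in stack:
        result = outcomes[entry["module"]]
        ok = result == PAM_SUCCESS
        control = entry["control"]
        if control == "requisite":
            if not ok:
                return first_failure or result   # stop immediately
        elif control == "required":
            if not ok and first_failure is None:
                first_failure = result           # remember, keep walking
        elif control == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS               # short-circuit success
        elif control == "optional":
            pass   # simplified: only counts when it is the sole module
        else:
            raise ValueError("unsupported control flag %r" % control)
    return first_failure or PAM_SUCCESS


# Constructed scenarios for the auth stack (module -> returned code).
SCENARIOS = {
    # local account, correct password, directory reachable
    "local user": {"pam_ldap.so": PAM_USER_UNKNOWN, "pam_unix.so": PAM_SUCCESS},
    # directory account, correct password
    "ldap user": {"pam_ldap.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN},
    # directory account, wrong password; use_first_pass hands the same
    # password to pam_unix, which knows no such local user
    "ldap user, bad password": {"pam_ldap.so": PAM_AUTH_ERR,
                                "pam_unix.so": PAM_USER_UNKNOWN},
    # slapd down: with bind_policy soft pam_ldap gives up at once instead
    # of retrying, but the stack still ends in a denial
    "ldap user, server down": {"pam_ldap.so": PAM_AUTHINFO_UNAVAIL,
                               "pam_unix.so": PAM_USER_UNKNOWN},
}


def evaluate(stack_text, outcomes):
    """Parse one stack and return the final code for the given outcomes."""
    return run_stack(parse_stack(stack_text), outcomes)


if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        print("%-26s auth=%s" % (name, evaluate(COMMON_AUTH, outcomes)))
    print("%-26s account=%s" % ("local user",
                                evaluate(COMMON_ACCOUNT, SCENARIOS["local user"])))
```

Two things the walk makes visible: pam_ldap.so as `sufficient` means a user that exists both in the directory and in /etc/passwd is never checked against the local password once the LDAP bind succeeds, and a directory outage does not fall back to anything for LDAP-only users, it just denies them faster once bind_policy is soft.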