Hi,
I've installed Arch + OpenLDAP (v2.4.18). I can log in on the console and via ssh using the LDAP server to auth my user. It works.
But the group handling doesn't work correctly. When a user logs in, the user gets his gid (Group ID) from LDAP and (it seems) the group name is searched in the local file (/etc/group). If it doesn't exist, the user's group name will be a number. How can I solve this?
The other problem is user adding: if I add a user, the new user is created in the system files, not on the LDAP server. Why, and how can I solve it?
Thanks,
szilsan
Hi.
Revise your nsswitch.conf; there you can specify the order and systems for account, group and shadow lookup.
Also revise your PAM settings and /etc/ldap.conf (used by pam and passwd).
-
Arch64 - Acer AX3950 - i5-650 3.2 GHz - 8 GB RAM - Nvidia GeForce 320 1 GB Ram
Arch32 - Samsung NC10 - 2 GB Ram
nsswitch.conf:
passwd: ldap [NOTFOUND=continue] files
group: ldap [NOTFOUND=continue] files
shadow: ldap [NOTFOUND=continue] files
Anything else comes from files.
I think it is OK.
The /etc/openldap/ldap.conf contains only the BASE and URI. What else should it contain?
Which file should I watch in /etc/pam.d/ ? Login works (so I think login file is ok), sshd too.
Hi.
> nsswitch.conf:
> passwd: ldap [NOTFOUND=continue] files
> group: ldap [NOTFOUND=continue] files
> shadow: ldap [NOTFOUND=continue] files
The [NOTFOUND=continue] is a new option for me (never seen before), but if getent passwd, getent group and getent shadow are working for you with ldap, this should be ok.
> Anything else comes from files.
> I think it is OK.
> The /etc/openldap/ldap.conf contains only the BASE and URI. What else should it contain?
I specify /etc/ldap.conf. /etc/openldap/ldap.conf is used by other software, but pam and passwd use /etc/ldap.conf.
It should look like this (here is mine):
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
# The distinguished name of the search base.
base dc=yourdomain,dc=com
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password MD5
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd dc=yourdomain,dc=com
nss_base_shadow dc=yourdomain,dc=com
nss_base_group dc=yourdomain,dc=com
#ssl on
# Don't try forever if the LDAP server is not reachable
bind_policy soft
tls_checkpeer no
> Which file should I watch in /etc/pam.d/ ? Login works (so I think login file is ok), sshd too.
If login works, it should be ok. I think the problem could come from /etc/ldap.conf; there you specify the subtree for looking at group info.
HTH
Last edited by clmates (2009-10-01 11:46:22)
Now I can see groups. So I can execute 'chown' for a group existing only in LDAP. Thanks.
Only one thing is missing: how can I add a user to LDAP? Can I do it with useradd/adduser? I tried it, and I get an 'invalid group' message or it is created locally in /etc/passwd.
Otherwise my ldap conf file is /etc/pam_ldap.conf
thanks,
szilsan
Adding users to an LDAP-dir is something I'm also interested in. Until now I didn't think there was some other way to do this besides using 'ldapadd' (or a GUI)...
Zl.
Hi.
Well, my LDAP experience is only with SLES and openSUSE, still not tried in Arch, and in both versions of SUSE I always add users with YaST, so I have not tested with useradd, but I will test this and comment back on whether it is working or not.
Yes, I know only the 'ldapadd' way too. But I think (hope) there is a better (more elegant) way to solve it using useradd.
Well.
Try with this:
useradd newusername --service ldap -D "cn=administrator,dc=yourdomain,dc=com" -G groups -g maingroup -m -s /bin/bash
For me it is working.
Also:
userdel oldusername --service ldap -r -D "cn=Administrator,dc=yourdomain,dc=com"
The trick is the --service ldap and the -D "administrator bind dn".
I have no switch called 'service' for useradd in my Arch. What kind of Arch do you use?
Hi.
> I have no switch called 'service' for useradd in my Arch. What kind of Arch do you use?
Sorry, you are right, the Arch version of useradd has no LDAP support (cited in the man page), so it has neither this option nor the -D option as bind dn.
I have not set up LDAP on my Arch box; I tested at my company (it is an SLES box).
What you can do is a little script that does the work for you: it creates an LDIF and calls ldapadd to add the user, and finally creates the homedir and copies the /etc/skel files into it.
We could add this as a feature request for the Arch useradd maintainer, as perhaps it is only a compile option or something, I don't know.
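One way to write the script described above (an added example, not from anyone in this thread): it resolves the group through getent so groups that exist only in LDAP work, picks a free uidNumber from getent passwd (which now covers LDAP too), builds a posixAccount LDIF, feeds it to ldapadd, and populates the home directory from /etc/skel. The base DN, admin DN, ou=People and the ldap://127.0.0.1 URI are assumptions taken from or modelled on the ldap.conf posted above.

```shell
#!/bin/sh
# Added example (not from the thread): add a user to LDAP the way the post above
# describes, since Arch's useradd has no --service ldap. Base DN, admin DN and
# ou=People are placeholders; ldapadd prompts for the admin password (-W).
BASE_DN="dc=yourdomain,dc=com"            # placeholder, as in the ldap.conf above
ADMIN_DN="cn=administrator,${BASE_DN}"    # placeholder bind DN
PEOPLE_OU="ou=People,${BASE_DN}"          # assumption: accounts live here
LDAP_URI="ldap://127.0.0.1"               # matches 'host 127.0.0.1' in ldap.conf

# Pick the next free uidNumber from passwd-format lines on stdin. Feeding it
# 'getent passwd' covers both /etc/passwd and LDAP, thanks to nsswitch.conf.
next_uid() {
    awk -F: '$3 >= 1000 && $3 < 60000 && $3 > m { m = $3 } END { print (m ? m : 999) + 1 }'
}

# Print the LDIF for a posixAccount. Args: username uidNumber gidNumber shell
make_user_ldif() {
    cat <<EOF
dn: uid=$1,${PEOPLE_OU}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: $4
EOF
}

# add_user NAME GROUP [SHELL]: resolve the group via getent (works for groups
# that exist only in LDAP), add the entry, then populate the home directory.
add_user() {
    name=$1; group=$2; shell=${3:-/bin/bash}
    gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$gid" ] || { echo "invalid group: $group" >&2; return 1; }
    uid=$(getent passwd | next_uid)
    make_user_ldif "$name" "$uid" "$gid" "$shell" |
        ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W || return 1
    mkdir "/home/$name" && cp -a /etc/skel/. "/home/$name" \
        && chown -R "$uid:$gid" "/home/$name"
    # Set the password afterwards via the password-modify extended operation.
    ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -S "uid=$name,${PEOPLE_OU}"
}

# Only act when invoked with arguments, e.g.: ./ldapuseradd.sh alice users
if [ $# -ge 2 ]; then add_user "$@"; fi
```

mkdir without -p is deliberate: if the home directory already exists the script stops rather than chown-ing someone else's files.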
Yes... write a small script... I don't know any other way. But it would be so nice to solve it with a simple useradd....
So, let's make a request for it.