
#1 2009-10-01 09:27:04

szilsan
Member
Registered: 2009-10-01
Posts: 6

LDAP + OS group

Hi,

I've installed Arch + OpenLDAP (v2.4.18). I can log in on the console and via ssh using the LDAP server to authenticate my user. It works.
But the group handling doesn't work correctly. When the user logs in, the user gets his gid (Group ID) from LDAP and (it seems) the group name is searched for in the local file (/etc/group). If it doesn't exist there, the user's group name will be a number. How can I solve this?

The other problem is adding users: if I add a user, the new user is created in the system files, not in the LDAP server. Why, and how can I solve it?

Thanks,
szilsan


#2 2009-10-01 10:29:42

clmates
Member
From: A Coruña - España
Registered: 2009-04-25
Posts: 79

Re: LDAP + OS group

Hi.

Revise your nsswitch.conf; there you can specify the order and systems for account, group and shadow lookup.

Also revise your pam settings and /etc/ldap.conf (used by pam and passwd).


-

Arch64 - Acer AX3950 - i5-650 3.2 GHz - 8 GB RAM - Nvidia GeForce 320 1 GB Ram
Arch32 - Samsung NC10 - 2 GB Ram


#3 2009-10-01 10:38:35

szilsan
Member
Registered: 2009-10-01
Posts: 6

Re: LDAP + OS group

nsswitch.conf:
passwd: ldap [NOTFOUND=continue] files
group: ldap [NOTFOUND=continue] files
shadow: ldap [NOTFOUND=continue] files

Anything else comes from files.

I think it is OK.

The /etc/openldap/ldap.conf contains only the BASE and URI. What else should it contain?

Which file should I watch in /etc/pam.d/? Login works (so I think the login file is ok), sshd too.


#4 2009-10-01 11:41:05

clmates
Member
From: A Coruña - España
Registered: 2009-04-25
Posts: 79

Re: LDAP + OS group

Hi.

szilsan wrote:

nsswitch.conf:
passwd: ldap [NOTFOUND=continue] files
group: ldap [NOTFOUND=continue] files
shadow: ldap [NOTFOUND=continue] files

The [NOTFOUND=continue] is a new option for me (never seen it before), but if getent passwd, getent group and getent shadow are working for you with ldap, this should be ok.

szilsan wrote:

anything else comes from files.

I think it is OK.

The /etc/openldap/ldap.conf contains only the BASE and URI. What else should it contain?

I specify /etc/ldap.conf. /etc/openldap/ldap.conf is used by other software, but pam and passwd use /etc/ldap.conf.

It should look like this (here is mine):

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
host    127.0.0.1

# The distinguished name of the search base.
base    dc=yourdomain,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version    3


# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password    MD5

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop


# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl    start_tls
nss_map_attribute    uniqueMember member
pam_filter    objectclass=posixAccount
nss_base_passwd    dc=yourdomain,dc=com
nss_base_shadow    dc=yourdomain,dc=com
nss_base_group     dc=yourdomain,dc=com
#ssl on

# Don't try forever if the LDAP server is not reachable
bind_policy    soft
tls_checkpeer    no

szilsan wrote:

Which file should I watch in /etc/pam.d/? Login works (so I think the login file is ok), sshd too.

If login works, it should be ok. I think the problem could come from /etc/ldap.conf; there you specify the subtree for looking up group info.


HTH

Last edited by clmates (2009-10-01 11:46:22)



#5 2009-10-01 12:15:18

szilsan
Member
Registered: 2009-10-01
Posts: 6

Re: LDAP + OS group

Now I can see groups, so I can execute 'chown' for a group existing only in LDAP. Thanks :)
Only one thing is missing: how can I add a user to LDAP? Can I do it with useradd/adduser? I tried it, and I got an 'invalid group' message, or it was created locally in /etc/passwd.

By the way, my ldap conf file is /etc/pam_ldap.conf.

thanks,
szilsan


#6 2009-10-01 16:08:24

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221
Website

Re: LDAP + OS group

Adding users to an LDAP directory is something I'm also interested in. Until now I didn't think there was any other way to do this besides using 'ldapadd' (or a GUI)...

Zl.


#7 2009-10-02 07:39:17

clmates
Member
From: A Coruña - España
Registered: 2009-04-25
Posts: 79

Re: LDAP + OS group

Hi.

Well, my LDAP experience is only with SLES and openSUSE; I still have not tried it in Arch. In both versions of SUSE I always add users with YaST, so I have not tested with useradd, but I will test this and report back whether it works or not.



#8 2009-10-02 08:00:33

szilsan
Member
Registered: 2009-10-01
Posts: 6

Re: LDAP + OS group

Yes, I only know the 'ldapadd' way too. But I think (hope) there is a better (more elegant) way to solve it using useradd.


#9 2009-10-02 08:13:14

clmates
Member
From: A Coruña - España
Registered: 2009-04-25
Posts: 79

Re: LDAP + OS group

Well.

Try this:

useradd newusername --service ldap -D "cn=administrator,dc=yourdomain,dc=com" -G groups -g maingroup -m -s /bin/bash

For me it is working.


Also:

userdel oldusername --service ldap -r -D "cn=Administrator,dc=yourdomain,dc=com"

The trick is the --service ldap and the -D "administrator bind DN".



#10 2009-10-02 08:17:23

szilsan
Member
Registered: 2009-10-01
Posts: 6

Re: LDAP + OS group

I have no switch called 'service' for useradd in my Arch :( What kind of Arch do you use?


#11 2009-10-02 08:54:32

clmates
Member
From: A Coruña - España
Registered: 2009-04-25
Posts: 79

Re: LDAP + OS group

Hi.


szilsan wrote:

I have no switch called 'service' for useradd in my Arch :( What kind of Arch do you use?

Sorry, you are right, the Arch version of useradd has no LDAP support (cited in the man page), so it has neither this option nor the -D option for the bind DN.
I have not set up ldap on my Arch box; I tested on a box at my company (it is an SLES box).


What you can do is a little script that does the work for you: it creates an LDIF and calls ldapadd to add the user, and finally creates the home dir and copies the /etc/skel files into it.


We can add this as a feature request for the Arch useradd maintainer, as perhaps it is only a compile option or something, I don't know.


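The script clmates describes, written out as an added example (not code from the thread or from any Arch package): it builds a posixAccount LDIF, hands it to ldapadd, and creates the home directory from /etc/skel. BASE_DN, ADMIN_DN, PEOPLE_OU and LDAP_URI are assumptions; the uidNumber is picked from what NSS already sees (LDAP plus /etc/passwd) so it cannot collide with a local account.

```shell
#!/bin/sh
# ldap-useradd.sh: added example (not from the thread) of the script clmates describes:
# build an LDIF for a posixAccount, feed it to ldapadd, then create the home dir from
# /etc/skel. BASE_DN, ADMIN_DN, PEOPLE_OU and LDAP_URI below are assumptions.
BASE_DN="${BASE_DN:-dc=yourdomain,dc=com}"
ADMIN_DN="${ADMIN_DN:-cn=administrator,$BASE_DN}"
PEOPLE_OU="${PEOPLE_OU:-ou=People}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"

# Print the LDIF for one user. No userPassword here: the password is set
# afterwards with ldappasswd, so no hash lands in the LDIF or the shell history.
make_ldif() {
    user="$1"; uidnum="$2"; gidnum="$3"; gecos="$4"; shell="${5:-/bin/bash}"
    cat <<EOF
dn: uid=$user,$PEOPLE_OU,$BASE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $gecos
uid: $user
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$user
loginShell: $shell
gecos: $gecos
EOF
}

# Next free uidNumber at or above 10000 as seen through nsswitch (LDAP and
# /etc/passwd together), so the new account cannot collide with a local one.
next_uid() {
    getent passwd | awk -F: -v min=10000 '$3 >= min && $3 > max { max = $3 } END { print (max ? max + 1 : min) }'
}

# Create the account. $2 is the primary group; it must already resolve through
# NSS (this is the check behind useradd's "invalid group" message).
ldap_useradd() {
    user="$1"; group="$2"; gecos="${3:-$1}"
    getent passwd "$user" >/dev/null && { echo "user $user already exists" >&2; return 1; }
    gidnum=$(getent group "$group" | cut -d: -f3)
    [ -n "$gidnum" ] || { echo "invalid group: $group" >&2; return 1; }
    uidnum=$(next_uid)
    make_ldif "$user" "$uidnum" "$gidnum" "$gecos" | ldapadd -x -W -D "$ADMIN_DN" -H "$LDAP_URI" || return 1
    install -d -m 0700 -o "$uidnum" -g "$gidnum" "/home/$user"
    cp -a /etc/skel/. "/home/$user" && chown -R "$uidnum:$gidnum" "/home/$user"
    ldappasswd -x -W -D "$ADMIN_DN" -H "$LDAP_URI" -S "uid=$user,$PEOPLE_OU,$BASE_DN"
}

if [ $# -ge 2 ]; then ldap_useradd "$@"; fi   # usage: ./ldap-useradd.sh alice users "Alice"
```

ldapadd and ldappasswd each prompt for the admin bind password (-W); the account only becomes visible to getent once the entry is in the directory and nss_base_passwd covers its subtree.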

#12 2009-10-02 09:01:02

szilsan
Member
Registered: 2009-10-01
Posts: 6

Re: LDAP + OS group

Yes... write a small script... I don't know any other way. But it would be so nice to solve it with a simple useradd....
So, let's make a request for it :)
