Nabble - LDAP NIS

Re: ldap_sasl_interactive_bind_s: Invalid credentials

2007-12-17T17:49:20Z

BJP schrieb:

> I have a NIS server that authenticates its users against a central LDAP
> server. To verify that it uses DIGEST-MD5 authentication, I ran the
> following command:
>
> [snip]
> $ ldapsearch -Y DIGEST-MD5 -h ids.mot.com -b
> ou=people,ou=intranet,dc=motorola,dc=com -D
> motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com -W -v motguid=XJC864
> ldap_init( ids.mot.com, 0 )
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials
> additional info: SASL(-1): generic failure: unable canonify user and
> get auxprops
> $
> [snap]
>
> As you can see, it starts MD5 authentication but get this error (even though
> I enter the correct password). Has anyone encountered and fixed such an
> error? Does anyone know how to troubleshoot this error? Any assistance would
> be appreciated.
>
> Thank you,
> BJP
>
>

add the '-x' switch to above ldapsearch command, this will force it to
use simple auth instead of SASL.

Hope that helps,

--
Helmut

ldap_sasl_interactive_bind_s: Invalid credentials

2007-12-17T10:23:53Z

I have a NIS server that authenticates its users against a central LDAP server. To verify that it uses DIGEST-MD5 authentication, I ran the following command:

[snip]
$ ldapsearch -Y DIGEST-MD5 -h ids.mot.com -b ou=people,ou=intranet,dc=motorola,dc=com -D motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com -W -v motguid=XJC864
ldap_init( ids.mot.com, 0 )
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
additional info: SASL(-1): generic failure: unable canonify user and get auxprops
$
[snap]

As you can see, it starts MD5 authentication but get this error (even though I enter the correct password). Has anyone encountered and fixed such an error? Does anyone know how to troubleshoot this error? Any assistance would be appreciated.

Thank you,
BJP

Re: Scalability problem

2007-10-13T14:51:46Z

Wow, I didn't even know this list was still around.

> I am using pam ldap module to interface to a directory service
> containing identity information. My directory contains an very big
> number of groups, in the order of some thousands. Sniffing the network
> i see that a lot of gloabal searches ( reqeusts for all the groups in
> the directory ) are sent toward the directory. This causes a lot of

Yes, this is the braindead manner in which NSS enumerates groups; it is
really horrible but it is also the long standing behavior of libc/glibc.
So in UNIX-land we are stuck with it.

> network traffic and poses some awkard scalability problems. Is there
> any way to avoid this kind of queries, or is there any way to solve
> this scalability problem???

To ameliorate this issue you can (a) use access control to limit what
groups a host sees, removing groups not relevant to a host, (b) use a
local partial replicant [easy with sync-repl] to maintain a copy of the
groups branch of the Dit, (c) use an alternative to nss_ldapd such as
nss-ldapd [http://ch.tudelft.nl/~arthur/nss-ldapd/] possibly in
conjunction with nss_updatedb
[http://www.padl.com/OSS/nss_updatedb.html]

Scalability problem

2007-10-12T06:51:23Z

I am using pam ldap module to interface to a directory service
containing identity information. My directory contains an very big
number of groups, in the order of some thousands. Sniffing the network
i see that a lot of gloabal searches ( reqeusts for all the groups in
the directory ) are sent toward the directory. This causes a lot of
network traffic and poses some awkard scalability problems. Is there
any way to avoid this kind of queries, or is there any way to solve
this scalability problem???
Thanks in advance,
Luca Regini.

chsh

2007-04-17T01:02:16Z

Can the user change the loginShell on openldap by oneself?
I want to know if there is a method.

I did not succeed though I tested the script "chsh" that existed in
pam_ldap.

% pam_ldap-182/chsh
Password:
Enter the new value, or press return for the default

Login Shell [/bin/tcsh]: /bin/csh
failed: modifications require authentication

my slapd.conf
----
...
access to attrs=userPassword
by self write
by users read
by anonymous auth

access to *
by self write
by users read
by anonymous read

----

thank you.

Issues with migrate_netgroup_byuser.pl and migrate_netgroup_byhost.pl

2007-03-02T10:26:45Z

Hi,

I have used the PADL migration toos migrate_netgroup.pl,
migrate_netgrou_byuser.pl and migrate_netgroup_byhost.pl to move NIS
information to LDAP on my RHEL 4 systems. I see entry of

nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

but nothing for netgroup.byuser or netgroup.byhost entries in /etc/
ldap.conf file.
I have searched around the net and I didn't find any specific
information concerning how I would effectively using these two maps
in an LDAP environment. I didn't see any queries in the openldap log
files using these maps either.

Do we need these netgroup.byuser and netgroup.byhost entries in an
LDAP environment?
I will appreciate if anyone can give me advices concerning with this
issue.

Thank you very much.

Zhi-Wei Lu
Institue for Data Analysis and Visualization (IDAV)
UC Davis Phone: (530) 752-0494
Davis, CA 95616 Fax: (530) 752-8894

Re: Multivalued attributes with nss_ldap

2007-02-22T09:48:53Z

> Is it possible to use multivalued attributes in nss_ldap?
> For example if I changed the schema of one of the posixAccount
> attributes, lets say loginShell

Don't change standard schemas.

> so that it would accept multivalued entries, would I be able to map the
> correct attribute on the host?
> from the ldif entry...
> loginShell:/bin/bash;/bin/sh; etc etc
> on the host in ldap.conf
> nss_map_attribute loginShell 2nd Attribute

No, the values in an LDAP attribute are a *SET*; the definition of "set"
is a collection of unique and unordered values. There is no 2nd
attribute, there is only the attribute that happens to be listed after
the first that was listed and before the third that was listed.

Multivalued attributes with nss_ldap

2007-02-21T13:48:51Z

Is it possible to use multivalued attributes in nss_ldap?

For example if I changed the schema of one of the posixAccount
attributes, lets say loginShell
so that it would accept multivalued entries, would I be able to map the
correct attribute on the host?

from the ldif entry...

loginShell:/bin/bash;/bin/sh; etc etc

on the host in ldap.conf

nss_map_attribute loginShell 2nd Attribute

Thanks

Configuration Problem

2006-10-07T16:23:28Z

Hi;
I'm trying to configure ldapprofile on FreeBSD 6.1
(couldn't find a
port, so doing it from source). However, it complains
that it can't find
ldap.h Now, that file's located in /usr/local/include.
I tried throwing
each of the following flags at it:
./configure --oldincludedir=/usr/local/include
./configure --includedir=/usr/local/include
but it didn't like either...same complaint. What do?
TIA,
Ted

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

ypserv hangs when multiple clients connect unless run interactively

2006-09-25T01:31:21Z

Hello,

I recently made a NIS installation with (currently) only one NIS server and 20 NIS clients. They are all running RedHat Enterprise Linux 4.0 update 3.

The clients' yp.conf contains only:

domain GROUP server IP-ADDRESS-OF-SERVER

and nsswitch.conf is set up as follows:

passwd: files nis
shadow: files nis
group: files nis
hosts: files dns nis
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
automount: nis [NOTFOUND=return] files
aliases: files

When I want to run the same command on all NIS clients, I use passwordless ssh to run the command on all machines simultaneously (by backgrounding ssh). However, this almost always causes the NIS server to become unresponsive (hang). This causes the clients to hang as well and start outputting a combination of the following:

do_ypcall: clnt_call: RPC: Timed out
YPBINDPROC_DOMAIN: Domain not bound
do_ypcall: clnt_call: RPC: Unable to receive; errno = Connection refused

Restarting the ypserv daemon (sometimes it is necessary to do so numerous times) allows the commands to complete.

I noticed that if I don't background ssh and run the commands on the clients in series (not simultaneously), the problem occurs much less often. So, I concluded that multiple clients connecting simultaneously to ypserv are causing the NIS server to become unresponsive.

Therefore, I decided to run the NIS server interactively in order to see what the problem is. However, when the server is interactive, the problem does not occur at all! As a work-around, I modified the ypserv init.d script to start ypserv with the "-d" option (in debug interactive mode) and I direct the output to /dev/null.

If anybody has ideas what is causing this, please let me know. Of course, I intend to set up a NIS slave server as well, but didn't think that 20 clients could cause the master to become unresponsive so easily. So, I suspect I'm doing something wrong and want to fix it.

Thanks!
Iordan Iordanov

netgroup problem on AIX 4.3 and 5.1

2006-04-14T03:38:59Z

Hi,

Has anyone here already used netgroups on AIX 4.3 and/or 5.1 clients via
nss_ldap ?

I compiled nss_ldap on AIX 4.3 5.1 and 5.3, and only AIX 5.3 sends
requests related to netgroups (via ng_test() function).

On these 3 AIX flavours the ng_pvtinit() function is called, but
on AIX 4.3 and 5.1, nothing else happens concerning netgroups.

I precise that other LDAP requests perform well, I can resolve users,
groups, and can authenticate LDAP users via nss_ldap. Everything works
but netgroups.

Concerning the conf files:
- nss_ldap netgroup resolution is defined in /etc/irs.conf
- netgroup option is set in /lib/security/methods.cfg for NSS_LDAP
- netgroups to check are declared in /etc/passwd (+@netgroup)
- default user has SYSTEM and registry attributes set to compat

Did I miss configuration tricks needed on AIX 4.3 and 5.1 ?

Best regards.

--
Xavier Lapie