Nabble - PADL Lists

Re: Kerberos Autorenew and Autorefresh

2008-07-08T01:41:15Z

Thomas Glanzmann wrote:

Hallo Howard,

* Howard Wilkinson howard@... [080702 11:37]:

About a year ago I contributed some code to the nss_ldap core which 
appeared in the mainstream for release 258. This code supports auto renew 
and auto refresh of Kerberos tickets using either a previously created 
cache or a keytab. I have been running kstart to get the initial ticket but 
tried to turn this feature off and let the initial ticket be created by the 
code in nss_ldap. This has not worked for me :-[  and I was wondering if 
anybody else has tried and succeeded with this.

So can I get a poll of anybody who is using these features and what sort of 
success they have had with them.

I am going to debug my problem over the next few days but if anybody has a 
working config and would be willing to share I would be grateful


never used it, thought about it, but I saw this morning the following
bugreport including patch, hopefully it helps you get going. Please let
me know if you succeed because I'm heavily thinking about such a setup.

http://bugzilla.padl.com/show_bug.cgi?id=368

        Thomas

I have just posted a patch set again 259 which should make all of this work! I posted it against bug 298 in the bugzilla database. If people could try this out and let me know how they get on I would be grateful.

From forum: NSS LDAP

I am now on Refriendz!

2008-07-06T01:45:04Z

Hi!
I would like to invite you to visit my Refriendz page and see my latest photos.

In order to visit my space, you must go to:
http://www.refriendz.com/?do=Login.Invite&rid=jmaan&email=pamldap@...

(If this link does not work, please copy and paste it into your browser or go to www.refriendz.com and enter 'jmaan' as Invitation ID to Login to the web site.)

P.S. Refriendz is Invitation-Only, so do not miss your chance to visit my page!

Cheers!

jmaan

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unsubscribe: to opt out of ALL future emails from Refriendz, visit:
http://www.refriendz.com/?do=Login.RemoveEntry&email=pamldap@...

Please do not reply directly to this email. This mailbox is not monitored and you will not receive a response.

Refriendz Limited, PO BOX 1184, Luton, Bedfordshire, LU1 9AT, UK.

From forum: PAM LDAP

Re: Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-07-04T05:45:09Z

On 04/07/2008, at 9:46 PM, Tim Small wrote:

> Hello,
>
> I was wondering if there had been any progress on this issue? I've
> hit the same thing recently myself.
>
> In particular, would it be possible to manually downgrade to an
> older nscd binary as a workaround, and if so, any ideas what the
> implications of this would be (apart from any future security
> updates etc.)?
>
> It also occurred to me that downloading and compiling the nscd
> source from opensolaris might be a useful debugging route...

I took a look at the OpenSolaris nss_ldap code today. The interface
has changed significantly -- it will be a fair bit of work to support
the new interfaces (not impossible, though).

-- Luke

From forum: NSS LDAP

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-07-04T04:46:30Z

Hello,

I was wondering if there had been any progress on this issue? I've hit
the same thing recently myself.

In particular, would it be possible to manually downgrade to an older
nscd binary as a workaround, and if so, any ideas what the implications
of this would be (apart from any future security updates etc.)?

It also occurred to me that downloading and compiling the nscd source
from opensolaris might be a useful debugging route...

Regards,

Tim.

--
South East Open Source Solutions Limited
Registered in England and Wales with company number 06134732.
Registered Office: 71 Tylehurst Drive, Redhill, Surrey, RH1 6EL
VAT number: 900 6633 53 http://seoss.co.uk/ +44-(0)1273-808309

From forum: NSS LDAP

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-07-04T03:41:55Z

Hello,

I was wondering if there had been any progress on this issue? I've hit the
same thing recently myself.

In particular, would it be possible to manually downgrade to an older nscd
binary as a workaround, and if so, any ideas what the implications of this
would be?

It also occurred to me that downloading and compiling the nscd source from
opensolaris might be a useful debugging route...

Regards,

Tim.
--
View this message in context: http://www.nabble.com/Solaris-10%3A-As-soon-as-nscd-is-running-getpwnam-on-a-ldap-account-fails-tp17713578p18277063.html
Sent from the NSS LDAP mailing list archive at Nabble.com.

From forum: NSS LDAP

Re: pam_ldap and openssh

2008-07-03T11:43:38Z

I think I am getting the same issue. ldapwhoami and apache2+mod_authnz_ldap work fine, but ssh does not. Did you manage to get any further with this?

Neil

Jokke Heikkila wrote:

I found this exact same problem from archives back at 2005-12 but
didn't find the answer. The problem is that i have (Debian) box, which
is set up to authenticate against openldap server for anybody who ssh
in. That doesn't work since for some reason the pam_ldap is suplying
garbage password to ldap server. Below is a tcpdump on a simple bind
with normal ldap tools and next the same when trying to login with ssh.

debianBox:~# ldapwhoami -x -D uid=kopsuopi,cn=users,dc=kuva,dc=fi -w
secret
dn:uid=kopsuopi,cn=users,dc=kuva,dc=fi
Result: Success (0)

0000 00 0a 95 a5 e7 e8 00 13 72 53 67 e9 08 00 45 00 ........
rSg...E.
0010 00 6b 0c 07 40 00 40 06 a9 66 c1 a7 80 eb c1
a7 .k..@.@. .f......
0020 80 e5 e9 79 01 85 2a e3 19 f1 51 17 f6 76 80
18 ...y..*. ..Q..v..
0030 00 2e 85 7d 00 00 01 01 08 0a b6 44 15 f5 14
45 ...}.... ...D...E
0040 0f 5d 30 35 02 01 01 60 30 02 01 03 04 23 75 69 .]05...`
0....#ui
0050 64 3d 6b 6f 70 73 75 6f 70 69 2c 63 6e 3d 75 73 d=kopsuo
pi,cn=us
0060 65 72 73 2c 64 63 3d 6b 75 76 61 2c 64 63 3d 66 ers,dc=k
uva,dc=f
0070 69 80 06 73 65 63 72 65
74 i..secre t <------
PASSWORD SEND CORRECTLY

And the dump with same user trying to ssh in:

0000 00 0a 95 a5 e7 e8 00 13 72 53 67 e9 08 00 45 00 ........
rSg...E.
0010 00 91 6a e9 40 00 40 06 4a 5e c1 a7 80 eb c1 a7 ..j.@.@.
J^......
0020 80 e5 c4 a6 01 85 aa 66 eb 87 ee 86 94 4c 80
18 .......f .....L..
0030 00 5b 85 a3 00 00 01 01 08 0a bc b8 81 ea 14 52 .
[...... .......R
0040 47 2c 30 5b 02 01 03 60 37 02 01 03 04 23 75 69 G,0[...`
7....#ui
0050 64 3d 6b 6f 70 73 75 6f 70 69 2c 63 6e 3d 75 73 d=kopsuo
pi,cn=us
0060 65 72 73 2c 64 63 3d 6b 75 76 61 2c 64 63 3d 66 ers,dc=k
uva,dc=f
0070 69 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 i......I
NCORRECT <------PASSWORD ??
0080 a0 1d 30 1b 04 19 31 2e 33 2e 36 2e 31 2e 34 2e ..0...1.
3.6.1.4.
0090 31 2e 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 1.42.2.2
7.8.5.1

I've been strugling with this some time now and any clarification
where to look on this is greatly appreciated.

Jokke H.

From forum: PAM LDAP

Re: Kerberos Autorenew and Autorefresh

2008-07-02T03:15:30Z

Hallo Howard,

* Howard Wilkinson <howard@...> [080702 11:37]:
> About a year ago I contributed some code to the nss_ldap core which
> appeared in the mainstream for release 258. This code supports auto renew
> and auto refresh of Kerberos tickets using either a previously created
> cache or a keytab. I have been running kstart to get the initial ticket but
> tried to turn this feature off and let the initial ticket be created by the
> code in nss_ldap. This has not worked for me :-[ and I was wondering if
> anybody else has tried and succeeded with this.

> So can I get a poll of anybody who is using these features and what sort of
> success they have had with them.

> I am going to debug my problem over the next few days but if anybody has a
> working config and would be willing to share I would be grateful

never used it, thought about it, but I saw this morning the following
bugreport including patch, hopefully it helps you get going. Please let
me know if you succeed because I'm heavily thinking about such a setup.

http://bugzilla.padl.com/show_bug.cgi?id=368

Thomas

From forum: NSS LDAP

Kerberos Autorenew and Autorefresh

2008-07-01T08:30:15Z

About a year ago I contributed some code to the nss_ldap core which
appeared in the mainstream for release 258. This code supports auto
renew and auto refresh of Kerberos tickets using either a previously
created cache or a keytab. I have been running kstart to get the initial
ticket but tried to turn this feature off and let the initial ticket be
created by the code in nss_ldap. This has not worked for me :-[ and I
was wondering if anybody else has tried and succeeded with this.

So can I get a poll of anybody who is using these features and what sort
of success they have had with them.

I am going to debug my problem over the next few days but if anybody has
a working config and would be willing to share I would be grateful

Howard.

From forum: NSS LDAP

Re: client timeout - update

2008-06-23T13:23:50Z

Buchan Milne wrote:

> On Wednesday 11 June 2008 17:03:23 Eric Ritchie wrote:
>
>> I'm using LDAP for passwd, group, automap and netgroup functions, it is
>> a replacement for NIS. When the OS is using LDAP for these functions,
>> such as id or finger, it uses /lib/libnss_ldap.so and the /etc/ldap.conf
>> file. When I run any of the ldap commands, such as ldapsearch, it uses
>> /usr/lib/libldap and /etc/openldap/ldap.conf. I'm more concerned with
>> the OS hanging when it tries to perform an LDAP lookup than ldapsearch
>> hanging. So I would need a newer libnss_ldap to take advantage of new
>> OpenLDAP features.
>>
>
> Most likely it would be sufficient to install newer OpenLDAP libraries, and
> compile nss_ldap against the newer libraries.
>

OpenLDAP 2.4.10 NETWORK_TIMEOUT feature definitely works much better. I
installed the ldapsearch program and the client libraries. When I
shutdown a server, ldapsearch hangs for just a second and then connects
to the next server, before it would hang for a really long time.
Recompiling nss_ldap is a little over my head. I tried downloading
nss_ldap from PADL and compiling it with the latest LDAP libraries but
its still ignoring the NETWORK_TIMEOUT setting. If I set bind_timelimit
to 1, there is still about a 10 second delay when the OS is querying
LDAP, it doesn't seem to matter if I set bind_policy to soft, getting
nss_ldap to support the new NETWORK_TIMEOUT would really help.

Eric

> However, in my case, bind_policy soft is sufficient to prevent problems when a
> server "fails" (well, more often the client's networking isn't correctly
> configured). But, if the client can't reach the server (bad routing, firewall
> dropping packets instead of denying), then I would expect the behaviour you
> are seeing, or if the LDAP server were to hang on an open connection (but I
> haven't seen that in a few years).
>
> Regards,
> Buchan
>
>
>

--
Eric Ritchie
Interactive Brokers LLC
203-618-5868

From forum: NSS LDAP

SASL DIGEST-MD5?

2008-06-16T11:25:56Z

Greetings,

I'm trying to get DIGEST-MD5 authentication working in my nss_ldap config, but I seem to be having problems. Basically, I have a slapd server proxying to an Active Directory server. With a simple bind, it works just fine. As for the SASL authentication, I know it works through my slapd proxy because I've verified it with ldapsearch/ldapwhoami commands, but it doesn't work through nss_ldap.

[user@host ~]$ ldapsearch -LLL -U ldaptest@company.com "uid=ldaptest" cn
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: ldaptest@company.com
SASL SSF: 128
SASL data security layer installed.
dn: cn=Ldap Test,ou=Users,dc=company,dc=com
cn: Ldap Test

However, when I try to id my user:
[user@host ~]$ id ldaptest
id: ldaptest: No such user

The following is the output from my slap debug logging when I run the 'id' command:
slapd[11329]: conn=22 fd=11 ACCEPT from IP=10.1.0.220:5947 (IP=0.0.0.0:389)
slapd[11329]: conn=22 op=0 BIND dn="" method=128
slapd[11329]: conn=22 op=0 RESULT tag=97 err=0 text=
slapd[11329]: conn=22 op=1 SRCH base="ou=Users,dc=company,dc=com" scope=2 deref=0 filter="(&(?objectClass=user)(?SAMACCOUNTNAME=ldaptest))"
slapd[11329]: conn=22 op=1 SRCH attr=sAMAccountName userPassword uidNumber gidNumber cn unixHomeDirectory loginShell gecos description objectClass
slapd[11329]: conn=22 op=2 UNBIND
slapd[11329]: conn=22 op=1 SEARCH RESULT tag=101 err=48 nentries=0 text=
slapd[11329]: conn=22 fd=11 closed

And, the output when I successfully run the ldapsearch command above:
slapd[11329]: conn=26 fd=11 ACCEPT from IP=10.1.0.220:54539 (IP=0.0.0.0:389)
slapd[11329]: conn=26 op=0 BIND dn="" method=163
slapd[11329]: conn=26 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
slapd[11329]: conn=26 op=1 BIND dn="" method=163
slapd[11329]: conn=26 op=1 BIND authcid="ldaptest@company.com" authzid="ldaptest@company.com"
slapd[11329]: conn=26 op=1 BIND dn="uid=ldaptest@company.com,cn=digest-md5,cn=auth" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
slapd[11329]: conn=26 op=1 RESULT tag=97 err=0 text=
slapd[11329]: conn=26 op=2 SRCH base="ou=Users,dc=company,dc=com" scope=2 deref=0 filter="(uid=ldaptest)"
slapd[11329]: conn=26 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[11329]: conn=26 op=3 UNBIND
slapd[11329]: conn=26 fd=11 closed

From the looks of it to me, nss_ldap is not using the correct 'method' when it's doing the search, as indicated in bold above. My /etc/ldap.conf looks like this:

host ldaphost.company.com
base ou=Users,dc=company,dc=com
scope sub
timelimit 120
bind_timelimit 1200
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=Users,dc=company,dc=com?sub
nss_base_shadow ou=Users,dc=company,dc=com?sub
nss_base_group ou=Groups,dc=company,dc=com?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
pam_sasl_mech DIGEST-MD5
sasl_secprops maxssf=0
sasl_authid ldaptest@company.com

Am I using the wrong options in ldap.conf (pam_sasl_mech, etc.)? I've tried enabling the "use_sasl on" feature, but it seems to cause a "local error" in the logs when I try to search with that. Do I need to recompile with some special options enabled?

I'm using nss_ldap 2.53 -> openldap 2.4.9 -> AD (Windows 2K3 R2).

Any help is greatly appreciated. Thanks.

From forum: NSS LDAP

release 0.6.3 of nss-ldapd

2008-06-15T07:48:23Z

A new release of nss-ldapd was made which fixes a number of bugs in the
0.6.2 release and tries to focus in stabillity. This release is
available from:
http://ch.tudelft.nl/~arthur/nss-ldapd/

Some more improvements to the retry and fail-over mechanism have been
made and support for groups with up to around 150000 members has been
added. The nslcd daemon can now be run under a separate user and group
and SASL authentication has been improved.

For more information and changes in this release, please see the URL
above. Any feedback is greatly appreciated. Thanks for all the feedback
already provided.

--
-- arthur - arthur@... - http://ch.tudelft.nl/~arthur --

signature.asc (204 bytes) Download Attachment

From forum: NSS LDAP

Re: client timeout

2008-06-11T08:03:23Z

I'm using LDAP for passwd, group, automap and netgroup functions, it is
a replacement for NIS. When the OS is using LDAP for these functions,
such as id or finger, it uses /lib/libnss_ldap.so and the /etc/ldap.conf
file. When I run any of the ldap commands, such as ldapsearch, it uses
/usr/lib/libldap and /etc/openldap/ldap.conf. I'm more concerned with
the OS hanging when it tries to perform an LDAP lookup than ldapsearch
hanging. So I would need a newer libnss_ldap to take advantage of new
OpenLDAP features.

Thanks

Eric

Howard Chu wrote:

> Eric Ritchie wrote:
>> I'm having an issue with client response when a server fails. This may
>> be the same issue discussed in the thread "No timeout for nss ldap". I
>> have 3 servers running openldap 2.3.39. I have several Redhat 4 clients.
>> I configured the uri line with the 3 servers on each client:
>> uri ldap://1.2.3.4 ldap://1.2.3.5 ldap://1.2.3.6
>>
>> If I go to the first ldap server and stop slapd, there is no noticeable
>> effect on the clients. If I shut down the server, or disable the
>> network, the clients will hang. I have experimented with bind_timelimit
>> and bind_policy. Changing the bind_policy did not seem to have any
>> effect. Setting the bind_timelimit to 1 and running nscd seem to help
>> clients the most. Is there any way I can configure the clients to better
>> handle an LDAP server shutdown?
>
> Upgrade to OpenLDAP 2.4; the ldap.conf syntax has been extended to
> allow you to configure connection timeouts.
>

--
Eric Ritchie
Interactive Brokers LLC
203-618-5868

From forum: NSS LDAP

Re: client timeout

2008-06-10T12:14:12Z

Eric Ritchie wrote:

> I'm having an issue with client response when a server fails. This may
> be the same issue discussed in the thread "No timeout for nss ldap". I
> have 3 servers running openldap 2.3.39. I have several Redhat 4 clients.
> I configured the uri line with the 3 servers on each client:
> uri ldap://1.2.3.4 ldap://1.2.3.5 ldap://1.2.3.6
>
> If I go to the first ldap server and stop slapd, there is no noticeable
> effect on the clients. If I shut down the server, or disable the
> network, the clients will hang. I have experimented with bind_timelimit
> and bind_policy. Changing the bind_policy did not seem to have any
> effect. Setting the bind_timelimit to 1 and running nscd seem to help
> clients the most. Is there any way I can configure the clients to better
> handle an LDAP server shutdown?

Upgrade to OpenLDAP 2.4; the ldap.conf syntax has been extended to allow you
to configure connection timeouts.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From forum: NSS LDAP

client timeout

2008-06-10T10:51:35Z

I'm having an issue with client response when a server fails. This may
be the same issue discussed in the thread "No timeout for nss ldap". I
have 3 servers running openldap 2.3.39. I have several Redhat 4 clients.
I configured the uri line with the 3 servers on each client:
uri ldap://1.2.3.4 ldap://1.2.3.5 ldap://1.2.3.6

If I go to the first ldap server and stop slapd, there is no noticeable
effect on the clients. If I shut down the server, or disable the
network, the clients will hang. I have experimented with bind_timelimit
and bind_policy. Changing the bind_policy did not seem to have any
effect. Setting the bind_timelimit to 1 and running nscd seem to help
clients the most. Is there any way I can configure the clients to better
handle an LDAP server shutdown?

Thanks

--
Eric Ritchie

From forum: NSS LDAP

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-06-08T09:06:11Z

Hello,
I used the opensolaris source browser to find some information about the
missing symbols:

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/mapfile-vers

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getauuser.c

nss_backend_t *
_nss_ldap_audit_user_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(auuser_ops,
sizeof (auuser_ops)/sizeof (auuser_ops[0]), _AUUSER,
auuser_attrs, _nss_ldap_au2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/gethostent6.c

nss_backend_t *
_nss_ldap_ipnodes_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(ipnodes_ops,
sizeof (ipnodes_ops)/sizeof (ipnodes_ops[0]), _HOSTS6,
ipnodes_attrs, _nss_ldap_hosts2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getnetmasks.c

nss_backend_t *
_nss_ldap_netmasks_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(netmasks_ops,
sizeof (netmasks_ops)/sizeof (netmasks_ops[0]), _NETMASKS,
netmasks_attrs, _nss_ldap_netmasks2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getprinter.c

nss_backend_t *
_nss_ldap_printers_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(printers_ops,
sizeof (printers_ops)/sizeof (printers_ops[0]), _PRINTERS,
printer_attrs, _nss_ldap_printers2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getprofattr.c

nss_backend_t *
_nss_ldap_prof_attr_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(profattr_ops,
sizeof (profattr_ops)/sizeof (profattr_ops[0]), _PROFATTR,
prof_attrs, _nss_ldap_prof2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getprojent.c

nss_backend_t *
_nss_ldap_project_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{
return (_nss_ldap_constr(project_ops,
sizeof (project_ops) / sizeof (project_ops[0]),
_PROJECT, project_attrs, _nss_ldap_proj2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getkeyent.c

nss_backend_t *
_nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(keys_ops,
sizeof (keys_ops)/sizeof (keys_ops[0]),
_PUBLICKEY, keys_attrs, _nss_ldap_key2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/tsol_getrhent.c

nss_backend_t *
_nss_ldap_tnrhdb_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(tnrhdb_ops,
sizeof (tnrhdb_ops)/sizeof (tnrhdb_ops[0]), _TNRHDB,
tnrhdb_attrs, _nss_ldap_tnrhdb2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/tsol_gettpent.c

nss_backend_t *
_nss_ldap_tnrhtp_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(tnrhtp_ops,
sizeof (tnrhtp_ops)/sizeof (tnrhtp_ops[0]), _TNRHTP,
tnrhtp_attrs, _nss_ldap_tnrhtp2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getuserattr.c

nss_backend_t *
_nss_ldap_user_attr_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(userattr_ops,
sizeof (userattr_ops)/sizeof (userattr_ops[0]), _USERATTR,
user_attrs, _nss_ldap_user2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getexecattr.c

nss_backend_t *
_nss_ldap_exec_attr_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5,
const char *dummy6,
const char *dummy7)
{
#ifdef DEBUG
(void) fprintf(stdout,
"\n[getexecattr.c: _nss_ldap_exec_attr_constr]\n");
#endif
return ((nss_backend_t *)_nss_ldap_constr(execattr_ops,
sizeof (execattr_ops)/sizeof (execattr_ops[0]), _EXECATTR,
exec_attrs, _nss_ldap_exec2str));
}

after that I tried to implement the stubs, all returning ,,NULL'' however this
did not make nscd work. Here is my patch if someone want's to build up on top
of it.

Thomas

diff --git a/Makefile.am b/Makefile.am
index 4b05f13..dcb883e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,7 +21,7 @@ man_MANS = nss_ldap.5
nss_ldap_so_SOURCES = ldap-nss.c ldap-pwd.c ldap-grp.c ldap-netgrp.c ldap-rpc.c \
ldap-hosts.c ldap-network.c ldap-proto.c ldap-spwd.c \
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
- ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
+ ldap-bp.c stubs.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c

nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@
diff --git a/Makefile.in b/Makefile.in
index c5c098f..0c68864 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -68,7 +68,7 @@ am_nss_ldap_so_OBJECTS = ldap-nss.$(OBJEXT) ldap-pwd.$(OBJEXT) \
ldap-hosts.$(OBJEXT) ldap-network.$(OBJEXT) \
ldap-proto.$(OBJEXT) ldap-spwd.$(OBJEXT) ldap-alias.$(OBJEXT) \
ldap-service.$(OBJEXT) ldap-schema.$(OBJEXT) \
- ldap-ethers.$(OBJEXT) ldap-bp.$(OBJEXT) \
+ ldap-ethers.$(OBJEXT) ldap-bp.$(OBJEXT) stubs.$(OBJEXT) \
ldap-automount.$(OBJEXT) util.$(OBJEXT) ltf.$(OBJEXT) \
snprintf.$(OBJEXT) resolve.$(OBJEXT) dnsconfig.$(OBJEXT) \
irs-nss.$(OBJEXT) pagectrl.$(OBJEXT) ldap-sldap.$(OBJEXT) \
@@ -211,7 +211,7 @@ man_MANS = nss_ldap.5
nss_ldap_so_SOURCES = ldap-nss.c ldap-pwd.c ldap-grp.c ldap-netgrp.c ldap-rpc.c \
ldap-hosts.c ldap-network.c ldap-proto.c ldap-spwd.c \
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
- ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
+ ldap-bp.c stubs.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c

NSS_LDAP_SOURCES = ldap-nss.c ldap-grp.c ldap-pwd.c ldap-netgrp.c ldap-schema.c \
@@ -308,6 +308,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-alias.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-automount.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-bp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stubs.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-ethers.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-grp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-hosts.Po@am__quote@
diff --git a/exports.solaris b/exports.solaris
index 3ad3bd4..0dcd056 100644
--- a/exports.solaris
+++ b/exports.solaris
@@ -13,6 +13,16 @@ nss_ldap.so.1 {
_nss_ldap_services_constr;
_nss_ldap_shadow_constr;
_nss_ldap_netgroup_constr;
+ _nss_ldap_exec_attr_constr;
+ _nss_ldap_ipnodes_constr;
+ _nss_ldap_netmasks_constr;
+ _nss_ldap_printers_constr;
+ _nss_ldap_prof_attr_constr;
+ _nss_ldap_project_constr;
+ _nss_ldap_publickey_constr;
+ _nss_ldap_tnrhdb_constr;
+ _nss_ldap_tnrhtp_constr;
+ _nss_ldap_user_attr_constr;
# libsldap library interfaces
__ns_ldap_getMappedAttributes;
__ns_ldap_getMappedObjectClass;
diff --git a/ldap-sldap.c b/ldap-sldap.c
index 5f8f85f..0af8b67 100644
--- a/ldap-sldap.c
+++ b/ldap-sldap.c
@@ -247,7 +247,9 @@ __ns_ldap_getParam (const ParamIndexType type, void ***data,
break;
}

+#if 0
debug ("<== __ns_ldap_getParam (ret=%s)", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
@@ -566,8 +568,10 @@ __ns_ldap_parseEntry (LDAPMessage * msg, ldap_state_t * state,
{
__ns_ldap_freeEntry (&entry);
cookie->ret = ret;
+#if 0
debug ("<== __ns_ldap_parseEntry (failed to init result: %s)",
NS_LDAP_ERR2STR (ret));
+#endif
return __ns_ldap_mapError (ret);
}
cookie->result->entry = entry;
@@ -597,7 +601,9 @@ __ns_ldap_parseEntry (LDAPMessage * msg, ldap_state_t * state,

cookie->ret = ret;

+#if 0
debug ("<== __ns_ldap_parseEntry (ret=%s)", NS_LDAP_ERR2STR (ret));
+#endif

return __ns_ldap_mapError (ret);
}
@@ -1150,8 +1156,10 @@ __ns_ldap_firstEntry (const char *service,

*pCookie = cookie;

+#if 0
debug ("<== __ns_ldap_firstEntry ret=%s cookie=%p", NS_LDAP_ERR2STR (ret),
cookie);
+#endif

return ret;
}
@@ -1185,7 +1193,9 @@ __ns_ldap_nextEntry (void *_cookie,

_nss_ldap_leave ();

+#if 0
debug ("<== __ns_ldap_nextEntry ret=%s", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
@@ -1273,7 +1283,9 @@ __ns_ldap_list (const char *map,

_nss_ldap_leave ();

+#if 0
debug ("<== __ns_ldap_list ret=%s", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
diff --git a/stubs.c b/stubs.c
new file mode 100644
index 0000000..f1b5127
--- /dev/null
+++ b/stubs.c
@@ -0,0 +1,136 @@
+#include "config.h"
+
+#ifdef HAVE_PORT_BEFORE_H
+#include <port_before.h>
+#endif
+
+#if defined(HAVE_THREAD_H) && !defined(_AIX)
+#include <thread.h>
+#elif defined(HAVE_PTHREAD_H)
+#include <pthread.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+
+#include "ldap-nss.h"
+#include "ldap-bp.h"
+#include "util.h"
+
+#ifdef HAVE_PORT_AFTER_H
+#include <port_after.h>
+#endif
+
+#ifdef HAVE_NSS_H
+static ent_context_t *bp_context = NULL;
+#endif
+
+nss_backend_t *
+_nss_ldap_audit_user_constr(const char *dummy1,
+const char *dummy2,
+const char *dummy3,
+const char *dummy4,
+const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_ipnodes_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_netmasks_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_printers_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_prof_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_project_constr(const char *dummy1, const char *dummy2,
+const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_tnrhdb_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_tnrhtp_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_user_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_exec_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5,
+ const char *dummy6,
+ const char *dummy7)
+{
+ return NULL;
+}
+
diff --git a/stubs.h b/stubs.h
new file mode 100644
index 0000000..903dd56
--- /dev/null
+++ b/stubs.h
@@ -0,0 +1,65 @@
+#ifndef _LDAP_NSS_LDAP_STUBS_H
+#define _LDAP_NSS_LDAP_STUBS_H
+
+nss_backend_t *
+_nss_ldap_audit_user_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_ipnodes_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_netmasks_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_printers_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_prof_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_project_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_publickey_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+
+nss_backend_t *
+_nss_ldap_tnrhdb_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_tnrhtp_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_user_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+#endif /* _LDAP_NSS_LDAP_STUBS_H */

From forum: NSS LDAP

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-06-08T08:00:13Z

Hello,
I managed today to build an omnipotent nss_ldap and pam_krb5_310 that works with
Solaris 10 U5 (still without nscd). I wonder why noone published howto to do
that before. (Deps: libnet, openssl, krb5, sasl2, openldap).

http://git.informatik.uni-erlangen.de/?p=blastwave;a=blob;f=specs/nss-ldap;h=35348abd4e3c2d1cc858326b1d229ac066c7b6a6;hb=a314b8093d40a66eec8d3af4afc03176ad2897a0

However, I'm still stuck with nscd. So I called nm on the original
nss_ldap.so.1 which Solaris provied on Update 5 with the latest
patchset.

-bash-3.00$ /usr/ccs/bin/nm nss_ldap.so.1.off | grep GLOB | grep -v UNDEF
[330] | 0| 0|OBJT |GLOB |0 |ABS |SUNWprivate_1.1
[324] | 114904| 0|OBJT |GLOB |0 |16 |_DYNAMIC
[350] | 114688| 0|OBJT |GLOB |0 |15 |_GLOBAL_OFFSET_TABLE_
[361] | 6252| 0|OBJT |GLOB |0 |9 |_PROCEDURE_LINKAGE_TABLE_
[368] | 118033| 0|OBJT |GLOB |0 |19 |_edata
[333] | 118033| 0|OBJT |GLOB |0 |20 |_end
[363] | 45422| 0|OBJT |GLOB |0 |14 |_etext
[385] | 8615| 59|FUNC |GLOB |0 |10 |_nss_ldap_audit_user_constr
[369] | 7918| 59|FUNC |GLOB |0 |10 |_nss_ldap_auth_attr_constr
[380] | 9324| 59|FUNC |GLOB |0 |10 |_nss_ldap_bootparams_constr
[373] | 10090| 59|FUNC |GLOB |0 |10 |_nss_ldap_ethers_constr
[359] | 13171| 59|FUNC |GLOB |0 |10 |_nss_ldap_exec_attr_constr
[384] | 14820| 59|FUNC |GLOB |0 |10 |_nss_ldap_group_constr
[331] | 17097| 59|FUNC |GLOB |0 |10 |_nss_ldap_hosts_constr
[326] | 18177| 59|FUNC |GLOB |0 |10 |_nss_ldap_ipnodes_constr
[376] | 24569| 54|FUNC |GLOB |0 |10 |_nss_ldap_netgroup_constr
[362] | 25031| 59|FUNC |GLOB |0 |10 |_nss_ldap_netmasks_constr
[374] | 20303| 59|FUNC |GLOB |0 |10 |_nss_ldap_networks_constr
[398] | 29054| 59|FUNC |GLOB |0 |10 |_nss_ldap_passwd_constr
[390] | 30181| 58|FUNC |GLOB |0 |10 |_nss_ldap_printers_constr
[321] | 25878| 59|FUNC |GLOB |0 |10 |_nss_ldap_prof_attr_constr
[358] | 26822| 59|FUNC |GLOB |0 |10 |_nss_ldap_project_constr
[356] | 27998| 59|FUNC |GLOB |0 |10 |_nss_ldap_protocols_constr
[395] | 19021| 59|FUNC |GLOB |0 |10 |_nss_ldap_publickey_constr
[341] | 31104| 59|FUNC |GLOB |0 |10 |_nss_ldap_rpc_constr
[367] | 33019| 59|FUNC |GLOB |0 |10 |_nss_ldap_services_constr
[387] | 33807| 59|FUNC |GLOB |0 |10 |_nss_ldap_shadow_constr
[349] | 35389| 59|FUNC |GLOB |0 |10 |_nss_ldap_tnrhdb_constr
[377] | 35924| 59|FUNC |GLOB |0 |10 |_nss_ldap_tnrhtp_constr
[364] | 34654| 59|FUNC |GLOB |0 |10 |_nss_ldap_user_attr_constr

After that I look at the exported symbols of nss_ldap (see also export.solaris
in the nss_ldap distribution):

-bash-3.00$ /usr/ccs/bin/nm nss_ldap.so.1 | grep GLOB | grep -v UNDEF
[16346] | 3863200| 0|OBJT |GLOB |0 |22 |_DYNAMIC
[16403] | 3862036| 0|OBJT |GLOB |0 |21 |_GLOBAL_OFFSET_TABLE_
[16364] | 430276| 0|OBJT |GLOB |0 |15 |_PROCEDURE_LINKAGE_TABLE_
[16428] | 519264| 121|FUNC |GLOB |0 |16 |__ns_ldap_endEntry
[16314] | 519776| 205|FUNC |GLOB |0 |16 |__ns_ldap_err2str
[16373] | 518864| 237|FUNC |GLOB |0 |16 |__ns_ldap_firstEntry
[16309] | 512432| 153|FUNC |GLOB |0 |16 |__ns_ldap_freeEntry
[16318] | 511872| 129|FUNC |GLOB |0 |16 |__ns_ldap_freeError
[16445] | 512592| 157|FUNC |GLOB |0 |16 |__ns_ldap_freeResult
[16282] | 511408| 85|FUNC |GLOB |0 |16 |__ns_ldap_getMappedAttributes
[16278] | 511504| 85|FUNC |GLOB |0 |16 |__ns_ldap_getMappedObjectClass
[16394] | 512160| 109|FUNC |GLOB |0 |16 |__ns_ldap_getParam
[16411] | 519392| 369|FUNC |GLOB |0 |16 |__ns_ldap_list
[16261] | 519104| 153|FUNC |GLOB |0 |16 |__ns_ldap_nextEntry
[16473] | 3978888| 0|OBJT |GLOB |0 |26 |_edata
[16315] | 4034680| 0|OBJT |GLOB |0 |27 |_end
[16376] | 3796500| 0|OBJT |GLOB |0 |20 |_etext
[16323] | 491712| 25|FUNC |GLOB |0 |16 |_nss_ldap_bootparams_constr
[16281] | 491168| 109|FUNC |GLOB |0 |16 |_nss_ldap_ethers_constr
[16361] | 470240| 109|FUNC |GLOB |0 |16 |_nss_ldap_group_constr
[16272] | 478544| 109|FUNC |GLOB |0 |16 |_nss_ldap_hosts_constr
[16420] | 475520| 141|FUNC |GLOB |0 |16 |_nss_ldap_netgroup_constr
[16412] | 480208| 109|FUNC |GLOB |0 |16 |_nss_ldap_networks_constr
[16363] | 463440| 109|FUNC |GLOB |0 |16 |_nss_ldap_passwd_constr
[16434] | 481328| 109|FUNC |GLOB |0 |16 |_nss_ldap_protocols_constr
[16444] | 476672| 109|FUNC |GLOB |0 |16 |_nss_ldap_rpc_constr
[16273] | 484624| 109|FUNC |GLOB |0 |16 |_nss_ldap_services_constr
[16407] | 482832| 109|FUNC |GLOB |0 |16 |_nss_ldap_shadow_constr
[16418] | 0| 0|OBJT |GLOB |0 |ABS |nss_ldap.so.1

What you can see here is, that a few symbols are gone and a few new are in. Has
someone already had a look at this?

(u5) [/var/tmp/sithglan-pkg/nss_ldap-260] gdiff -ruN padl sun
--- padl 2008-06-08 16:51:53.390905000 +0200
+++ sun 2008-06-08 16:47:01.055021000 +0200
@@ -1,22 +1,23 @@
-__ns_ldap_endEntry
-__ns_ldap_err2str
-__ns_ldap_firstEntry
-__ns_ldap_freeEntry
-__ns_ldap_freeError
-__ns_ldap_freeResult
-__ns_ldap_getMappedAttributes
-__ns_ldap_getMappedObjectClass
-__ns_ldap_getParam
-__ns_ldap_list
-__ns_ldap_nextEntry
+_nss_ldap_audit_user_constr
+_nss_ldap_auth_attr_constr
_nss_ldap_bootparams_constr
_nss_ldap_ethers_constr
+_nss_ldap_exec_attr_constr
_nss_ldap_group_constr
_nss_ldap_hosts_constr
+_nss_ldap_ipnodes_constr
_nss_ldap_netgroup_constr
+_nss_ldap_netmasks_constr
_nss_ldap_networks_constr
_nss_ldap_passwd_constr
+_nss_ldap_printers_constr
+_nss_ldap_prof_attr_constr
+_nss_ldap_project_constr
_nss_ldap_protocols_constr
+_nss_ldap_publickey_constr
_nss_ldap_rpc_constr
_nss_ldap_services_constr
_nss_ldap_shadow_constr
+_nss_ldap_tnrhdb_constr
+_nss_ldap_tnrhtp_constr
+_nss_ldap_user_attr_constr

So, I guess the following symbols are missing and this is why my nscd keeps
failing on me:

_nss_ldap_exec_attr_constr
_nss_ldap_ipnodes_constr
_nss_ldap_netmasks_constr
_nss_ldap_printers_constr
_nss_ldap_prof_attr_constr
_nss_ldap_project_constr
_nss_ldap_publickey_constr
_nss_ldap_tnrhdb_constr
_nss_ldap_tnrhtp_constr
_nss_ldap_user_attr_constr

I'm also wondering if I am the only one who is needs this patch to get
nss_ldap working _without_ debugging enabled under Solaris 10 using gcc,
forte11 and forte12:

http://git.informatik.uni-erlangen.de/?p=blastwave;a=blob;f=sources/nss_ldap.patch;h=c1371d22b1c691d3106c105a95bb8264f9368b55;hb=a314b8093d40a66eec8d3af4afc03176ad2897a0

Thomas

From forum: NSS LDAP

Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-06-07T13:43:02Z

Hello,
I have Solaris 10 Update 5 authenticating against a Windows 2003 R2 Active
Directory. I used the Blastwave Packages (openldap, openssl, libnet, krb5) and
Sun Studio 12 to compile nss_ldap. I also had to apply the attached patch
otherwise no information at all are retrieved from the Active Directory.

I'm able to retrieve information from the AD and log in via kerberos
(using a kerberos token and keyboard interactive using my _windows_
password). I have no crypt/md5 password set.

However I'm facing a strange problem. As soon as I start nscd, getpwnam
fails for me:

(mini) [~] ssh -l root 192.168.0.73
Password:
Last login: Sat Jun 7 22:08:29 2008 from u5
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
You have new mail.
# id testldap
uid=10000(testldap) gid=10000(gruppe)
# /etc/init.d/nscd start
# id testldap
id: invalid user name: "testldap"
# /etc/init.d/nscd stop
# id testldap
uid=10000(testldap) gid=10000(gruppe)

Thomas

From forum: NSS LDAP

NSS overlay for slapd

2008-06-03T12:19:37Z

For anyone interested, I've released an NSS overlay for slapd in OpenLDAP's
contrib/slapd-modules/nssov directory. This overlay uses the same protocol as
Arthur de Jong's nss-ldapd, but uses slapd to answer the requests directly
instead of going thru some other intermediate daemon. Since the overlay is
configured inside slapd, more of your LDAP configuration is centralized in a
single place, making overall administration simpler. It offers most of the
advantages of nss-ldapd, and also provides the possibility for local caching
of remotely mastered LDAP credentials (just use back-ldap+pcache), full
synchronization for disconnected operation (just use syncrepl), etc. etc.

Feedback welcome, here or on the openldap-technical mailing list. Currently it
is only in CVS HEAD; may be released in 2.4.11.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From forum: NSS LDAP

How to configure netgroup with nss_ldap

2008-05-12T12:53:38Z

Hi,

I have a Suse setup which uses nss_ldap for passwd and group and uses
pam_krb5 for authentication, which works fine.

Now I am trying to setup netgroups, but I don't get it to work. The user mm
is defined in ldap and should only be able to login from a machine called
test, but the user can login with ssh from anywhere.

My nsswitch.conf is:

passwd: files ldap
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files
aliases: files
shadow: files ldap

and passwd is:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:106:107:User for Avahi:/var/run/avahi-daemon:/bin/false
beagleindex:x:107:108:User for Beagle indexing:/var/cache/beagle:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dhcpd:x:102:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
fetchmail:x:103:2:mail retrieval daemon:/var/lib/fetchmail:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:103:MySQL database admin:/var/lib/mysql:/bin/false
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:106:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
quagga:x:104:105:Quagga routing daemon:/var/run/quagga:/usr/bin/false
root:x:0:0:root:/root:/bin/bash
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:108:109:Novell Customer Center
User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
markus:x:1000:100:Markus Moeller:/home/markus:/bin/bash
+@test::::::

#getent netgroup test
test (test, mm, )

#getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:106:107:User for Avahi:/var/run/avahi-daemon:/bin/false
beagleindex:x:107:108:User for Beagle indexing:/var/cache/beagle:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dhcpd:x:102:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
fetchmail:x:103:2:mail retrieval daemon:/var/lib/fetchmail:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:103:MySQL database admin:/var/lib/mysql:/bin/false
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:106:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
quagga:x:104:105:Quagga routing daemon:/var/run/quagga:/usr/bin/false
root:x:0:0:root:/root:/bin/bash
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:108:109:Novell Customer Center
User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
markus:x:1000:100:Markus Moeller:/home/markus:/bin/bash
+@test::0:0:::
mm:*:500:10000:Markus Moeller:/export/home/mm:/bin/ksh

Thank you
Markus

From forum: NSS LDAP

Re: openldap authentication

2008-05-02T07:27:33Z

Jyotishmaan Ray wrote:
> Hello List,
>
> Recently I had been exploring the authentication types- Weak and
> Strong type of authentication mainly!!
>
> Can you plz give some pointers in that direction as such to classify
> the openldap authentication-weak or strong. Please justify??

Weak authentication is single- factor, e.g. password only. Strong
authentication incorporates more than one factor, e.g. knowledge of a
PIN and possession of the ATM card. Typically, strong authentication is
not handled by the ldap store, but rather a dedicated authentication
system often via SASL.

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

From forum: PAM LDAP

openldap authentication

2008-04-30T07:51:48Z

Hello List,

Recently I had been exploring the authentication types- Weak and Strong type of authentication mainly!!

Can you plz give some pointers in that direction as such to classify the openldap authentication-weak or strong. Please justify??

Thanks,
Jyotishmaan Ray

____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

From forum: PAM LDAP

Re: pam_check_host_attr + PAM configuration

2008-04-19T17:29:39Z

zf wrote:

I'm struggling for the past few days to setup host-based authentication on a CentOS 5 system using pam_check_host_attr directive but i really cannot understand how to make it work. I lack expertise in PAM so i'm trying many configurations found on the net about that subject but still none of these works either.

Damn, sometimes you miss the most obvious thing! Anyway, host-based authentication works as expected, my bad, i was changing a different sshd_config file so ssh didn't cooperate with PAM at all.

Sorry for that!

From forum: PAM LDAP

pam_check_host_attr + PAM configuration

2008-04-19T04:11:22Z

Hi all,

I'm struggling for the past few days to setup host-based authentication on a CentOS 5 system using pam_check_host_attr directive but i really cannot understand how to make it work. I lack expertise in PAM so i'm trying many configurations found on the net about that subject but still none of these works either.

My /etc/ldap.conf is pretty simple and straightforward:
-------------------------
host 127.0.0.1
base dc=people,dc=domain
scope sub
ssl no
pam_check_host_attr yes
-------------------------

partial /etc/nsswitch.conf :

-------------------
passwd: files ldap
shadow: files ldap
group: files ldap
-------------------

partial /etc/ssh/sshd_config:

--------------
UsePAM yes
--------------

If anyone could guide me to setup PAM to support and respect this attribute, would be really appreciated.

TIA

From forum: PAM LDAP

Re: Nested groups

2008-04-18T02:13:42Z

Luke Howard schrieb:

> nss_ldap supports nested groups simply by having a group member being a
> group itself. The group member must be a DN, so the uniqueMember or
> member attribute would typically used (not memberUid).
>
> This isn't actually specified in RFC 2307.
>
> You also need to have rfc2307bis support enabled in nss_ldap, by putting
> nss_schema rfc2307bis in ldap.conf.
>
> -- Luke
>

Hello,

in slapo.conf I have added this line
nss_map_attribute uniqueMember member

and restarted the openldap server

Then I imported this object

dn: cn=atest, ou=groups, dc=sb-brixen,dc=it
gidNumber: 987
member: cn=informatik, ou=groups, dc=sb-brixen,dc=it
userPassword:: e2NyeXB0fXg=
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
description: atest
cn: atest

I restarted ncsd to

The user amoroder ( me ) is member of the group informatik ( and other
groups )

now I tried with "id amoroder"
I get as result all the groups I am mmebr of, but not the group atest(987).

What is wrong here. Are my assumptions wrong that amoroder should also
become member of the group at because "informatik" is member of atest ?

Thanks
Andreas

From forum: NSS LDAP

Re: uri question

2008-04-17T16:28:52Z

You can specify multiple URIs with a space between them.

On 18/04/2008, at 7:21 AM, Adam Williams wrote:
> I have in my ldap.conf uri ldap://10.8.2.3/ for it to query my
> master ldap server for user shell accounts. I now also have a slave
> openldap server, 10.8.2.2, so how can I specify in /etc/ldap.conf to
> also query 10.8.2.2 in the event that 10.8.2.3 is down?
>
>

--
www.padl.com | www.fghr.net

From forum: NSS LDAP

uri question

2008-04-17T14:21:26Z

I have in my ldap.conf uri ldap://10.8.2.3/ for it to query my master
ldap server for user shell accounts. I now also have a slave openldap
server, 10.8.2.2, so how can I specify in /etc/ldap.conf to also query
10.8.2.2 in the event that 10.8.2.3 is down?

From forum: NSS LDAP

Changing password after it has expired

2008-04-17T10:18:55Z

Somebody on this list will know the definitive answer(s) to this question. I have been knocking holes in the wall with my head all day and cannot get an answer that makes sense.

In active directory you can set a password as expired and when the user logs in they get to type their old password to prove they are who they say they are and then new passwords to get the change to happen.

I want to achieve this via the LDAP interface but cannot find any references that say if it is possible. I suspect that what really happens under the cover is that the 'LDAP' code checks that the hash of the presented old password matches the value in the AD and then uses a privileged account rather than the user to do the actual change (I am thinking of the IISADMPWD application here!) What I had hoped I could find would be an options that would allow a bind to succeed using the users credentials (old password/username) that could only change the password. But I have not.

Am I right in that this is done by knowing that the HASH matches or is there a hidden control to the AD LDAP interface I am missing?

--
Signature

Howard Wilkinson	Phone:	+44(20)76907075
Coherent Technology Limited	Fax:
23 Northampton Square,	Mobile:	+44(7980)639379
United Kingdom, EC1V 0HL	Email:	howard@...

From forum: PAM LDAP

Disbling and Eanbling an openldap ACCOUNT

2008-04-16T22:40:25Z

Hello List

Though i can disable a user (with the addition of the attribute- shadowExpire) from successful authentication and hence log on- i am not in a position to enable the same user ?

Can any one suggest a way to delete this attribute ? I see no ways to delete an attribute from the GUI or the command line ?

But then if there is are any other wayz using ACLS , ppolicy etc disable a user account at will and enable it again at a later time whenevr they want.

Please let me tell you that my set up is that of openldap in linux fedora 8.

I am trying since yesterday night.

Please give some pointers!!!

Thanks,

Thanks,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise

Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe@...

____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

From forum: PAM LDAP

Re: Segmentation Faults for Ldap Accounts

2008-04-16T13:57:46Z

Hello All,

I wanted to close this thread.

It was recommended that I try the nscd. Got that activated and now all
is well.

Many thanks to all!

Andrew Morgan wrote:

> On Mon, 14 Apr 2008, Jim Summers wrote:
>
>> I agree with you it still is appearing to be something with TLS/ssl.
>> It is just confusing me that the operating system itself authenticates
>> and can resolve uidNumbers and group info fine.
>>
>> Let me know if you need the whole trace file and I can send that also.
>
> Sure, I'd like to look at both trace files in full.
>
> Andy

--
Jim Summers
Computer Science - University of Oklahoma

From forum: NSS LDAP

Re: binddn vs rootbinddn

2008-04-16T13:25:35Z

On Wed, 16 Apr 2008, Ashley Penney wrote:

> I am having a problem with nss_ldap, and I'm hoping the list can shed some
> light on this.
>
> I previously had rootbinddn set (rootbinddn
> cn=Webtools,dc=law,dc=harvard,dc=edu) and this was working fine for checking
> my attributes under uid=username, and for getting the gidNumber from my
> group (which is a little bit more complicated due to not using groups!).
>
> So, when logging in it would assign me the gidNumber for isMemberOf:
> cn=sftpuser,ou=roles, and that worked ok, but looking up 'getent group
> sftpuser' would return nothing. On advice from IRC, I set my binddn and put
> my password right into the ldap.conf file and now the same search works fine
> (finally).
>
> However, I don't want my password right in plain view. Is there a way I can
> adjust things in nss_ldap or openldap to make it so I can just set
> rootbinddn, and not binddn?

Another alternative is to set your binddn and password in ldap.conf, make
ldap.conf only readable by root, and run nscd. nscd will run as root and
can read the ldap.conf file, while processes will connect to nscd (via a
unix socket) for NSS lookups. We use this method here to hide our bind
credentials yet still require an authenticated LDAP connection for
lookups.

Andy

From forum: NSS LDAP

binddn vs rootbinddn

2008-04-16T11:49:23Z

I am having a problem with nss_ldap, and I'm hoping the list can shed some light on this.

I previously had rootbinddn set (rootbinddn cn=Webtools,dc=law,dc=harvard,dc=edu) and this was working fine for checking my attributes under uid=username, and for getting the gidNumber from my group (which is a little bit more complicated due to not using groups!).

So, when logging in it would assign me the gidNumber for isMemberOf: cn=sftpuser,ou=roles, and that worked ok, but looking up 'getent group sftpuser' would return nothing. On advice from IRC, I set my binddn and put my password right into the ldap.conf file and now the same search works fine (finally).

However, I don't want my password right in plain view. Is there a way I can adjust things in nss_ldap or openldap to make it so I can just set rootbinddn, and not binddn?

Thanks,

From forum: NSS LDAP

RE: LDAP Auth

2008-04-16T09:13:45Z

Hi,

Thanks for the reply but in the meantime I got a response from the OpenLDAP mailing list that nailed the problem for me. For future googlers facing the same problem the problem what that LDAP was being able to answer queries based on cn attribute but not based on uid attribute due to a indexing problem. Stopping OpenLDAP, running slapindex and then starting OpenLDAP again made authentication work again.

For some strange reason "getent passwd" still gets the data, so it must retrieve that information in some other way. I confess I have no intention to look up code to find out :)

A simple way to know if this problem is affecting you is doing a manual search on ldap. In my case searching for "uid=myuser" returned no information while searching for "uid=myuser*" returned the correct information which was what made the problem clear for the OpenLDAP guys.

Regards,
Nuno

-----Original Message-----
From: Andrew Morgan [mailto:morgan@...]
Sent: quarta-feira, 16 de Abril de 2008 17:07
To: Nuno Manuel Martins
Cc: nssldap@...
Subject: Re: [nssldap] LDAP Auth

On Wed, 16 Apr 2008, Nuno Manuel Martins wrote:

> Hello list,
>
> I am having a very strange behaviour from my test with OpenLDAP authentication. I tried to follow the HOWTOs online but I encountered an undocumented problem :)
>
> After configuring nssswitch.conf I tried what they asked and did a getent command which returns successfully:
> getent passwd | grep myuser
> myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash
>
> This means that the system can get the proper data from the LDAP directory. However, even before I try authentication I have this problem:
> su - myuser
> su: user myuser does not exist
>
> So anyone knows where su is getting its information from and why it is different from the information on getent?

It looks like you are starting out as root. Perhaps your ldap.conf file
is only readable by root?

Andy

From forum: NSS LDAP

Re: LDAP Auth

2008-04-16T09:07:25Z

On Wed, 16 Apr 2008, Nuno Manuel Martins wrote:

It looks like you are starting out as root. Perhaps your ldap.conf file
is only readable by root?

Andy

From forum: NSS LDAP

LDAP Auth

2008-04-16T02:55:37Z

Hello list,

I am having a very strange behaviour from my test with OpenLDAP authentication. I tried to follow the HOWTOs online but I encountered an undocumented problem :)

After configuring nssswitch.conf I tried what they asked and did a getent command which returns successfully:
getent passwd | grep myuser
myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash

This means that the system can get the proper data from the LDAP directory. However, even before I try authentication I have this problem:
su - myuser
su: user myuser does not exist

So anyone knows where su is getting its information from and why it is different from the information on getent?

Thanks,
Nuno

From forum: NSS LDAP

Re: How to make it unsuccessful authentication ??

2008-04-15T22:19:03Z

Hello Prakash,

That is fine. Thanks, it serves the purpose. But the thing is that-once i add this attribue to a uid and set its value say 0 (anyinteger) it disables the account and the user gets the message ofexpiry of his password.

But then if there is any way again to enable the same account by deleting this attribute etc.

I am trying since yesterday night.

Please give some pointers!!!

Thanks,

Thanks,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise

Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe@...

----- Original Message ----
From: Prakash Velayutham <prakash.velayutham@...>
To: Andrew Morgan <morgan@...>
Cc: pamldap@...
Sent: Monday, April 14, 2008 10:22:19 PM
Subject: Re: [pamldap] How to make it unsuccessful authentication ??

If you use the shadowAccount ObjectClass, I think you can use the
attribute shadowExpire to control this in OpenLDAP.

Prakash

____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

From forum: PAM LDAP