id: cannot find name for user ID

I'm trying to set up nss_ldap to work with my openldap 2.3.39 installation on Fedora 8. When I su -l adamtest (an account in openldap), I get the following error:

    [root@roark etc]# su -l adamtest
    id: cannot find name for user ID 773
    [I have no name!@roark ~]$ id
    uid=773 gid=100(users) groups=100(users)

and I think it's something with the nss_ldap id resolution, because here is the id command from me in /etc/passwd; notice the uid=511(awilliam) is shown correctly here versus adamtest in openldap.

    [awilliam@roark ~]$ id
    uid=511(awilliam) gid=513(awilliam) groups=100(users),102(is),500(admin),513(awilliam),630(pers),631(pubinfo),743(executive),754(hankandcheri)

adamtest is in openldap, here's his info:

    [root@roark ldap]# ldapsearch -D 'cn=Manager,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=adamtest,ou=People,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxx -x
    # extended LDIF
    #
    # LDAPv3
    # base <uid=adamtest,ou=People,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # adamtest, People, mdah.state.ms.us
    dn: uid=adamtest,ou=People,dc=mdah,dc=state,dc=ms,dc=us
    uid: adamtest
    cn: adamtest
    sn: adamtest
    mail: adamtest@...
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    shadowLastChange: 13902
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 773
    gidNumber: 100
    homeDirectory: /home/adamtest

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

and my /etc/ldap.conf is:

    base dc=mdah,dc=state,dc=ms,dc=us
    binddn cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
    bindpw xxxxxxxx
    rootbinddn cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
    nss_base_passwd ou=People,dc=mdah,dc=state,dc=ms,dc=us?one
    nss_base_shadow ou=People,dc=mdah,dc=state,dc=ms,dc=us?one
    nss_base_group ou=Group,dc=mdah,dc=state,dc=ms,dc=us?one
    ssl no
    pam_password md5
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
    logdir /var/log/nss_ldap
    debug 256
    uri ldap://roark.mdah.state.ms.us/
    tls_cacertdir /etc/openldap/cacerts
    bind_timelimit 10
    bind_policy soft
    nss_initgroups_ignoreusers root,ldap,named,tonni

and my slapd.conf is:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema
    allow bind_v2
    pidfile /var/run/openldap/slapd.pid
    database bdb
    suffix "dc=mdah,dc=state,dc=ms,dc=us"
    rootdn "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us"
    rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx
    directory /var/lib/ldap
    index objectClass eq
    index cn pres,sub,eq
    index sn pres,sub,eq
    index uid pres,sub,eq
    index displayName pres,sub,eq
    index uidNumber eq
    index gidNumber eq
    index memberUID eq
    index sambaSID sub,eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index default pres,eq,sub

    access to dn="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
        by self write
        by users auth
        by anonymous read

    access to dn.base=""
        by self write
        by * auth

    access to attrs=userPassword,sambaLMPassword,sambaNTPassword,uid,cn,sn
        by self write
        by anonymous auth
        by * none

    access to attrs=shadowLastChange
        by self write
        by * auth

    access to *
        by self write
        by dn.base="cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" write
        by * read

anyone see why I'm getting the "id: cannot find name for user ID 773 [I have no name!@roark ~]$ id" error? any ideas?

Re: id: cannot find name for user ID

nevermind, I think I figured it out, had to change /etc/openldap/slapd.conf to:

    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * read
        by * none

    access to *
        by * read

Re: id: cannot find name for user ID

Adam Williams wrote:
> I'm trying to set up nss_ldap to work with my openldap 2.3.39
> installation on Fedora 8. When I su -l adamtest (an account in
> openldap), I get the following error:
>
> [root@roark etc]# su -l adamtest
> id: cannot find name for user ID 773
> [I have no name!@roark ~]$ id
> uid=773 gid=100(users) groups=100(users)
>
>
> and I think its something with the nss_ldap id resolution, because here
> is the id command from me in /etc/passwd, notice the uid=511(awilliam)
> is shown correctly here versus adamtest in openldap.
>
> [awilliam@roark ~]$ id
> uid=511(awilliam) gid=513(awilliam)
> groups=100(users),102(is),500(admin),513(awilliam),630(pers),631(pubinfo),743(executive),754(hankandcheri)
>
>
> adamtest is in openldap, here's his info:
>
> [root@roark ldap]# ldapsearch -D
> 'cn=Manager,dc=mdah,dc=state,dc=ms,dc=us' -b
> "uid=adamtest,ou=People,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxx
> -x
> # extended LDIF
> #
> # LDAPv3
> # base <uid=adamtest,ou=People,dc=mdah,dc=state,dc=ms,dc=us> with scope
> subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # adamtest, People, mdah.state.ms.us
> dn: uid=adamtest,ou=People,dc=mdah,dc=state,dc=ms,dc=us
> uid: adamtest
> cn: adamtest
> sn: adamtest
> mail: adamtest@...
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> shadowLastChange: 13902
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 773
> gidNumber: 100
> homeDirectory: /home/adamtest
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> and my /etc/ldap.conf is:
>
> base dc=mdah,dc=state,dc=ms,dc=us
> binddn cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
> bindpw xxxxxxxx
> rootbinddn cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
> nss_base_passwd ou=People,dc=mdah,dc=state,dc=ms,dc=us?one
> nss_base_shadow ou=People,dc=mdah,dc=state,dc=ms,dc=us?one
> nss_base_group ou=Group,dc=mdah,dc=state,dc=ms,dc=us?one
> ssl no
> pam_password md5
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
> logdir /var/log/nss_ldap
> debug 256
> uri ldap://roark.mdah.state.ms.us/
> tls_cacertdir /etc/openldap/cacerts
> bind_timelimit 10
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap,named,tonni
>
> and my slapd.conf is:
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> allow bind_v2
> pidfile /var/run/openldap/slapd.pid
> database bdb
> suffix "dc=mdah,dc=state,dc=ms,dc=us"
> rootdn "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us"
> rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx
> directory /var/lib/ldap
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUID eq
> index sambaSID sub,eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index default pres,eq,sub
>
> access to dn="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
>     by self write
>     by users auth
>     by anonymous read
>
> access to dn.base=""
>     by self write
>     by * auth
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword,uid,cn,sn
>     by self write
>     by anonymous auth
>     by * none
>
> access to attrs=shadowLastChange
>     by self write
>     by * auth
>
> access to *
>     by self write
>     by dn.base="cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" write
>     by * read
>
> anyone see why i'm getting the "id: cannot find name for user ID 773 [I
> have no name!@roark ~]$ id" error? any ideas?
>

What does the slapd.log say? Can you see the search initiated by the nss libs? NB. Note that you'll also have a log entry resulting from your manual search.

Dave

---
Dave Lewney
IT Services, University of Sussex, Brighton BN1 9QT

Re: id: cannot find name for user ID

Adam Williams skrev, on 25-01-2008 15:23:
> I'm trying to set up nss_ldap to work with my openldap 2.3.39
> installation on Fedora 8. When I su -l adamtest (an account in
> openldap), I get the following error:
>
> [root@roark etc]# su -l adamtest
> id: cannot find name for user ID 773
> [I have no name!@roark ~]$ id
> uid=773 gid=100(users) groups=100(users)

[...]

> anyone see why i'm getting the "id: cannot find name for user ID 773 [I
> have no name!@roark ~]$ id" error? any ideas?

Surely many who, panting at the leash at establishing (half) tight ACLs, have had this. I know I have.

Without going through your ACLs with a fine tooth comb, you're cutting out the binddn from reading the salient parts of posixAccount that are normally to be found in /etc/passwd.

Begin by cutting out all your present ACLs and substituting 'access to * by * write' as the only ACL; that will work. Work back from that to what you hope to establish of ACLs. ACLs are tricky and do not necessarily do what you might imagine at first sight. This is one large area where OL needs a whole lot of reading up on, and practice.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: id: cannot find name for user ID

Adam Williams skrev, on 25-01-2008 17:37:
> nevermind, I think i figured it out, had to change
> /etc/openldap/slapd.conf to:
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>     by self write
>     by anonymous auth
>     by * read
>     by * none
>
>
> access to *
>     by * read

This all will later land you up in all kinds of trouble. Please do read up on the Admin guide and don't go inventing things for yourself.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: id: cannot find name for user ID

On Friday 25 January 2008 16:23:46 Adam Williams wrote:
> I'm trying to set up nss_ldap to work with my openldap 2.3.39
> installation on Fedora 8. When I su -l adamtest (an account in
> openldap), I get the following error:
>
> [root@roark etc]# su -l adamtest
> id: cannot find name for user ID 773
> [I have no name!@roark ~]$ id
> uid=773 gid=100(users) groups=100(users)
>
>
> and I think its something with the nss_ldap id resolution, because here
> is the id command from me in /etc/passwd, notice the uid=511(awilliam)
> is shown correctly here versus adamtest in openldap.

Well, it seems non-root processes have no problem, but processes running as root do ...

[...]

> and my /etc/ldap.conf is:

[...]

> binddn cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
> bindpw xxxxxxxx
> rootbinddn cn=Manager,dc=mdah,dc=state,dc=ms,dc=us

So, you have two DNs, and one password. Where is the other password? It needs to go in /etc/ldap.secret (yes, in the clear, but the permissions can be stricter than /etc/ldap.conf). The rootbinddn, if present, is used, in conjunction with the password from /etc/ldap.secret, when nss_ldap is invoked by a process running as root.

This is covered in the nss_ldap man page.

[...]

> and my slapd.conf is:

> database bdb
> suffix "dc=mdah,dc=state,dc=ms,dc=us"
> rootdn "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us"

Right, bad idea to use your rootdn in a world-readable config file. You may want to consider creating a dedicated DN (commonly referred to as a proxy DN), or use a method to provide each server with individual access to the LDAP server (e.g. SASL-GSSAPI - Kerberos) sufficient to search/list users.

It is not necessary to expose the majority of your directory contents (unless you want to save the most effort at the greatest risk and avoid using a binddn at all).

> rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx

[...]

> access to dn="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
>     by self write
>     by users auth
>     by anonymous read

In OpenLDAP 2.2 or later (IIRC), you are probably missing the .subtree qualifier (to dn.subtree=), which would also have fixed your problem.

Regards,
Buchan

Re: id: cannot find name for user ID

Buchan Milne wrote:
> So, you have two DNs, and one password. Where is the other password? It needs

Yes I have manager's password in /etc/ldap.secret with permission 600.

ok so if I set up a proxy user named proxy, that user will need an account in openldap like any other linux shell user? so if I create proxy, my ACL would be?

    access to dn.subtree="ou=People,dc=mdah,dc=state,dc=ms,dc=us" attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid,userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn="uid=proxy,ou=People,dc=mdah,dc=ms,dc=us" read
        by anonymous auth
        by * none

and of course, uid=proxy,ou=People,dc=mdah,dc=ms,dc=us becomes my binddn and its bindpw in /etc/ldap.conf

Re: id: cannot find name for user ID

On Monday 28 January 2008 21:48:43 Adam Williams wrote:
> Buchan Milne wrote:
> > So, you have two DNs, and one password. Where is the other password?
> > It needs
> > to go in /etc/ldap.secret (yes, in the clear, but the permissions can be
> > stricter than /etc/ldap.conf). The rootbinddn, if present, is used, in
> > conjunction with the password from /etc/ldap.secret, when nss_ldap is
> > invoked by a process running as root.
> >
> > This is covered in the nss_ldap man page.
> >
> >
> > Right, bad idea to use your rootdn in a world-readable config file. You
> > may want to consider creating a dedicated DN (commonly referred to as a
> > proxy DN), or use a method to provide each server with individual access
> > to the LDAP server (e.g. SASL-GSSAPI - Kerberos) sufficient to
> > search/list users.
> >
> > It is not necessary to expose the majority of your directory contents
> > (unless you want to save the most effort at the greatest risk and avoid
> > using a binddn at all).
> >
> >
> > In OpenLDAP 2.2 or later (IIRC), you are probably missing the .subtree
> > qualifier (to dn.subtree=), which would also have fixed your problem.
>
> Yes I have manager's password in /etc/ldap.secret with permission 600.

Then you should check whether nss_ldap was failing to bind to the directory ... the file is sensitive to white space, blank lines etc.

> ok so if I set up a proxy user named proxy, that user will need an
> account in openldap like any other linux shell user? so if I create
> proxy, my ACL would be?

This depends on what you want other DNs (e.g. real users) to be able to see. Since they would most likely be able to run 'getent passwd' to retrieve this information, I don't think it makes sense to prevent them from seeing it via LDAP.

So, the proxy user shouldn't need any specific ACL, since authentication does not rely upon being able to read any password attributes. Authentication is typically done with pam_ldap, which performs a bind as the DN of the user that is "logging in" (pam_ldap may require the proxy DN to be able to determine the DN of the user from their username, and nss_ldap needs to determine all the info for 'getent passwd user' and 'id user' with the proxy DN).

> access to dn.subtree="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
> attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid,userPassword,sambaLMPassword,sambaNTPassword
>     by self write
>     by dn="uid=proxy,ou=People,dc=mdah,dc=ms,dc=us" read
>     by anonymous auth
>     by * none

There's no need to expose the passwords to the proxy DN, and I don't see much utility in hiding attributes that are easily visible on any of your servers. I also wouldn't give users write access to their uidNumber or gidNumber.

So, something like this would be more sensible as a start:

    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by * auth

(auth access to sambaLMPassword and sambaNTPassword doesn't make sense, but I prefer to group password attributes together rather than risk exposing them by mistake)

    # let users write to "safe" attributes they might want to have control over
    access to attrs=gecos,loginShell,....
        by self write
        by users read
        by * none

    access to *
        by users read
        by * none

Although I typically have more complex ones that provide for a group of replicator DNs, and a group for samba Domain Controllers which have access to create accounts.

You may want to look at the design Mandriva uses:
http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT

> and of course, uid=proxy,ou=People,dc=mdah,dc=ms,dc=us becomes my binddn
> and its bindpw in /etc/ldap.conf

Yes, and then remove rootbinddn and empty /etc/ldap.secret, unless you have a very specific reason to use it.

Regards,
Buchan
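The thread turns on two slapd ACL rules: "access to" clauses are tried in order and the first clause whose <what> matches the entry and attribute decides, with the first matching <by> inside it giving the access level; and dn="X" matches only that exact DN, while dn.subtree="X" covers X and everything below it. The following is an added toy model of that evaluation (editor's example, not code from the thread or from OpenLDAP), applied to the original post's ACLs and to Buchan's suggested replacement; the proxy DN uid=proxy,ou=People,... is a hypothetical non-rootdn binddn of the kind Buchan recommends, and the "users" keyword means any authenticated bind.

```python
from dataclasses import dataclass, field
LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # ascending

@dataclass
class Rule:
    by: list                                  # [(who, level), ...] tried in order
    dn: str = None                            # dn="X": matches that exact DN only
    subtree: str = None                       # dn.subtree="X": X and everything below it
    attrs: set = field(default_factory=set)   # empty = clause covers every attribute
    def matches(self, entry_dn, attr):
        if self.dn is not None and entry_dn != self.dn:
            return False
        if self.subtree is not None and not ("," + entry_dn).endswith("," + self.subtree):
            return False
        return not self.attrs or attr in self.attrs

def who_matches(who, entry_dn, binder):       # binder is None for an anonymous bind
    if who == "*":         return True
    if who == "anonymous": return binder is None
    if who == "users":     return binder is not None
    if who == "self":      return binder == entry_dn
    return binder == who                      # a literal by dn="..." clause

def check(rules, entry_dn, attr, binder, wanted):   # does binder get >= wanted access?
    for r in rules:
        if r.matches(entry_dn, attr):         # first matching clause decides
            for who, level in r.by:
                if who_matches(who, entry_dn, binder):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False                      # clause matched, no <by> did: denied
    return False                              # no clause matched: denied

PEOPLE = "ou=People,dc=mdah,dc=state,dc=ms,dc=us"
ADAM = "uid=adamtest," + PEOPLE
PROXY = "uid=proxy," + PEOPLE                 # hypothetical non-rootdn binddn
PW = {"userPassword", "sambaLMPassword", "sambaNTPassword"}

# ACLs from the original post, without its dn.base="" clause (never matches under ou=People).
ORIGINAL = [
    Rule(dn=PEOPLE, by=[("self", "write"), ("users", "auth"), ("anonymous", "read")]),
    Rule(attrs=PW | {"uid", "cn", "sn"}, by=[("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    Rule(attrs={"shadowLastChange"}, by=[("self", "write"), ("*", "auth")]),
    Rule(by=[("self", "write"), ("*", "read")]),
]
# Buchan's suggested start: password attrs self-write / auth-only, the rest users-read.
RECOMMENDED = [
    Rule(attrs=PW, by=[("self", "write"), ("*", "auth")]),
    Rule(attrs={"gecos", "loginShell"}, by=[("self", "write"), ("users", "read"), ("*", "none")]),
    Rule(by=[("users", "read"), ("*", "none")]),
]
```

Run against ORIGINAL, the proxy DN can read uidNumber (the catch-all clause) but not uid (the attrs clause ends in "by * none"), which is exactly the shape of the "cannot find name for user ID 773" symptom; under RECOMMENDED it reads uid but gets only auth on the password attributes, and users cannot write their own uidNumber.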