Date:      Wed, 02 Feb 2005 14:51:48 +0100
From:      Klavs Klavsen <kl@vsen.dk>
To:        Klavs Klavsen <kl@vsen.dk>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re:(solved) nsswitch ldap lookup problems
Message-ID:  <4200DAF4.9040408@vsen.dk>
In-Reply-To: <4200D350.1000600@vsen.dk>
References:  <4200A8ED.9030200@vsen.dk> <4200D350.1000600@vsen.dk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Embarrassing..

Once I actually installed nss_ldap - it worked :)

on 02-02-2005 14:19 Klavs Klavsen wrote:
| Has anyone gotten nsswitch ldap lookup working on a FreeBSD-5.x?
|
| I tried this exact config on a linux-client (to the same ldap-server)
| and it worked fine - I could do:
| getent passwd - and it also returned the users only on the ldap server.
|
| I try to do the equivalent (I think - there's no getent for freebsd :( )
| - by doing an(on FreeBSD-5.3):
| # id ktk
| id: ktk: no such user
|
| in linux it gives me:
| # id ktk
| uid=5042(ktk) gid=5001(drift) groups=5001(drift)
|
| (the ktk user only exists in ldap)
|
| the /etc/ldap.conf, /usr/local/etc/ldap.conf and
| /usr/local/etc/openldap/ldap.conf files are exactly alike on Linux and
| FreeBSD and now look like this:
|
| ssl start_tls
| ssl on
| suffix          "dc=vsen,dc=dk"
|
| uri ldaps://auth.vsen.dk/
| #pam_password exop
|
| ldap_version 3
| pam_filter objectclass=posixAccount
| pam_login_attribute uid
| pam_member_attribute memberuid
| nss_base_passwd ou=People,dc=vsen,dc=dk
| nss_base_shadow ou=People,dc=vsen,dc=dk
| nss_base_group  ou=Group,dc=vsen,dc=dk
| nss_base_hosts  ou=Hosts,dc=vsen,dc=dk
|
| scope one
|
|
| on 02-02-2005 11:18 Klavs Klavsen wrote:
|
|> Hi guys,
|>
|> I've gotten my kerberos and openldap up and running on FreeBSD 5.3 - and
|> can login with my user (because he has been created in kerberos and pam
|> looks in that), but nsswitch can't find the user in ldap for some reason.
|>
|> All help will be greatly appreciated
|>
|> When I login with ssh I get this in debug.log:
|> Feb  2 11:06:06 auth01 sshd[771]: NSSWITCH(nss_method_lookup): ldap,
|> passwd, endpwent, not found
|> Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap,
|> group, setgrent, not found
|> Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap,
|> group, getgrent_r, not found
|> Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap,
|> group, endgrent, not found
|> Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 ACCEPT from
|> IP=172.21.1.109:56828 (IP=0.0.0.0:636)
|> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=0 BIND dn="" method=128
|> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=0 RESULT tag=97 err=0 text=
|> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=1 SRCH
|> base="ou=People,dc=vsen,dc=dk" scope=1 deref=0
|> filter="(&(objectClass=posixAccount)(uid=ktk))"
|> Feb  2 11:06:09 auth01 slapd[604]: conn=2 op=1 SEARCH RESULT tag=101
|> err=0 nentries=1 text=
|> Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 closed
|> Feb  2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap,
|> group, setgrent, not found
|> Feb  2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap,
|> group, getgrent_r, not found
|> Feb  2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap,
|> group, endgrent, not found
|> Feb  2 11:06:09 auth01 sshd[774]: NSSWITCH(nss_method_lookup): ldap,
|> passwd, endpwent, not found
|>
|> if I try to do an ldapsearch for the same:
|> # ldapsearch "(&(objectClass=posixAccount)(uid=ktk))" -b
|> "ou=People,dc=vsen,dc=dk"  -Y gssapi
|>
|> It seems to work fine:
|> [SNIP - cut SASL talk]
|> # extended LDIF
|> #
|> # LDAPv3
|> # base <> with scope sub
|> # filter: (&(objectClass=posixAccount)(uid=ktk))
|> # requesting: -b ou=People,dc=vsen,dc=dk -Y gssapi
|> #
|>
|> # ktk, People, telmore.dk
|> dn: uid=ktk,ou=People,dc=vsen,dc=dk
|>
|> # search result
|> search: 5
|> result: 0 Success
|>
|> # numResponses: 2
|> # numEntries: 1
|>
|> my /usr/local/etc/ldap.conf (on freebsd 5.3) looks like this:
|> BASE    dc=vsen, dc=dk
|> URI          ldaps://auth.vsen.dk:636/
|> TLS_REQCERT  allow
|>
|>
|> #SIZELIMIT      12
|> #TIMELIMIT      15
|> #DEREF          never
|>
|> scope sub
|> port 389
|> pam_password md5
|> ldap_version 3
|> pam_filter objectclass=posixAccount
|> pam_login_attribute uid
|> pam_member_attribute memberUid
|> nss_base_passwd ou=People,dc=vsen,dc=dk?one
|> nss_base_group ou=Groups,dc=vsen,dc=dk?one
|> nss_base_shadow ou=People,dc=vsen,dc=dk?one
|> #debug testing
|> logdir /var/log
|> debug 9
|>
|>

- --
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
~  --Henry Spencer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCANr0PToLeX4GPGIRAt6lAJ9cRo6Lj6dbF34uoIr5FnOJtcNEBQCgnz0G
/SCbfhShS5ZJaIGvP4J04fY=
=1NPq
-----END PGP SIGNATURE-----
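The failure this thread ran into, a source named in nsswitch.conf with no NSS module installed behind it, can be checked for before it surfaces as `id: ktk: no such user`. The following Python script is an added example and not code from the thread or from FreeBSD: it parses an nsswitch.conf, reports every source that is neither served by libc itself nor backed by an `nss_<source>.so.1` module, and groups the `NSSWITCH(nss_method_lookup): ... not found` syslog lines of the kind quoted above by source and database. The library directories, the `.so.1` interface version and the `BUILTIN_SOURCES` set are assumptions about FreeBSD's nsdispatch; the sample config and log lines are constructed.

```python
"""Sanity-check nsswitch.conf sources against installed NSS modules.

Added example, not code from the thread. Paths follow FreeBSD conventions
(/etc/nsswitch.conf; the nss_ldap port installs /usr/local/lib/nss_ldap.so.1),
which is an assumption; the sample config and log lines are constructed.
"""
import os
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed /etc/nsswitch.conf that hands passwd and group lookups to ldap.
SAMPLE_NSSWITCH = """\
# constructed sample
group: files ldap
hosts: files dns
passwd: files ldap [notfound=return]
shells: files
"""

# Sources FreeBSD's libc serves itself; anything else needs nss_<source>.so.1
# (assumption about which sources are built in).
BUILTIN_SOURCES = {"files", "dns", "compat", "nis", "cache"}

# Directories a dlopen() of nss_<source>.so.1 would search (assumption).
LIBDIRS = ("/usr/local/lib", "/lib", "/usr/lib")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its ordered sources, dropping comments and
    [status=action] selectors such as [notfound=return]."""
    config: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        config[db.strip()] = rest.split()
    return config


def module_candidates(source: str) -> List[str]:
    """Paths where nss_<source>.so.1 would be looked for (interface version 1
    is what FreeBSD's nsdispatch requests; assumption)."""
    return [os.path.join(d, f"nss_{source}.so.1") for d in LIBDIRS]


def missing_modules(config: Dict[str, List[str]],
                    exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} for every source that is neither
    built in nor backed by an installed module. `exists` is injectable so
    the check can run against a fake filesystem."""
    missing: Dict[str, List[str]] = {}
    for db, sources in config.items():
        unbacked = [s for s in sources
                    if s not in BUILTIN_SOURCES
                    and not any(exists(p) for p in module_candidates(s))]
        if unbacked:
            missing[db] = unbacked
    return missing


# Shape of the syslog line nsdispatch emits when it cannot resolve a method.
NSS_NOT_FOUND = re.compile(
    r"NSSWITCH\(nss_method_lookup\): (?P<source>\w+), (?P<db>\w+), "
    r"(?P<method>\w+), not found")


def unresolved_methods(lines: Iterable[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group 'not found' method lookups by (source, database). A source whose
    module could not be loaded has no methods at all, so every lookup against
    it is reported this way; a loaded module only reports methods it lacks."""
    found: Dict[Tuple[str, str], List[str]] = {}
    for line in lines:
        m = NSS_NOT_FOUND.search(line)
        if m:
            found.setdefault((m["source"], m["db"]), []).append(m["method"])
    return found


# Constructed log lines in the format the thread quotes from debug.log.
SAMPLE_LOG = [
    "Feb  2 11:06:06 auth01 sshd[771]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found",
    "Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found",
    "Feb  2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found",
    "Feb  2 11:06:09 auth01 slapd[604]: conn=2 fd=12 closed",
]

if __name__ == "__main__":
    cfg = parse_nsswitch(SAMPLE_NSSWITCH)
    print("sources without a module:", missing_modules(cfg))
    print("unresolved NSS methods:", unresolved_methods(SAMPLE_LOG))
```

Run against the real `/etc/nsswitch.conf` by passing its contents to `parse_nsswitch` with the default `exists`; an empty result from `missing_modules` together with an empty result from `unresolved_methods` over the host's debug.log is the state the thread reached once nss_ldap was actually installed.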


