From: Klavs Klavsen
Date: Wed, 02 Feb 2005 14:51:48 +0100
To: Klavs Klavsen
cc: FreeBSD Questions
Subject: Re:(solved) nsswitch ldap lookup problems
Message-ID: <4200DAF4.9040408@vsen.dk>
In-Reply-To: <4200D350.1000600@vsen.dk>
References: <4200A8ED.9030200@vsen.dk> <4200D350.1000600@vsen.dk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Embarrassing.. Once I actually installed nss_ldap - it worked :)

on 02-02-2005 14:19 Klavs Klavsen wrote:
| Has anyone gotten nsswitch ldap lookup working on a FreeBSD-5.x?
|
| I tried this exact config on a linux-client (to the same ldap-server)
| and it worked fine - I could do:
| getent passwd - and it also returned the users only on the ldap server.
|
| I try to do the equivalent (I think - there's no getent for freebsd :( )
| - by doing (on FreeBSD-5.3):
| # id ktk
| id: ktk: no such user
|
| in linux it gives me:
| # id ktk
| uid=5042(ktk) gid=5001(drift) groups=5001(drift)
|
| (the ktk user only exists in ldap)
|
| the /etc/ldap.conf, /usr/local/etc/ldap.conf and
| /usr/local/etc/openldap/ldap.conf files are exactly alike on Linux and
| FreeBSD and now look like this:
|
| ssl start_tls
| ssl on
| suffix "dc=vsen,dc=dk"
|
| uri ldaps://auth.vsen.dk/
| #pam_password exop
|
| ldap_version 3
| pam_filter objectclass=posixAccount
| pam_login_attribute uid
| pam_member_attribute memberuid
| nss_base_passwd ou=People,dc=vsen,dc=dk
| nss_base_shadow ou=People,dc=vsen,dc=dk
| nss_base_group ou=Group,dc=vsen,dc=dk
| nss_base_hosts ou=Hosts,dc=vsen,dc=dk
|
| scope one
|
|
| on 02-02-2005 11:18 Klavs Klavsen wrote:
|
|> Hi guys,
|>
|> I've gotten my kerberos and openldap up and running on FreeBSD 5.3 - and
|> can log in with my user (because he has been created in kerberos and pam
|> looks in that), but nsswitch can't find the user in ldap for some reason.
|>
|> All help will be greatly appreciated
|>
|> When I login with ssh I get this in debug.log:
|> Feb 2 11:06:06 auth01 sshd[771]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found
|> Feb 2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found
|> Feb 2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found
|> Feb 2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, endgrent, not found
|> Feb 2 11:06:09 auth01 slapd[604]: conn=2 fd=12 ACCEPT from IP=172.21.1.109:56828 (IP=0.0.0.0:636)
|> Feb 2 11:06:09 auth01 slapd[604]: conn=2 op=0 BIND dn="" method=128
|> Feb 2 11:06:09 auth01 slapd[604]: conn=2 op=0 RESULT tag=97 err=0 text=
|> Feb 2 11:06:09 auth01 slapd[604]: conn=2 op=1 SRCH base="ou=People,dc=vsen,dc=dk" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ktk))"
|> Feb 2 11:06:09 auth01 slapd[604]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
|> Feb 2 11:06:09 auth01 slapd[604]: conn=2 fd=12 closed
|> Feb 2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found
|> Feb 2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found
|> Feb 2 11:06:09 auth01 sshd[773]: NSSWITCH(nss_method_lookup): ldap, group, endgrent, not found
|> Feb 2 11:06:09 auth01 sshd[774]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found
|>
|> if I try to do an ldapsearch for the same:
|> # ldapsearch "(&(objectClass=posixAccount)(uid=ktk))" -b "ou=People,dc=vsen,dc=dk" -Y gssapi
|>
|> It seems to work fine:
|> [SNIP - cut SASL talk]
|> # extended LDIF
|> #
|> # LDAPv3
|> # base <> with scope sub
|> # filter: (&(objectClass=posixAccount)(uid=ktk))
|> # requesting: -b ou=People,dc=vsen,dc=dk -Y gssapi
|> #
|>
|> # ktk, People, telmore.dk
|> dn: uid=ktk,ou=People,dc=vsen,dc=dk
|>
|> # search result
|> search: 5
|> result: 0 Success
|>
|> # numResponses: 2
|> # numEntries: 1
|>
|> my /usr/local/etc/ldap.conf (on freebsd 5.3) looks like this:
|> BASE dc=vsen, dc=dk
|> URI ldaps://auth.vsen.dk:636/
|> TLS_REQCERT allow
|>
|>
|> #SIZELIMIT 12
|> #TIMELIMIT 15
|> #DEREF never
|>
|> scope sub
|> port 389
|> pam_password md5
|> ldap_version 3
|> pam_filter objectclass=posixAccount
|> pam_login_attribute uid
|> pam_member_attribute memberUid
|> nss_base_passwd ou=People,dc=vsen,dc=dk?one
|> nss_base_group ou=Groups,dc=vsen,dc=dk?one
|> nss_base_shadow ou=People,dc=vsen,dc=dk?one
|> #debug testing
|> logdir /var/log
|> debug 9
|>
|>
| _______________________________________________
| freebsd-questions@freebsd.org mailing list
| http://lists.freebsd.org/mailman/listinfo/freebsd-questions
| To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
|

- --
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCANr0PToLeX4GPGIRAt6lAJ9cRo6Lj6dbF34uoIr5FnOJtcNEBQCgnz0G
/SCbfhShS5ZJaIGvP4J04fY=
=1NPq
-----END PGP SIGNATURE-----
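Two checks a practitioner would want for the situation in this thread, written as an added example (not code from the original mail or from the nss_ldap/OpenLDAP projects). The first pulls the failing nsswitch source/database pairs out of debug.log lines like the ones quoted above; "ldap, passwd, endpwent, not found" is exactly what FreeBSD's nsswitch logs when a source named in nsswitch.conf has no nss module installed, which was the cause here. The second audits an nss_ldap/OpenLDAP ldap.conf for settings that weaken the TLS channel: the quoted config carries `TLS_REQCERT allow`, which makes the OpenLDAP client accept an unverifiable server certificate, so the ldaps:// connection no longer authenticates the directory server. The sample log lines and config files are constructed from what the mail quotes; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs offline on constructed input.

# 1. From syslog lines of the form
#      NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found
#    print the unique "<source> <database>" pairs nsswitch could not serve.
#    A source listed in nsswitch.conf whose nss module is absent produces
#    exactly this pattern for every method of every database it is named for.
nss_missing_sources() {
    sed -n 's/.*NSSWITCH(nss_method_lookup): \([^,]*\), \([^,]*\), [^,]*, not found.*/\1 \2/p' "$1" |
        sort -u
}

# 2. Audit an nss_ldap / OpenLDAP ldap.conf. Prints one line per finding and
#    returns 0 when nothing was found, 1 otherwise. Keywords are lower-cased
#    first because OpenLDAP uses TLS_REQCERT/URI while nss_ldap uses lower case.
#    - TLS_REQCERT never/allow/try accept an unverifiable server certificate;
#      demand (the OpenLDAP default, alias hard) rejects it.
#    - nss_ldap's tls_checkpeer no has the same effect for the nss_ldap client.
#    - A plain ldap:// URI with neither "ssl on" nor "ssl start_tls" sends
#      directory traffic, including any bind password, in cleartext.
ldap_conf_audit() {
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ $1 = tolower($1); print }')
    rc=0
    reqcert=$(printf '%s\n' "$conf" | awk '$1 == "tls_reqcert" { v = tolower($2) } END { print v }')
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert: server certificate not verified, MITM possible"; rc=1 ;;
    esac
    checkpeer=$(printf '%s\n' "$conf" | awk '$1 == "tls_checkpeer" { v = tolower($2) } END { print v }')
    if [ "$checkpeer" = "no" ]; then
        echo "tls_checkpeer no: nss_ldap skips server certificate verification"; rc=1
    fi
    ssl=$(printf '%s\n' "$conf" | awk '$1 == "ssl" { v = tolower($2) } END { print v }')
    if printf '%s\n' "$conf" | awk '$1 == "uri" { print $2 }' | grep -q '^ldap://' &&
       [ "$ssl" != "on" ] && [ "$ssl" != "start_tls" ]; then
        echo "ldap:// URI without ssl on/start_tls: cleartext LDAP traffic"; rc=1
    fi
    return $rc
}

# Constructed sample input, rebuilt from the lines quoted in the mail.
# $1: directory to write debug.log, weak.conf and ok.conf into.
write_samples() {
    cat > "$1/debug.log" <<'EOF'
Feb 2 11:06:06 auth01 sshd[771]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found
Feb 2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found
Feb 2 11:06:06 auth01 sshd[770]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found
Feb 2 11:06:09 auth01 slapd[604]: conn=2 op=0 BIND dn="" method=128
EOF
    cat > "$1/weak.conf" <<'EOF'
BASE dc=vsen, dc=dk
URI ldaps://auth.vsen.dk:636/
TLS_REQCERT allow
ldap_version 3
nss_base_passwd ou=People,dc=vsen,dc=dk?one
EOF
    cat > "$1/ok.conf" <<'EOF'
BASE dc=vsen, dc=dk
URI ldaps://auth.vsen.dk:636/
TLS_REQCERT demand
tls_checkpeer yes
ldap_version 3
EOF
}
```

Usage on a real host: `nss_missing_sources /var/log/debug.log` names the nss module to install (here `nss_ldap`, giving `/usr/local/lib/nss_ldap.so.1`), and `ldap_conf_audit /usr/local/etc/ldap.conf` should return 0 before the box is trusted to authenticate users against the directory. The audit deliberately treats an absent TLS_REQCERT as fine because OpenLDAP's default is demand; it is the explicit downgrade to allow, as in the quoted config, that it flags.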