Date: Sun, 4 Nov 2007 22:48:29 +0100
From: Ulrich Spoerlein
To: "O. Hartmann"
Cc: "O. Hartmann", freebsd-questions@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Message-ID: <20071104214829.GA1527@roadrunner.spoerlein.net>
In-Reply-To: <47222F0D.70802@zedat.fu-berlin.de>
References: <471B7DCF.2020709@mail.zedat.fu-berlin.de> <20071025214852.GB1458@roadrunner.spoerlein.net> <47222F0D.70802@zedat.fu-berlin.de>
User-Agent: Mutt/1.5.16 (2007-06-09)
List-Id: Porting software to FreeBSD

Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
> All right, here I am. nss_ldap.conf and ldap.conf are located in
> /usr/local/etc and are identical (link). I copied all tags I use and deleted
> commented out tags:

Seems ok to me, though I don't claim to be an expert.

> The slapd.conf is this, comments roped:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include /usr/local/share/examples/samba/LDAP/samba.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> logfile /var/log/slapd.log
> loglevel 512

loglevel is a bitmask. If you want to have lots of debugging try 255 and
run a tail -f /var/log/debug.log

> sizelimit unlimited
> allow bind_v2
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> everse-lookup off

typo I guess?

> NSCD is up and running, my nsswitch.conf looks like this:

Please try without nscd first, it's just another possible source of
problems.

> group: cache ldap[ unavail=continue notfound=continue ] files
> passwd: cache ldap [ unavail=continue notfound=continue ] files
> #group_compat: nis
> hosts: compat
> networks: files
> #passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> And I changed some lines in /etc/pam.d/sshd,login,system,other like this
> *commented out due to system gets stuck forever when enabled
> nss_ldap/pam_ldap):

I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to
avoid this unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least,
that's what I would do)

> Some errors from console:
>
> (At boot time)
> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap:
> could not search LDAP server - Server is unavailable

Expected. slapd wants to change its user to ldap:ldap, which it needs to
look up the UID for. Chicken & Egg. That's why I need to use soft
bind+timeout on my (disconnected) laptop here.

> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap:
> could not search LDAP server - Server is unavailable
> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could
> not search LDAP server - Server is unavailable

That seems broken then. Is slapd running? Can you ldapsearch -Lx -h
localhost? What's /var/log/debug.log telling you? Can you id(1) some
ldap users? Does the output of 'getent group' and 'getent passwd' look
reasonable?

> One point: what about compile time options of OpenLDAP? Does LDAP force
> itself to use SSL although not configured explicitly in slapd.conf?

No. It is purely optional. You would need certificates before it can
even possibly start working anyways.

> nss_ldap-1.257 <<===
> openldap-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2

My other computer is running with nss_ldap-1.257 and showing no problems
either.

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
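As an added example (not code from the thread or from the nss_ldap project), a small Python linter that checks an nss_ldap-style ldap.conf and an nsswitch.conf for the two things the reply recommends: a soft bind policy with a short bind_timelimit so lookups fail fast while slapd is down, and no nscd "cache" in front of ldap while debugging. The sample files are constructed from the snippets quoted above; the defaults assumed for absent keys (bind_policy hard, bind_timelimit 30) follow the ldap.conf comment text.

```python
"""Added example, not from the thread: lint nss_ldap's ldap.conf and nsswitch.conf
for the settings Ulrich recommends (soft bind, short timeout, no nscd)."""

# Constructed samples, modelled on the snippets quoted in the thread.
LDAP_CONF = """\
# Bind/connect timelimit
bind_timelimit 3
#bind_policy hard
bind_policy soft
"""
NSSWITCH_CONF = """\
group: cache ldap [ unavail=continue notfound=continue ] files
passwd: cache ldap [ unavail=continue notfound=continue ] files
hosts: compat
"""


def parse_kv(text):
    """Parse 'key value' lines in ldap.conf style; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def lint_ldap_conf(text, max_timelimit=5):
    """Return findings; empty means lookups fail fast instead of hanging when slapd is down.
    Assumed defaults when a key is absent: bind_policy hard, bind_timelimit 30."""
    conf = parse_kv(text)
    findings = []
    if conf.get("bind_policy", "hard") != "soft":
        findings.append("bind_policy hard: failed binds retry with backoff, blocking login/cron")
    limit = conf.get("bind_timelimit", "30")
    if not limit.isdigit() or int(limit) > max_timelimit:
        findings.append(f"bind_timelimit {limit}: each failed connect blocks for that long")
    return findings


def lint_nsswitch(text):
    """Flag databases routed through nscd ('cache'), one more moving part while debugging."""
    return [f"{db.strip()}: remove 'cache' until ldap lookups work"
            for db, _, sources in (l.partition(":") for l in text.splitlines())
            if "cache" in sources.split()]
```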