From owner-freebsd-ports@FreeBSD.ORG Fri Oct 26 18:16:35 2007
Message-ID: <47222F0D.70802@zedat.fu-berlin.de>
Date: Fri, 26 Oct 2007 20:16:45 +0200
From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To: "O. Hartmann", freebsd-questions@freebsd.org, freebsd-ports@freebsd.org
References: <471B7DCF.2020709@mail.zedat.fu-berlin.de> <20071025214852.GB1458@roadrunner.spoerlein.net>
In-Reply-To: <20071025214852.GB1458@roadrunner.spoerlein.net>
Subject: Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

Ulrich Spoerlein wrote:
> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
>
>> At this point it seems senseless to try out what's going wrong and I need
>> some hints or tips. I read about others successfully running OpenLDAP on
>> FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.
>>
>
> I do. It's working just fine ...
>
Good to hear, but it doesn't on mine ... :-(

>
>> P.S. If someone wants me to offer config details and/or log excerpts, please
>> contact me.
>>
>
> Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
> ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf.
> Some actual error messages would be fine too.
>
All right, here I am.

nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical
(link). I copied all tags I use and deleted commented out tags:

    host 192.168.2.210          # or 127.0.0.1 alternatively
    base dc=office,dc=de

    # Filter to AND with uid=%s
    pam_filter objectclass=posixAccount

    # Specify a minimum or maximum UID number allowed
    pam_min_uid 1000
    pam_max_uid 30000

    pam_password ssha

    nss_base_passwd ou=users,dc=office,dc=de?one
    nss_base_shadow ou=users,dc=office,dc=de?one
    nss_base_group  ou=group,dc=office,dc=de?one

    pam_filter objectClass=posixAccount

The slapd.conf is this, comments roped:

    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/nis.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    # additional schema
    include /usr/local/share/examples/samba/LDAP/samba.schema

    pidfile   /var/run/openldap/slapd.pid
    argsfile  /var/run/openldap/slapd.args
    logfile   /var/log/slapd.log
    loglevel  512
    sizelimit unlimited
    allow     bind_v2

    modulepath /usr/local/libexec/openldap
    moduleload back_bdb

    reverse-lookup off

    access to *
        by self write
        by users read
        by anonymous auth

    database  bdb
    suffix    dc=office,dc=de
    rootdn    cn=admin,dc=office,dc=de
    rootpw
    directory /data/openldap-data/nuggad/

    index objectClass                  eq,pres
    index uid,memberUid                pres,eq,sub
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index nisMapName,nisMapEntry       eq,pres,sub

nscd is up and running, my nsswitch.conf looks like this:

    group:    cache ldap [ unavail=continue notfound=continue ] files
    passwd:   cache ldap [ unavail=continue notfound=continue ] files
    #group_compat: nis
    hosts:    compat
    networks: files
    #passwd_compat: nis
    shells:   files
    services: compat
    services_compat: nis
    protocols: files
    rpc:      files

And I changed some lines in /etc/pam.d/sshd, login, system and other like
this (commented out because the system gets stuck forever when
nss_ldap/pam_ldap is enabled):

system:

    #
    # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
    #
    # System-wide defaults
    #

    # auth
    auth     sufficient  pam_opie.so             no_warn no_fake_prompts
    auth     requisite   pam_opieaccess.so       no_warn allow_local
    #auth    sufficient  pam_krb5.so             no_warn try_first_pass
    #auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth     sufficient  pam_ssh.so              no_warn try_first_pass
    auth     required    pam_unix.so             no_warn try_first_pass nullok

    # account
    #account required    pam_krb5.so
    account  required    pam_login_access.so
    #account sufficient  /usr/local/lib/pam_ldap.so
    account  required    pam_unix.so

    # session
    #session optional    pam_ssh.so
    session  required    pam_lastlog.so          no_fail

    # password
    #password sufficient pam_krb5.so             no_warn try_first_pass
    #password sufficient /usr/local/lib/pam_ldap.so  no_warn use_authtok
    password required    pam_unix.so             no_warn try_first_pass

sshd:

    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    #auth    sufficient  pam_opie.so             no_warn no_fake_prompts
    #auth    requisite   pam_opieaccess.so       no_warn allow_local
    #auth    sufficient  pam_krb5.so             no_warn try_first_pass
    auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth     sufficient  pam_ssh.so              no_warn try_first_pass
    auth     required    pam_unix.so             no_warn try_first_pass

    # account
    account  required    pam_nologin.so
    #account required    pam_krb5.so
    account  required    pam_login_access.so
    account  sufficient  /usr/local/lib/pam_ldap.so
    account  required    pam_unix.so

    # session
    #session optional    pam_ssh.so
    session  required    pam_permit.so

    # password
    #password sufficient pam_krb5.so             no_warn try_first_pass
    #password sufficient /usr/local/lib/pam_ldap.so  use_authtok
    password required    pam_unix.so             no_warn try_first_pass

Some errors from console:

(At boot time)
    Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable and this

    Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
    Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable

==>> Oct 26 13:04:00 gauss kernel: Oct 26 13:04:00 gauss sshd[1127]: pam_ldap: ldap_simple_bind Can't contact LDAP server

    Oct 26 13:14:24 gauss kernel: Oct 26 13:14:24 gauss sshd[41139]: nss_ldap: could not search LDAP server - Server is unavailable

When these "unavailable" messages show up, sockstat shows that slapd is
listening on its ports and I can access the slapd server from a client
running LUMA for configuration purposes.

I feel helpless because I can not see any mistakes.

One point: what about compile time options of OpenLDAP? Does LDAP force
itself to use SSL although it is not configured explicitly in slapd.conf?

    nss_ldap-1.257  <<===
    openldap-client-2.3.38
    openldap-server-2.3.38
    pam_ldap-1.8.2

FreeBSD 7.0-BETA1 from today's buildworld

> You should run tcpdump in some window to actually see what's going on.
> It also helps to turn on massive debugging in slapd.conf and tail(1)ing
> /var/log/debug.log
>
> I'm running the following versions on 7-CURRENT from 30. September
>
> nss_ldap-1.256
> openldap-sasl-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2
>
> Cheers,
> Ulrich Spoerlein
>
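The thread turns on what the sshd PAM stack does when pam_ldap cannot reach the server. The following is an added example, not code from the thread or from the pam_ldap/OpenPAM projects: a small simulator of OpenPAM-style chain evaluation (the dispatch rules FreeBSD uses; Linux-PAM differs in that a chain in which no module succeeds is denied). The `auth` lines are a constructed copy of the poster's sshd stack with comments dropped, and the per-module outcomes for each scenario are constructed inputs, so it runs without any LDAP server. It models only control-flag logic, not the hang the poster describes, which is a timeout problem the control flags cannot fix.

```python
"""Simulate OpenPAM chain evaluation for a pam.d stack (added example).

Assumption: the per-module results below (which module would return
success or failure for a given user) are constructed to illustrate the
"LDAP server unreachable" case; nothing here contacts a directory.
"""

# Constructed copy of the poster's sshd 'auth' stack, comments dropped.
SSHD_AUTH = """
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

# Hypothetical variant for contrast: pam_ldap marked 'required' instead.
SSHD_AUTH_LDAP_REQUIRED = """
auth required /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

CONTROLS = {"required", "requisite", "sufficient", "binding", "optional"}


def parse_pam(text):
    """Return [(type, control, module, options)] from pam.d text.

    '#' starts a comment; the module path is reduced to its basename so
    /usr/local/lib/pam_ldap.so and pam_ldap.so compare equal.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        ptype, control, module, *options = parts
        control = control.lower()
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        entries.append((ptype.lower(), control, module.rsplit("/", 1)[-1], options))
    return entries


def evaluate(entries, ptype, results):
    """Evaluate one management group ('auth', 'account', ...) under OpenPAM rules.

    results maps module basename -> 'success' or 'failure'; an unlisted
    module counts as failure. Returns 'success' or 'failure'.
      requisite  : failure stops the chain with failure
      required   : failure is remembered, chain continues
      sufficient : success ends the chain with success unless a required
                   module already failed; failure is ignored
      binding    : like required, but success also ends the chain
      optional   : result ignored
    """
    chain = [e for e in entries if e[0] == ptype]
    if not chain:
        raise ValueError(f"no {ptype!r} entries in stack")
    failed_required = False
    for _, control, module, _ in chain:
        ok = results.get(module) == "success"
        if control == "requisite" and not ok:
            return "failure"
        if control in ("required", "binding") and not ok:
            failed_required = True
        elif control in ("sufficient", "binding") and ok and not failed_required:
            return "success"
    return "failure" if failed_required else "success"


def scenarios():
    """Run the constructed scenarios and return {name: outcome}."""
    posted = parse_pam(SSHD_AUTH)
    ldap_required = parse_pam(SSHD_AUTH_LDAP_REQUIRED)
    # Constructed outcomes: what each module would return for the user.
    ldap_down_local_user = {"pam_ldap.so": "failure", "pam_ssh.so": "failure", "pam_unix.so": "success"}
    ldap_down_ldap_user = {"pam_ldap.so": "failure", "pam_ssh.so": "failure", "pam_unix.so": "failure"}
    ldap_up_ldap_user = {"pam_ldap.so": "success", "pam_ssh.so": "failure", "pam_unix.so": "failure"}
    return {
        "posted stack, LDAP down, local user": evaluate(posted, "auth", ldap_down_local_user),
        "posted stack, LDAP down, LDAP-only user": evaluate(posted, "auth", ldap_down_ldap_user),
        "posted stack, LDAP up, LDAP-only user": evaluate(posted, "auth", ldap_up_ldap_user),
        "pam_ldap required, LDAP down, local user": evaluate(ldap_required, "auth", ldap_down_local_user),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

With the posted stack, a local account still authenticates through pam_unix when the directory is unreachable because pam_ldap is `sufficient` and its failure is ignored; an LDAP-only account is denied rather than let through. The contrasting `required` variant locks local accounts out whenever LDAP is down, which is the fail-closed trade-off an operator should decide on deliberately rather than inherit from a copied template.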