[CentOS] {Disarmed} Re: Problems with nss_ldap - where to start?

Peter Serwe peter.serwe at gmail.com
Wed Dec 16 21:10:46 UTC 2009


I just had those users in there because I didn't want to attempt to hit ldap
for known local users.

Peter

On Wed, Dec 16, 2009 at 12:58 PM, Craig White <craigwhite at azapple.com>wrote:

> On Wed, 2009-12-16 at 13:44 -0700, Craig White wrote:
> > On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> > > I think not as well.  The tactest user has been blown back out.  I can
> > > re-add it from ldif again.
> > >
> > > [root at ldap home]# getent passwd | grep example
> > > [root at ldap home]#
> > >
> > > [root at ldap home]# cat /etc/nsswitch.conf | grep -v \#
> > >
> > >
> > > passwd:     files ldap
> > > shadow:     files ldap
> > > group:      files ldap
> > >
> > > hosts:      files dns
> > >
> > >
> > > bootparams: nisplus [NOTFOUND=return] files
> > >
> > > ethers:     files
> > > netmasks:   files
> > > networks:   files
> > > protocols:  files
> > > rpc:        files
> > > services:   files
> > >
> > > netgroup:   nisplus
> > >
> > > publickey:  nisplus
> > >
> > > automount:  files nisplus
> > > aliases:    files nisplus
> > >
> > > [root at ldap home]# cat /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_ldap.so use_first_pass
> > > auth        required      pam_deny.so
> > >
> > > account     required      pam_unix.so broken_shadow
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > account     required      pam_permit.so
> > >
> > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> > > use_authtok
> > > password    sufficient    pam_ldap.so use_authtok
> > > password    required      pam_deny.so
> > >
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_mkhomedir.so
> > > session     [success=1 default=ignore] pam_succeed_if.so service in
> > > crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_ldap.so
> > >
> > > [root at ldap home]# cat /etc/ldap.conf | grep -v \#
> > >
> > >
> > > BASE dc=tncionline, dc=net
> > > URI ldap://MailScanner warning: numerical links are often malicious:
> > > 127.0.0.1
> > > port 389
> > >
> > > SIZELIMIT    12
> > > TIMELIMIT    15
> > > DEREF        never
> > > timelimit 600
> > > bind_timelimit 600
> > > bind_policy soft
> > > idle_timelimit 3600
> > >
> > > nss_initgroups_ignoreusers
> > > pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> > > base dc=tncionline, dc=net
> > > pam_password md5
> > ----
> > here's a big problem... /etc/ldap.conf
> >
> > you need to add...(assuming this is where you have People/Groups)
> >
> > nss_base_passwd         ou=People,tncionline,dc=net?one
> > nss_base_shadow         ou=People,tncionline,dc=net?one
> > nss_base_group          ou=Groups,tncionline,dc=net?one
> >
> > take the space out of base...
> > base dc=tncionline,dc=net
> >
> > I'd also add (until you can deal)...
> > ssl no
> ----
> oh...
>
> nss_initgroups_ignoreusers
> pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
>
> you can remove pserwe,dgates from the list unless you have daemon services
> running as those users prior to LDAP start (highly unlikely)
>
> and if the above doesn't work, it is because your slapd.conf ACL's are
> blocking anonymous binds at the indicated dn's
>
> So you might want to either simplify your ACL's, permit anonymous binds to
> the 'people/groups' or let us see what you've got for ACL's
>
> these are some rules that I've found good to have in
> /etc/openldap/slapd.conf - YMMV
>
> allow           bind_anon_dn
>
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
>        by self write
>        by anonymous auth
>        by * none
>
> access to dn.regex="^uid=([^,]+)ou=People,dc=azapple,dc=com$$"
>        by self read
>        by anonymous auth
>        by * none
>
> # a bottom catchall rule...
> access to *
>        by anonymous read
>        by * read
>
> access to dn.base="cn=Subschema" by * read
>
> Craig
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Peter Serwe
http://truthlightway.blogspot.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.centos.org/pipermail/centos/attachments/20091216/7612b906/attachment.html 


More information about the CentOS mailing list