Can anyone point me to a how to or beginners guide to setting up LDAP authentication on CentOS5 with replication?
On Thu, 2008-01-10 at 14:40 -0600, Sean Carolan wrote:
> Can anyone point me to a how to or beginners guide to setting up LDAP authentication on CentOS5 with replication?
----
well, if you want something that's comprehensive, I probably can't offer much.
CentOS documentation definitely has some clues... http://www.centos.org/docs/5/html/5.1/Deployment_Guide/ch-ldap.html
and you should become familiar with openldap's official documentation here... http://www.openldap.org/doc/admin23/
and finally, I would recommend a book... LDAP System Administration by Gerald Carter which really simplifies the instruction even though it is old and outdated
Craig
On Jan 10, 2008 6:38 PM, Craig White craigwhite@azapple.com wrote:
> On Thu, 2008-01-10 at 14:40 -0600, Sean Carolan wrote:
> > Can anyone point me to a how to or beginners guide to setting up LDAP authentication on CentOS5 with replication?
> well, if you want something that's comprehensive, I probably can't offer much.
Thanks for the pointers, Craig. I'm finding that web documentation for LDAP authentication on CentOS is extremely sparse and/or inaccurate. Here's what I've been able to do so far:
* Get slapd up and running
* Import my /etc/passwd, /etc/shadow, /etc/group using the migration scripts
* Run commands like ldapsearch -x -D "cn=Admin,dc=example,dc=com" -W, which successfully connects and gets info from slapd
I would like to use Webmin to manage this, but unfortunately Webmin doesn't seem to find any ldap users or groups. Anyone else have experience getting this to work?
On Thu, 2008-01-10 at 22:10 -0600, Sean Carolan wrote:
> On Jan 10, 2008 6:38 PM, Craig White craigwhite@azapple.com wrote:
> > On Thu, 2008-01-10 at 14:40 -0600, Sean Carolan wrote:
> > > Can anyone point me to a how to or beginners guide to setting up LDAP authentication on CentOS5 with replication?
> > well, if you want something that's comprehensive, I probably can't offer much.
> Thanks for the pointers, Craig. I'm finding that web documentation for LDAP authentication on CentOS is extremely sparse and/or inaccurate. Here's what I've been able to do so far:
> - Get slapd up and running
> - Import my /etc/passwd, /etc/shadow, /etc/group using the migration scripts
> - Run commands like ldapsearch -x -D "cn=Admin,dc=example,dc=com" -W, which successfully connects and gets info from slapd
> I would like to use Webmin to manage this, but unfortunately Webmin doesn't seem to find any ldap users or groups. Anyone else have experience getting this to work?
----
sure, I use webmin's LDAP Users and Groups module on every network server that I maintain. It's perfect for my needs.
The first question that occurs to me is if you did all that. When you do 'getent passwd' does each user in LDAP show up? Remember that if you still have a user in /etc/passwd and in LDAP (which would be a fatal setup), they would actually appear twice.
Craig
> sure, I use webmin's LDAP Users and Groups module on every network server that I maintain. It's perfect for my needs.
Yes, this is exactly what I'm trying to do. It would be perfect for our needs too.
> The first question that occurs to me is if you did all that. When you do 'getent passwd' does each user in LDAP show up? Remember that if you still have a user in /etc/passwd and in LDAP (which would be a fatal setup), they would actually appear twice.
Yep, each user shows up one time when I run 'getent passwd'. I'm thinking that perhaps there is a problem in my /etc/ldap.conf since this is what it appears webmin is using to bind to the LDAP server. Here's a copy of that file if it's any help.
#host 127.0.0.1
#base dc=domain,dc=com
suffix "dc=domain,dc=com"
#rootbinddn "cn=Admin,dc=domain,dc=com"
uri ldap://127.0.0.1/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
scope one
On Sat, 2008-01-12 at 09:11 -0600, Sean Carolan wrote:
> > sure, I use webmin's LDAP Users and Groups module on every network server that I maintain. It's perfect for my needs.
> Yes, this is exactly what I'm trying to do. It would be perfect for our needs too.
> > The first question that occurs to me is if you did all that. When you do 'getent passwd' does each user in LDAP show up? Remember that if you still have a user in /etc/passwd and in LDAP (which would be a fatal setup), they would actually appear twice.
> Yep, each user shows up one time when I run 'getent passwd'. I'm thinking that perhaps there is a problem in my /etc/ldap.conf since this is what it appears webmin is using to bind to the LDAP server. Here's a copy of that file if it's any help.
----
not really, have you run system-config-authentication ? That also configures pam & nss which are necessary items.
If each user shows only once AND they are in /etc/passwd and LDAP, then it would be a clear indication that the underlying system isn't configured to find users/groups/passwords in LDAP at all. If each user has been removed from /etc/passwd, then it may very well be working.
Configuring Webmin's LDAP Users and Groups is only possible when you have configured the underlying system first, can actually do command line add/remove/delete ldap users and can authenticate as an LDAP user to various systems such as ssh. At that point, Webmin's configuration becomes obvious. It is not reasonable to expect Webmin to supply the understanding of LDAP that the administrator cannot accomplish without Webmin.
Craig
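The two checks Craig describes, whether any login comes back twice from 'getent passwd' and whether users that exist only in LDAP come back at all, as an added example that is not part of the thread. The passwd-format inputs are constructed stand-ins for `getent passwd` output and /etc/passwd; on a real host you would read them from the system. It also flags a third condition worth catching after a migration, two different login names sharing one UID.

```python
"""Cross-check `getent passwd` against the local /etc/passwd.

Added example, not part of the thread.  The two inputs below are constructed
stand-ins for `getent passwd` output and for /etc/passwd on a host whose
nsswitch.conf lists `files ldap`; on a real host read them from the system.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Constructed: the local file holds root, the ldap service account and alice.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
"""

# Constructed: what NSS hands back once LDAP is consulted.  alice was migrated
# into LDAP but never removed locally, so she appears twice; carol reused UID 500.
GETENT_OUTPUT = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:500:502:Carol:/home/carol:/bin/bash
"""


def parse_passwd(lines: Iterable[str]) -> List[List[str]]:
    """Split passwd(5)-format lines into their seven fields; blanks, comments and malformed lines are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7:
            entries.append(fields)
    return entries


def duplicate_logins(getent_lines: Iterable[str]) -> Set[str]:
    """Logins getent returns more than once: the account is defined in both
    /etc/passwd and LDAP, the double definition Craig warns about."""
    counts = Counter(e[0] for e in parse_passwd(getent_lines))
    return {login for login, n in counts.items() if n > 1}


def ldap_only_logins(getent_lines: Iterable[str], passwd_lines: Iterable[str]) -> Set[str]:
    """Logins NSS resolves that have no local /etc/passwd line.  If LDAP holds
    users and this set is empty, nsswitch.conf is not consulting LDAP at all."""
    resolved = {e[0] for e in parse_passwd(getent_lines)}
    local = {e[0] for e in parse_passwd(passwd_lines)}
    return resolved - local


def uid_collisions(getent_lines: Iterable[str]) -> Dict[int, Set[str]]:
    """Different login names sharing one numeric UID: the kernel treats them as
    the same identity, so file ownership and group membership blur together."""
    names_by_uid = defaultdict(set)
    for e in parse_passwd(getent_lines):
        names_by_uid[int(e[2])].add(e[0])
    return {uid: names for uid, names in names_by_uid.items() if len(names) > 1}


def report(getent_lines: List[str], passwd_lines: List[str]) -> Dict[str, object]:
    """All three checks in one dictionary."""
    return {
        "duplicates": duplicate_logins(getent_lines),
        "ldap_only": ldap_only_logins(getent_lines, passwd_lines),
        "uid_collisions": uid_collisions(getent_lines),
    }


if __name__ == "__main__":
    for key, value in report(GETENT_OUTPUT.splitlines(), LOCAL_PASSWD.splitlines()).items():
        print(f"{key}: {value or 'none'}")
```

On the constructed input the duplicate is alice, the LDAP-only users are bob and carol (so NSS is clearly reaching LDAP), and UID 500 is shared by alice and carol.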
> not really, have you run system-config-authentication ? That also configures pam & nss which are necessary items.
Yes, I have and unfortunately when the 'ldap' tags are added to /etc/nsswitch.conf the system won't allow me to authenticate, su or sudo at all!
> If each user shows only once AND they are in /etc/passwd and LDAP, then it would be a clear indication that the underlying system isn't configured to find users/groups/passwords in LDAP at all. If each user has been removed from /etc/passwd, then it may very well be working.
I'm hesitant to remove users from /etc/passwd and rely on LDAP for authentication before I'm sure it is working. Can you not have the system attempt first to authenticate users via LDAP, then fall back to pam_unix if that doesn't work?
> Configuring Webmin's LDAP Users and Groups is only possible when you have configured the underlying system first, can actually do command line add/remove/delete ldap users and can authenticate as an LDAP user to various systems such as ssh. At that point, Webmin's configuration becomes obvious. It is not reasonable to expect Webmin to supply the understanding of LDAP that the administrator cannot accomplish without Webmin.
This is where I'm stuck. As soon as I try to turn on the system authentication by editing /etc/pam.d/system_auth and /etc/nsswitch.conf the system becomes unusable. Try to run "su -" and it just sits there and hangs. I know it's my own fault for not configuring it right, I just wish the available documentation gave some detailed examples. There is so much incorrect and incomplete information out there on the web that I'm not sure what to try.
On Sat, 2008-01-12 at 10:44 -0600, Sean Carolan wrote:
> > not really, have you run system-config-authentication ? That also configures pam & nss which are necessary items.
> Yes, I have and unfortunately when the 'ldap' tags are added to /etc/nsswitch.conf the system won't allow me to authenticate, su or sudo at all!
> > If each user shows only once AND they are in /etc/passwd and LDAP, then it would be a clear indication that the underlying system isn't configured to find users/groups/passwords in LDAP at all. If each user has been removed from /etc/passwd, then it may very well be working.
> I'm hesitant to remove users from /etc/passwd and rely on LDAP for authentication before I'm sure it is working. Can you not have the system attempt first to authenticate users via LDAP, then fall back to pam_unix if that doesn't work?
> > Configuring Webmin's LDAP Users and Groups is only possible when you have configured the underlying system first, can actually do command line add/remove/delete ldap users and can authenticate as an LDAP user to various systems such as ssh. At that point, Webmin's configuration becomes obvious. It is not reasonable to expect Webmin to supply the understanding of LDAP that the administrator cannot accomplish without Webmin.
> This is where I'm stuck. As soon as I try to turn on the system authentication by editing /etc/pam.d/system_auth and /etc/nsswitch.conf the system becomes unusable. Try to run "su -" and it just sits there and hangs. I know it's my own fault for not configuring it right, I just wish the available documentation gave some detailed examples. There is so much incorrect and incomplete information out there on the web that I'm not sure what to try.
----
#1 - Don't hand edit system-auth and nsswitch.conf by hand and also run system-config-authentication...the processes are mutually defeating. Just use system-config-authentication as it is designed to make the changes to both of those files and also /etc/ldap.conf as it sees fit. It works.
#2 - You probably need to add the following lines to /etc/ldap.conf to smooth things...
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
This will solve your issues with 'su -' and the length of time it takes.
I previously gave you links to CentOS documentation (which was lifted from RHEL) which discusses Red Hat's integration for using LDAP to authenticate. I also gave you the link to openldap.org administrator guide for using LDAP and I think I directed you to Gerald Carter's book which simplifies it. There also is information on TLDP web site.
If you are dismayed by the lack of detailed information on the web, it's only because:
- LDAP wasn't designed to do authentication in the first place
- There is no one way to do authentication via LDAP, but rather a lot of methodologies.
- LDAP is a tool that merely seeks to provide responsive usage to an ever increasing set of RFC's. Authentication is but one of the things that LDAP provides. The expectation that the usage of LDAP to accomplish a task should be apparent is like expecting GIMP to make you an artist.
Start with 'test' users that don't exist in /etc/passwd until you get confidence.
Craig
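A way to check a client for the settings Craig names before switching nsswitch.conf over, as an added example that is not part of the thread. It parses /etc/ldap.conf and /etc/nsswitch.conf and reports which of timelimit, bind_timelimit, bind_policy soft and nss_initgroups_ignoreusers root,ldap are missing on a host whose NSS databases consult ldap, which is the combination behind the hanging 'su -'. The sample files are constructed: the first mirrors the ldap.conf Sean posted, the second adds Craig's four lines.

```python
"""Audit the nss_ldap client settings behind the `su -` hang.

Added example, not from the thread.  It checks the directives Craig lists
for /etc/ldap.conf (timelimit, bind_timelimit, bind_policy soft,
nss_initgroups_ignoreusers) against the NSS databases that nsswitch.conf
points at ldap.  All sample texts are constructed.
"""
from typing import Dict, List

# Constructed to mirror the ldap.conf posted in the thread.
POSTED_LDAP_CONF = """\
#host 127.0.0.1
#base dc=domain,dc=com
suffix "dc=domain,dc=com"
#rootbinddn "cn=Admin,dc=domain,dc=com"
uri ldap://127.0.0.1/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
scope one
"""

# The four lines Craig recommends appending.
CRAIG_ADDITIONS = """\
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
"""

# Constructed nsswitch.conf fragments: with and without ldap as a source.
NSSWITCH_LDAP = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"
NSSWITCH_FILES = "passwd: files\nshadow: files\ngroup: files\nhosts: files dns\n"


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """`key value` lines; '#' lines are ignored and a later key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def ldap_databases(nsswitch_text: str) -> List[str]:
    """NSS databases whose source list names ldap."""
    dbs = []
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        if "ldap" in sources.split():
            dbs.append(name.strip())
    return sorted(dbs)


def audit(ldap_conf_text: str, nsswitch_text: str) -> List[str]:
    """Return findings; an empty list means none of the hang-related settings is missing."""
    findings = []
    dbs = ldap_databases(nsswitch_text)
    if not dbs:
        findings.append("nsswitch.conf: no database uses ldap, so NSS never sees LDAP users")
        return findings
    conf = parse_ldap_conf(ldap_conf_text)
    if "uri" not in conf and "host" not in conf:
        findings.append("ldap.conf: neither uri nor host is set")
    for key in ("timelimit", "bind_timelimit"):
        if key not in conf:
            findings.append(f"ldap.conf: {key} not set; lookups for {', '.join(dbs)} can block (Craig: {key} 30)")
    if conf.get("bind_policy", "").lower() != "soft":
        findings.append("ldap.conf: bind_policy is not soft; the default keeps retrying an unreachable slapd instead of falling through to files")
    ignored = {u.strip() for u in conf.get("nss_initgroups_ignoreusers", "").split(",") if u.strip()}
    for local in ("root", "ldap"):
        if local not in ignored:
            findings.append(f"ldap.conf: nss_initgroups_ignoreusers does not list {local}; its group lookup goes to LDAP even when slapd is down (Craig: root,ldap)")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_LDAP_CONF, NSSWITCH_LDAP):
        print("-", finding)
    print("after additions:", audit(POSTED_LDAP_CONF + CRAIG_ADDITIONS, NSSWITCH_LDAP) or "clean")
```

Against the posted file the audit reports five findings (both time limits, the bind policy, and root and ldap missing from nss_initgroups_ignoreusers); with Craig's four lines appended it reports none, and with a files-only nsswitch.conf it reports only that LDAP is never consulted, which is the state Craig describes when every user shows up exactly once while still being in /etc/passwd.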
Thanks for your patience, Craig. So I took your advice and started with a fresh install of CentOS 5, and followed the instructions in the documentation exactly as they are written. I got this far:
[root@server migration]# ./migrate_all_online.sh
Enter the X.500 naming context you wish to import into: [dc=domain,dc=com]
Enter the hostname of your LDAP server [ldap]: server.domain.com
Enter the manager DN: [cn=manager,dc=domain,dc=com]:
Enter the credentials to bind with:
Do you wish to generate a DUAConfigProfile [yes|no]? no
Importing into dc=domain,dc=com...
Creating naming context entries...
Migrating groups...
Migrating hosts...
Migrating networks...
Migrating users...
Migrating protocols...
Migrating rpcs...
Migrating services...
Migrating netgroups...
Migrating netgroups (by user)...
Migrating netgroups (by host)...
ldap_bind: Invalid credentials (49)
Importing into LDAP...
ldap_bind: Invalid credentials (49)
/usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.Hh9210
I will go and read all of the links you sent me, but it's very frustrating to follow even a simple tutorial for the OS and have it not work. Because I have little experience with LDAP I don't know whether it's a problem with the documentation, or human error.
On Sat, 2008-01-12 at 17:00 -0600, Sean Carolan wrote:
> Thanks for your patience, Craig. So I took your advice and started with a fresh install of CentOS 5, and followed the instructions in the documentation exactly as they are written. I got this far:
> [root@server migration]# ./migrate_all_online.sh
> Enter the X.500 naming context you wish to import into: [dc=domain,dc=com]
> Enter the hostname of your LDAP server [ldap]: server.domain.com
> Enter the manager DN: [cn=manager,dc=domain,dc=com]:
> Enter the credentials to bind with:
> Do you wish to generate a DUAConfigProfile [yes|no]? no
> Importing into dc=domain,dc=com...
> Creating naming context entries...
> Migrating groups...
> Migrating hosts...
> Migrating networks...
> Migrating users...
> Migrating protocols...
> Migrating rpcs...
> Migrating services...
> Migrating netgroups...
> Migrating netgroups (by user)...
> Migrating netgroups (by host)...
> ldap_bind: Invalid credentials (49)
> Importing into LDAP...
> ldap_bind: Invalid credentials (49)
> /usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.Hh9210
> I will go and read all of the links you sent me, but it's very frustrating to follow even a simple tutorial for the OS and have it not work. Because I have little experience with LDAP I don't know whether it's a problem with the documentation, or human error.
----
Just so we're clear here, you are actually trying to learn two distinct things simultaneously, how to use LDAP and how to use LDAP to authenticate. They are not the same thing. If you knew how to use LDAP, adding authentication to the knowledge base would be relatively trivial. Likewise, if you knew how to use LDAP, configuring Webmin would be relatively trivial.
I can tell you that Gerald Carter's book makes the entire process painless but you are going to do it your way and I respect that to a point...but ask that you recognize that you do so at the peril of massive frustration.
invalid credentials (error 49) is what you get when the binddn you are using doesn't work. To do a live add, it presumes that you have already created the password with the slappasswd command and entered that value for the password as rootbinddn in slapd.conf and that you are telling migrate_all_online.sh to use that exact same rootbinddn.
Make sense?
Craig
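The mismatch Craig describes for error 49, the manager DN and password the migration script binds with versus the rootdn and rootpw in slapd.conf, checked offline, as an added example that is not part of the thread. slappasswd's default {SSHA} scheme is base64(SHA-1(password + salt) + salt) with a 4-byte salt; the block re-implements it so a candidate password can be tested against the stored hash without a running slapd. The slapd.conf fragment and password are constructed, and the DN comparison is a simplification (case-folding and trimming around commas) that suffices for the plain DNs in this thread.

```python
"""Reproduce offline the check that `ldap_bind: Invalid credentials (49)` fails.

Added example, not from the thread.  A simple bind as the manager succeeds
only if the DN equals rootdn in slapd.conf and the password matches rootpw.
{SSHA} is re-implemented here (SHA-1 over password+salt, base64 of
digest+salt) so the credential can be tested against the stored hash.
The slapd.conf text is constructed; DN normalisation is simplified.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

PASSWORD = "S3cret!"                 # constructed manager password
SALT = b"\x01\x02\x03\x04"           # fixed salt so the sample conf is reproducible


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Same form as the output of `slappasswd -s <password>`."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute SHA-1 with the salt that follows the 20-byte digest; compare in constant time."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: strip quotes, lower-case, trim around commas."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(","))


def _directive(conf: str, name: str) -> Optional[str]:
    """Value of a single slapd.conf directive, quotes removed; None if absent."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", conf, re.MULTILINE)
    return m.group(1).strip('"') if m else None


def diagnose_bind(slapd_conf: str, manager_dn: str, password: str) -> str:
    """Say whether a simple bind as manager_dn/password would pass against this slapd.conf."""
    rootdn, rootpw = _directive(slapd_conf, "rootdn"), _directive(slapd_conf, "rootpw")
    if rootdn is None or rootpw is None:
        return "slapd.conf has no rootdn/rootpw: there is no manager account to bind as"
    if normalize_dn(rootdn) != normalize_dn(manager_dn):
        return f"manager DN {manager_dn} does not match rootdn {rootdn} (error 49)"
    if rootpw.startswith("{"):
        if not rootpw.upper().startswith("{SSHA}"):
            return "rootpw uses a scheme other than {SSHA}; not checked here"
        ok = ssha_verify(password, rootpw)
    else:
        # Cleartext rootpw is accepted by slapd.conf; prefer the slappasswd hash.
        ok = hmac.compare_digest(rootpw.encode("utf-8"), password.encode("utf-8"))
    return "bind should succeed" if ok else "password does not match rootpw (error 49)"


# Constructed slapd.conf fragment with a hashed rootpw, as slappasswd would emit it.
SLAPD_CONF = (
    "database        bdb\n"
    'suffix          "dc=domain,dc=com"\n'
    'rootdn          "cn=Manager,dc=domain,dc=com"\n'
    f"rootpw          {ssha_hash(PASSWORD, SALT)}\n"
)

if __name__ == "__main__":
    print(diagnose_bind(SLAPD_CONF, "cn=manager,dc=domain,dc=com", PASSWORD))
    print(diagnose_bind(SLAPD_CONF, "cn=manager,dc=domain,dc=com", "wrong"))
    print(diagnose_bind(SLAPD_CONF, "cn=Admin,dc=domain,dc=com", PASSWORD))
```

The three calls at the bottom cover the cases in the thread: the default manager DN offered by migrate_all_online.sh with the right password binds, a wrong password gives error 49, and binding as a DN that is not the rootdn (the cn=Admin from the earlier ldap.conf, against a cn=Manager rootdn) gives error 49 as well.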
> Just so we're clear here, you are actually trying to learn two distinct things simultaneously, how to use LDAP and how to use LDAP to authenticate. They are not the same thing. If you knew how to use LDAP, adding authentication to the knowledge base would be relatively trivial. Likewise, if you knew how to use LDAP, configuring Webmin would be relatively trivial.
Thank you for the info. I understand that LDAP and authentication are not the same thing. We use LDAP within our organization for storing other types of data but most of the staff do not like to deal with it. In fact some team members were opposed to using LDAP for authentication, now I understand why! It seems to be a pain in the ass to learn how to use and configure.
> I can tell you that Gerald Carter's book makes the entire process painless but you are going to do it your way and I respect that to a point...but ask that you recognize that you do so at the peril of massive frustration.
At this point I am leaning toward using kerberos instead. It took me 20 minutes to get a working kerberos server installation up and running, and I can now easily add new users and authenticate them, manage tickets, etc. Now I understand what you meant about LDAP not being designed for authentication. Thank you again for your time, Craig. This was a good learning experience for me.
thanks
Sean
On Sat, 2008-01-12 at 17:49 -0600, Sean Carolan wrote:
> > Just so we're clear here, you are actually trying to learn two distinct things simultaneously, how to use LDAP and how to use LDAP to authenticate. They are not the same thing. If you knew how to use LDAP, adding authentication to the knowledge base would be relatively trivial. Likewise, if you knew how to use LDAP, configuring Webmin would be relatively trivial.
> Thank you for the info. I understand that LDAP and authentication are not the same thing. We use LDAP within our organization for storing other types of data but most of the staff do not like to deal with it. In fact some team members were opposed to using LDAP for authentication, now I understand why! It seems to be a pain in the ass to learn how to use and configure.
> > I can tell you that Gerald Carter's book makes the entire process painless but you are going to do it your way and I respect that to a point...but ask that you recognize that you do so at the peril of massive frustration.
> At this point I am leaning toward using kerberos instead. It took me 20 minutes to get a working kerberos server installation up and running, and I can now easily add new users and authenticate them, manage tickets, etc. Now I understand what you meant about LDAP not being designed for authentication. Thank you again for your time, Craig. This was a good learning experience for me.
----
sure but for less than $20 and 2-3 hours, you can master LDAP and be the envy of all the guys in your office and the object of affection for all the ladies.
;-)
kerberos is actually a more secure authentication system because passwords don't continually cross the network.
Craig
> sure but for less than $20 and 2-3 hours, you can master LDAP and be the envy of all the guys in your office and the object of affection for all the ladies.
> ;-)
> kerberos is actually a more secure authentication system because passwords don't continually cross the network.
I do plan to get some books and read up on this some more. Thank you again for all the suggestions. The centos mailing list seems like a good resource with some smart people on it.
On Thu, 10 Jan 2008, Craig White wrote:
> On Thu, 2008-01-10 at 14:40 -0600, Sean Carolan wrote:
> > Can anyone point me to a how to or beginners guide to setting up LDAP authentication on CentOS5 with replication?
> well, if you want something that's comprehensive, I probably can't offer much.
> CentOS documentation definitely has some clues... http://www.centos.org/docs/5/html/5.1/Deployment_Guide/ch-ldap.html
> and you should become familiar with openldap's official documentation here... http://www.openldap.org/doc/admin23/
> and finally, I would recommend a book... LDAP System Administration by Gerald Carter which really simplifies the instruction even though it is old and outdated
Haven't read the book, but Gerry Carter gave an outstanding presentation at this year's LISA (ok, last year's) on OpenLDAP, Full day session, and worth every minute. Excellent presentation on wireshark, too, no matter your skill level with it. Great guy, too.
Scott
> Craig
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
2008/1/10, Sean Carolan scarolan@gmail.com:
> Can anyone point me to a how to or beginners guide to setting up LDAP authentication on CentOS5 with replication?
http://freshmeat.net/projects/smbldap-tools/
this is what I've been using for the last 4-5 years.