Hi all
I am new to this list and need help setting up an authentication server for an all Linux network. I previously used OpenLDAP, but think it is very complicated to set up and use, so I am giving 389 a try.
However, things are not going great...
I am running a network where users should have access both through SSH to the server and be able to log in on a local machine to a roaming profile. /home is shared via NFS.
Both the server and all clients are running Fedora 13.
389 is installed and running. I can query the server and using the admin tools I was able to import an old account saved as LDIF.
However, the following does not work:
1. The user I imported can not authenticate. I think that I need to set up 389 to use encryption with ldaps (Fedora 13 does not allow unencrypted passwords, which I used earlier since this net was experimental, isolated and contains no sensitive information).
2. I can not import old posixGroups, nor can I create new ones. Trying to import using LDIF, I get errors. Trying to create manually, I do not see the option appear in the admin tool.
I wish there was a guide that did provide exactly the steps I need to set up my server and network. The manual is good, but frankly I do not understand it well enough and lots of information is redundant to my needs.
When I've gotten this to work, I intend to write such a guide! But perhaps someone on this list could point me in the right direction...)
BTW, please CC my Evernote account when you reply to this thread.
Lars Gunther wrote:
Hi all
I am new to this list and need help setting up an authentication server for an all Linux network. I previously used OpenLDAP, but think it is very complicated to set up and use, so I am giving 389 a try.
However, things are not going great...
I am running a network where users should have access both through SSH to the server and be able to log in on a local machine to a roaming profile. /home is shared via NFS.
Both the server and all clients are running Fedora 13.
389 is installed and running. I can query the server and using the admin tools I was able to import an old account saved as LDIF.
However, the following does not work:
- The user I imported can not authenticate. I think that I need to set
up 389 to use encryption with ldaps (Fedora 13 does not allow unencrypted passwords, which I used earlier since this net was experimental, isolated and contains no sensitive information).
Not sure what you mean by "Fedora 13 does not allow unencrypted passwords" - do you mean "unencrypted BIND operations"?
- I can not import old posixGroups, nor can I create new ones. Trying
to import using LDIF, I get errors. Trying to create manually, I do not see the option appear in the admin tool.
It would be helpful if you provided the errors, and more information about "the option appear in the admin tool".
I wish there was a guide that did provide exactly the steps I need to set up my server and network. The manual is good, but frankly I do not understand it well enough and lots of information is redundant to my needs.
When I've gotten this to work, I intend to write such a guide! But perhaps someone on this list could point me in the right direction...)
BTW, please CC my Evernote account when you reply to this thread.
2010-09-13 17:57, Rich Megginson skrev:
Not sure what you mean by "Fedora 13 does not allow unencrypted passwords" - do you mean "unencrypted BIND operations"?
When setting up authentication using the graphic tools (system-config-authentication) I must either specify ldaps or TLS (or use Kerberos which I think is overkill for my setup). ldaps seem to be the easiest option.
- I can not import old posixGroups, nor can I create new ones. Trying
to import using LDIF, I get errors. Trying to create manually, I do not see the option appear in the admin tool.
It would be helpful if you provided the errors, and more information about "the option appear in the admin tool".
This LDIF could not be imported. It was generated as an export from OpenLDAP.
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: gunther
userPassword:: e2NyeXB0fXg=
gidNumber: 600
Error Message:
cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se: Error adding object 'dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se'. The error sent by the server was 'No such object'. The object is: LDAPEntry: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se; LDAPAttributeSet: LDAPAttribute {type='gidnumber', values='600'} LDAPAttribute {type='userpassword', values='{crypt}x'} LDAPAttribute {type='objectclass', values='posixGroup,top' LDAPAttribute {type='cn', values='gunther'}.
This LDIF import succeeded:
dn: uid=test,ou=People,dc=labbnet,dc=ne,dc=keryx,dc=se
userPassword:: xxx
loginShell: /bin/bash
gidNumber: 600
uidNumber: 600
shadowMax: 99999
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: gunther
gecos: Testare
shadowLastChange: 13313
BTW, please CC my Evernote account when you reply to this thread.
This works great. Please continue to do that :-)
2010-09-14 11:39, Lars Gunther skrev:
This LDIF could not be imported. It was generated as an export from OpenLDAP.
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: gunther
userPassword:: e2NyeXB0fXg=
gidNumber: 600
OK, I've found the problem
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
Should be dn: cn=test,ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se
Group/s/
Duh!
However, I still can not add posixGroups using the admin tool!
And I still can't log in as the user I've added.
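The "No such object" error above is the server saying that the parent of the entry's DN (ou=Group,...) does not exist, because the container is ou=Groups. As an added example, not code from the thread or from 389-ds, here is a small Python preflight that parses an LDIF export and reports missing parent containers and absent posixGroup MUST attributes before you import; the set of existing container DNs and the sample LDIF are constructed from the thread's values.

```python
import base64
# Constructed stand-in for containers already present in the server (collect them
# with ldapsearch in a real run). Note ou=Groups, as in the corrected DN, not ou=Group.
EXISTING_DNS = {
    "dc=labbnet,dc=ne,dc=keryx,dc=se",
    "ou=People,dc=labbnet,dc=ne,dc=keryx,dc=se",
    "ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se",
}
# Constructed LDIF: the group entry from the thread exactly as it was exported.
SAMPLE_LDIF = """\
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: gunther
userPassword:: e2NyeXB0fXg=
gidNumber: 600
"""

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr_lower: [values]})]; decodes 'attr:: b64'.
    Assumes no folded continuation lines (none occur in the thread's LDIF)."""
    entries = []
    for record in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):              # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode()
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def preflight(ldif_text, existing=EXISTING_DNS):
    """{dn: [problems]}: missing parent (the server's 'No such object') and missing posixGroup MUSTs."""
    known, report = {d.lower() for d in existing}, {}
    for dn, attrs in parse_ldif(ldif_text):
        parent = dn.partition(",")[2]
        issues = []
        if parent.lower() not in known:
            issues.append("no such object: parent " + parent + " does not exist")
        if "posixgroup" in [v.lower() for v in attrs.get("objectclass", [])]:
            issues += ["missing required attribute " + a
                       for a in ("cn", "gidnumber") if a not in attrs]
        report[dn] = issues
    return report
```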
Lars Gunther wrote:
2010-09-14 11:39, Lars Gunther skrev:
This LDIF could not be imported. It was generated as an export from OpenLDAP.
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: gunther
userPassword:: e2NyeXB0fXg=
gidNumber: 600
OK, I've found the problem
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
Should be dn: cn=test,ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se
Group/s/
Duh!
However, I still can not add posixGroups using the admin tool!
I still don't know what you mean by "add posixGroups using the admin tool". If by "admin tool" you mean the 389 GUI console, then right, there is no explicit posix group tab in the Group editor window, but you can use the Advanced... editor to add the posixGroup objectclass to the list of objectclasses.
And I still can't log in as the user I've added.
What error do you get? It's always helpful when you have a problem to specify
* the platform and 389-ds-base version
* the exact command you used - if by "log in" you mean system login, also please specify your /etc/ldap.conf settings
* the error message and error code you get from the command, if any
* check the directory server access log from around the time of your log in attempt to see what the directory server logged
2010-09-14 17:26, Rich Megginson skrev:
I still don't know what you mean by "add posixGroups using the admin tool". If by "admin tool" you mean the 389 GUI console, then right, there is no explicit posix group tab in the Group editor window, but you can use the Advanced... editor to add the posixGroup objectclass to the list of objectclasses.
Yep. That's what I meant. (389-console)
When I click Advanced I see posixGroup stuff not when I click "Show All Allowed Attributes", nor do I see it as an option when I click the "Add Attribute" button.
What do you mean when you say "Advanced editor"?
Having searched for a while, I've found a way to add posixGroups: Right click -> New -> Other -> posixGroup
They will however be identified in the tree by the gidnumber, not by their cn...
And I still can't log in as the user I've added.
What error do you get? It's always helpful when you have a problem to specify
- the platform and 389-ds-base version
Fedora 13 389 1.2.0
Error message "User does not exist"
- the exact command you used - if by "log in" you mean system login,
I've tried "su" both locally and from a client machine.
also please specify your /etc/ldap.conf settings
[root@lb ~]# cat /etc/ldap.conf|grep -v "#"|sed '/^$/d'
base dc=labbnet,dc=ne,dc=keryx,dc=se
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
uri ldaps://127.0.0.1:1636/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
I've changed the port to 1636 since *nix requires the server to run as root for ldaps on a port below 1024...
- the error message and error code you get from the command, if any
- check the directory server access log from around the time of your log
in attempt to see what the directory server logged
/var/log/dirsrv/slapd-lb/errors is silent
/var/log/dirsrv/slapd-lb/access (I've removed the timestamp)
conn=29 op=47 UNBIND
conn=29 op=47 fd=85 closed - U1
conn=26 op=77 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=77 RESULT err=0 tag=103 nentries=0 etime=1
conn=26 op=78 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=78 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=79 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=79 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=80 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=80 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=82 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=82 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=83 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=83 RESULT err=0 tag=103 nentries=0 etime=0
conn=28 op=-1 fd=84 closed - B1
conn=26 op=-1 fd=82 closed - B1
conn=27 op=-1 fd=83 closed - B1
Lars Gunther wrote:
2010-09-14 17:26, Rich Megginson skrev:
I still don't know what you mean by "add posixGroups using the admin tool". If by "admin tool" you mean the 389 GUI console, then right, there is no explicit posix group tab in the Group editor window, but you can use the Advanced... editor to add the posixGroup objectclass to the list of objectclasses.
Yep. That's what I meant. (389-console)
When I click Advanced I see posixGroup stuff not when I click "Show All Allowed Attributes", nor do I see it as an option when I click the "Add Attribute" button.
What do you mean when you say "Advanced editor"?
I mean the window you are using that has the "Show All Allowed Attributes" etc.
You should be able to left-click on the objectClass attribute to select it, then Add Value to select the posixGroup objectclass to add to the entry. Once you do that, you should be able to Add Attribute to add the posixGroup attributes.
Having searched for a while, I've found a way to add posixGroups: Right click -> New -> Other -> posixGroup
They will however be identified in the tree by the gidnumber, not by their cn...
Right. If you want the group to be recognized both by the console and by the OS, you need to create it as a regular group first, then add posixGroup.
And I still can't log in as the user I've added.
What error do you get? It's always helpful when you have a problem to specify
- the platform and 389-ds-base version
Fedora 13 389 1.2.0
Error message "User does not exist"
- the exact command you used - if by "log in" you mean system login,
I've tried "su" both locally and from a client machine.
also please specify your /etc/ldap.conf settings
[root@lb ~]# cat /etc/ldap.conf|grep -v "#"|sed '/^$/d'
base dc=labbnet,dc=ne,dc=keryx,dc=se
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
uri ldaps://127.0.0.1:1636/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
I've changed the port to 1636 since *nix requires the server to run as root for ldaps on a port below 1024...
- the error message and error code you get from the command, if any
- check the directory server access log from around the time of your log
in attempt to see what the directory server logged
/var/log/dirsrv/slapd-lb/errors is silent
/var/log/dirsrv/slapd-lb/access (I've removed the timestamp)
conn=29 op=47 UNBIND
conn=29 op=47 fd=85 closed - U1
conn=26 op=77 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=77 RESULT err=0 tag=103 nentries=0 etime=1
conn=26 op=78 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=78 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=79 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=79 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=80 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=80 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=82 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=82 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=83 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=83 RESULT err=0 tag=103 nentries=0 etime=0
conn=28 op=-1 fd=84 closed - B1
conn=26 op=-1 fd=82 closed - B1
conn=27 op=-1 fd=83 closed - B1
This doesn't show any SRCH or BIND operations that would have been done by su.
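The point above is the useful one for anyone debugging this: the access log only shows the console's MOD operations, so the su lookup never reached the directory server and the fault is on the client side. As an added example, not code from the thread or from 389-ds, here is a small Python reader for access-log lines in the shape quoted above; the sample log is constructed from the thread's console lines plus one constructed connection (conn=30) of the kind an NSS/PAM lookup for uid=test would produce, so the check can tell the two situations apart.

```python
import re
from collections import defaultdict

# Constructed sample in the 389 access-log shape quoted above (timestamps dropped
# as in the post): the console MOD traffic from the thread plus one constructed
# connection (conn=30) of the kind an NSS/PAM lookup of uid=test would produce.
SAMPLE_ACCESS_LOG = """\
conn=29 op=47 UNBIND
conn=29 op=47 fd=85 closed - U1
conn=26 op=77 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn\\5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=77 RESULT err=0 tag=103 nentries=0 etime=1
conn=30 op=0 BIND dn="" method=128 version=3
conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=30 op=1 SRCH base="dc=labbnet,dc=ne,dc=keryx,dc=se" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs=ALL
conn=30 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=28 op=-1 fd=84 closed - B1
"""
LINE_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")

def summarize(log_text):
    """Group lines by connection: [(op, kind, detail)] where kind is the LDAP
    operation (BIND, SRCH, MOD, UNBIND, ...), RESULT (detail = err code) or closed."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = int(m["conn"]), int(m["op"]), m["rest"]
        if rest.startswith("RESULT"):
            conns[conn].append((op, "RESULT", int(re.search(r"err=(\d+)", rest)[1])))
        elif " closed " in rest:
            conns[conn].append((op, "closed", rest.rsplit("- ", 1)[-1]))
        else:
            conns[conn].append((op, rest.split(" ", 1)[0], rest))
    return dict(conns)

def client_lookups(log_text, base):
    """Connections that behaved like an NSS/PAM client: a BIND and then a SRCH
    under the configured base. Empty means the client never reached the server,
    so the fault is on the client side (ldap.conf, TLS trust, port), not in DS."""
    hits = {}
    for conn, ops in summarize(log_text).items():
        kinds = {k for _, k, _ in ops}
        searches = [d for _, k, d in ops if k == "SRCH" and f'base="{base}"' in d]
        if "BIND" in kinds and searches:
            hits[conn] = searches
    return hits
```

Run against the real file (for example /var/log/dirsrv/slapd-lb/access) with the base from ldap.conf; if nothing comes back for the minute of the su attempt, the client side is where to look.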
On 9/14/2010 4:11 PM, Rich Megginson wrote:
Lars Gunther wrote:
2010-09-14 17:26, Rich Megginson skrev:
Having searched for a while, I've found a way to add posixGroups: Right click -> New -> Other -> posixGroup
They will however be identified in the tree by the gidnumber, not by their cn...
Right. If you want the group to be recognized both by the console and by the OS, you need to create it as a regular group first, then add posixGroup.
Also, the advanced editor has a Naming Attribute button in the lower right corner which launches a Change Name Attribute dialog. There you can uncheck gidnumber and check cn to make the latter the naming attribute.
389-users@lists.fedoraproject.org