=== Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added still? Because it looks like you're doing a manual config, right? ===

Yes, I think you should set baseDN (defaultSearchBase) to dc=composers,dc=foo,dc=com, NOT dc=foo,dc=com; it should correspond to the LDAP domain (nisdomain) name, i.e. composers.foo.com, which you set in the rootDN entry nisDomainObject.
Yes, set the ACLs to allow proxyAgent to read the LDAP DIT. Yes, "ldapclient -i" is manual config; I use it as "ldapclient -P" failed me when I tried to use TLS. If "ldapclient -P" works for you with or without TLS, by all means use this syntax.
Your passwd SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your shadow SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your group SSD should then be ou=group,dc=composers,dc=foo,dc=com?one
(SSD = serviceSearchDescriptor)
Please re-install FDS7.1 using baseDN=dc=composers,dc=foo,dc=com, and create an ldif file to re-populate your LDAP data using this baseDN, including the needed DUAConfigProfile, proxyAgent and sample People/group entries; the proxyAgent DN in your ldif file should be cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com.
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com
# tls_profile, profile, composers.foo.com
dn: cn=tls_profile,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com
Read the Solaris 8 "man ldapclient" page: there is no such valid value "default" for the "-a" option, please use "-a simple" and rerun "ldapclient -v -i ...". If you omit "-a", it defaults to "none", so proxyDN/PW are not really needed; that was why you had this msg in the "ldapclient" result: No proxyDN/proxyPassword required.
/usr/sbin/ldapclient -v -i -a simple -b dc=composers,dc=foo,dc=com -c proxy \
  -D cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com -w password \
  -S "passwd: ou=People,dc=composers,dc=foo,dc=com?one" \
  -S "shadow: ou=People,dc=composers,dc=foo,dc=com?one" \
  -S "group: ou=group,dc=composers,dc=foo,dc=com?one" \
  -S "netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one" \
  149.85.70.17
You seemed to jump very fast; before checking "id testdba" or "getent passwd testdba", first check these step by step:
# ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}...
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=foo,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one
# /usr/lib/ldap/ldap_cachemgr -g
Does it say LDAP cache manager is UP and running?
# cat /var/ldap/cachemgr.log
Any critical error?
# ldaplist -l passwd testdba
It should display something like:
dn: uid=testdba,ou=People,dc=composers,dc=foo,dc=com
givenName: Test
sn: DBA
loginShell: /bin/sh
uidNumber: 1111
gidNumber: 111
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testdba
cn: Test DBA
homeDirectory: /home/testdba
If "ldaplist -l passwd testdba" fails, don't expect "id testdba" and "getent passwd testdba" to work.
Gary
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com on behalf of Igor
Sent: Thu 8/25/2005 9:39 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
Gary, thank you for the replies. (I do have the patch you mentioned:)

bash-2.03# showrev -p | grep "^Patch: 108993-48"
Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03, 111641-0 [...]

--- "Tay, Gary" Gary_Tay@platts.com wrote:

> 0) As mentioned in previous email, use "ldapclient -i", not "ldapclient -P".

I did. It kept failing until I got rid of "-a default":

Handling manual option
Unable to set value: invalid authenticationMethod (default)

Getting rid of -a default:

bash-2.03# /usr/sbin/ldapclient -v -i -b dc=foo,dc=com -c proxy -D uid=proxyAgent,ou=profile,dc=foo,dc=com -w password -S "passwd: ou=People,dc=foo,dc=com?one" -S "shadow: ou=People,dc=foo,dc=com?one" -S "group: ou=group,dc=foo,dc=com?one" -S "netgroup: ou=netgroup,dc=foo,dc=com?one" 149.85.70.17
Arguments parsed:
defaultSearchBase: dc=foo,dc=com
credentialLevel: proxy
proxyDN: uid=proxyAgent,ou=profile,dc=foo,dc=com
serviceSearchDescriptor:
arg[0]: passwd: ou=People,dc=foo,dc=com?one
arg[1]: shadow: ou=People,dc=foo,dc=com?one
arg[2]: group: ou=group,dc=foo,dc=com?one
arg[3]: netgroup: ou=netgroup,dc=foo,dc=com?one
proxyPassword: password
defaultServerList: 149.85.70.17
Handling manual option
Proxy DN: uid=proxyAgent,ou=profile,dc=foo,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname composers.foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
System successfully configured
bash-2.03# id testdba
id: invalid user name: "testdba"
bash-2.03#

So, looks like it worked but I can't authenticate any users. id testdba produces traffic on the FDS server, so it's definitely trying to query it but can't resolve anything.

Also, I have two profiles:

# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

# tls_profile, profile, foo.com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one

My default profile doesn't have those 3 searchDescriptors. Or we are not using profiles anymore? Just curious...

Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added still? Because it looks like you're doing a manual config, right?

Thank you for your help, Gary.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
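The checks Gary walks through above (baseDN derived from the NIS domain, every serviceSearchDescriptor under that base, an explicit authentication method when credentialLevel is proxy, and NS_LDAP_AUTH present in "ldapclient -l" output) can be run mechanically over a DUAConfigProfile entry and over what the client reports. The script below is an added example, not code from the thread or from the Solaris/FDS tools; its sample entries are constructed from the values quoted in the thread (domain composers.foo.com, Gary's suggested profile, the profile and "ldapclient -l" output Igor posted), and the rule that NS_LDAP_AUTH is absent when ldapclient ran without "-a" is taken from the outputs shown in the thread.

```python
"""Consistency checks for a Solaris ldapclient setup: the DUAConfigProfile entry the
client would pull with "ldapclient -P", and the "ldapclient -l" output it prints after
"ldapclient -i". Added example, not code from the thread; sample data is constructed
from the values the thread quotes."""

# Constructed: the "default" profile Gary suggested, one attribute per line.
PROFILE_OK = """\
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
credentialLevel: proxy
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
"""

# Constructed: the "default" profile as Igor posted it (base dc=foo,dc=com while the
# NIS domain is composers.foo.com, and no passwd/shadow/group descriptors).
PROFILE_POSTED = """\
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
credentialLevel: proxy
objectClass: DUAConfigProfile
"""

# Constructed: "ldapclient -l" output after ldapclient -i was run without "-a"
# (as in the thread, NS_LDAP_AUTH is then absent).
CLIENT_POSTED = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyAgent,ou=profile,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=foo,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=foo,dc=com?one
"""


def parse_attrs(text, sep=":"):
    """Parse 'name<sep> value' lines into {name_lowercase: [values]}; blank/# lines skipped."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(sep)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def domain_to_dn(domain):
    """composers.foo.com -> dc=composers,dc=foo,dc=com (the nisDomain/baseDN rule)."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def check_profile(ldif_text, nis_domain, required=("passwd", "shadow", "group")):
    """Return findings for a DUAConfigProfile entry; an empty list means it passes."""
    p = parse_attrs(ldif_text)
    findings = []
    base = p.get("defaultsearchbase", [""])[0].lower()
    expected = domain_to_dn(nis_domain)
    if base != expected:
        findings.append(f"defaultSearchBase {base!r} does not match domain {nis_domain!r} ({expected!r})")
    auth = p.get("authenticationmethod", ["none"])[0].lower()
    if p.get("credentiallevel", [""])[0].lower() == "proxy" and auth == "none":
        findings.append("credentialLevel proxy with authenticationMethod none: proxy credentials unused")
    ssds = {}
    for v in p.get("servicesearchdescriptor", []):
        service, _, ssd = v.partition(":")
        ssds[service.strip().lower()] = ssd.strip().lower()
    for svc in required:
        if svc not in ssds:
            findings.append(f"no serviceSearchDescriptor for {svc}")
        elif not ssds[svc].split("?")[0].endswith(base):
            findings.append(f"{svc} SSD {ssds[svc]!r} lies outside defaultSearchBase {base!r}")
    return findings


def check_client(ldapclient_l_text, nis_domain):
    """The same kind of checks against what "ldapclient -l" prints on the client."""
    c = parse_attrs(ldapclient_l_text, sep="=")
    findings = []
    if c.get("ns_ldap_credential_level", [""])[0] == "proxy" and "ns_ldap_auth" not in c:
        findings.append("NS_LDAP_AUTH missing: ldapclient was run without -a, so it defaulted to none")
    base = c.get("ns_ldap_search_basedn", [""])[0].lower()
    if base != domain_to_dn(nis_domain):
        findings.append(f"NS_LDAP_SEARCH_BASEDN {base!r} does not match domain {nis_domain!r}")
    return findings


if __name__ == "__main__":
    for name, result in [("suggested profile", check_profile(PROFILE_OK, "composers.foo.com")),
                         ("posted profile", check_profile(PROFILE_POSTED, "composers.foo.com")),
                         ("posted client", check_client(CLIENT_POSTED, "composers.foo.com"))]:
        print(name, "->", result or "OK")
```

On a real client, feed check_client the captured output of "ldapclient -l" and check_profile the profile entry exported with ldapsearch; the NIS domain is whatever /etc/defaultdomain holds.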
This is gonna be loooong... I just want to thank you guys again for wading thru this crap...
--- "Tay, Gary" Gary_Tay@platts.com wrote:
> === Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added still? Because it looks like you're doing a manual config, right? ===
> Yes, I think you should set baseDN (defaultSearchBase) to dc=composers,dc=foo,dc=com, NOT dc=foo,dc=com; it should correspond to the LDAP domain (nisdomain) name, i.e. composers.foo.com, which you set in the rootDN entry nisDomainObject.
well, instead, I got rid of composers altogether.
> Yes, set the ACLs to allow proxyAgent to read the LDAP DIT.
I have this:
(targetattr = "*") (version 3.0;acl "Allow proxyAgent read access";allow (read,compare)(userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com");)
> Please re-install FDS7.1 using baseDN=dc=composers,dc=foo,dc=com, and create ldif file
well, I got rid of composers for now. If you say I've to reinstall I will but that'll probably be my last resort, though.
> Step by step
> # ldapclient -l
bash-2.03# ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyAgent,ou=profile,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=foo,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=foo,dc=com?one
> # /usr/lib/ldap/ldap_cachemgr -g
> Does it say LDAP cache manager is UP and running?
bash-2.03# /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 15

cachemgr cache data statistics:
Configuration refresh information:
Configured to NO REFRESH.
Server information:
Previous refresh time: 2005/08/25 11:11:57
Next refresh time: 2005/08/25 11:21:57
server: 149.85.70.17, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
> # cat /var/ldap/cachemgr.log
> Any critical error?
bash-2.03# cat /var/ldap/cachemgr.log
Thu Aug 25 11:11:56.9844 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Thu Aug 25 11:11:57.0843 sig_ok_to_exit(): parent exiting...
bash-2.03# ps -ef | grep ldap
root  2553     1  0 11:11:56 ?        0:00 /usr/lib/ldap/ldap_cachemgr
So, doesn't look like any errors...
Also, on the FDS server:
[root@cnyitlin02 slapd-cnyitlin02]# ldapsearch -x | grep compose
defaultServerList: cnyitlin02.composers.foo.com
[root@cnyitlin02 slapd-cnyitlin02]#
That's it, nothing else. However, when I rerun ldapclient -i, I get this:
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
                            ^^^^^^^^^^^^^
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
Where does it get composers from???
It also resets /etc/defaultdomain to composers even though I manually change it to foo.com.
> # ldaplist -l passwd testdba
> It should display something like:
Nope.
bash-2.03# ldaplist -l passwd testdba
ldaplist: Object not found
bash-2.03# ldaplist -l passwd
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
bash-2.03#
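Gary's instruction to grant proxyAgent read access to the DIT, and the "Insufficient access" result that Igor's ldaplist run ends with, both come down to what the server-side ACI actually grants the DN the client binds as. In Fedora/389 Directory Server the search right decides whether an entry is returned by a search at all, and read decides which of its attributes come back, so a lookup agent needs read, search and compare, and its userdn must be exactly the bind DN the client reports in "ldapclient -l". The script below is an added example, not code from the thread or from the FDS project; it parses the ACI Igor posted (plus a constructed variant with search added), reports which of those rights are missing, and flags a userdn that does not match the client's bind DN. Its ACI parser only handles the single-userdn, single-rights-list shape seen in the thread.

```python
"""Check that a Fedora/389 Directory Server ACI grants a proxy agent what it needs to
look up users. Added example, not code from the thread or the FDS project. The first
ACI string is the one posted in the thread; the second is a constructed variant."""
import re

ACI_POSTED = ('(targetattr = "*") (version 3.0;acl "Allow proxyAgent read access";'
              'allow (read,compare)(userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com");)')
# Constructed variant: the same ACI with the search right added.
ACI_WITH_SEARCH = ACI_POSTED.replace("(read,compare)", "(read,search,compare)")

# Matches: acl "name"; allow|deny (rights)(userdn = "ldap:///dn")
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]*)"\s*;\s*(?P<verb>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*\(userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\)', re.IGNORECASE)


def parse_aci(aci):
    """Pull name, allow/deny, rights set, subject DN and targetattr out of one ACI string."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax")
    t = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    return {
        "name": m["name"],
        "verb": m["verb"].lower(),
        "rights": {r.strip().lower() for r in m["rights"].split(",") if r.strip()},
        "userdn": m["userdn"].lower(),
        "targetattr": (t.group(1), t.group(2)) if t else None,
    }


def check_proxy_aci(aci, bind_dn, needed=("read", "search", "compare")):
    """Findings for an ACI meant to let bind_dn look up users; an empty list means it passes.
    search: may entries be returned at all; read: may their attributes be returned;
    compare: needed for compare operations. All three are expected for a lookup agent."""
    a = parse_aci(aci)
    findings = []
    if a["verb"] != "allow":
        findings.append(f"ACI {a['name']!r} is a deny rule")
    if a["userdn"] != bind_dn.lower():
        findings.append(f"userdn {a['userdn']!r} is not the client's bind DN {bind_dn!r}")
    missing = [r for r in needed if r not in a["rights"]]
    if missing:
        findings.append("rights missing: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    client_bind_dn = "uid=proxyAgent,ou=profile,dc=foo,dc=com"   # from ldapclient -l
    for label, aci in [("posted", ACI_POSTED), ("with search", ACI_WITH_SEARCH)]:
        print(label, "->", check_proxy_aci(aci, client_bind_dn) or "OK")
```

The DN check matters here because the thread carries two spellings of the agent (cn=proxyAgent under dc=composers and uid=proxyAgent under dc=foo); an ACI written for one of them grants nothing to a client binding as the other. Keep targetattr as narrow as the lookup needs rather than "*" where the directory holds attributes the agent has no reason to read.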