0) As mentioned in previous email, use "ldapclient -i", not "ldapclient -P".
Make sure you have the following TWO ACLs assigned to the baseDN, dc=composers,dc=foo,dc=com; actually the FIRST ONE is needed, the SECOND ONE is to secure the naming service.
Note that these two ACLs are NOT my creation, they exist in any normal installation of SUN ONE DS5.2, for the FIRST ONE, it was "allow (compare,read,search)", I removed "read" so that userPasswords WILL BE MASKED OFF while running "ldaplist" or "ldapaddent -D" commands.
1) (target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword") (version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)
2) (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
3) Also I noticed you have:
dn: cn=default,ou=profile,dc=foo,dc=com
...
defaultSearchBase: dc=foo,dc=com
...
IIRC it should be set to:
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
...
defaultSearchBase: dc=composers,dc=foo,dc=com
...
4) Don't forget to add IP address for cnyitlin02.composers.foo.com in /etc/hosts, on top of DNS, or replace it with IP address in the default profile.
HTH.
Gary
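As an added illustration (not part of Gary's mail and not Directory Server code), the following Python models how the two ACIs above combine, just far enough to show why dropping "read" from the first one masks userPassword while "compare" still works, why the second one's deny beats a broader allow, and why an ACI written for cn=proxyagent under dc=composers does not apply to a client that binds as uid=proxyAgent under dc=foo. It is a deliberately simplified evaluator: it handles only target, targetattr, one rights list and one userdn clause; the self-write ACI in it is constructed for the example and the real server's default ACIs are not modelled.

```python
import re

# Teaching model of the ACI rules quoted in this thread. NOT the Directory
# Server's real evaluator: only an optional (target=...), an optional
# (targetattr=...), one allow/deny rights list and one userdn clause
# (a bind DN, ldap:///self or ldap:///anyone) are understood.
ACI_RE = re.compile(
    r'^\s*(?:\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)\s*)?'
    r'(?:\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*)?'
    r'\(version\s+3\.0\s*;\s*acl\s+"?(?P<name>[^";]*?)"?\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(?\s*userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\s*\)?\s*;\s*\)\s*$',
    re.IGNORECASE,
)


def norm_dn(dn):
    """DNs compare case-insensitively; drop whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text):
    m = ACI_RE.match(text)
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    attrs = (m.group("attrs") or "*").strip()
    return {
        "name": m.group("name").strip(),
        "target": norm_dn(m.group("target")) if m.group("target") else None,
        "attrs": None if attrs == "*" else {a.strip().lower() for a in attrs.split("||")},
        "kind": m.group("kind").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "userdn": norm_dn(m.group("userdn")),
    }


def dn_under(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def aci_matches(aci, bind_dn, entry_dn, attr, right):
    if aci["target"] and not dn_under(entry_dn, aci["target"]):
        return False
    if aci["attrs"] is not None and attr.lower() not in aci["attrs"]:
        return False
    if right.lower() not in aci["rights"]:
        return False
    who = aci["userdn"]
    if who == "anyone":
        return True
    if who == "self":
        return norm_dn(bind_dn) == norm_dn(entry_dn)
    return norm_dn(bind_dn) == who


def permitted(acis, bind_dn, entry_dn, attr, right):
    """Default deny; any matching deny ACI overrides every matching allow."""
    hits = [a for a in acis if aci_matches(a, bind_dn, entry_dn, attr, right)]
    if any(a["kind"] == "deny" for a in hits):
        return False
    return any(a["kind"] == "allow" for a in hits)


# The two ACIs from Gary's message, joined back onto single lines.
GARY_ACIS = [
    '(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword") '
    '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) '
    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)',
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||'
    'shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")'
    '(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)',
]
# The ACI Igor posts later in the thread.
IGOR_ACI = ('(targetattr = "*") (version 3.0; acl "Allow proxyAgent read access"; '
            'allow (read,compare) (userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com") ;)')
# Constructed for this example only: a broad self-write allow for the deny to override.
SELF_WRITE_ACI = '(targetattr = "*")(version 3.0; acl "constructed self write"; allow (write) userdn = "ldap:///self";)'


def demo():
    acis = [parse_aci(a) for a in GARY_ACIS + [SELF_WRITE_ACI]]
    proxy = "cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com"
    user = "uid=testdba,ou=People,dc=composers,dc=foo,dc=com"
    return {
        # compare lets the proxy bind verify a password ...
        "proxy_compare_userPassword": permitted(acis, proxy, user, "userPassword", "compare"),
        # ... but without read the hash is never returned to ldaplist/ldapaddent
        "proxy_read_userPassword": permitted(acis, proxy, user, "userPassword", "read"),
        # deny (write) on the naming attributes beats the broad self allow
        "self_write_uidNumber": permitted(acis, user, user, "uidNumber", "write"),
        "self_write_loginShell": permitted(acis, user, user, "loginShell", "write"),
        # cn=proxyagent under dc=composers is not uid=proxyAgent under dc=foo
        "foo_proxy_compare_userPassword": permitted(
            acis, "uid=proxyAgent,ou=profile,dc=foo,dc=com", user, "userPassword", "compare"),
        # Igor's wildcard ACI does grant read to his proxy DN
        "igor_aci_proxy_read": permitted(
            [parse_aci(IGOR_ACI)], "uid=proxyAgent,ou=profile,dc=foo,dc=com",
            "uid=testdba,ou=People,dc=foo,dc=com", "userPassword", "read"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32} {'allowed' if ok else 'denied'}")
```

Run it as a script to see each check labelled allowed or denied; the mismatch between the ACI's bind DN and the DN the client actually uses is the kind of thing to verify with a real ldapsearch bound as the proxy account before chasing other causes of "Insufficient access".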
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Thursday, August 25, 2005 1:18 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
--- Justin Albstmeijer justin@VLAMea.nl wrote:
My 2 cents
- test with: ldapsearch -h ldapserver.domain.nl -s base -b "" "objectclass=*", to see if you can query the server.
I went ahead and got the ldapsearch. It worked. ldaplist is just busted, I guess.
- make sure the posix account has the "shadowAccount" attribute
Added it. I went to user, properties, posixAccount, advanced, add value -> shadowAccount. Not sure if that's the right way of doing it or not...
- SSHA is used by default by FDS for password encryption.. this should be CRYPT.
Done -- thank you!
- make sure to use "simple" instead of "tls:simple" for your initial tests
- use: ldapclient -v -P default -D "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w proxy_password {ipnumber_ldap_server}, to create the ldap_file & ldap_cred files
Yea -- that's where I hit another problem:
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
rootDN[0] dc=foo,dc=com
found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.
However, from the FDS server itself, ldapsearch -x shows this: (snipped)
# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one
So, the profile is there but what's this about the rights???
- make sure you run the latest recommended patch cluster.
Did that already.
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Gary, thank you for the replies. (I do have the patch you mentioned:)
bash-2.03# showrev -p | grep "^Patch: 108993-48"
Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03, 111641-0 [...]
--- "Tay, Gary" Gary_Tay@platts.com wrote:
- As mentioned in previous email, use "ldapclient -i", not "ldapclient -P".
I did. It kept failing until I got rid of "-a default"
Handling manual option
Unable to set value: invalid authenticationMethod (default)
Getting rid of -a default:
bash-2.03# /usr/sbin/ldapclient -v -i -b dc=foo,dc=com -c proxy -D uid=proxyAgent,ou=profile,dc=foo,dc=com -w password -S "passwd: ou=People,dc=foo,dc=com?one" -S "shadow: ou=People,dc=foo,dc=com?one" -S "group: ou=group,dc=caxton,dc=com?one" -S "netgroup: ou=netgroup,dc=foo,dc=com?one" 149.85.70.17
Arguments parsed:
defaultSearchBase: dc=foo,dc=com
credentialLevel: proxy
proxyDN: uid=proxyAgent,ou=profile,dc=foo,dc=com
serviceSearchDescriptor:
arg[0]: passwd: ou=People,dc=foo,dc=com?one
arg[1]: shadow: ou=People,dc=foo,dc=com?one
arg[2]: group: ou=group,dc=foo,dc=com?one
arg[3]: netgroup: ou=netgroup,dc=foo,dc=com?one
proxyPassword: password
defaultServerList: 149.85.70.17
Handling manual option
Proxy DN: uid=proxyAgent,ou=profile,dc=foo,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname composers.foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
System successfully configured
bash-2.03# id testdba
id: invalid user name: "testdba"
bash-2.03#
So, looks like it worked but I can't authenticate any users. id testdba produces traffic on the FDS server, so it's definitely trying to query it but can't resolve anything.
Also, I have two profiles:
# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

# tls_profile, profile, foo.com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one
My default profile doesn't have those 3 searchDescriptors. Or we are not using profiles anymore? Just curious...
Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added still? Because it looks like you're doing a manual config, right?
Thank you for your help, Gary.
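Added example, not from the thread or from the Directory Server project: a small Python checker that reads DUAConfigProfile entries as LDIF and flags the things this exchange keeps tripping over: missing serviceSearchDescriptor values for passwd, shadow and group (so lookups fall back to defaultSearchBase with defaultSearchScope), a defaultServerList hostname that the client must be able to resolve before LDAP naming is up, a defaultSearchBase that differs from the one you expect, and an authenticationMethod or credentialLevel the client would reject, as ldapclient did with "-a default" above. The sample LDIF is a constructed copy of the two profiles shown, trimmed to the attributes checked; the accepted-value sets are an assumption from memory of ldapclient(1M), so adjust them for your release.

```python
import ipaddress

# Constructed LDIF copy of the two profile entries shown in the thread
# (values are the page's, trimmed to the attributes the checks look at).
PROFILES_LDIF = """\
dn: cn=default,ou=profile,dc=foo,dc=com
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=foo,dc=com
defaultSearchScope: one
authenticationMethod: simple
credentialLevel: proxy
defaultServerList: 149.85.70.17

dn: cn=tls_profile,ou=profile,dc=foo,dc=com
objectClass: DUAConfigProfile
cn: tls_profile
defaultSearchBase: dc=foo,dc=com
defaultSearchScope: one
authenticationMethod: tls:simple
credentialLevel: proxy
defaultServerList: cnyitlin02.composers.foo.com
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
"""

# Assumption: accepted values as I remember them from ldapclient(1M).
AUTH_METHODS = {"none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5",
                "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5"}
CRED_LEVELS = {"anonymous", "proxy", "self"}
NSS_SERVICES = ("passwd", "shadow", "group")


def parse_ldif(text):
    """Minimal LDIF reader: '#' comments, blank-line separated entries, 'attr: value'
    lines, folded lines starting with a space. Attribute names are lower-cased."""
    entries, cur, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = None, None
            continue
        if raw.startswith(" ") and cur is not None and last:
            cur[last][-1] += raw[1:]      # continuation of the previous value
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        cur = cur if cur is not None else {}
        cur.setdefault(attr, []).append(value)
        last = attr
    if cur:
        entries.append(cur)
    return entries


def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def check_profile(entry, expected_base=None):
    """Return a list of findings for one DUAConfigProfile entry (empty if it is not one)."""
    if "duaconfigprofile" not in {v.lower() for v in entry.get("objectclass", [])}:
        return []
    first = lambda a: entry.get(a, [None])[0]
    findings = []
    base = first("defaultsearchbase")
    if not base:
        findings.append("defaultSearchBase missing")
    elif expected_base and norm_dn(base) != norm_dn(expected_base):
        findings.append(f"defaultSearchBase {base} does not match expected {expected_base}")
    if first("authenticationmethod") not in AUTH_METHODS:
        findings.append(f"invalid authenticationMethod {first('authenticationmethod')!r}")
    if first("credentiallevel") not in CRED_LEVELS:
        findings.append(f"invalid credentialLevel {first('credentiallevel')!r}")
    described = {v.split(":", 1)[0].strip() for v in entry.get("servicesearchdescriptor", [])}
    for svc in NSS_SERVICES:
        if svc not in described:
            findings.append(f"no serviceSearchDescriptor for {svc}: lookups search "
                            f"{base} with scope {first('defaultsearchscope')}")
    for server in " ".join(entry.get("defaultserverlist", [])).split():
        host = server.split(":")[0]          # host or host:port (IPv6 literals not handled)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"defaultServerList entry {server} is a hostname; the client must "
                            "resolve it (DNS or /etc/hosts) before LDAP naming is up")
    return findings


def check_profiles(text, expected_base=None):
    return {e["dn"][0]: check_profile(e, expected_base) for e in parse_ldif(text) if "dn" in e}


if __name__ == "__main__":
    for dn, findings in check_profiles(PROFILES_LDIF, "dc=composers,dc=foo,dc=com").items():
        print(dn)
        for f in findings or ["ok"]:
            print("  -", f)
```

Feed it the output of `ldapsearch -x -b ou=profile,dc=foo,dc=com objectclass=DUAConfigProfile` to check the profiles on a live server; pass the base DN ldapclient reported as found for your nisdomain as expected_base to catch the mismatch Gary points out.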
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
Did you create this "ou=group,dc=foo,dc=com", because default FDS has a "ou=Groups,dc=foo,dc=com".
I used that one, by adding the "posixgroup" object to "ou=Groups,dc=foo,dc=com" and adding the following attribute to the profile.
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=foo,dc=com
--- Justin Albstmeijer justin@VLAMea.nl wrote:
you will see that "ldaplist -l passwd {username}" will not show the password field..
the proxyagent user needs read access to all userPassword fields.. this can be done with the controlpanel of FDS..
Alright. This the aci I added:
(targetattr = "*") (version 3.0; acl "Allow proxyAgent read access"; allow (read,compare) (userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com") ;)
Still, I get this:
bash-2.03# ldaplist -l passwd
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
bash-2.03#
____________________________________________________ Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs
--- Justin Albstmeijer justin@VLAMea.nl wrote:
Just looked at my test solris client.. and got the same error.. It seems "ldapclient -P..." will even complete with the wrong proxyagent password.. (only uses this to create the NS1 password) and fetches the profile anonymous..
so do you get:
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
in /var/adm/messages ?
nah, I get this:
Aug 25 11:28:26 unknown ldaplist[2747]: [ID 293258 user.error] libsldap: Status: 7 Mesg: LDAP ERROR (50): Insufficient access.
Sigh.
Well, I guess I'll reinstall FDS then.. No progress for 3 days, how much longer can I dick around with it...
I'll post my results once I reinstall FDS.
Thank you guys.
__________________________________ Yahoo! Mail Stay connected, organized, and protected. Take the tour: http://tour.mail.yahoo.com/mailtour.html
I did. It kept failing until I got rid of "-a default"
"-a" is the authentication method... I think you wanted to use "-P default". In your case no problem, because it defaults to it.. but in case you want to use a different profile...