Hello FreeBSD!!
I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work
x(
If I grep 'getent passwd' for an ldap account it will show that ldap account on the ldap server itself:
However, if I grep 'getent passwd' for an ldap account on the client side nothing turns up after a long pause
This is the /usr/local/etc/ldap.conf on the ldap server (FreeBSD 8.1) and is apparently doing it's job:
This is how I have the /etc/ldap.conf on the ldap client (centos 5.5) which for some reason is not working:
This is the nsswitch on the CentOS 5.5 client:
This is what's going on in the logs on the ldap server during the getent passwd from the client
ldapsearch from the client as the pam_ldap services account is able to locate the ldap user info
It's only the getent requests from the clients that are failing so it seems that there _has_ to be something off in the /etc/ldap.conf file.
One thing I would like to be clear about is that the pam_ldap account that I am using to search the directory is an inetOrgPerson account and the user accounts that I am looking for are posixAccounts.
This is the ldap software I have on the FreeBSD server:
And this is what I am using on the Centos 5.5 client:
Some advice is sorely needed here. Thank you very kindly in advance!
I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work
x(
If I grep 'getent passwd' for an ldap account it will show that ldap account on the ldap server itself:
Code:
[root@LBSD2:~] #getent passwd | grep bluethundr
bluethundr:$1$jN/xxdx5$gPtH1R.2A6K3wsbNNMTBY/:1001:1002:Timothy P. Dunphy:/home/bluethundr:/usr/local/bin/bash
[root@LBSD2:~] #grep bluethundr /etc/passwd
[root@LBSD2:~] #However, if I grep 'getent passwd' for an ldap account on the client side nothing turns up after a long pause
Code:
[root@LCENT01:~] #getent passwd | grep bluethundr
[root@LCENT01:~] #This is the /usr/local/etc/ldap.conf on the ldap server (FreeBSD 8.1) and is apparently doing it's job:
Code:
host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=comThis is how I have the /etc/ldap.conf on the ldap client (centos 5.5) which for some reason is not working:
Code:
host LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret # <- password is in plaintext in this file
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=comThis is the nsswitch on the CentOS 5.5 client:
Code:
passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap
#hosts: db files nisplus nis dns
hosts: files dnsThis is what's going on in the logs on the ldap server during the getent passwd from the client
Code:
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SRCH base="ou=staff,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(objectClass=posixAccount)"
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 23 02:26:54 LBSD2 slapd[52517]: daemon: activity on 1 descriptor
Feb 23 02:26:54 LBSD2 slapd[52517]: daemon: activity on:
Feb 23 02:26:54 LBSD2 slapd[52517]: 12r
Feb 23 02:26:54 LBSD2 slapd[52517]:
Feb 23 02:26:54 LBSD2 slapd[52517]: daemon: read activity on 12ldapsearch from the client as the pam_ldap services account is able to locate the ldap user info
Code:
ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=bluethundr)'
Code:
43 uid=bluethundr,cn=summitnjops,ou=staff,ou=Group,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P.
givenName: Timothy P.
sn: Dunphy
mail: bluethundr@gmail.com
mailRoutingAddress: bluethundr@mail.summitnjhome.com
mailHost: mail.summitnjhome.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: ldapPublicKey
uidNumber: 1001
gidNumber: 10000
homeDirectory: /home/bluethundr
gecos: Timothy Dunphy
loginShell: /bin/bash
sshPublicKey: ssh-rsa
AAAAB3NzaC1yc2EAAFAKE-DATA-com
sshPublicKey: ssh-rsa
AAAABFAKE-DATA-FAKE_DATAxxgvmqQfKyS8i26+IelHcqRT5cgCSU
bFlPR3ouVu8eAgIE6gwKTuElIaTwJQ4QjBlaGaohEQRei0FWsfb7EzH1ikE34gJTdoaSnozU9MWc+f
tim@dunphy
userPassword: {CRYPT}secretIt's only the getent requests from the clients that are failing so it seems that there _has_ to be something off in the /etc/ldap.conf file.
One thing I would like to be clear about is that the pam_ldap account that I am using to search the directory is an inetOrgPerson account and the user accounts that I am looking for are posixAccounts.
This is the ldap software I have on the FreeBSD server:
Code:
LBSD2# pkg_info | grep -i ldap
ldapvi-1.7_2 A tool to update LDAP entries with a text editor
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5 A pam module for authenticating with LDAPAnd this is what I am using on the Centos 5.5 client:
Code:
[root@LCENT01:~] #rpm -qa | grep -i ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
ldapvi-1.7-10.el5
php-ldap-5.1.6-27.el5
openldap-clients-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5Some advice is sorely needed here. Thank you very kindly in advance!