linux.debian.user debian-user@lists.debian.org

#1

Hi

I really don't want to lose much words, so let's start

Goals:
I have an LDAP-server which works (a SUSE-Client is able to
authenticate on this server...).
The server requires SSL/TLS to connect...
My ambition is now to connect from my freshly installed Debian-Etch
client to this server and to authenticate (using libnss-ldap) on it.

Nice, so far. Isn't it?

Now, the way that is already behind me:
I've installed first the libnss-ldap package and configured it... I
was pretty sure that everything was as good as possible!

I've edited the /etc/nsswitch.conf (1).
Then, I wrote the password for the admin-user into /etc/libnss-ldap.secret:
# echo -n "<password>" > /etc/libnss-ldap.secret

After that, I made softlinks into the /etc/ldap, so that
/etc/ldap/ldap.conf -> /etc/libnss-ldap.conf
/etc/ldap/ldap.secret -> /etc/libnss-ldap.secret

I did that because I just couldn't figure out, which is the right
configuration file....

As already said, the server works. So I thought, I just could do "su
<user>" and I'll be this user
Actually this didn't work and finally we reach my problem now:

Problem:
It's quite easy to describe: It doesn't work
I got the "No such user"- error...

So, I turned on one of my best friends: Wireshark (on the server).
It showed me some SSL-traffic between the client and the server... Not
bad so far...
But in the syslog from my client I could find "Couldn't connect to
LDAP server".."cn=admin,o=cag".

I can't see my mistake... But I'm sure that it is kind of a lack of
understanding...

Thanks a lot for answers...
Christoph Buchli

(1)
# cat /etc/nsswitch.conf | grep -v ^\#
passwd: ldap files
group: ldap files
shadow: ldap files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis


(2)
# cat /etc/libnss-ldap.conf | grep -v ^\#
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base o=cag
uri ldaps://x.y.21.109:636
ldap_version 3
rootbinddn cn=admin,o=cag
pam_password nds
ssl start_tls
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd o=cag
nss_base_shadow o=cag
nss_base_group o=cag

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#2

On Thu, Mar 08, 2007 at 07:46:22PM +0100, Christoph Buchli wrote:
> Goals:
> I have an LDAP-server which works (a SUSE-Client is able to
> authenticate on this server...).
> The server requires SSL/TLS to connect...
> My ambition is now to connect from my freshly installed Debian-Etch
> client to this server and to authenticate (using libnss-ldap) on it.
>

It's been a long time since I set up a machine as an LDAP client from
scratch. Have you tried locating the corresponding files on your
existing client and duplicating the setup from that?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com

#3

Hi all, Roberto

The configuration-file from my debian client looks exactly the same as
the one from the suse-client...

(Suse:/etc/ldap.conf = Debian:/etc/libnss-ldap.conf)

regards

On 3/8/07, Christoph Buchli <christoph.buchli@gmail.com> wrote:
> Hi
> I really don't want to lose much words, so let's start
>
> Goals:
> I have an LDAP-server which works (a SUSE-Client is able to
> authenticate on this server...).
> The server requires SSL/TLS to connect...
> My ambition is now to connect from my freshly installed Debian-Etch
> client to this server and to authenticate (using libnss-ldap) on it.
>
> Nice, so far. Isn't it?
>
> Now, the way that is already behind me:
> I've installed first the libnss-ldap package and configured it... I
> was pretty sure that everything was as good as possible!
>
> I've edited the /etc/nsswitch.conf (1).
> Then, I wrote the password for the admin-user into /etc/libnss-ldap.secret:
> # echo -n "<password>" > /etc/libnss-ldap.secret
>
> After that, I made softlinks into the /etc/ldap, so that
> /etc/ldap/ldap.conf -> /etc/libnss-ldap.conf
> /etc/ldap/ldap.secret -> /etc/libnss-ldap.secret
>
> I did that because I just couldn't figure out, which is the right
> configuration file....
>
> As already said, the server works. So I thought, I just could do "su
> <user>" and I'll be this user
> Actually this didn't work and finally we reach my problem now:
>
> Problem:
> It's quite easy to describe: It doesn't work
> I got the "No such user"- error...
>
> So, I turned on one of my best friends: Wireshark (on the server).
> It showed me some SSL-traffic between the client and the server... Not
> bad so far...
> But in the syslog from my client I could find "Couldn't connect to
> LDAP server".."cn=admin,o=cag".
>
> I can't see my mistake... But I'm sure that it is kind of a lack of
> understanding...
>
> Thanks a lot for answers...
> Christoph Buchli
>
> (1)
> # cat /etc/nsswitch.conf | grep -v ^\#
> passwd: ldap files
> group: ldap files
> shadow: ldap files
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
>
> (2)
> # cat /etc/libnss-ldap.conf | grep -v ^\#
> @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
> base o=cag
> uri ldaps://x.y.21.109:636
> ldap_version 3
> rootbinddn cn=admin,o=cag
> pam_password nds
> ssl start_tls
> nss_map_attribute uniqueMember member
> pam_filter objectclass=posixAccount
> nss_base_passwd o=cag
> nss_base_shadow o=cag
> nss_base_group o=cag
>

#4

On Sat, Mar 10, 2007 at 09:38:00AM +0100, Christoph Buchli wrote:
> Hi all, Roberto
>
> The configuration-file from my debian client looks exactly the same as
> the one from the suse-client...
>
> (Suse:/etc/ldap.conf = Debian:/etc/libnss-ldap.conf)
>

Odd. On my system, here is what /etc/libnss-ldap.conf looks like:

base dc=connexer,dc=com
uri ldaps://santiago.connexer.com/
ldap_version 3

Then, my /etc/ldap/ldap.conf has this:

BASE dc=connexer,dc=com
URI ldaps://santiago.connexer.com
TLS_CACERT /etc/ldap/cacert.pem

Then, my /etc/nsswitch.conf has this:

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
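
Added example (not part of any message in this thread, and not a statement of what fixed the poster's setup): a Python check for an nss_ldap-style file such as the one in message #1, flagging an ldaps:// URI combined with ssl start_tls, TLS settings without a CA in the same file, and a bind-secret file readable beyond its owner. SAMPLE_CONF, the finding names and the function names are constructed for illustration.

```python
import os
import stat

# Constructed sample: the TLS-related directives from message #1.
SAMPLE_CONF = """\
base o=cag
uri ldaps://x.y.21.109:636
ldap_version 3
rootbinddn cn=admin,o=cag
ssl start_tls
nss_base_passwd o=cag
"""


def parse(text):
    """Return {keyword: [values]} for 'keyword value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def lint(text):
    """Return review findings (names are hypothetical) for the TLS directives."""
    conf = parse(text)
    uris = " ".join(conf.get("uri", [])).split()
    ssl = (conf.get("ssl") or ["off"])[-1].lower()
    ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    findings = []
    # ldaps:// is TLS from the first byte; start_tls asks for an upgrade
    # of a plain connection. Requesting both is contradictory.
    if ldaps and ssl == "start_tls":
        findings.append("ldaps-with-start_tls")
    if ldaps or ssl != "off":
        # The CA may instead come from libldap's own ldap.conf (TLS_CACERT),
        # as in message #4, so this is a prompt to check, not a verdict.
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append("no-ca-in-this-file")
        if (conf.get("tls_checkpeer") or [""])[-1].lower() == "no":
            findings.append("peer-check-disabled")
    return findings


def secret_too_open(path):
    """True if the rootbinddn secret file grants any group/other permission."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

A file created with a plain shell redirect, as in message #1, gets its mode from the current umask, so secret_too_open("/etc/libnss-ldap.secret") is worth running after writing the password.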

#5

Hi all

Yeah. It worked now. I can authenticate on a Novell SELS9 LDAP-Server.
The link to the thread on the newsgroup de.comp.sys.novell
(unfortunately in German) is here:
http://tinyurl.com/36gz8y

Thanks to all for ...

kindly regards,
christoph