Results 1 to 2 of 2

Thread: can't access ldap server OR client isn't conf'ed correctly...

  1. #1
    Join Date
    Mar 2008

    can't access ldap server OR client isn't conf'ed correctly...

    Hello everyone,
    I seem to be in a complete stall as to how or why I can't seem to get a client pc to connect to an LDAP server....

    ubuntu version is 11.10.
    I started off using this tutorial

    which helped in setting up the LDAP server on a server machine.
    I also added TLS support (chapter "TLS") but i didn't follow chapters "replication" or "replication and TLS".

    Then I went on to configure the client (chapter "LDAP Authentication").

    I followed the steps again and again , reconfigured the package ldap-auth-config but had no luck..

    since yesterday I have read/tried countless tutorials, (for different versions of ubuntu, different distros).. but I haven't managed to get the command
    getent passwd
    to fetch some ldap users that exist only in the ldap server DIT.

    The thing is I don't know if there is a problem with the client config of some problem with the LDAP server (btw -firewalls are down on both the ldap server and client), and I can't find a single tutorial to help me give me some sort of command that does ldap queries from the client side, just to see if the server responds to it!!

    what's more, I am extremely confused at this point at the differences between libnss-ldap, libpam-ldap, libpam-ldapd, libnss-ldapd (if that thing even exists - i can't remember all the different options for authentication I came across) and the list can go on.

    where should files be located in the client? /etc/ or /etc/ldap/ ?
    how should they be called? libnss-ldap.conf? libpam-ldap.conf? something else? what else is needed?

    Can someone help with checking the contents of my client config files? As I have very ZERO experience with pam, nss, and ldap ...

    Thank you for your help

    here are some of the relevant files (ask for it if I forgot something)

    nass@server00:/etc$ ls -l /etc/lib*
    -rw-r--r-- 1 root root 76 2012-02-02 13:10 libnss-ldap.conf
    -rw-r--r-- 1 root root 76 2012-02-02 13:06 libnss-ldap.conf-dpkg.old
    -r--r----- 1 root root 6 2012-02-02 13:06 libnss-ldap.secret
    as well as

    nass@server00:/etc$ sudo ls -l /etc/ld*
    -rw-r--r-- 1 root root 9136 2012-02-02 13:08 /etc/ldap.conf
    -rw------- 1 root root 6 2012-02-02 13:08 /etc/ldap.secret
    nass@server00:/etc$ sudo ls -l /etc/pam*
    -rw-r--r-- 1 root root 552 2011-08-19 04:05 /etc/pam.conf
    -rw-r--r-- 1 root root 76 2012-02-02 13:10 /etc/pam_ldap.conf
    -r--r----- 1 root root 6 2012-02-02 13:11 /etc/pam_ldap.secret
    drwxr-xr-x 2 root root 4096 2012-02-02 14:01 pam.d
    and the file contents are
    nass@server00:/etc$ cat /etc/libnss-ldap.conf
    host ldap
    base dc=da,dc=asfa,dc=gr
    rootbinddn cn=admin,dc=da,dc=asfa,dc=gr
    /etc/libnss-ldap.conf is the same as /etc/pam_ldap.conf
    the relevant .secret files are the same too (contain only the plain text LDAP root user password (why should that exist on a client pc, i don't know - but the ncurses dpkg-reconfigure ldap-auth-config asked for it)

    nass@server00:/etc$ cat /etc/ldap.conf | egrep -v '^(#|$)' 
    base dc=da,dc=asfa,dc=gr
    uri ldapi:///
    ldap_version 3
    rootbinddn cn=admin,dc=da,dc=asfa,dc=gr
    pam_password exop
    nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,mysql,news,nslcd,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
    the /etc/pam.d/common-* files
    nass@server00:/etc$ cat /etc/pam.d/common-* | egrep -v '^(#|$)'
    account [success=2 new_authtok_reqd=done default=ignore]
    account [success=1 default=ignore]
    account requisite
    account required
    auth [success=2 default=ignore] nullok_secure
    auth [success=1 default=ignore] use_first_pass
    auth requisite
    auth required
    password [success=2 default=ignore] obscure sha512
    password [success=1 user_unknown=ignore default=die] use_authtok try_first_pass
    password requisite
    password required
    session [default=1]
    session requisite
    session required
    session optional
    session required
    session optional
    session [default=1]
    session requisite
    session required
    session optional
    session required
    session optional
    I think that's about it.
    If you need something else, let me know,
    If there is any command that I can use on the client side to check connectivity to LDAP server, please let me know!!!!

    Thank you very much for your help.

  2. #2
    Join Date
    Sep 2010
    Indian Capital City
    Ubuntu 14.04 Trusty Tahr

    Re: can't access ldap server OR client isn't conf'ed correctly...

    Assuming that the server has been setup properly (in basic mode, no TLS etc security).

    To check that client is able to contact ldap server you can use
    nc -zv <ldap-server-name> 389 ## This is assuming that you'll be using standard 389 port for LDAP
    ## Also if it's not reachable by name, then try IP there
    If that works then you'll need to setup your libnss file, like you have done it already (make sure if you use name in uri, the server was reachable by it's name with 'nc' command). In my setups it has always been ldap:// or ldaps://

    In your setup what I think missing is ldap in /etc/nsswitch.conf file. What does following say
    egrep '^passwd|^group' /etc/nsswitch.conf
    Last edited by luvshines; February 4th, 2012 at 03:19 PM.
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth !!
    Mark it [SOLVED] if the issue has been resolved

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts