It’s coming along…

I’ve just authenticated my first test-user on Richard’s Mac OS X (10.2.5) box via LDAP. It worked nicely – besides the fact that the GID was not assigned correctly. I will have a look into this before I’m going to post a little tutorial here.

Stay tuned…

LDAP again…

I know… it’s getting boring…

I just wanted to say that I’ve sucessfully fixed two problems:

  1. I had a problem where passwd immediatly failed one another server I just LDAPed:
    pilif@sen1 ~ % passwd
    LDAP Password incorrect
    passwd: User not known to the underlying authentication module
    pilif@sen1 ~ %

    The problem was a use_first_pass I had in the pam_ldap-line of /etc/pam.d/passwd. When changing the password, it checked the authentity with an empty password (first_pass was empty – I never ever entered one) which failed. If somebody could please tell me the log level to set in slapd.conf to actually get useful logging information describing the problem: step forward!

  2. You have to set rootbinddn in you (pam|nss)_ldap configuration file. This will enable root to change a users password without having to know it first.

    Oh.. both updatedn and updateref where not correctly set in the replicas slapd.conf. I’ve fixed this too.

OSX and OpenLDAP

Finally. It works. I got Richard’s OSX-Box to authenticate against my OpenLDAP server, I set up yesterday (acutually, it authenticates against the replica but this does not make any difference). Here’s what I did:<ol>

  • As I have the homeDirectory attribute in the form /home/username, and Mac OS X has the users in /Users/username, I actually have two ways to fix this: a) add another attribute to the LDAP-Server called osxHomeDirecotry or something like that. This was no alternative as I don’t have an enterprise number yet so I could not legally create an OID for such an attribute. b) symlink /home to /Users. That’s what I did.
  • Now I started the “Directory Access” Utility in the Application/Utilities folder.
  • I’ve removed the checkmark on LDAPv2, selected LDAPv3 and clicked on “configure”
  • The next step was to remove the checkmark “Use DHCP supplied LDAP-Server” as my DHCP-Server does not supply an LDAP server (and I don’t even know which option-code that would be on the DHCP-Server).
  • Now I’ve clicked on the “more”-Arrow to display the advanced settings where I’ve entered the hostname of the internal (replica) LDAP-Server. In LDAP Mappings, I’ve selected “Custom”, the SSL-Checkbox stayed un-checked after my un-successful tries to get OpenLDAP to use my self-signed certificate yesterday. I’ll get back to this as before I get productive with my setup.
  • In the new dialog that popped up, I had to make some adjustments:

    (In my explanations, I assume, your accounts have objectClasses of inetOrgPerson, posixAccount and shadowAccount).

    1. Under “Users”, set the RecordName to “uid”
    2. I had to add a Record called “Group” to Users and assign “primaryUID” to it or the group of the user was not recognized (see the prior entry to this blog)
    3. Under “Group” add the RecordName-Attribute and assign cn to it or the Group was not recognized later on.
    4. Now close the dialog by hitting “OK” and then close the Next dialog too with “OK”
    5. Now select the “Authentication”-Tab and chose a “Custom” search path. Add your newly added LDAP-Server.
    6. Do the same with the Contacts-Tab – although I have not yet figured out how to get this to work.
    7. Hit “Apply”
    8. Reboot
      The last step is very annoying: I had to experiment quite a bit with the mapping settings to finally get my LDAP-Groups recognized and get the right primary group assigned to LDAP-Users (it was always 0/wheel which is not what I wanted – not at all). There is no way to get the OS to recognize changes you make in the Direcotry Access Utility but to reboot the machine. I’m happy, OSX boots that fast. If it had been windows I’d stell be wating for the reboots to complete ;-)

      What have I accomplished?

      • I can login with the LDAP-Accounts be selecting “other” in the Login-Screen and then entering username and password
      • I can su to any LDAP-Account
        What still does not work:

        • passwd
        • Although I can set a new password in the system preferences, the changes do not get written back to the LDAP-Server

          About the password-changing-problems, I will have a look at pam. Until then, I’m quite happy, I finally got it to work.

          I really hope, someone will find this useful…

  • And on to replication

    The show must go on. As our ADSL connection from the office to the internet is not that reliable, I deceided to use OpenLDAPs slurpd to replicate the LDAP tree to an internal LDAP-Server. The setup is quite well described in my LDAP-Book and it did work at the first time I tried it.

    At least it sort of worked…

    Although changed attributes appeared on the replica, a newly created user was not synchronized. There was no reject on the master either – the data just vanished [sidenote: why is there a replication-rejectlog if data can vanish anyway – this is not reliable behaviour at all].

    Reading the syslog finally gave me the idea: The permissions of the replicas data directory where not set correctly: some of the files (and the directory istelf) belonged to root.root while slapd was running as slapd.slapd.

    Now it’s working like a charm and I am looking forward to trying to authenticate richards mac against the internal LDAP-Server.

    When this works, I’m going to finally convert the SAMBA-installation to a PDC and setup something to synchronize the windows-password with the unix one (both in LDAP – of course).

    I’ll keep you updated on my progress…

    Fun with OpenLDAP

    I bought “LDAP System Administration” because I was interested in LDAP for a long time and I never really understood what one could do with it.

    While the reading book is great (it lacks some details here and there, but it’s really nice to read and has very understandable explanations), putting it to work wasn’t:

    What I want to acomplish is to have a central user-database for our 3 people company: Two Windows PC’s, one Linux-Router, a Mac OS X workstation, 3 Linux-Servers, my Home-PC – I want to be able to log into all of them with my one password I have in the LDAP-Server. That’s what LDAP is for anyway.

    Setting up the server was done in no time (although it required some sweat because I first installed the OpenLDAP Server of debian stable but then deceided to upgrade to the current release (debian is lagging like ever) by using the server from the unstable distribution. I got it to install eventually (after purging the former installation that caused the update-script of the new installation to quit beacuse ldap-utils where not installed [side note: if a packages installation script requires tools from another package: why isn’t this dependency marked in the package?]).

    Soon I’ve created my test-account, installed nss_ldap and pam_ldap and it seemd to work.

    Actually it crashed my SSH-daemon as soon as I tried to log on to the machine, I could not change the password of LDAP-accounts, su did not work and login was not possible either – despite the fact I was following the clear instructions in the LDAP-Book.

    The SSH-Problem got solved by updating to the latest version (uncommenting the LDAP-Support for groups in /etc/nsswitch.conf did help with the older version but this was no alternative. suing eventually began to work without me really changing anything, changing the password required me to edit /etc/pam.d/passwd despite the fact that the in-file documentation of that file states that it is not necessary. Just like the su-problem, the one with login went away eventually.

    /bin/passwd requires still requires me to enter the users old password when called as root. Stupid, but can be circumvented by using a LDAP-Admin-Tool. chsh authenticates via PAM and gets the current entries correctly but tries to save back to /etc/passwd. As stupid as the thing with passwd

    So the adventure is not even half completed but a day is used and I had to fight problems which are not even supposed to be existing…

    Is what I am trying to do really that sophisticated that it sinply does not work? Or am I just plain stupid?

    I’ll keep you updated…