It’s coming along…

I’ve just authenticated my first test-user on Richard’s Mac OS X (10.2.5) box via LDAP. It worked nicely – besides the fact that the GID was not assigned correctly. I will have a look into this before I’m going to post a little tutorial here.

Stay tuned…

LDAP again…

I know… it’s getting boring…

I just wanted to say that I’ve successfully fixed two problems:

  1. I had a problem where passwd immediately failed on another server I had just LDAPed:
    pilif@sen1 ~ % passwd
    LDAP Password incorrect
    passwd: User not known to the underlying authentication module
    pilif@sen1 ~ %

    The problem was a use_first_pass I had in the pam_ldap line of /etc/pam.d/passwd. When changing the password, it checked the authenticity with an empty password (first_pass was empty – I never ever entered one), which failed. If somebody could please tell me the log level to set in slapd.conf to actually get useful logging information describing the problem: step forward!

  2. You have to set rootbinddn in your (pam|nss)_ldap configuration file. This will enable root to change a user’s password without having to know it first.

    Oh.. both updatedn and updateref were not correctly set in the replica’s slapd.conf. I’ve fixed this too.
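The two fixes above, as a small shell audit I added here (my example, not code from the post): it flags use_first_pass on a pam_ldap line that is the first password-stage module in a pam.d file (no earlier module could have prompted, so pam_ldap gets an empty password), checks that rootbinddn is set, and checks that the file pam_ldap reads the rootbinddn password from (/etc/ldap.secret, which the nss_ldap/pam_ldap documentation requires to be root-only) is not readable by others. All sample files are constructed; /etc/ldap.conf as the pam_ldap/nss_ldap config location is an assumption about the Debian packages described above.

```shell
#!/bin/sh
# Added example, not from the post: audit the pam_ldap/nss_ldap settings
# discussed above. Paths are parameters so the checks run on the constructed
# sample files below; on a real host they would be /etc/pam.d/passwd,
# /etc/ldap.conf (pam_ldap config location: an assumption) and /etc/ldap.secret.

# Returns 0 (problem) if the FIRST password-stage module in a pam.d file is
# pam_ldap with use_first_pass. No earlier module could have prompted, so
# pam_ldap would authenticate with an empty password, exactly the failure
# described in the post. Comment lines never have "password" as field 1.
pam_ldap_first_pass_problem() {
    flag=$(awk '$1 == "password" {
                   if ($0 ~ /pam_ldap\.so/ && $0 ~ /use_first_pass/) print "yes"
                   exit
               }' "$1")
    [ "$flag" = "yes" ]
}

# Returns 0 if an (uncommented) rootbinddn line is present in an ldap.conf.
ldap_conf_has_rootbinddn() {
    grep -q '^[[:space:]]*rootbinddn[[:space:]]' "$1"
}

# Returns 0 if the file is readable by its owner only (group/other bits are
# all "-"). pam_ldap reads the rootbinddn password from /etc/ldap.secret, so
# anything looser hands every local user the directory admin password.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Runs all three checks, prints a verdict per file, returns the failure count.
audit_pam_ldap() {
    failures=0
    if pam_ldap_first_pass_problem "$1"; then
        echo "FAIL $1: pam_ldap is the first password module but carries use_first_pass"
        failures=$((failures + 1))
    else
        echo "ok   $1: pam_ldap password line looks sane"
    fi
    if ldap_conf_has_rootbinddn "$2"; then
        echo "ok   $2: rootbinddn set (root can change passwords without the old one)"
    else
        echo "FAIL $2: rootbinddn missing"
        failures=$((failures + 1))
    fi
    if secret_file_is_private "$3"; then
        echo "ok   $3: mode is owner-only"
    else
        echo "FAIL $3: rootbinddn password file is missing or readable by others"
        failures=$((failures + 1))
    fi
    return $failures
}

# --- constructed sample files (stand-ins for the real /etc files) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/passwd.broken" <<'EOF'
# the variant that produced "LDAP Password incorrect" in the post
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_unix.so nullok obscure md5
EOF

cat >"$tmp/passwd.fixed" <<'EOF'
password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure md5
EOF

cat >"$tmp/ldap.conf.noroot" <<'EOF'
base dc=example,dc=com
host ldap.example.com
#rootbinddn cn=admin,dc=example,dc=com
EOF

cat >"$tmp/ldap.conf.ok" <<'EOF'
base dc=example,dc=com
host ldap.example.com
rootbinddn cn=admin,dc=example,dc=com
EOF

printf 'not-a-real-password\n' >"$tmp/ldap.secret"
chmod 600 "$tmp/ldap.secret"

# Stand-alone run: the broken pair fails two checks, the fixed pair passes.
audit_pam_ldap "$tmp/passwd.broken" "$tmp/ldap.conf.noroot" "$tmp/ldap.secret" || true
audit_pam_ldap "$tmp/passwd.fixed"  "$tmp/ldap.conf.ok"     "$tmp/ldap.secret"
```

The use_first_pass check only looks at the first password-stage line on purpose: further down the stack the option is harmless, because an earlier module has already prompted.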

OSX and OpenLDAP

Finally. It works. I got Richard’s OSX box to authenticate against the OpenLDAP server I set up yesterday (actually, it authenticates against the replica but this does not make any difference). Here’s what I did:

  • As I have the homeDirectory attribute in the form /home/username, and Mac OS X has the users in /Users/username, I actually had two ways to fix this: a) add another attribute to the LDAP server called osxHomeDirectory or something like that. This was no alternative as I don’t have an enterprise number yet, so I could not legally create an OID for such an attribute. b) symlink /home to /Users. That’s what I did.
  • Now I started the “Directory Access” utility in the Applications/Utilities folder.
  • I’ve removed the checkmark on LDAPv2, selected LDAPv3 and clicked on “configure”.
  • The next step was to remove the checkmark “Use DHCP supplied LDAP-Server” as my DHCP server does not supply an LDAP server (and I don’t even know which option code that would be on the DHCP server).
  • Now I’ve clicked on the “more” arrow to display the advanced settings, where I’ve entered the hostname of the internal (replica) LDAP server. In LDAP Mappings, I’ve selected “Custom”; the SSL checkbox stayed unchecked after my unsuccessful tries to get OpenLDAP to use my self-signed certificate yesterday. I’ll get back to this before I get productive with my setup.
  • In the new dialog that popped up, I had to make some adjustments:

    (In my explanations I assume your accounts have objectClasses of inetOrgPerson, posixAccount and shadowAccount.)

    1. Under “Users”, set the RecordName to “uid”.
    2. I had to add a record called “Group” to Users and assign “primaryUID” to it, or the group of the user was not recognized (see the prior entry in this blog).
    3. Under “Group”, add the RecordName attribute and assign cn to it, or the group was not recognized later on.
    4. Now close the dialog by hitting “OK” and then close the next dialog too with “OK”.
    5. Now select the “Authentication” tab and choose a “Custom” search path. Add your newly added LDAP server.
    6. Do the same with the Contacts tab – although I have not yet figured out how to get this to work.
    7. Hit “Apply”.
    8. Reboot.

  The last step is very annoying: I had to experiment quite a bit with the mapping settings to finally get my LDAP groups recognized and get the right primary group assigned to LDAP users (it was always 0/wheel, which is not what I wanted – not at all). There is no way to get the OS to recognize changes you make in the Directory Access utility but to reboot the machine. I’m happy OSX boots that fast. If it had been Windows I’d still be waiting for the reboots to complete ;-)

What have I accomplished?

  • I can log in with the LDAP accounts by selecting “other” in the login screen and then entering username and password.
  • I can su to any LDAP account.

What still does not work:

  • passwd
  • Although I can set a new password in the System Preferences, the changes do not get written back to the LDAP server.

About the password-changing problems, I will have a look at PAM. Until then, I’m quite happy I finally got it to work.

I really hope someone will find this useful…
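For readers who want to see what the mappings above actually resolve against, here is an added example of mine (not from the post, and not Apple’s or OpenLDAP’s code): a constructed user entry with the inetOrgPerson, posixAccount and shadowAccount classes the steps assume, a posixGroup for its primary group, and a small shell check that an LDIF user carries everything the mappings look up (uid for RecordName, uidNumber, gidNumber for the primary group, and a homeDirectory under /home so the /home to /Users symlink applies). The entries and dc=example,dc=com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: validate that an LDIF user entry carries
# what the Directory Access mappings above rely on, and resolve its primary
# group name from a posixGroup LDIF the way the Group mapping (RecordName=cn)
# does. Sample entries are constructed; dc=example,dc=com is a placeholder.

# Print the value(s) of one attribute from a single-entry LDIF file.
# "uid:" does not match "uidNumber:" because the match is anchored on "name:".
ldif_attr() {
    awk -v a="$2" 'index($0, a ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print }' "$1"
}

# Returns 0 if the user has the three objectClasses and the four attributes the
# mappings use, and a homeDirectory under /home (so the symlink trick works).
# Prints what is missing otherwise.
ldif_posix_user_ok() {
    missing=""
    for oc in inetOrgPerson posixAccount shadowAccount; do
        ldif_attr "$1" objectClass | grep -qx "$oc" || missing="$missing objectClass=$oc"
    done
    for at in uid uidNumber gidNumber homeDirectory; do
        [ -n "$(ldif_attr "$1" "$at")" ] || missing="$missing $at"
    done
    home=$(ldif_attr "$1" homeDirectory)
    case "$home" in
        /home/*) ;;
        *) missing="$missing homeDirectory-not-under-/home" ;;
    esac
    [ -z "$missing" ] || { echo "$1 is missing:$missing"; return 1; }
}

# Given a gidNumber, print the cn of the matching posixGroup in a multi-entry
# LDIF (entries are separated by blank lines). This is the lookup that failed
# for the author until the Group record got its RecordName (cn) attribute.
group_name_for_gid() {
    awk -v g="$2" '
        /^dn:/         { cn = ""; gid = "" }
        /^cn: /        { cn = substr($0, 5) }
        /^gidNumber: / { gid = substr($0, 12) }
        /^$/           { if (gid == g && cn != "") print cn; cn = ""; gid = "" }
        END            { if (gid == g && cn != "") print cn }
    ' "$1"
}

# --- constructed sample LDIF ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/user.ldif" <<'EOF'
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test User
sn: User
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser
loginShell: /bin/bash
userPassword: {SSHA}not-a-real-hash
EOF

# Missing shadowAccount and gidNumber, and a Mac-style home path: the
# OS-side mappings would have nothing to resolve the primary group from.
cat >"$tmp/user-broken.ldif" <<'EOF'
dn: uid=broken,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: broken
cn: Broken User
sn: User
uidNumber: 1002
homeDirectory: /Users/broken
EOF

cat >"$tmp/groups.ldif" <<'EOF'
dn: cn=testuser,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 1001

dn: cn=staff,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 2000
memberUid: testuser
EOF

# Stand-alone run.
ldif_posix_user_ok "$tmp/user.ldif"
ldif_posix_user_ok "$tmp/user-broken.ldif" || true
gid=$(ldif_attr "$tmp/user.ldif" gidNumber)
echo "primary group of testuser (gid $gid): $(group_name_for_gid "$tmp/groups.ldif" "$gid")"
```

Running it prints that the second entry is missing objectClass=shadowAccount, gidNumber and a /home path, and resolves testuser’s primary group to “testuser”; a gidNumber with no posixGroup yields an empty name, which is the situation that left the author’s users in 0/wheel.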

And on to replication

The show must go on. As our ADSL connection from the office to the internet is not that reliable, I decided to use OpenLDAP’s slurpd to replicate the LDAP tree to an internal LDAP server. The setup is quite well described in my LDAP book and it did work the first time I tried it.

At least it sort of worked…

Although changed attributes appeared on the replica, a newly created user was not synchronized. There was no reject on the master either – the data just vanished [sidenote: why is there a replication reject log if data can vanish anyway – this is not reliable behaviour at all].

Reading the syslog finally gave me the idea: the permissions of the replica’s data directory were not set correctly: some of the files (and the directory itself) belonged to root.root while slapd was running as slapd.slapd.

Now it’s working like a charm and I am looking forward to trying to authenticate Richard’s Mac against the internal LDAP server.

When this works, I’m going to finally convert the SAMBA installation to a PDC and set up something to synchronize the Windows password with the Unix one (both in LDAP – of course).

I’ll keep you updated on my progress…
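The two things that went wrong in this setup (updatedn/updateref missing on the replica, and a data directory partly owned by root while slapd ran as slapd) are cheap to check before trusting a replica. Here is an added shell check of mine (my example, not the post’s or OpenLDAP’s code) that verifies the replica’s slapd.conf has updatedn and updateref, the master’s has the replica and replogfile directives slurpd needs, and that everything under the database directory belongs to the slapd user. The slapd.conf fragments and the directory are constructed stand-ins for /etc/ldap/slapd.conf and /var/lib/ldap.

```shell
#!/bin/sh
# Added example, not from the post: sanity checks for a slurpd replication
# pair. Paths are parameters; the files below are constructed stand-ins.

# Returns 0 if slapd.conf has an uncommented line starting with the directive.
slapd_conf_has() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1"
}

# Replica side: slurpd binds as updatedn to push changes, and updateref tells
# clients that write to the replica where the master is. Prints what is missing.
replica_conf_ok() {
    missing=""
    for d in updatedn updateref; do
        slapd_conf_has "$1" "$d" || missing="$missing $d"
    done
    [ -z "$missing" ] || { echo "replica $1 is missing:$missing"; return 1; }
}

# Master side: a replica directive per target plus the replogfile slurpd reads.
master_conf_ok() {
    missing=""
    for d in replica replogfile; do
        slapd_conf_has "$1" "$d" || missing="$missing $d"
    done
    [ -z "$missing" ] || { echo "master $1 is missing:$missing"; return 1; }
}

# Owner of a path as ls reports it (portable; avoids stat -c).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Returns 0 if the directory and everything under it belong to $2. Files the
# slapd user cannot write are how a replayed change silently "vanishes".
dir_owned_by() {
    bad=$(find "$1" -exec ls -ld {} \; | awk -v u="$2" '$3 != u')
    if [ -n "$bad" ]; then
        echo "not owned by $2:"
        echo "$bad"
        return 1
    fi
}

# --- constructed sample configs and data directory ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/slapd.conf.master" <<'EOF'
database    bdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap
replogfile  /var/lib/ldap/replog
replica     host=ldap-internal.example.com:389
            binddn="cn=replicator,dc=example,dc=com"
            bindmethod=simple credentials=not-a-real-password
EOF

cat >"$tmp/slapd.conf.replica.bad" <<'EOF'
database    bdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap
# updatedn   "cn=replicator,dc=example,dc=com"
EOF

cat >"$tmp/slapd.conf.replica.ok" <<'EOF'
database    bdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap
updatedn    "cn=replicator,dc=example,dc=com"
updateref   ldap://ldap.example.com/
EOF

mkdir -p "$tmp/ldap"
: >"$tmp/ldap/id2entry.bdb"
: >"$tmp/ldap/dn2id.bdb"

# Stand-alone run: the "bad" replica config and a foreign owner both fail.
master_conf_ok "$tmp/slapd.conf.master"
replica_conf_ok "$tmp/slapd.conf.replica.bad" || true
replica_conf_ok "$tmp/slapd.conf.replica.ok"
dir_owned_by "$tmp/ldap" "$(owner_of "$tmp/ldap")"
dir_owned_by "$tmp/ldap" slapd || true   # fails unless this runs as slapd
```

On a real replica the ownership check is the one to run after every package upgrade or restore, since that is where root-owned files creep in; a slurpd reject log only records changes the replica refused, not ones it could not write.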

Fun with OpenLDAP

I bought “LDAP System Administration” because I had been interested in LDAP for a long time and I never really understood what one could do with it.

While reading the book is great (it lacks some details here and there, but it’s really nice to read and has very understandable explanations), putting it to work wasn’t:

What I want to accomplish is to have a central user database for our 3-person company: two Windows PCs, one Linux router, a Mac OS X workstation, 3 Linux servers, my home PC – I want to be able to log into all of them with the one password I have in the LDAP server. That’s what LDAP is for anyway.

Setting up the server was done in no time (although it required some sweat because I first installed the OpenLDAP server of Debian stable but then decided to upgrade to the current release (Debian is lagging like ever) by using the server from the unstable distribution). I got it to install eventually (after purging the former installation that caused the update script of the new installation to quit because ldap-utils were not installed [side note: if a package’s installation script requires tools from another package: why isn’t this dependency marked in the package?]).

Soon I’d created my test account, installed nss_ldap and pam_ldap and it seemed to work.

Actually it crashed my SSH daemon as soon as I tried to log on to the machine, I could not change the password of LDAP accounts, su did not work and login was not possible either – despite the fact that I was following the clear instructions in the LDAP book.

The SSH problem got solved by updating to the latest version (uncommenting the LDAP support for groups in /etc/nsswitch.conf did help with the older version, but this was no alternative). su-ing eventually began to work without me really changing anything; changing the password required me to edit /etc/pam.d/passwd despite the fact that the in-file documentation of that file states that it is not necessary. Just like the su problem, the one with login went away eventually.

/bin/passwd still requires me to enter the user’s old password when called as root. Stupid, but it can be circumvented by using an LDAP admin tool. chsh authenticates via PAM and gets the current entries correctly but tries to save back to /etc/passwd. As stupid as the thing with passwd.

So the adventure is not even half completed, but a day has been used and I had to fight problems which are not even supposed to exist…

Is what I am trying to do really that sophisticated that it simply does not work? Or am I just plain stupid?

I’ll keep you updated…

Philips Streamium

I got my hands on a Philips Streamium. Not because I wanted one, but because I’m going to write a review for our broadband portal. I really wondered whether it was possible to use the device without the stupid musicmatch jukebox, so I went behind the scenes using a network sniffer.

I will post a deeper review of what I’ve found (it’s just plain old XML over HTTP) later today, because now I have to do some real work. Till then, you can have a look at the exchange between my musicmatch and the Streamium here (and before you ask: I really have bought all the CDs from which I have ripped the MP3s you will see in the log. I rarely ever download music from P2P networks).

Mario…

It just came to my mind: I am through with Super Mario Advance 2 on my GameBoy Advance SP – at least, I’ve finished all 96 goals. Now I only have to get all the Yoshi coins, but when I think of the damned special world, I come to the conclusion that I’ll possibly never manage to get those coins.

Two more bugs… gone!

No. This is not about the new iPods Apple announced today (of course I’ve ordered myself a 30GB one, but this really is another story).

I’m just very pleased that two bugs in jEdit’s current CVS version have been fixed by Slava the same day I reported them. This is just great!

If you are in need of a good editor, go and get jEdit!

That’s nice…

You may know CrossOver Office from CodeWeavers: it’s a commercial Wine distribution specifically targeted at supporting MS Office and a couple of other often-used Windows applications under Linux.

As you can imagine, the CodeWeavers people are implementing features for their product independently of the Wine community but feed them back to the Open Source project once a new release of CrossOver Office is released. This practice makes sense as it allows them to get media coverage by announcing lots of not-there-before features, but still work together with the community.

Just now that CrossOver Office 2.0 got released, there was a thread on the Wine mailing list because someone tried to implement tablet support for the Open Source version only to learn that it is already there in CrossOver Office. The changes got committed to the Wine code, but there was some discussion why it did not get announced to the community so senseless duplicated work could have been prevented.

I was really happy to see the response of the guy at CodeWeavers. I just hope every company would react to and work with the community in that way…

Read a conclusion of the thread here

A name is a name… or not?

I really saw this mess coming when I read the announcement that Mozilla’s Phoenix will be called Firebird for now: Firebird is a spin-off of the once open-sourced Interbase database server by Borland, existing for three years now and using the name “Firebird” since then.

As you can imagine, the Firebird (DB) people were not too happy about this – Phoenix had to be renamed because of a naming conflict and the new solution still creates one – but this time it’s not a commercial product it’s conflicting with – it’s another Open Source project.

I can understand both sides:

Mozilla
The name Firebird has been checked by Netscape’s/AOL’s legal department (why have they not noticed this? or is it maybe that they thought it would not matter?) and another name change would again involve the legal department, which will please neither the BIOS vendor Phoenix nor the Mozilla team, as they will not release another milestone called Phoenix.

Firebird
Firebird already suffers from not really being known to the public. The RDBMS it spun off from is known mainly by Delphi developers and neither Interbase nor Firebird were often in the press these days. A better-known product with the same name will further divert attention. And the psychological reason: the name Firebird was chosen based on the real political mess around open-sourcing Interbase and is, in my opinion, a very well chosen name.

While I can understand the arguments on both sides, I can neither offer a solution pleasing for both projects (besides the question why Phoenix is not to be called simply “Mozilla” – after all, the browser component in the Mozilla Suite is to be replaced by Firebird (the browser) anyway) nor can I understand the way the folks around Firebird (the DB) react to the problem (and here – an entry in Dave Hyatt’s blog). War is never a solution – never!