LDAP again…

I know… it’s getting boring…

I just wanted to say that I’ve successfully fixed two problems:

  1. I had a problem where passwd immediately failed on another server I had just LDAPed:
    pilif@sen1 ~ % passwd
    LDAP Password incorrect
    passwd: User not known to the underlying authentication module
    pilif@sen1 ~ %

    The problem was a use_first_pass I had in the pam_ldap line of /etc/pam.d/passwd. When changing the password, it checked the authenticity with an empty password (first_pass was empty – I never entered one), which failed. If somebody could please tell me the log level to set in slapd.conf to actually get useful logging information describing the problem: step forward!

  2. You have to set rootbinddn in your (pam|nss)_ldap configuration file. This will enable root to change a user’s password without having to know it first.

    Oh, and both updatedn and updateref were not correctly set in the replica’s slapd.conf. I’ve fixed this too.

Fun with OpenLDAP

I bought “LDAP System Administration” because I had been interested in LDAP for a long time and never really understood what one could do with it.

While the book itself is great (it lacks some details here and there, but it’s really nice to read and has very understandable explanations), putting it to work wasn’t:

What I want to accomplish is to have a central user database for our three-person company: two Windows PCs, one Linux router, a Mac OS X workstation, three Linux servers and my home PC – I want to be able to log into all of them with the one password I have in the LDAP server. That’s what LDAP is for anyway.

Setting up the server was done in no time (although it required some sweat because I first installed the OpenLDAP server of Debian stable but then decided to upgrade to the current release (Debian is lagging like ever) by using the server from the unstable distribution). I got it to install eventually (after purging the former installation, which caused the update script of the new installation to quit because ldap-utils was not installed) [side note: if a package’s installation script requires tools from another package, why isn’t this dependency marked in the package?].

Soon I had created my test account, installed nss_ldap and pam_ldap and it seemed to work.

Actually, it crashed my SSH daemon as soon as I tried to log on to the machine, I could not change the password of LDAP accounts, su did not work and login was not possible either – despite the fact that I was following the clear instructions in the LDAP book.

The SSH problem got solved by updating to the latest version (uncommenting the LDAP support for groups in /etc/nsswitch.conf did help with the older version, but this was no alternative). su’ing eventually began to work without me really changing anything; changing the password required me to edit /etc/pam.d/passwd despite the fact that the in-file documentation states that this is not necessary. Just like the su problem, the one with login went away eventually.

/bin/passwd still requires me to enter the user’s old password when called as root. Stupid, but it can be circumvented by using an LDAP admin tool. chsh authenticates via PAM and gets the current entries correctly but tries to save back to /etc/passwd. As stupid as the thing with passwd.

So the adventure is not even half completed, but a day has been used up and I had to fight problems which are not even supposed to exist…

Is what I am trying to do really that sophisticated that it simply does not work? Or am I just plain stupid?

I’ll keep you updated…

And on to replication

The show must go on. As our ADSL connection from the office to the internet is not that reliable, I decided to use OpenLDAP’s slurpd to replicate the LDAP tree to an internal LDAP server. The setup is quite well described in my LDAP book and it did work the first time I tried it.

At least it sort of worked…

Although changed attributes appeared on the replica, a newly created user was not synchronized. There was no reject on the master either – the data just vanished [sidenote: why is there a replication reject log if data can vanish anyway – this is not reliable behaviour at all].

Reading the syslog finally gave me the idea: the permissions of the replica’s data directory were not set correctly: some of the files (and the directory itself) belonged to root.root while slapd was running as slapd.slapd.
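An added example, not code from the original posts: a small POSIX shell script that checks for the misconfigurations described in the “LDAP again…” entry above (use_first_pass on the pam_ldap line of /etc/pam.d/passwd, a missing rootbinddn, updatedn/updateref missing from the replica’s slapd.conf) and for the replica data directory ownership problem from this entry. The file layouts, DNs, hostnames and the sample configurations it writes are assumptions made for the demonstration; pointed at real files, the same functions work as a quick audit.

```sh
#!/bin/sh
# Added example (not from the original posts): checks for the LDAP client and
# replica misconfigurations described above. The file layouts, DNs, hostnames
# and sample contents are assumptions made for the demonstration.

# pam_ldap with use_first_pass re-uses a password an earlier module in the
# same stack already collected; in the "password" stack of passwd(1) there is
# nothing to reuse, so the module fails as shown in the transcript above.
check_pam_passwd() {    # $1: PAM service file; prints offending lines, rc 1 if any
    if awk '$1 == "password" && /pam_ldap/ && /use_first_pass/' "$1" | grep .; then
        return 1
    fi
    return 0
}

# rootbinddn lets root change a user's LDAP password without knowing the old
# one; pam_ldap/nss_ldap read that DN's password from a root-only secret file,
# so the file has to exist with mode 0600 (assumed default: /etc/ldap.secret).
check_rootbinddn() {    # $1: ldap.conf; $2: secret file
    secret=${2:-/etc/ldap.secret}
    grep -q '^[[:space:]]*rootbinddn[[:space:]]' "$1" \
        || { echo "rootbinddn missing in $1"; return 1; }
    if [ -e "$secret" ]; then
        perms=$(ls -ld "$secret" | cut -c2-10)
        [ "$perms" = "rw-------" ] \
            || { echo "$secret should be mode 0600, is $perms"; return 1; }
    fi
    return 0
}

# A slurpd replica needs updatedn (the DN the master binds with, i.e. the
# binddn of the master's "replica" directive) and updateref (where clients are
# referred for writes). Assumes the master's replica directive is on one line.
check_replica_conf() {  # $1: replica slapd.conf; $2: master slapd.conf
    rc=0
    grep -q '^[[:space:]]*updateref[[:space:]]' "$1" \
        || { echo "updateref missing in $1"; rc=1; }
    updatedn=$(awk '$1 == "updatedn" { $1 = ""; print }' "$1" \
        | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//')
    [ -n "$updatedn" ] || { echo "updatedn missing in $1"; return 1; }
    binddn=$(sed -n '/^[[:space:]]*replica[[:space:]]/ s/.*binddn="\([^"]*\)".*/\1/p' "$2")
    [ "$updatedn" = "$binddn" ] \
        || { echo "updatedn '$updatedn' does not match master binddn '$binddn'"; rc=1; }
    return $rc
}

# Every file under the replica's database directory must belong to the account
# slapd runs as; otherwise the replicated changes never reach the database.
check_owner() {         # $1: data directory; $2: expected owner (e.g. slapd)
    if find "$1" ! -user "$2" -print | grep .; then
        return 1
    fi
    return 0
}

# Constructed sample files (not real configs) so the checks run offline.
make_samples() {        # $1: scratch directory
    cat >"$1/passwd.bad" <<'EOF'
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_unix.so nullok obscure md5
EOF
    cat >"$1/passwd.good" <<'EOF'
password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure md5
EOF
    cat >"$1/ldap.conf" <<'EOF'
host ldap.example.com
base dc=example,dc=com
rootbinddn cn=admin,dc=example,dc=com
EOF
    printf 'adminsecret\n' >"$1/ldap.secret" && chmod 600 "$1/ldap.secret"
    cat >"$1/slapd.master.conf" <<'EOF'
suffix     "dc=example,dc=com"
replica    host=replica.example.com:389 binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=replpw
EOF
    cat >"$1/slapd.replica.conf" <<'EOF'
suffix     "dc=example,dc=com"
updatedn   "cn=replicator,dc=example,dc=com"
updateref  ldap://ldap.example.com
EOF
    cat >"$1/slapd.replica.bad.conf" <<'EOF'
suffix     "dc=example,dc=com"
EOF
}

# Run the checks against the samples (the "bad" ones are expected to fail).
scratch=$(mktemp -d)
make_samples "$scratch"
for chk in "check_pam_passwd $scratch/passwd.bad" \
           "check_rootbinddn $scratch/ldap.conf $scratch/ldap.secret" \
           "check_replica_conf $scratch/slapd.replica.bad.conf $scratch/slapd.master.conf" \
           "check_owner $scratch $(id -un)"; do
    if $chk; then echo "OK:   $chk"; else echo "FAIL: $chk"; fi
done
rm -rf "$scratch"
```

To audit a real host, call the functions with the real paths, e.g. `check_pam_passwd /etc/pam.d/passwd`, `check_rootbinddn /etc/ldap.conf /etc/ldap.secret` and `check_owner /var/lib/ldap slapd` (the data directory and user name depend on the distribution and are assumptions here). The replica check compares the DN both sides agree on rather than just testing for the directives, because a present-but-mismatched updatedn fails just as silently as a missing one.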

Now it’s working like a charm and I am looking forward to trying to authenticate Richard’s Mac against the internal LDAP server.

When this works, I’m going to finally convert the Samba installation to a PDC and set up something to synchronize the Windows password with the Unix one (both in LDAP – of course).

I’ll keep you updated on my progress…

Fun with Linux and new Hardware

Oops… what a delay between the last post and this one. I really should post more often or this really gets uninteresting.

However: recently I could not resist anymore and bought myself a new desktop PC – initially intended for use at home, but I never could get around to moving it out of the office. One of the reasons may be Richard and our shared love of Unreal Tournament, which certainly works better on a 2.5 GHz P4 with a Radeon 9700 than on my Thinkpad ;-)

Anyway: after having seen KDE 3.1rc3 using TrueType fonts with font hinting on my Gentoo box at home, I finally decided that it is time to give Linux a shot on this new PC to finally use it for the daily development work (which I did in jEdit [see below] under Windows on Samba-exported directories).

I mean: the time was right. ATI had just released a driver for the new Radeon series and I finally wanted to give it a shot.

And I shouldn’t have.

I chose Gentoo as my distribution. On the one hand because I wanted to see how long the new box takes to compile the whole stuff I need, and on the other hand because I really knew that every other distribution would not work, as they do not let the user do enough customizing in the installation and they certainly would not recognize my new hardware.

In short: even installing Gentoo with its always-brand-new software packages was a time-consuming, frustrating thing. Some points:

  • I used the integrated Broadcom NetXtreme Gigabit chipset on my Asus P4PE mainboard. Unfortunately the driver is not included in the kernel, and there is no compiler on the Gentoo install CD to compile a module matching the running kernel. My solution was using Knoppix with a /lib copied to the partition I wanted to use for Gentoo. Another one would have been trying to get the kernel headers used to compile the Gentoo install kernel and compiling the driver on another machine.
  • 2.4.19 does not support the ICH4 integrated IDE controller, so I had to install 2.4.20-rc2. I was too lazy to patch in the cool Gentoo patches. I will not upgrade the kernel anytime soon, as I will certainly forget to recompile all the modules I had to compile in addition to the ones provided with the kernel.
  • In the first night of using emerge <a lot of stuff> without sitting in front of the monitor, emerge failed about 10 minutes after I left when compiling PostgreSQL, because of a bug in that ebuild. One night the PC ran in vain.
  • The ATI drivers did not work for me: when starting XFree, a strange error about fglrx not containing some object data appeared and X closed down. Possibly the DRI project was of help in at least getting X to work (the current CVS version seems to support the new Radeon chips) – although not very fast and without all the 3D features I could have. As I am currently not sitting in front of the machine, I could just see X not going down, but I could not check if it really works yet.

I’ve learned that I will *never again* install Linux on anything newer than 6 months old. I really am no crack at setting up Linux and the procedure I had to go through was a pain in the ass. Many times I wanted to give up, as with every problem I solved, another one arose.

Finally, my liking for Gentoo may be another problem. Compiling everything from source is cool, but on the other hand it does not bring that much of a performance improvement and certainly takes time, even more so if ebuilds marked for production use are strictly broken and do not compile. As compiling is a time-consuming process, I nearly *demand* that it works without me having to sit in front of the monitor just to fix a compile problem here and there, as this (nearly) defeats the whole sense of using Gentoo instead of LFS.

Anyway: I am looking forward to the evening when I will possibly finally be ready to start using Linux productively.