[FUG-BR] LDAP AGAIN
Giancarlo Rubio
gianrubio em gmail.com
Thu Aug 28 19:12:09 BRT 2008
2008/8/28 William David FUG-BR <fugbr em biosystems.ath.cx>:
> Good afternoon
> I'd like to ask for help with something that is driving me bald.
> I have a damn error in OpenLDAP.
>
> where it does not return the groups correctly by id, and Samba gets
> lost when the user logs in, not letting them connect to the shares
> because of the group restriction.
>
> I was writing an article about FreeBSD + OLDAP + Samba + and got
> stuck on this
>
> see the article, which has a complete view of the configuration and explanations
> http://biosystems.ath.cx:8080/wiki/doku.php?id=manuais:sar
>
>
> # id bio
> uid=1013(bio) gid=513(Domain Users) groups=513(Domain Users)
>
> # id teste
> uid=1395(teste) gid=513(Domain Users) groups=513(Domain Users)
>
> # id teste1
> uid=1396(teste1) gid=513(Domain Users) groups=513(Domain Users)
What would be the correct output of that id?? If possible, post somewhere
a ldapsearch -x -D "cn=Manager,dc=schwarz" -w teste, so we can see
your real base.
> Aug 28 16:19:33 Bartelby id: nss_ldap: could not search LDAP server -
> Server is unavailable
That always happens here with me too; it has to do with the soft bind policy being used.
>
> # getent group
>
> teste1:*:1000:teste,bio,teste1
> teste2:*:1003:teste,bio
> teste3:*:1004:teste,bio
> teste4:*:1005:teste,bio
> # /usr/local/libexec/slapd -V
> @(#) $OpenLDAP: slapd 2.4.11 (Jul 25 2008 13:17:13) $
> root em Bartelby.schwarz:/usr/ports/net/openldap24-server/work/openldap-2.4.11/servers/slapd
>
>
> # /var/db/pkg/
> pam_ldap-1.8.4
> db46-4.6.21.1
> nss_ldap-1.257
> openldap-sasl-client-2.4.11
> openldap-sasl-server-2.4.11
> smbldap-tools-0.9.5
> samba-3.0.31_1,1
>
>
>
>
> ############################################
> my configs are:
>
>
> # /usr/local/etc/nss_ldap.secret <-> /etc/ldap.secret <->
> /usr/local/etc/ldap.secret
> teste
>
> # /usr/local/etc/nss_ldap.conf <-> /etc/ldap.conf <-> /usr/local/etc/ldap.conf
> host schwarz-001b
>
> uri ldap://schwarz-001b:389/
>
> port 389
>
> base dc=schwarz
>
> bind_policy soft
>
> rootbinddn cn=Manager,dc=schwarz
>
> pam_password SSHA
> ssl no
> bind_policy soft
> nss_base_passwd ou=Users,dc=schwarz?one
> nss_base_passwd ou=Computers,dc=schwarz?one
Isn't that wrong???
> nss_base_group ou=Groups,dc=schwarz?one
>
>
>
> # /usr/local/etc/openldap/ldap.conf
> BASE dc=schwarz
> URI ldap://192.168.1.232 ldap://192.168.2.100
>
> BINDDN cn=manager,dc=schwarz
>
>
>
>
> # /usr/local/etc/openldap/slapd.conf
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/samba.schema
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> ServerID 001
>
> modulepath /usr/local/libexec/openldap
> moduleload back_hdb
>
> loglevel 256
>
> database hdb
>
> suffix "dc=schwarz"
> rootdn "cn=Manager,dc=schwarz"
>
> rootpw {SSHA}qgsEroh1jPssq3EOKn74TESuVhLm95Wl
>
> directory /var/db/openldap-sch
>
> checkpoint 1024 5
>
> index objectClass,uidNumber,gidNumber,entryUUID,entryCSN,contextCSN
> eq
> index cn,sn,uid,displayName
> pres,sub,eq
> index memberUid,mail,givenname
> eq,subinitial
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName,sambaGroupType,sambaSIDList
> eq
>
> overlay syncprov
>
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> lastmod on
>
> syncrepl rid=001
> provider=ldap://192.168.1.232
> type=refreshAndPersist
> interval=00:00:00:10
> searchbase="dc=schwarz"
> scope=sub
> schemachecking=off
> bindmethod=simple
> binddn="cn=manager,dc=schwarz"
> credentials=teste
> retry="60 +"
>
> syncrepl rid=003
> provider=ldap://192.168.2.100
> type=refreshOnly
> interval=00:00:02:00
> searchbase="dc=schwarz"
> scope=sub
> schemachecking=off
> bindmethod=simple
> binddn="cn=manager,dc=schwarz"
> credentials=teste
> retry="60 +"
>
> mirrormode on
>
> access to *
> by self write
> by anonymous auth
> by * none
>
I've never used syncrepl in production; have you tried testing without
replication, using just 1 server??
>
> ## /etc/nsswitch.conf
> group: files ldap
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: files ldap
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> # host schwarz-001b
> schwarz-001b.schwarz has address 192.168.1.232
>
> # netstat -an
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp4 0 0 192.168.1.232.59920 192.168.2.100.389 TIME_WAIT
> tcp4 0 0 192.168.1.232.53064 192.168.1.232.389 TIME_WAIT
> tcp4 0 0 192.168.1.232.389 192.168.2.100.58975 ESTABLISHED
> tcp4 0 0 192.168.1.232.389 192.168.1.232.63562 ESTABLISHED
> tcp4 0 0 192.168.1.232.63562 192.168.1.232.389 ESTABLISHED
> tcp4 0 52 192.168.1.232.22 192.168.1.246.55668 ESTABLISHED
> tcp4 0 0 192.168.1.232.389 192.168.1.232.55105 ESTABLISHED
> tcp4 0 0 192.168.1.232.55105 192.168.1.232.389 ESTABLISHED
> tcp4 0 0 *.389 *.* LISTEN
> tcp6 0 0 *.389 *.* LISTEN
>
>
>
> --
> -=-=-=-=-=-=-=-=-=-
> William David Armstrong <----. Of course it runs
> Bio Systems Security Networking <----|==========================
> MSN / GT biosystems em gmail.com <----' OpenBSD or FreeBSD
> --------------------------------------
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>
--
Giancarlo Rubio
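As an added diagnostic, not code from either poster: the script below takes the `getent group` lines quoted in the thread (embedded here as constructed sample input) and reports which of a user's expected supplementary gids a given `id -G` result lacks. For `bio`, whose `id` returned only 513, it lists the four `teste*` groups that NSS failed to resolve.

```shell
#!/bin/sh
# Compare the supplementary groups that `getent group` advertises for a user
# against the gids that `id -G` actually resolves, to spot group lookups that
# silently fall back to the primary gid only.
# Constructed sample input, copied from the `getent group` output in the thread;
# for a live check set GETENT_GROUP=$(getent group) instead.
GETENT_GROUP='teste1:*:1000:teste,bio,teste1
teste2:*:1003:teste,bio
teste3:*:1004:teste,bio
teste4:*:1005:teste,bio'

# expected_gids USER: gid of every group whose member list (field 4) names USER,
# sorted numerically, space separated
expected_gids() {
    printf '%s\n' "$GETENT_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $3 }' |
        sort -n | tr '\n' ' '
}

# missing_gids USER "GIDS FROM id -G": expected gids that id did not report
missing_gids() {
    exp=$(expected_gids "$1")
    out=""
    for g in $exp; do
        case " $2 " in
            *" $g "*) ;;                 # id already reports this gid
            *) out="$out$g " ;;          # advertised by getent, missing from id
        esac
    done
    printf '%s' "${out% }"
}

# In the thread `id bio` resolved only the primary group 513
missing_gids bio "513"    # → 1000 1003 1004 1005
echo
```

An empty result means NSS resolves every group that `getent group` lists for that user; a non-empty one points at the group (initgroups) lookup rather than the passwd entry.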