# Problems and solutions using nss_ldap

## RAPHEAD

Hi,

I have basically the same setup as described in this nice howto:

http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC

but I have encountered two problems of which one is not completely resolved yet:

1.) If you use the nsswitch.conf settings as described in the howto, you will encounter the problem described here: https://bugs.gentoo.org/show_bug.cgi?id=99564

This can be resolved by using a ~x86 udev version -- currently I'm using 087.

2.) Unfortunately I only get to the point when the slapd service is starting up and then the system hangs again.

I have identified it as a chicken-and-egg problem when starting slapd in the default runlevel.

If slapd starts on system boot, it hangs for quite a while and will never start at all if you have not defined timeouts in /etc/ldap.conf.

In /var/log/messages the corresponding logs read:

```
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 30 02:01:10 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
...
```

I guess Linux tries to find out something about the user "ldap" but it can't, because the LDAP backend is just starting.

However, the user ldap IS defined in /etc/shadow and my /etc/nsswitch.conf is:

```
passwd:      files ldap
shadow:      files ldap
group:       files ldap
...
```

I think it should not be necessary to ask the LDAP backend about the user ldap, as it can be found in the "files" backend, but obviously this is not how Linux interprets this file.

The same problem is discussed here:

http://lists.freebsd.org/pipermail/freebsd-stable/2006-July/026916.html

Any ideas how this can be fixed? I think switching nsswitch.conf while booting is not a nice solution.

----------

## dambacher

Yes, chicken-egg

slapd wants to start and somehow switch users/groups, thereby accessing nss_ldap, which wants to call slapd.

So we need a chicken: /etc/passwd /etc/group

add this to your  /etc/ldap.conf

```
nss_initgroups_ignoreusers root,ldap
```

It worked for me.

----------
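An added check for the workaround above (not part of the thread, my own script): it reads a constructed /etc/passwd and /etc/ldap.conf and reports which local accounts are still missing from `nss_initgroups_ignoreusers` (so their initgroups() lookup would go to the directory), and whether `bind_policy soft` is active so nss_ldap fails fast instead of retrying while slapd is down. File contents and function names are my own assumptions.

```shell
#!/bin/sh
# Added example: verify the nss_initgroups_ignoreusers workaround.
# Both files are constructed samples, not copied from a real host.
TMP=$(mktemp -d)
PASSWD="$TMP/passwd"
LDAPCONF="$TMP/ldap.conf"

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
ldap:x:439:439:openldap service account:/usr/lib/openldap:/bin/false
nobody:x:65534:65534:nobody:/:/bin/false
EOF

cat > "$LDAPCONF" <<'EOF'
base dc=example,dc=lan
uri ldap://127.0.0.1
#bind_policy soft
nss_initgroups_ignoreusers root,ldap
EOF

# Print the comma-separated ignore list (last occurrence wins; empty if unset).
ignore_list() {
    awk '$1 == "nss_initgroups_ignoreusers" { v = $2 } END { print v }' "$1"
}

# Exit 0 when user $2 is listed in the ldap.conf given as $1.
is_ignored() {
    ignore_list "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Local accounts from the passwd file that nss_ldap would still look up
# in the directory during initgroups(): one name per line.
uncovered_local_users() {
    cut -d: -f1 "$1" | while read -r user; do
        is_ignored "$2" "$user" || echo "$user"
    done
}

# Exit 0 when bind_policy soft is active (not commented out), i.e. nss_ldap
# gives up immediately when slapd is unreachable instead of retrying.
bind_policy_soft() {
    awk '$1 == "bind_policy" && $2 == "soft" { found = 1 } END { exit !found }' "$1"
}

# Human-readable report; the functions above are what a test should call.
echo "local accounts not covered by nss_initgroups_ignoreusers:"
uncovered_local_users "$PASSWD" "$LDAPCONF"
bind_policy_soft "$LDAPCONF" && echo "bind_policy soft: yes" || echo "bind_policy soft: no (lookups block while slapd starts)"
```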

## RAPHEAD

Hi dambacher,

great, it worked!

----------

## RAPHEAD

I have some unresolved follow-up problems/questions which I want to state in the following:

1.) How can I create new users which can log on to my LDAP server? I have googled for this question but I could not come up with a sufficient answer. I don't want to use my rootdn for all purposes. From my POV it should be possible to bind to slapd with any existing user in the tree but how does slapd know how to interpret those entries?

2.) This is in fact a weird problem -- I cannot log in with any user in my LDAP tree and I know why. The log output indicates that on login, the corresponding user cannot be found in the tree. So I tried to fire this search with JExplorer manually. Indeed, the search returns zero results, but I can see the entries and they are there!

The search is:

- start from: ou=Users,dc=mydom,dc=lan
- full subtree
- uid is equal to root

Again, there is such a record but why can it not be found?

If I only search for the objectType, the search works.

----------

## dambacher

for 1)

I use the KDE program LUMA to manage my tree. But there are web-based tools, too. Webmin should work, too.

And if you configure it right, you can also use the standard scripts useradd etc.

You can also use the ldapadd/ldapsearch command line tools and just insert user entries.

2)

- check your nss_ldap configuration. Does it use the right LDAP fields for resolving uid/gid information?

- check this manually with ldapsearch

- check your slapd indices. Are they configured and built correctly?

- enclosed you find my LDAP configuration

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include      /etc/openldap/schema/core.schema
include      /etc/openldap/schema/cosine.schema
include      /etc/openldap/schema/inetorgperson.schema
include      /etc/openldap/schema/nis.schema
include      /etc/openldap/schema/misc.schema
include      /etc/openldap/schema/samba.schema

access to dn.base="" by * read

access to dn.subtree="dc=XXX,dc=de" attrs=userPassword
  by dn="cn=Manager,dc=XXX,dc=de" write
  by dn="uid=root,ou=People,dc=XXX,dc=de" write
  by anonymous auth
  by self write
  by * none

access to dn.subtree="dc=XXX,dc=de" attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=Manager,dc=XXX,dc=de" write
  by dn="uid=root,ou=People,dc=XXX,dc=de" write
  by anonymous auth
  by self write
  by * none

access to *
  by dn="cn=Manager,dc=XXX,dc=de" write
  by dn="uid=root,ou=People,dc=XXX,dc=de" write
  by * read

database   ldbm
suffix      "dc=XXX,dc=de"
rootdn      "cn=Manager,dc=XXX,dc=de"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory   /var/lib/openldap-ldbm

index   objectClass   eq
index   uid      pres,sub,eq
index    cn,sn,mail   pres,eq,approx,sub
## required to support pdb_getsambapwrid()
index displayName   pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq

### SSL configuration ###
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

#loglevel conns config ACL
loglevel 0
pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args
```

```
# ldap.conf
base dc=XXX,dc=de
uri ldaps://XXXzvr.ni.XXX.de
rootbinddn cn=Manager,dc=XXX,dc=de
ldap_version 3
scope one
pam_login_attribute uid
pam_member_attribute memberUid
pam_password exop
nss_base_passwd      ou=People,dc=XXX,dc=de?sub
nss_base_passwd      ou=Computers,dc=XXX,dc=de?sub
nss_base_passwd      ou=machines,dc=XXX,dc=de?sub
nss_base_shadow      ou=People,dc=XXX,dc=de?sub
nss_base_group       ou=Group,dc=XXX,dc=de?sub
nss_base_aliases     ou=Aliases,dc=XXX,dc=de
ssl start_tls
ssl on
#ssl off
#debug 256
#logdir /var/log/nss_ldap
#bind_policy soft
nss_initgroups_ignoreusers root,ldap
```

----------

## Noven

With regards to using other users to connect... creating the user is only the first step. You then need to set up your ACL to allow them to do the required operation. The default slapd.conf has some ACL examples, you can set it up depending on which part of the tree you want them to access, and what operations to allow them to do. Here is a simple example:

```
access to dn.subtree="ou=people,dc=mynet,dc=org"
  by dn="cn=slavetraders,ou=people,dc=mynet,dc=org" write
```

That lets the HR people edit people records. Using ACLs to allow read access is more common, for example letting a web application access part of the tree.

To simply allow users to log in you'll need something like this:

```
access to *
        by dn="uid=root,ou=people,dc=mynet,dc=org" write
        by self write
        by users read
        by anonymous auth
```

You'll need 'by anonymous read' for any non-authed program to search the list, so maybe try that.

----------

## RAPHEAD

Hi,

OK, Noven, I know I will have to set up ACLs to effectively restrict a user's rights.

The problem is I am not able to bind to my LDAP server with any of the existing users.

I think this has to do with my general problem -- I cannot search for stuff in LDAP.

@dambacher

I have semantically the same configs as you. The only exceptions are:

- I do not use SSL

- I have no ACLs so far

- I don't have the entry "nss_base_aliases   ou=Aliases,dc=XXX,dc=de"

I think the problem can best be perceived by the following example:

```
tux init.d # ldapsearch -x uid=root
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=root
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
```

The user root exists with uid=root but as you can see, it does not get found. The same happens when I search with other LDAP tools.

Another question is: why is it not possible to see the rootdn when browsing the tree?

In my case it is cn=Manager,dc=mydomain,dc=lan. I can bind to slapd with this DN!

many thanks so far

----------

## Noven

If you have no ACLs, that is your problem. By default Manager is allowed to bind, no other users are. If you give other users 'read' access then they will be able to bind.

Currently I can search the entire tree with my user. If I remove the 'by users read' from

```
access to *
        by dn="uid=root,ou=people,dc=mynet,dc=org" write
        by self write
        by users read
        by anonymous auth
```

then my user cannot bind and search.

----------

## RAPHEAD

Hi,

OK, meanwhile I can bind with other users, thanks to Noven.

But my primary problem persists.

Can you try a simple search like

```
ldapsearch -x uid=root
```

(if uid root exists in your tree) and tell me what result you get?

I can see in /var/log/messages that when I want to log in with a user which only exists in LDAP, the search for that user fails and, as a result, so does the login.

thanks, Thomas

----------

## Noven

```
twdr@brains ~ $ ldapsearch -x uid=root
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=root
# requesting: ALL
#

# root, People, xxxx.org
dn: uid=root,ou=People,dc=xxxx,dc=org
sn: root
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: root
gecos: root
shadowLastChange: 13430
cn: root
homeDirectory: /root

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
twdr@brains ~ $
```

Note this is with twdr, my unprivileged user account. Searching for other users works fine too. Can you search as root? The other test is to run a 'getent passwd | grep ldaponlyuser' . If that doesn't work you have a problem with your pam.d/system-auth file. Post the relevant configs, I'll see if I can spot any errors.

----------

## RAPHEAD

Seems like this is my problem! No matter with which user I try to bind/search I get no result when conducting this search.

Here is my system-auth file:

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_localuser.so
account    required     pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
# use_authtok (not "use_authok"): reuse the new password pam_unix already collected
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
#session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0066
session    optional     pam_ldap.so
```

----------

## Noven

The good news is that seems to be a correct config. The bad news is we still haven't identified the problem. Does slaptest give you any errors? Are you sure your data tree is set up correctly? (minor typos can wreak havoc)

I'd say check over the basic configs. The first time I set up openldap I used this howto: http://www.howtoforge.com/linux_ldap_authentication

It's pretty basic and there is plenty more to learn, but it's a good place to start and will at least get you to the point where you can use ldapsearch. If you can follow it through and get ldapsearch and getent to work, you are at least into the interesting problems. It is quite possible when going straight to a complex setup that simple things get overlooked.

----------

## dambacher

Sorry, work... Now I'm back.

1) We check if your LDAP works correctly.

1a) Can you use ldapsearch to get your user entries by searching for uid=yourusername or uidNumber=youridnumber?

1b) Can you check whether you get different results from ldapsearch when you run it as a normal user or when you use the Manager password, like in

```
 ldapsearch  -D cn=Manager,dc=yourdc -W uid=root
```

Correctly configured, you should see everything but passwords.

1c) can you get more info if you resolve user information when logged in as user, e.g.

```
ldapsearch -D uid=youruid,ou=People,dc=yourdc -W uid=youruid
```

you should see your passwords then but not the ones of other users.

2) we check pam_ldap and nss_ldap.

2a)

What ou values have you chosen within your LDAP database?

Some people set up their accounts under ou=People, dc=yourdc

Others use ou=Users,dc=yourdc.

You have to match these names with your nss configuration in /etc/nsswitch.conf

2b)

do you see the ldap-users or ldap-groups if you do a

```
getent passwd | grep "yourldapuser"
```

or

```
getent group | grep "yourldapgroup"
```

3)

Just in case, it may be helpful:

Do you get errors in syslog if you try to connect via ssh to your ldap-based system?

----------

## RAPHEAD

Hi together,

1a.) and 1b.) 

The interesting thing is that no matter which user I bind to slapd with, I cannot find any entries if I search for cn, uid, sn, uidNumber...

The result looks always like this:

```
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=root
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
```

BUT there is one property which I can search for successfully:  objectClass=posixAccount

If I use this expression I get all corresponding entries!

1c.) Same as above, also if I use another user than Manager, no success.

2a.)

You can see that here:

```
nss_base_passwd         ou=Users,dc=n-fuse,dc=lan?sub
nss_base_passwd         ou=Computers,dc=n-fuse,dc=lan?sub
nss_base_shadow         ou=Users,dc=n-fuse,dc=lan?sub
nss_base_group          ou=Groups,dc=n-fuse,dc=lan?sub
```

This is exactly how my tree structure looks when I browse over it.

2b.)

I forgot to state this in my last post!

In fact I see ALL users, also the ones which only exist in LDAP, when doing "getent passwd".

This is because the resulting search is "objectClass=posixAccount" and, as stated above, this search works. Crazy, isn't it?

3.)

sure, if I try to log in with "testuser" I get the following log messages:

```
Nov  7 22:05:23 n1box slapd[32207]: conn=56 fd=15 ACCEPT from IP=127.0.0.1:2339 (IP=0.0.0.0:389)
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=0 BIND dn="cn=Manager,dc=n-fuse,dc=lan" method=128
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=0 BIND dn="cn=Manager,dc=n-fuse,dc=lan" mech=SIMPLE ssf=0
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=0 RESULT tag=97 err=0 text=
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=1 SRCH base="ou=Users,dc=n-fuse,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=2 SRCH base="ou=Computers,dc=n-fuse,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov  7 22:05:23 n1box sshd[32603]: Invalid user testuser from 192.168.1.105
Nov  7 22:05:28 n1box sshd[32603]: Address 192.168.1.105 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
```

As you can see, it suffers from the problem stated in 1.)

----------
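An added log check for the slapd output in the post above (my own script, not from the thread): it pairs every SEARCH RESULT with nentries=0 to the SRCH line and the BIND dn of the same connection, so you see at once that the empty result came back while bound as the rootbinddn (which rules out ACLs as the cause) and which base and filter returned nothing, and it lists the sshd "Invalid user" events that follow. The log sample is constructed from the post's lines plus one search that did return entries; function names are my own.

```shell
#!/bin/sh
# Added example: correlate slapd empty search results with their bind DN and
# filter, and with the sshd failures that result. LOG is a constructed sample
# built from the thread's lines plus one search that returned entries.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Nov  7 22:05:23 n1box slapd[32207]: conn=56 fd=15 ACCEPT from IP=127.0.0.1:2339 (IP=0.0.0.0:389)
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=0 BIND dn="cn=Manager,dc=n-fuse,dc=lan" method=128
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=0 BIND dn="cn=Manager,dc=n-fuse,dc=lan" mech=SIMPLE ssf=0
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=0 RESULT tag=97 err=0 text=
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=1 SRCH base="ou=Users,dc=n-fuse,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=2 SRCH base="ou=Computers,dc=n-fuse,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Nov  7 22:05:23 n1box slapd[32207]: conn=56 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov  7 22:05:23 n1box sshd[32603]: Invalid user testuser from 192.168.1.105
Nov  7 22:06:01 n1box slapd[32207]: conn=57 op=0 BIND dn="cn=Manager,dc=n-fuse,dc=lan" method=128
Nov  7 22:06:01 n1box slapd[32207]: conn=57 op=1 SRCH base="ou=Users,dc=n-fuse,dc=lan" scope=2 deref=0 filter="(objectClass=posixAccount)"
Nov  7 22:06:01 n1box slapd[32207]: conn=57 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
EOF

# One line per search that returned no entries:
#   conn=N op=M as <bind dn>: base=<base> filter=<filter> -> 0 entries
zero_result_searches() {
    awk '
    function grab(re, skip, trim) { match($0, re); return substr($0, RSTART + skip, RLENGTH - skip - trim) }
    / BIND dn="/   { c = grab("conn=[0-9]+", 0, 0); bind[c] = grab("dn=\"[^\"]*\"", 4, 1) }
    / SRCH base="/ { k = grab("conn=[0-9]+ op=[0-9]+", 0, 0)
                     base[k] = grab("base=\"[^\"]*\"", 6, 1)
                     filt[k] = grab("filter=\"[^\"]*\"", 8, 1) }
    / SEARCH RESULT / && / nentries=0 / {
        k = grab("conn=[0-9]+ op=[0-9]+", 0, 0); split(k, p, " ")
        who = (p[1] in bind) ? bind[p[1]] : "anonymous"
        printf "%s as %s: base=%s filter=%s -> 0 entries\n", k, who, base[k], filt[k]
    }' "$1"
}

# Number of empty searches in the log (prints 0 when there are none).
count_zero_results() {
    zero_result_searches "$1" | grep -c . || true
}

# "<user> <source ip>" for every sshd "Invalid user" event.
invalid_user_logins() {
    awk '/sshd\[[0-9]+\]: Invalid user / { for (i = 1; i <= NF; i++) if ($i == "user") print $(i + 1), $(i + 3) }' "$1"
}

zero_result_searches "$LOG"
invalid_user_logins "$LOG"
```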

## RAPHEAD

You won't believe it,

I just deleted all users in LDAP and recreated them with the command that I also used before:

```
smbldap-populate
```

And now everything is working again!

I don't see any reason why it failed because I did not edit the users somehow.

However, if I find something out, I will post it here.

thanks for your help.

I will also post future problems and solutions here.

----------

## dambacher

When I posted my slapd.conf, did you add

```
index   uid      pres,sub,eq
index    cn,sn,mail   pres,eq,approx,sub
```

to yours or was it there before?

This is to build the indices for uid and others. If you added it afterwards, only new entries get in the index.

----------

## RAPHEAD

Hi,

I had these indices set up from the beginning,

except the "approx" thing but I still don't have it!

Thomas

----------

## pedro_ra

Hi,

It's been a while since I worked on an LDAP config, but I remember I had a search problem similar to yours.

If I recall it correctly, the problem was stating an 'ou' in ldap.conf for nss_base_passwd

like in:

```
nss_base_passwd      ou=People,dc=XXX,dc=de?sub 
```

It started to work when I deleted the 'ou' bit like:

```
nss_base_passwd      dc=XXX,dc=de?sub 
```

Anyway, it seems it's working for you now.

I would also like to know if anyone can confirm what I stated above.

----------

