# Gentoo LDAP guide, advice on NIS import.

## grunthus

Hi,

I am following the LDAP guide:

http://www.gentoo.org/doc/en/ldap-howto.xml

Everything works as described until I get to the "Migrate existing data to LDAP" section. The script 

```
./migrate_all_online.sh
```

generates an error when importing:

```
cloche MigrationTools-47 # ./migrate_all_online.sh
Enter the X.500 naming context you wish to import into: [dc=ascent]
Enter the hostname of your LDAP server [ldap]: cloche
Enter the manager DN: [cn=manager,dc=ascent]:
Enter the credentials to bind with:
Do you wish to generate a DUAConfigProfile [yes|no]?
Importing into dc=ascent...
Creating naming context entries...
Migrating aliases...
Migrating groups...
Migrating hosts...
Migrating networks...
Migrating users...
Migrating protocols...
Migrating rpcs...
Migrating services...
Migrating netgroups...
Migrating netgroups (by user)...
Migrating netgroups (by host)...
Importing into LDAP...
adding new entry "ou=Hosts,dc=ascent"
ldapadd: No such object (32)
/usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to /tmp/nis.7068.ldif
```

I am using net-nds/openldap-2.3.41. My existing user authentication is handled by NIS on a separate host, which I'd like to import.

Here are my config files:

```
cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=ascent
URI   ldap://cloche.ascent:389/
TLS_REQCERT   allow

#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never
```

```
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

modulepath   /usr/lib/openldap/openldap
moduleload   back_hdb.so

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth

database   hdb
suffix    "dc=ascent"
checkpoint   32   30 # <kbyte> <min>
rootdn    "cn=Manager,dc=ascent"
rootpw      {SSHA}deleted here
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap-ldbm
# Indices to maintain
index   objectClass   eq

host cloche
rootbinddn root
```

This is my third attempt at LDAP, always getting stuck at this point! Any advice gratefully received, ta.

Chris

----------

## M

I think it is better not to do online migration; use the other script to export the data to a .ldif file. At least this is how I did it. This way you can see what you are missing, and I think right now you are missing the base dn. Something like this:

```
dn: dc=ascent,dc=com
o: Ascent
dc: ascent
objectClass: top
objectClass: dcObject
objectClass: organization
```

Save this as ldif and import in your ldap, or better install phpldapadmin and create base dn via frontend.
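The "No such object (32)" from ldapadd means the parent of the entry being added does not exist yet, and the base entry M describes is exactly that missing parent. The following is an added example, not code from the thread or the Gentoo guide: it walks an LDIF file in the order ldapadd would load it and reports every entry whose parent is neither the suffix nor an entry already accepted, so the gap can be found before the import is run. The sample LDIF and the `dc=ascent` suffix are constructed to match the output posted above.

```python
from typing import List
# Constructed sample: two OUs as the migration script emits them, with no base entry.
LDIF_MISSING_BASE = """\
dn: ou=Hosts,dc=ascent
objectClass: organizationalUnit
ou: Hosts

dn: ou=People,dc=ascent
objectClass: organizationalUnit
ou: People
"""
# Constructed base entry for the suffix in slapd.conf; prepend it to repair the import.
BASE_ENTRY = """\
dn: dc=ascent
objectClass: top
objectClass: dcObject
objectClass: organization
o: Ascent
dc: ascent

"""
def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()
def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: 'ou=Hosts,dc=ascent' -> 'dc=ascent'."""
    return dn.split(",", 1)[1].strip() if "," in dn else ""
def parse_ldif_dns(text: str) -> List[str]:
    """Return the DNs of an LDIF file in file order, unfolding continuation lines."""
    dns, entry = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and entry:      # folded continuation line
            entry[-1] += raw[1:]
        elif raw.strip() == "":                # blank line terminates the entry
            dns += [ln.split(":", 1)[1].strip() for ln in entry if ln.lower().startswith("dn:")]
            entry = []
        elif not raw.startswith("#"):
            entry.append(raw)
    return dns
def missing_parents(text: str, suffix: str) -> List[str]:
    """DNs slapd would reject with 'No such object (32)', checked in ldapadd's file order."""
    # Only the file is consulted: the suffix entry needs no parent, and a rejected
    # entry is not counted as present (the behaviour of 'ldapadd -c').
    present, rejected = set(), []
    for dn in parse_ldif_dns(text):
        if normalize_dn(dn) == normalize_dn(suffix) or normalize_dn(parent_dn(dn)) in present:
            present.add(normalize_dn(dn))
        else:
            rejected.append(dn)
    return rejected
```

Running `missing_parents` on the migration output alone lists both OUs; with `BASE_ENTRY` prepended the list is empty, which is the state the import needs.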

----------

## grunthus

Thank you for the pointers. I followed your advice and abandoned the online migration script. In fact since I only have a few users on this system, I'm just adding them one at a time. After the initial editing of the config files, I'm trying webmin for adding new users.

To get it (webmin) working I had to add 

```
sn: ${REAL}
```

to the "Config for LDAP Users and Groups module" config.  Without this I could not add any users.

I'll probably play around a bit before wiping out this LDAP configuration and starting over.

Thanks again

----------

## grunthus

Hi again.

Just getting around to looking at my LDAP server again. I'm following the guide

```
http://www.gentoo.org/doc/en/ldap-howto.xml
```

Steps 1 and 2 seem to have gone OK, but now hitting a difficulty in step 3:

*Quote:*

> Code Listing 3.6: Testing LDAP Auth
>
> ```
> # getent passwd|grep 0:0
> ...
> ```

When I run the getent command, I only get one row back. So presumably NOT picking up LDAP.

My /etc/pam.d/system-auth looks like this:

```
#%PAM-1.0
#Modified by Chris for LDAP

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    sufficient   pam_ldap.so
account    sufficient   pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

Should I switch the order of the pam_ldap and pam_unix? Or will that be a bad idea?

Yours in ignorance,

Chris

PS here is my nsswitch.conf

```
cloche ~ # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:         files ldap
group:          files ldap
shadow:         files ldap

#passwd:      compat
#shadow:      compat
#group:       compat

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files nis
bootparams:  files

automount:   files
aliases:     files
```

----------

## M

Check also your /etc/ldap.conf (that file comes with nss_ldap, I think), and better change scope one to scope sub, and in slapd.conf don't put any ACL restrictions until you have everything working. Do you see anything in syslog? Try just something like this:

```
ldapsearch -v -x -D 'cn=Manager,dc=domain,dc=com' -W -b 'ou=People,dc=domain,dc=com' '(uid=someusername)'
```

----------

## grunthus

Hi and thanks for the info. I changed scope one to scope sub in ldap.conf. The syslog does show failed login attempts:

```
Dec 11 22:26:25 cloche sshd[5518]: error: PAM: Authentication failure for illegal user pryde from xx.xx.xx.xx
Dec 11 22:26:25 cloche sshd[5518]: Failed keyboard-interactive/pam for invalid user pryde from xx.xx.xx.xx port 40466 ssh2
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=0 BIND dn="" method=128
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=0 RESULT tag=97 err=0 text=
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=1 SRCH base="ou=People,dc=ascentsoftware,dc=org,dc=uk" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pryde))"
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
```

The line above showing BIND dn="" doesn't seem right. Trying the ldapsearch gives a failure:

```
cloche ~ # ldapsearch -v -x -D 'cn=Manager,dc=ascentsoftware,dc=org,dc=uk' -W -b 'ou=People,dc=ascentsoftware,dc=org,dc=uk' '(uid=bob)'
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: (uid=bob)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=ascentsoftware,dc=org,dc=uk> with scope subtree
# filter: (uid=bob)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: dc=ascentsoftware,dc=org,dc=uk

# numResponses: 1
```

Does this have any bearing (URI and BASE mismatch?)

```
cloche ~ # head /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=ascentsoftware,dc=org,dc=uk
URI     ldap://cloche.ascent:389/
TLS_REQCERT     allow
```

I'm prepared to go back (again) to scratch, but the guide here http://www.gentoo.org/doc/en/ldap-howto.xml just keeps leading me to the same problem: getent only shows one line.

Thanks !!
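The slapd log above already contains the diagnosis: the search nss_ldap issues against ou=People returns err=32, and the ldapsearch output names the matchedDN (the deepest existing ancestor) as the suffix, so ou=People itself is what is absent. The following is an added example, not code from the thread: it pairs slapd's SRCH and SEARCH RESULT lines on (conn, op) and lists search bases that only ever answer with err=32, which is the check to run when getent stops at the local entries. The log lines are constructed, modelled on the ones posted above.

```python
import re
from typing import List, Tuple

# Constructed sample in slapd's stats log format, modelled on the lines above;
# conn=12 is the nss_ldap lookup, conn=13 a lookup against the existing suffix.
SAMPLE_LOG = """\
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=0 BIND dn="" method=128
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=0 RESULT tag=97 err=0 text=
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=1 SRCH base="ou=People,dc=ascent" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pryde))"
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=1 SRCH attr=uid userPassword uidNumber gidNumber
Dec 11 22:26:25 cloche slapd[5492]: conn=12 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Dec 11 22:27:01 cloche slapd[5492]: conn=13 op=1 SRCH base="dc=ascent" scope=2 deref=0 filter="(uid=bob)"
Dec 11 22:27:01 cloche slapd[5492]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)')

def search_outcomes(log: str) -> List[Tuple[str, str, str, str]]:
    """Pair each SRCH line with its SEARCH RESULT on (conn, op): (base, filter, scope, err)."""
    pending, outcomes = {}, []
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:                                   # request: remember it until its result arrives
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = (base, filt, scope)
            continue
        m = RESULT_RE.search(line)
        if m:                                   # result: attach the error code to the request
            conn, op, err, _nentries = m.groups()
            request = pending.pop((conn, op), None)
            if request:
                outcomes.append(request + (err,))
    return outcomes

def missing_bases(log: str) -> List[str]:
    """Search bases that never answered with anything but err=32 (No such object)."""
    outcomes = search_outcomes(log)
    failed = {base for base, _, _, err in outcomes if err == "32"}
    served = {base for base, _, _, err in outcomes if err != "32"}
    return sorted(failed - served)
```

A base reported by `missing_bases` needs to be created (or the BASE in /etc/ldap.conf corrected) before nss_ldap can return anything for getent.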

----------

## M

BIND dn="" is ok. I have some ldap servers at work and this is how it works: usually apps can authenticate against ldap either by collecting the user password from ldap and matching it with what is provided, or by just binding against ldap. URI and BASE look ok, but you should get results with just `ldapsearch -x -D "cn=Manager,dc=ascentsoftware,dc=org,dc=uk" -W`. Can you try to login without using ssh? I am not sure, but maybe some change is needed for ssh in /etc/pam.d.

----------

## grunthus

OK, tried logging in without ssh, but no go. Log now does show up some interesting things I hadn't seen or noticed before.

```
Dec 13 19:26:11 cloche slapd[4505]: daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
Dec 13 19:26:11 cloche slapd[4505]: nss_ldap: failed to bind to LDAP server ldap://cloche.ascent: Can't contact LDAP server
```

I'm going to check out IPv6 support just now, doing an emerge --newuse system to pick up anything IPv6-related that is missing. Slapd is running, so not sure about the second error.

Will post back here in due course!

----------

## grunthus

Sadly, still no joy with the gentoo ldap guide. Have tried a couple of times over. Getent never returns the second entry as listed in the guide.

Unfortunately, as I need to rebuild my authentication + file server now, I will stick with NIS. Had hoped to branch out and use LDAP. I'll try it again in a virtual machine at some point in the future.

Thanks for the advice meantime!

----------

## cantrop

*grunthus wrote:*

> Hi,
>
> I am following the LDAP guide:
>
> http://www.gentoo.org/doc/en/ldap-howto.xml
> ...

I'm having the same problem here. I guess the guide is wrong or is missing something.

I didn't even modify the example from the guide and named my machine genfic.com (Just to be sure).

The error I get is fundamentally early, when I try to test with:

```
ldapsearch -x -D "cn=Manager,dc=genfic,dc=com" -W
```

I get:

```
# search result
search: 2
result: 32 No such object

# numResponses: 1
```

I cannot get over this point because import from NIS (online or offline) won't work - the error will be the same.

There must be something missing in the guide.

cantrop

----------

## grunthus

For what it's worth cantrop, I abandoned the migration scripts in the meantime and just added a single user entry via an LDIF file. I was having enough trouble with the basic LDAP setup, so thought to simplify things as far as possible.

Although as I mentioned already, I've temporarily abandoned my LDAP adventure, if anyone can get me past the getent problem (getting only one response) then I may re-enter the fray.

Should get

```
# getent passwd|grep 0:0
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
```

I get

```
# getent passwd|grep 0:0
root:x:0:0:root:/root:/bin/bash
```

Cheers and good luck

----------

## novazur

Almost same problem here.

I have openldap working fine on my first server (x86).

Now, I'm installing a new one (amd64).

I have everything identical: all USE flags, /etc/openldap/*, /etc/ldap.conf etc.

I stop the first server, copy /var/lib/openldap-ldbm/* to the second

Start the second, and first I have errors in the logs (about cyrus-sasl I think):

```
Jun 23 23:59:49 serveur2        root@serveur2:/var/tmp/portage/net-nds/openldap-2.3.43/work/openldap-2.3.43/servers/slapd
Jun 23 23:59:49 serveur2 slapd[25856]: sql_select option missing
Jun 23 23:59:49 serveur2 slapd[25856]: auxpropfunc error no mechanism available
Jun 23 23:59:49 serveur2 slapd[25856]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Jun 23 23:59:49 serveur2 slapd[25856]: auxpropfunc error invalid parameter supplied
Jun 23 23:59:49 serveur2 slapd[25856]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
```

and getent never gets the ldap information:

```
# getent passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
```

I spent hours on that without success. I don't understand anything.

Edit:

Solved for me.

On the first server:

```
stop slapd
slapcat -l ldap.raw
egrep -v '^entryCSN:' <ldap.old >ldap.new
```

On the second server:

I re-emerged openldap with USE -sasl berkdb

changed database to hdb

delete /var/lib/openldap-ldbm

```
slapadd -l ldap.new
```

start slapd

But I don't understand why and how it works on the first server with the ldbm database and this directory.

----------

