# OpenLDAP+Samba small annoyances -- help!

## opopanax

Issue 1:  Once it's running, it seems to work fine.  I can do Windows domain logins, etc.  I followed the "making happy users" section of the Samba By Example web-book provided on samba.org.  The article on gentoo-wiki.com kind of pointed me in the right direction, but all in all it's pretty horribly mangled, IMHO.  HOWEVER:  starting /etc/init.d/slapd takes about 5 minutes on boot, and about 5 minutes with "/etc/init.d/slapd restart".  I have logs turned to level 3, PAM logins work fine, and there are no hitches when connecting to the server.  But I don't think this should take 5 minutes to start on a dual Pentium 3 server.

Issue 2:  mod_ldap_userdir:  If I follow the guide http://us2.samba.org/samba/docs/man/Samba-Guide/happy.html what should the module config look like to allow access to ldap user public_html directories?  I've tried a few dn's and org combinations, and I can't seem to figure it out.  Sometimes I start apache and the server just hangs on whatever I put in the module config.  Help!

thanks for taking a look.  I'll post configs later if no one comes up with something obvious.

----------

## steveb

 *sketelsen wrote:*   

> Issue 1:  Once it's running, it seems to work fine.  I can do Windows domain logins, etc.  I followed the "making happy users" section of the Samba By Example web-book provided on samba.org.  The article on gentoo-wiki.com kind of pointed me in the right direction, but all in all it's pretty horribly mangled, IMHO.  HOWEVER:  starting /etc/init.d/slapd takes about 5 minutes on boot, and about 5 minutes with "/etc/init.d/slapd restart".  I have logs turned to level 3, PAM logins work fine, and there are no hitches when connecting to the server.  But I don't think this should take 5 minutes to start on a dual Pentium 3 server.

5 minutes? How much data do you have in LDAP? You must have millions of entries in LDAP for it to take 5 minutes to start! What engine do you use to store the data?

 *sketelsen wrote:*   

> Issue 2:  mod_ldap_userdir:  If I follow the guide http://us2.samba.org/samba/docs/man/Samba-Guide/happy.html what should the module config look like to allow access to ldap user public_html directories?  I've tried a few dn's and org combinations, and I can't seem to figure it out.  Sometimes I start apache and the server just hangs on whatever I put in the module config.  Help!

Cannot help you with that, since I don't use it. I only quickly looked here http://horde.net/~jwm/software/mod_ldap_userdir/ and see that it is not that difficult. Could you provide us with more info? Like: the structure used in your Samba LDAP, and the ACL from your LDAP configuration.

 *sketelsen wrote:*   

> thanks for taking a look.  I'll post configs later if no one comes up with something obvious.


cheers

SteveB

----------

## opopanax

Well, I don't have a whole lot of data--  it's about 200 lines or so if I do a slapcat...  It's just a basic structure for Samba usage, as described in the howto I linked to, and a couple of users.  It did the same before I had any data at all.

----------

## steveb

Strange! Looks like it is time to post your configuration.

cheers

SteveB

----------

## opopanax

/etc/openldap/slapd.conf

```
#data schemas
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath     /usr/lib/openldap/openldap
moduleload     back_bdb.la
moduleload     back_ldap.la
moduleload     back_ldbm.la
moduleload     back_passwd.la
moduleload     back_shell.la

password-hash {md5}
loglevel none
logdir /var/log/openldap

#Access control List information
######################################Recommended by Samba Docs (sbe3)
######################################
access to dn.base=""
      by self write
      by * auth

access to attrs=userPassword
      by self write
      by * auth

access to attrs=shadowLastChange
      by self write
      by * read

access to *
                by * read
                by anonymous auth

schemacheck    on
idletimeout   30

database   ldbm
checkpoint      32   30
#cachesize       10000
suffix      "dc=HAUNTEDHILL,dc=ATH,dc=CX"
rootdn      "cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX"
# rootpw = not2tell
rootpw          {MD5}encoded data--
directory   /var/lib/openldap-data

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
```

/etc/openldap/ldap.conf

```
HOST    127.0.0.1
BASE    dc=HAUNTEDHILL,dc=ATH,dc=CX
```

/etc/conf.d/slapd

```
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

/etc/apache2/modules.d/47_mod_ldap_userdir.conf

```
<IfDefine LDAP_USERDIR>
  <IfModule !mod_ldap_userdir.c>
    LoadModule ldap_userdir_module   modules/mod_ldap_userdir.so
  </IfModule>
</IfDefine>

<IfModule mod_ldap_userdir.c>
       LDAPUserDir             public_html
       LDAPUserDirDNInfo       cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX not2tell
       LDAPUserDirBaseDN       ou=Domain Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
</IfModule>
```

/etc/nsswitch.conf

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

#this line added for ldap
netgroup:    ldap [NOTFOUND=return] files
```

result of slapcat:

```
dn: dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: dcObject
objectClass: organization
o: HAUNTEDHILL
dc: HAUNTEDHILL
structuralObjectClass: organization
entryUUID: 52a989fc-73df-102a-83fd-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193949Z
entryCSN: 20060509193949Z#000000#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193949Z

dn: ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: 52b610d2-73df-102a-83fe-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193949Z
entryCSN: 20060509193949Z#000001#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193949Z

dn: ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: 52b9e414-73df-102a-83ff-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193949Z
entryCSN: 20060509193949Z#000002#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193949Z

dn: ou=Computers,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: 52bd8c04-73df-102a-8400-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193949Z
entryCSN: 20060509193949Z#000003#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193949Z

dn: uid=root,ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\%L\root
sambaHomeDrive: H:
sambaProfilePath: \\%L\profiles\root
sambaPrimaryGroupSID: S-1-5-21-2289881404-2339609040-3750859995-512
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-500
structuralObjectClass: inetOrgPerson
entryUUID: 52c462c2-73df-102a-8401-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
sambaLMPassword: A796F4D66993915975D3349E71AA9EA8
sambaAcctFlags: [U]
sambaNTPassword: 82B4E209C3C77B033C1030CAC3FB8C97
sambaPwdLastSet: 1147204340
sambaPwdMustChange: 1151092340
userPassword:: e01ENX1TZDZhNEtjNjRBNmNDS1RrUlQxcERBPT0=
gecos: Netbios Domain Administrator,,,,
cn: Netbios Domain Administrator
sn: Administrator
givenName: Netbios Domain
loginShell: /bin/bash
entryCSN: 20060510014552Z#000000#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510014552Z

dn: uid=nobody,ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\%L\nobody
sambaHomeDrive: H:
sambaProfilePath: \\%L\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2289881404-2339609040-3750859995-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: 52d853ae-73df-102a-8402-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000001#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Domain Admins,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 52e12592-73df-102a-8403-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000002#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Domain Users,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: 52faefea-73df-102a-8404-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000003#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Domain Guests,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: 53012568-73df-102a-8405-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000004#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Domain Computers,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 530784f8-73df-102a-8406-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000005#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Administrators,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: 530ed6cc-73df-102a-8407-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000006#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Account Operators,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: 53153148-73df-102a-8408-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000007#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Print Operators,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: 531ba514-73df-102a-8409-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000008#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Backup Operators,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: 5321f55e-73df-102a-840a-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#000009#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: cn=Replicators,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: 53284f30-73df-102a-840b-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
entryCSN: 20060509193950Z#00000a#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509193950Z

dn: sambaDomainName=HAUNTEDHILL,dc=HAUNTEDHILL,dc=ATH,dc=CX
structuralObjectClass: sambaDomain
entryUUID: 532ee66a-73df-102a-840c-adb81883bb10
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509193950Z
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-2289881404-2339609040-3750859995
sambaDomainName: HAUNTEDHILL
gidNumber: 1003
uidNumber: 1013
entryCSN: 20060510032904Z#000000#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510032904Z

dn: ou=Idmap,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
entryUUID: c175bdf6-73e4-102a-8ffc-ade7271b03d1
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060509201843Z
entryCSN: 20060509201843Z#000000#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060509201843Z

dn: cn=Web,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Web
gidNumber: 1000
structuralObjectClass: posixGroup
entryUUID: 96397126-7413-102a-85cc-8f12ca9e593f
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060510015357Z
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-3001
sambaGroupType: 2
displayName: Web
entryCSN: 20060510015357Z#000002#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510015357Z

dn: cn=Game,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Game
gidNumber: 1001
structuralObjectClass: posixGroup
entryUUID: ad33156c-7413-102a-85cd-8f12ca9e593f
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060510015435Z
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-3003
sambaGroupType: 2
displayName: Game
entryCSN: 20060510015435Z#000002#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510015435Z

dn: cn=Multimedia,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Multimedia
gidNumber: 1002
structuralObjectClass: posixGroup
entryUUID: b552cb84-7413-102a-85ce-8f12ca9e593f
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060510015449Z
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-3005
sambaGroupType: 2
displayName: Multimedia
entryCSN: 20060510015449Z#000002#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510015449Z

dn: uid=wopr$,ou=Computers,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: wopr$
sn: wopr$
uid: wopr$
uidNumber: 1010
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 90649392-7414-102a-85cf-8f12ca9e593f
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060510020056Z
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-3020
sambaPrimaryGroupSID: S-1-5-21-2289881404-2339609040-3750859995-515
displayName: Computer
sambaPwdCanChange: 1147226456
sambaPwdMustChange: 2147483647
sambaLMPassword: EE0EDC63E229094FC2A87F058C247240
sambaNTPassword: B0EF47A62E1123AD5C7F33C721F1B163
sambaPwdLastSet: 1147226456
sambaAcctFlags: [S          ]
entryCSN: 20060510020056Z#000004#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510020056Z

dn: uid=testuser,ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1011
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: 786ebb02-7417-102a-85d0-8f12ca9e593f
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060510022145Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-3022
sambaPrimaryGroupSID: S-1-5-21-2289881404-2339609040-3750859995-513
sambaLogonScript: login.bat
sambaProfilePath: \\%L\profiles\testuser
sambaHomePath: \\%L\testuser
sambaHomeDrive: H:
sambaLMPassword: 0F20048EFC645D0A179B4D5D6690BDF3
sambaAcctFlags: [U]
sambaNTPassword: 1120ACB74670C7DD46F1D3F5038A5CE8
sambaPwdLastSet: 1147227721
sambaPwdMustChange: 1151115721
userPassword:: e01ENX1RZHAyOFB3K3hpcHBPZVkwdjdhalFnPT0=
entryCSN: 20060510022201Z#000001#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510022201Z

dn: uid=winmonolith$,ou=Computers,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: winmonolith$
sn: winmonolith$
uid: winmonolith$
uidNumber: 1012
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: e02e3a34-7420-102a-85d1-8f12ca9e593f
creatorsName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
createTimestamp: 20060510032904Z
sambaSID: S-1-5-21-2289881404-2339609040-3750859995-3024
sambaPrimaryGroupSID: S-1-5-21-2289881404-2339609040-3750859995-515
displayName: WINMONOLITH$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W          ]
sambaPwdCanChange: 1147232750
sambaNTPassword: A7EDB19ECD2B853F79C3CD954923D278
sambaPwdLastSet: 1147232750
entryCSN: 20060510034550Z#000000#00#000000
modifiersName: cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX
modifyTimestamp: 20060510034550Z
```

Need anything else?

*Last edited by opopanax on Sat May 13, 2006 8:44 pm; edited 1 time in total*

----------

## steveb

Could you try this for /etc/apache2/modules.d/47_mod_ldap_userdir.conf

```
<IfDefine LDAP_USERDIR>
  <IfModule !mod_ldap_userdir.c>
    LoadModule ldap_userdir_module   modules/mod_ldap_userdir.so
  </IfModule>
</IfDefine>

<IfModule mod_ldap_userdir.c>
   LDAPUserDir         public_html
   LDAPUserDirDNInfo      cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX XXX
   LDAPUserDirHomeAttribute   homeDirectory
   LDAPUserDirFilter      "(&(uid=%u)(objectClass=posixAccount))"
   LDAPUserDirBaseDN      ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
</IfModule>
```

Above I see that you used this:

```
# rootpw = YYYY
```

but below in the 47_mod_ldap_userdir.conf I see that you used the password "XXX". Which one is correct?

You could allow anonymous bind to ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX to read the attribute "homeDirectory". But you would need to change your ACL for that (and then you could remove the "LDAPUserDirDNInfo" entry completely).

cheers

SteveB

*Last edited by steveb on Sat May 13, 2006 9:14 pm; edited 1 time in total*

----------

## opopanax

That's just a test password, but could you remove it from your post?  The one with the chick's name?  I didn't scour the config well enough, and left it up by mistake.

I'll try your suggestions on the mod_ldap_userdir action, we'll see how it goes.

----------

## opopanax

I still get a 403 Forbidden when trying to access testuser's public_html.  I think it might have something to do with the ou=Users bit... I don't think testuser is in Users, but is in Domain Users.  However, when I put Domain Users in mod_ldap_userdir.conf, it spits it out because I have too many arguments.

----------

## steveb

If you want to use Domain Users, then put the line in quotes. This should do the trick.

cheers

SteveB

----------

## opopanax

Yeah, I didn't know what I was talking about, disregard prior entry...  However, I still get 403 on the testuser account, which sucks.

----------

## steveb

But do you see in your apache log, that the correct path is used? If so, then you have an Apache problem and not a mod_ldap problem.

cheers

SteveB

----------

## opopanax

I have log set to debug, but I don't see an actual path in error_log or access_log.

----------

## opopanax

I've found that a long delay while starting slapd with nss_ldap is pretty much normal.

I've banged my head against mod_ldap_userdir for a while, and can't seem to make any progress.  There's no useful information that comes out of the nss_ldap logs, as far as I can tell, and nothing useful in the apache logs either, or /var/log/messages.  I unmerged and manually installed the latest version (1.1.10, I think) from the developers' site, but I had exactly the same level of success.  I believe I'll have to migrate the unix groups over to ldap, and change group ownership of /home/username/public_html in order for this to work--I believe that's the problem--apache sees the directory, but I keep getting that Forbidden error...  which really tells me it's a permissions problem.

----------

## steveb

One stupid question: Do you have "-D LDAPuserdir" in your APACHE2_OPTS?

----------

## steveb

Maybe adding more parameters to the directive helps?

```
<IfDefine LDAPuserdir>
  <IfModule !mod_ldap_userdir.c>
    LoadModule ldap_userdir_module      modules/mod_ldap_userdir.so
  </IfModule>
</IfDefine>

<IfModule mod_ldap_userdir.c>
    LDAPUserDir             public_html
    LDAPUserDirServer       localhost
    LDAPUserDirDNInfo       cn=Manager,dc=HAUNTEDHILL,dc=ATH,dc=CX XXX
    LDAPUserDirBaseDN       ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
    LDAPUserDirFilter       "(&(uid=%v)(objectclass=posixAccount))"
    LDAPUserDirSearchScope  subtree
</IfModule>
```

Could you try to do the query by hand and see whether you get back the object you are expecting?

cheers

SteveB

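The slapcat dump posted earlier and the `LDAPUserDirBaseDN` / `LDAPUserDirFilter` / `LDAPUserDirSearchScope` directives just above can be checked offline before touching Apache. The Python below is an added example for this thread, not code from either poster or from mod_ldap_userdir: it parses LDIF (unfolding continuation lines and decoding `::` base64 values), runs the AND-of-equalities search that a filter like `(&(uid=%v)(objectclass=posixAccount))` amounts to under a chosen base DN and scope, and derives the `public_html` path the module would serve. The sample entries are constructed from the dump with the hashes replaced by placeholders; `parse_ldif`, `search`, `userdir_path` and `audit_accounts` are this example's own names, and the search is a simplification of real LDAP matching (plain DN suffix comparison, case-insensitive equality only). The audit function records which password attributes each account carries, because the posted slapd.conf restricts only `userPassword`, so `sambaLMPassword` and `sambaNTPassword` fall under its `access to * by * read` rule.

```python
"""Offline model of the mod_ldap_userdir lookup against a slapcat-style LDIF
dump, plus an audit of the password material each account carries.
Added example for this thread; not code from the thread or the module."""
import base64

# Constructed sample, cut down from the slapcat output in the thread; the
# real hashes are replaced by placeholders.
_PW = base64.b64encode(b"{MD5}constructed-placeholder").decode()
SAMPLE_LDIF = f"""\
dn: dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: dcObject
objectClass: organization
dc: HAUNTEDHILL

dn: ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: organizationalUnit
ou: Users

dn: cn=Domain Users,ou=Groups,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
description: Netbios Domain Users, folded onto a second line to exer
 cise LDIF continuation handling

dn: uid=testuser,ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testuser
uidNumber: 1011
gidNumber: 513
homeDirectory: /home/testuser
sambaLMPassword: PLACEHOLDER-LM-HASH
sambaNTPassword: PLACEHOLDER-NT-HASH
userPassword:: {_PW}
"""


def parse_ldif(text):
    """Return one {attribute (lower-cased): [values]} dict per LDIF entry.
    A line starting with a single space continues the previous line;
    'attr:: value' carries a base64-encoded value."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def search(entries, base_dn, equalities, scope="subtree"):
    """Minimal LDAP search: entries at or under base_dn ('subtree') or directly
    beneath it ('one') whose attributes match every name=value pair,
    case-insensitively. This is the shape of mod_ldap_userdir's filter;
    real LDAP matching rules and DN normalisation are richer than this."""
    base = base_dn.lower()
    hits = []
    for entry in entries:
        dn = entry["dn"][0].lower()
        if dn == base:
            relative = ""
        elif dn.endswith("," + base):
            relative = dn[: -len(base) - 1]
        else:
            continue                         # outside the search base
        if scope == "one" and (not relative or "," in relative):
            continue
        if all(value.lower() in (v.lower() for v in entry.get(attr.lower(), []))
               for attr, value in equalities.items()):
            hits.append(entry)
    return hits


def userdir_path(entries, base_dn, username, userdir="public_html", scope="subtree"):
    """What the module has to do for /~username: search base_dn with
    (&(uid=username)(objectClass=posixAccount)), read homeDirectory and
    append the LDAPUserDir name. None means no usable entry, i.e. Apache
    cannot map the request to a directory at all."""
    hits = search(entries, base_dn, {"uid": username, "objectClass": "posixAccount"}, scope)
    if len(hits) != 1:
        return None
    home = hits[0].get("homedirectory", [""])[0]
    return home.rstrip("/") + "/" + userdir if home else None


SAMBA_HASH_ATTRS = ("sambalmpassword", "sambantpassword")


def audit_accounts(entries):
    """Per posixAccount: the userPassword hash scheme and which Samba hash
    attributes are present (the posted ACL does not restrict those)."""
    report = {}
    for entry in entries:
        if "posixaccount" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        pw = entry.get("userpassword", [""])[0]
        scheme = pw[: pw.index("}") + 1] if pw.startswith("{") and "}" in pw else "none-or-cleartext"
        report[entry["uid"][0]] = {
            "userPassword_scheme": scheme,
            "samba_hash_attrs": [a for a in SAMBA_HASH_ATTRS if a in entry],
        }
    return report
```

With the base `ou=Users,dc=HAUNTEDHILL,dc=ATH,dc=CX` the lookup yields `/home/testuser/public_html`; with the base from the originally posted config, `ou=Domain Users,dc=HAUNTEDHILL,dc=ATH,dc=CX`, nothing matches, because in the dump Domain Users is a posixGroup under ou=Groups and not a container holding the user entries.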
----------

## opopanax

It's probably wrong because I copied your file directly over, and didn't even think about the define line.  I'll try it when I get home tonight...

that's so funny...

----------

## opopanax

Nope, they're matched...   Also having a problem with phpldapadmin...

 *phpldapadmin wrote:*   

> Error
> 
> Our attempts to find your SCHEMA for "attributetypes" has return UNEXPECTED results.
> ...

----------

## steveb

Ouch! I can't help you with that, since I don't have a working OpenLDAP over here anyway...

----------

## opopanax

Well, I appreciate the help you've given, anyway.  Thanks for taking the time.  Luckily, this isn't a mission-critical kind of thing--I'm just poking around in my living room on an old server, trying to get stuff to work.  The goal is a full-on windows domain, w/email, openxchange, BIND, and a few other interesting services to start a "neighborhood network."  I figure, if the neighbors are scammin off of my internet connection (with my permission, and the key), I might as well give them something else to dick around with.

Cheers, and let me know if you think of something.  The phpldapadmin thing looks like a bona fide bug to me...

----------

## drax_

Hi sketelsen,

About your - 5 minutes to start openldap on boot, or restart it - problem...

Do you have 

```
bind_policy hard
```

set in your /etc/ldap.conf file?

If you do, please try and set this to soft, instead of hard. This solved the problem for me.

FYI: A bind policy of hard means to continuously try to bind. Setting it to soft means fail immediately if ldap doesn't respond. Changing it didn't impact any of my ldap-dependent services (apache, courier, pam, ...) yet solved the problem of slow starting up.

----------

## sedorox

 *drax_ wrote:*   

> Hi sketelsen,
> 
> About your - 5 minutes to start openldap on boot, or restart it - problem...
> 
> Do you have 
> ...


Yea, you will want to check this out. If you look at your system logs, you will notice that slapd tries to bind to itself. This is a problem with nss_ldap. There have been many posts about it. The best thing to do is to add 'bind_policy soft' to ldap.conf, and I even added 'nss_reconnect_tries 3' to ldap.conf. This has seemed to help. Also, if you notice it gets stuck at starting udev when you reboot, comment out the TPM device in /etc/udev/rules/50-udev.rules; it gets stuck trying to look up user/group in ldap, which isn't loaded yet.

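drax_ and sedorox trace the five-minute start to nss_ldap on the LDAP server itself: while slapd is still down, its own init script triggers passwd/group lookups that go to LDAP, and with `bind_policy hard` (nss_ldap's documented default) each lookup keeps retrying instead of failing. The Python below is an added example, not code from either poster, that checks an nsswitch.conf and an ldap.conf for exactly that combination: LDAP used for passwd/group/shadow, a server that is this host (by `host`, by `uri`, or an ldapi socket), and a hard or unset bind policy. The sample texts are constructed after the files posted in the thread; the function and finding names are this example's own.

```python
"""Detect the nss_ldap self-dependency that stalls slapd's init script:
this host resolves passwd/group via LDAP, the LDAP server is this host, and
bind_policy is hard. Added example for this thread; not from the posters."""

# Constructed samples modelled on the nsswitch.conf and ldap.conf in the thread.
NSSWITCH_SAMPLE = """\
passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap
hosts:       files dns wins
"""
LDAP_CONF_HARD = """\
host 127.0.0.1
base dc=HAUNTEDHILL,dc=ATH,dc=CX
bind_policy hard
"""
LDAP_CONF_SOFT = """\
uri ldap://127.0.0.1/
base dc=HAUNTEDHILL,dc=ATH,dc=CX
bind_policy soft
nss_reconnect_tries 3
"""

LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}


def parse_kv(text):
    """ldap.conf style 'key value' lines -> dict with lower-cased keys;
    comments and blank lines are skipped, a repeated key keeps the last value."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def parse_nsswitch(text):
    """nsswitch.conf -> {database: [sources in lookup order]}."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, _, sources = line.partition(":")
            databases[name.strip()] = sources.split()
    return databases


def server_hosts(ldap_conf):
    """Hosts nss_ldap will contact, taken from 'host' and/or 'uri'.
    An ldapi:// URI is a unix socket, so it always means this host."""
    hosts = list(ldap_conf.get("host", "").split())
    for uri in ldap_conf.get("uri", "").split():
        scheme, _, rest = uri.partition("://")
        if scheme == "ldapi":
            hosts.append("localhost")
        else:
            hosts.append(rest.split("/")[0].rsplit(":", 1)[0])
    return hosts


def startup_hang_risk(nsswitch_text, ldap_conf_text):
    """Return the findings that together explain a multi-minute slapd start;
    an empty list means NSS lookups fail fast while slapd is down."""
    nss = parse_nsswitch(nsswitch_text)
    conf = parse_kv(ldap_conf_text)
    ldap_dbs = [db for db in ("passwd", "group", "shadow") if "ldap" in nss.get(db, [])]
    if not ldap_dbs:
        return []                                  # NSS never waits on LDAP
    findings = []
    # nss_ldap's documented default for bind_policy is hard
    if conf.get("bind_policy", "hard").lower() == "hard":
        findings.append("bind_policy_hard")
        if any(h in LOCAL_HOSTS for h in server_hosts(conf)):
            findings.append("self_dependency")     # slapd's init needs slapd up
    return findings
```

`startup_hang_risk(NSSWITCH_SAMPLE, LDAP_CONF_HARD)` reports both findings, `LDAP_CONF_SOFT` reports none, and an ldap.conf that simply omits `bind_policy` is treated like `hard`, which is the case an installer most easily overlooks.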
----------

