
List:       nssldap
Subject:    [nssldap] [pamldap] Infos abaout alias entries (pam_filter  settings)
From:       Maurer Roland MKG-Bank <R.Maurer () mkg-bank ! de>
Date:       2002-07-16 15:22:52

Dear John,

I have added the index, and the objectclass account was already in the
entries. The host "ldap" is just an example name like "test", only a word for
the filter to look for. The user aam has the entry ldap in the account; wag has
no entry in the attribute host.


Here is a log of "aam", the user with the entry


Jul 16 16:31:49 ldaptest slapd[3730]: daemon: conn=9 fd connection from IP=127.0.0.1:1245 (IP=:: 34049) accepted.
Jul 16 16:31:49 ldaptest slapd[3735]: conn=9 op=0 BIND dn="CN=ADMIN,O=MKG-BANK,C=DE" method=128
Jul 16 16:31:49 ldaptest slapd[3735]: conn=9 op=0 RESULT tag=97 err=0 text=
Jul 16 16:31:49 ldaptest slapd[3732]: conn=9 op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(host=ldap)(uid=aam))"
Jul 16 16:31:49 ldaptest slapd[3732]: conn=9 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:49 ldaptest slapd[3735]: conn=9 op=2 BIND dn="UID=AAM,OU=PEOPLE,O=MKG-BANK,C=DE" method=128
Jul 16 16:31:49 ldaptest slapd[3735]: conn=9 op=2 RESULT tag=97 err=0 text=
Jul 16 16:31:49 ldaptest slapd[3732]: conn=9 op=3 BIND dn="CN=ADMIN,O=MKG-BANK,C=DE" method=128
Jul 16 16:31:49 ldaptest slapd[3732]: conn=9 op=3 RESULT tag=97 err=0 text=
Jul 16 16:31:49 ldaptest slapd[3730]: daemon: conn=10 fd connection from IP=127.0.0.1:1246 (IP=:: 34049) accepted.
Jul 16 16:31:49 ldaptest slapd[3735]: conn=10 op=0 BIND dn="CN=ADMIN,O=MKG-BANK,C=DE" method=128
Jul 16 16:31:49 ldaptest slapd[3735]: conn=10 op=0 RESULT tag=97 err=0 text=
Jul 16 16:31:49 ldaptest slapd[3732]: conn=10 op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=aam))"
Jul 16 16:31:49 ldaptest slapd[3732]: conn=10 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:49 ldaptest slapd[3735]: conn=10 op=2 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=aam))"
Jul 16 16:31:49 ldaptest slapd[3735]: conn=10 op=2 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3732]: conn=10 op=3 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(uid=aam)"
Jul 16 16:31:50 ldaptest slapd[3732]: conn=10 op=3 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3735]: conn=10 op=4 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=aam)(uniqueMember=uid=aam,ou=People,o=mkg-bank,c=DE)))"
Jul 16 16:31:50 ldaptest slapd[3735]: conn=10 op=4 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest login(pam_unix)[3790]: session opened for user aam by LOGIN(uid=0)
Jul 16 16:31:50 ldaptest slapd[3732]: conn=10 op=5 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=aam))"
Jul 16 16:31:50 ldaptest slapd[3732]: conn=10 op=5 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3730]: daemon: conn=11 fd=20 connection from IP=127.0.0.1:1247 (IP=:: 34049) accepted.
Jul 16 16:31:50 ldaptest slapd[3735]: conn=11 op=0 BIND dn="" method=128
Jul 16 16:31:50 ldaptest slapd[3735]: conn=11 op=0 RESULT tag=97 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3732]: conn=11 op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=538))"
Jul 16 16:31:50 ldaptest slapd[3732]: conn=11 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3730]: daemon: conn=12 fd=21 connection from IP=127.0.0.1:1248 (IP=:: 34049) accepted.
Jul 16 16:31:50 ldaptest slapd[3735]: conn=12 op=0 BIND dn="" method=128
Jul 16 16:31:50 ldaptest slapd[3735]: conn=12 op=0 RESULT tag=97 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3732]: conn=12 op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=538))"
Jul 16 16:31:50 ldaptest slapd[3732]: conn=12 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3735]: conn=12 op=2 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixGroup)(gidNumber22))"
Jul 16 16:31:50 ldaptest slapd[3735]: conn=12 op=2 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:31:50 ldaptest slapd[3730]: conn=-1 fd=21 closed

and here is "wag", who doesn't have any host attribute

Jul 16 16:37:40 ldaptest slapd[3730]: daemon: conn fd connection from IP=127.0.0.1:1249 (IP=:: 34049) accepted.
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=0 BIND dn="CN=ADMIN,O=MKG-BANK,C=DE" method=128
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=0 RESULT tag=97 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(host=ldap)(uid=wag))"
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3730]: daemon: conn fd connection from IP=127.0.0.1:1250 (IP=:: 34049) accepted.
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=0 BIND dn="CN=ADMIN,O=MKG-BANK,C=DE" method=128
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=0 RESULT tag=97 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=wag))"
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=2 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=wag))"
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=2 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=2 BIND dn="CN=ADMIN,O=MKG-BANK,C=DE" method=128
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=2 RESULT tag=97 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=3 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(host=ldap)(uid=wag))"
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=3 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=3 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=wag))"
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=3 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=4 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(uid=wag)"
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=4 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=5 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=wag)(uniqueMember=uid=wag,ou=People,o=mkg-bank,c=DE)))"
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=5 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest login(pam_unix)[3804]: session opened for user wag by LOGIN(uid=0)
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=6 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uid=wag))"
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=6 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3730]: daemon: conn fd=20 connection from IP=127.0.0.1:1251 (IP=:: 34049) accepted.
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=0 BIND dn="" method=128
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=0 RESULT tag=97 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=4082))"
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3730]: daemon: conn fd=21 connection from IP=127.0.0.1:1252 (IP=:: 34049) accepted.
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=0 BIND dn="" method=128
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=0 RESULT tag=97 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=1 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=4082))"
Jul 16 16:37:40 ldaptest slapd[3735]: conn op=1 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=2 SRCH base="ou=People,o=mkg-bank,c=DE" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=421))"
Jul 16 16:37:40 ldaptest slapd[3732]: conn op=2 SEARCH RESULT tag=101 err=0 text=
Jul 16 16:37:40 ldaptest slapd[3730]: conn=-1 fd=21 closed

-----Original Message-----
From: John Dalbec [mailto:jpdalbec@cc.ysu.edu]
Sent: Tuesday, 16 July 2002 15:37
To: Maurer Roland MKG-Bank
Cc: pamldap@padl.com; nssldap@padl.com
Subject: Re: AW: AW: AW: [pamldap] Infos abaout alias entries (pam_filter settings)




R. Maurer


Maurer Roland MKG-Bank wrote:
> 
> I am using SUSE Linux and the cosine schema is included; I have no idea
> about the mistake.
> 
> this is my ldap.conf
> 
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> 
> pidfile         /var/run/slapd.pid
> argsfile        /var/run/slapd.args
> 
> database        ldbm
> 
> suffix          o=mkg-bank,c=DE
> rootdn          cn=admin,o=mkg-bank,c=DE
> rootpw          secret
> 
> directory       /var/lib/ldap
> 
> index   objectClass     eq

I might add
index uid,host eq
here for efficiency.  You'll need to stop the LDAP server, run
slapindex, then restart the LDAP server.

Make sure SuSE's cosine schema defines the "host" attribute.  They may
have called it "hosts" or may not have defined it at all.  Actually, if
you follow my indexing suggestion above and "host" is not defined,
slapindex will complain and LDAP will not restart.  In that case,
comment out the new "index" line and LDAP should restart OK.
> 
> # Access rights
> 
> access to * by * write
> 
> And this is my ldap.conf, where the client is defined
> 
> # @(#)$Id: ldap.conf,v 2.21 2001/06/20 01:08:45 lukeh Exp $
> 
> host 127.0.0.1
> base ou=People,o=mkg-bank,c=DE
> 
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn cn=admin,o=mkg-bank,c=DE
> 
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
> pam_filter host=ldap

I thought your filter was host=testhost?  What is the "host" attribute
set to on the entry you're using to test this?  Maybe you should post a
section of the log file so I can see what you're talking about.
> 
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
> 
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> #pam_lookup_policy yes
> 
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
> 
> # Group member attribute
> #pam_member_attribute uniquemember
> 
> # Template login attribute, default template user
> # (can be overriden by value of former attribute
> # in user's entry)
> #pam_login_attribute userPrincipalName
> #pam_template_login_attribute uid
> #pam_template_login nobody
> 
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX          base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd       ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> #nss_base_passwd        ou=People,dc=padl,dc=com?one
> #nss_base_passwd        ou=People,o=mkg-bank,c=DE?one?host=ldap
> <------------- ??necessary??
> 
> #nss_base_shadow        ou=People,o=mkg-bank,c=DE?one
> 
> #nss_base_group         ou=Group,o=mkg-bank,c=DE?one
> #nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
> #nss_base_services      ou=Services,dc=padl,dc=com?one
> #nss_base_networks      ou=Networks,dc=padl,dc=com?one
> #nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
> #nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
> #nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
> #nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
> #nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
> #nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
> #nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one
> 
> -----Original Message-----
> From: John Dalbec [mailto:jpdalbec@cc.ysu.edu]
> Sent: Monday, 15 July 2002 21:34
> To: Maurer Roland MKG-Bank
> Cc: pamldap@padl.com; nssldap@padl.com
> Subject: Re: AW: AW: [pamldap] Infos abaout alias entries (pam_filter
> settings)
> 
> Maurer Roland MKG-Bank wrote:
> > 
> > Sorry, but it still doesn't work
> > 
> > In the log file I can see the filter as I have defined in the ldap.conf
> > 
> > pam_filter host=testhost
> > 
> > In the log I can see it as scope1 (whatever it is!)
> > 
> > Then the LDAP server changed the filter and it is only looking for the
> > uid.
> 
> That sounds like the server doesn't recognize 'host' as an attribute
> name. What server are you running?  OpenLDAP?  iPlanet?  Something
> else?  If OpenLDAP then is the "host" attribute defined in your
> slapd.conf?  If you're running Red Hat on the server look for a line
> 
> include         /etc/openldap/schema/cosine.schema
> 
> It should not be commented out.
> > 
> > What have I done wrong?
> > 
> > Can anybody give me a working ldap.conf with a filter for uid AND host?
> > 
> > R. Maurer
> > 
> > -----Original Message-----
> > From: John Dalbec [mailto:jpdalbec@cc.ysu.edu]
> > Sent: Monday, 1 July 2002 20:18
> > To: Maurer Roland MKG-Bank
> > Cc: pamldap@padl.com; nssldap@padl.com
> > Subject: Re: AW: [pamldap] Infos abaout alias entries
> > 
> > Maurer Roland MKG-Bank wrote:
> > > 
> > > -----Original Message-----
> > > From: John Dalbec [mailto:jpdalbec@cc.ysu.edu]
> > > Sent: Friday, 28 June 2002 23:02
> > > To: Maurer Roland MKG-Bank
> > > Cc: pamldap@padl.com; nssldap@padl.com
> > > Subject: Re: [pamldap] Infos abaout alias entries
> > > 
> > > Maurer Roland MKG-Bank wrote:
> > > > 
> > > > Hey,
> > > > 
> > > > to reduce redundant information in the LDAP I want to place all Infos
> > > > about entries of people in one tree. To give different hosts a subset of
> > > > these people for users I want to place an alias (as link to the info) into
> > > > the tree of the hosts.
> > > > 
> > > > Is this the usual way to give different hosts different subsets of
> > > > users?
> > > 
> > > No.  The usual way is to define the "host" attribute on the user entry
> > > with the names of the hosts where the user can log on.  Then in
> > > ldap.conf on each host you set
> > > pam_filter host=<hostname>
> > > where <hostname> is the hostname for that host.
> > > If you already have a pam_filter change it to
> > > pam_filter (&(<old filter>)(host=<hostname>))
> > > .
> > > John
> > > 
> > > I just tested the filter, but it doesn't fit. Do I just give a name to the
> > > attribute in the account, or must I build entries for the host?
> > > 
> > > Roland
> > 
> > I just tried this and it seemed to work.  You do
> > 
> > ldapmodify <arguments>
> > <enter bind password>
> > dn: <DN of account>
> > add: host
> > host: <hostname>
> > 
> > After you have done this for _every_ LDAP account that is authorized to
> > log in to the system, you then edit the /etc/ldap.conf file on that
> > system
> > and add the line "pam_filter host=<hostname>".
> > 
> > If you prefer to build a single entry for the host with all the names,
> > you can use the pam_groupdn and pam_member_attribute settings in
> > /etc/ldap.conf.
> > 
> > > 
> > > > 
> > > > Does anybody know how the alias is used in the ldap.conf for logging
> > > > in to UNIX systems?
> > > > 
> > > > R: Maurer

