
List:       nssldap
Subject:    [nssldap] Can't get nss_ldap working with Novell E-directory
From:       Mike Corcoran <mike.corcoran () wright ! edu>
Date:       2002-12-01 18:27:21



I have pam_ldap working with NDS (eDirectory 8.6.2) and I'm
able to log in to Solaris using my Novell password now, but
I'm not able to get nss_ldap v 2.03 to work on Solaris-8.
If I do a "getent passwd" I only see the local password entries,
yet using a packet sniffer I can see that the Solaris box is
querying NDS and getting thousands of accounts back in the result
of the query.  The LDAP binds are all successful, and it appears
that everything coming back should be enough to satisfy the
requirements of a password entry, yet the system does not seem
to see them as valid accounts.  I really wish there was more
documentation on this stuff, like specific details on each item
in ldap.conf, and what it affects.

I built and compiled nss_ldap as follows (are any of these warnings
bad?)

./configure --with-ldap-dir=/usr/local/apps/nsldapsdk5
--with-ldap-lib=netscape5 --prefix=/usr/local/apps/nss_ldap-203

gcc -v:
gcc version 2.95.3 20010315 (release)

uname -a:
SunOS btc1.wright.edu 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-1

make:

gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-nss.o ldap-nss.c
ldap-nss.c:21: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-pwd.o ldap-pwd.c
ldap-pwd.c:21: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-grp.o ldap-grp.c
ldap-grp.c:21: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-rpc.o ldap-rpc.c
ldap-rpc.c:30: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-hosts.o ldap-hosts.c
ldap-hosts.c:23: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-network.o ldap-network.c
ldap-network.c:25: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-proto.o ldap-proto.c
ldap-proto.c:30: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-spwd.o ldap-spwd.c
ldap-spwd.c:21: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-alias.o ldap-alias.c
ldap-alias.c:24: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-service.o ldap-service.c
ldap-service.c:30: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-schema.o ldap-schema.c
ldap-schema.c:23: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-ethers.o ldap-ethers.c
ldap-ethers.c:24: warning: `rcsId' defined but not used
ldap-ethers.c:225: warning: `_nss_ldap_setetherent_r' defined but not
used
ldap-ethers.c:237: warning: `_nss_ldap_endetherent_r' defined but not
used
ldap-ethers.c:245: warning: `_nss_ldap_getetherent_r' defined but not
used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ldap-bp.o ldap-bp.c
ldap-bp.c: In function `_nss_ldap_bootparams_constr':
ldap-bp.c:116: warning: unused variable `be'
ldap-bp.c: At top level:
ldap-bp.c:24: warning: `rcsId' defined but not used
ldap-bp.c:107: warning: `bp_ops' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o util.o util.c
util.c:58: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o globals.o globals.c
globals.c:36: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o ltf.o ltf.c
ltf.c:21: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o snprintf.o snprintf.c
snprintf.c:1: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o resolve.o resolve.c
resolve.c:55: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o dnsconfig.o dnsconfig.c
dnsconfig.c:30: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o irs-nss.o irs-nss.c
irs-nss.c:21: warning: `rcsId' defined but not used
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o sasl.o sasl.c
gcc -DHAVE_CONFIG_H   -D_REENTRANT -I/usr/local/apps/nsldapsdk5/include
-g
-O2 -Wall -fPIC -c -o pagectrl.o pagectrl.c
pagectrl.c:23: warning: `rcsId' defined but not used
/usr/ccs/bin/ld  -o nss_ldap.so   -Bdynamic -M ./exports.solaris -G
-L/usr/local/apps/nsldapsdk5/lib -R/usr/local/apps/nsldapsdk5/lib
ldap-nss.o
ldap-pwd.o ldap-grp.o ldap-rpc.o ldap-hosts.o ldap-network.o
ldap-proto.o
ldap-spwd.o ldap-alias.o ldap-service.o ldap-schema.o ldap-ethers.o
ldap-bp.o util.o globals.o ltf.o snprintf.o resolve.o dnsconfig.o
irs-nss.o
sasl.o pagectrl.o  -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4
-lprldap50 -lplc4 -lplds4 -ldl -lnsl -lresolv

Libraries are installed in the correct places (linked into /usr/lib)
and checked with ldd and everything looks good.
---------------------------------------------------
/etc/nsswitch.conf has:

passwd:     files ldap
---------------------------------------------------
Here are the contents of my ldap.conf file with a few
things censored for security reasons:

/etc/ldap.conf:

# PADL Software
# http://www.padl.com
#

host 130.108.censored

base ou=People,o=wsuauth

ldap_version 3

port 389

scope base

pam_filter objectclass=posixAccount

pam_login_attribute uid

pam_lookup_policy no  {what does this do??}

pam_check_host_attr no

pam_groupdn cn=users,ou=unix,ou=esc,o=wsuauth

pam_password nds

nss_base_passwd         ou=People,o=wsuauth?sub   {what does this do?}
nss_base_shadow         ou=People,o=wsuauth?sub   {what does this do?}
nss_base_group          ou=unix,ou=esc,o=wsuauth?base  {what does this
do?}

# For NDS now do:
nss_map_attribute uniqueMember member  {what does this do and how does
it work?}

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
pam_password nds

ssl off

-----------------------------------------------------------------------------

And if we look up an account such as mine with ldapsearch, we see:

version: 1
dn: cn=mike,ou=People,o=wsuauth
host: btc1
shadowFlag: 1
shadowExpire: -1
shadowInactive: -1
shadowWarning: 7
shadowMax: 99999
shadowMin: 0
shadowLastChange: 11250
loginShell: /bin/sh
homeDirectory: /usr/local/users/mike
gecos: Mike's Gecos
gidNumber: 64000
uidNumber: 100
DirXML-Associations: cn=NDSToNDS,cn=WSU AuthTest Driver
Set,ou=DirXML,ou=esc,o
 =wsuauth#1#{8057B8C5-72EB-d611-AB69-0008C7F92558}
uid: mike
givenName: Mike
fullName: Mike Corcoran
Language: ENGLISH
sn: Corcoran
securityEquals: cn=users,ou=unix,ou=esc,o=wsuauth
securityEquals: cn=unix-users,ou=unix,ou=esc,o=wsuauth
ou: CaTS - System Support
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
objectClass: posixAccount
objectClass: uamPosixUser
objectClass: shadowAccount
objectClass: account
objectClass: posixGroup
loginTime: 20021124153931Z
l: 040 Library Anex
groupMembership: cn=users,ou=unix,ou=esc,o=wsuauth
groupMembership: cn=unix-users,ou=unix,ou=esc,o=wsuauth
cn: mike
cn: CN
cn: Win 95 user
ACL: 2#subtree#cn=mike,ou=People,o=wsuauth#[All Attributes Rights]
ACL: 6#entry#cn=mike,ou=People,o=wsuauth#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#cn=mike,ou=People,o=wsuauth#printJobConfiguration
ACL: 2#entry#[Root]#networkAddress
ACL: 2#entry#[Public]#uidNumber
ACL: 2#entry#[Public]#gidNumber
ACL: 2#entry#[Public]#loginShell
ACL: 2#entry#[Public]#homeDirectory
ACL: 2#entry#[Public]#gecos
ACL: 2#entry#[Public]#groupMembership
ACL: 1#entry#[Public]#cn

------------------------------------------------------------

Yet I cannot log in and I cannot "getent passwd" and see my
entry.  I tried compiling nss with --enable-debugging
but it didn't provide any useful information.  I saw calls to
subroutines but none of the arguments being passed.

All that gets logged by syslog is pam_authenticate: authentication
failed.

Any ideas??

Mike
--
Mike Corcoran
Lead Systems Programmer, UNIX
Computing and Telecomm Services (CaTS)
Wright State University
phone: 937-775-2431
fax: 937-775-4049
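
An added example, not part of the original message and not nss_ldap's own logic: a Python check that parses ldapsearch LDIF output like the entry quoted above and reports whether each entry carries the attributes RFC 2307 requires of a posixAccount, printing the passwd-style line they would form. The function names, the "x" password placeholder and the sample LDIF (values taken from the message plus one invented incomplete entry) are assumptions of this example.

```python
# RFC 2307 posixAccount MUST attributes, lower-cased for matching.
REQUIRED = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")

def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry."""
    unfolded = text.replace("\n ", "")   # a leading space continues the previous line
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#") and attr.lower() != "version":
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def passwd_view(entry):
    """Return (passwd line or None, problems); the "x" password field is a placeholder."""
    problems = ["missing " + a for a in REQUIRED if a not in entry]
    if "posixaccount" not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("objectClass posixAccount absent")
    if problems:
        return None, problems
    gecos = entry.get("gecos", entry["cn"])[0]
    shell = entry.get("loginshell", [""])[0]
    return ":".join([entry["uid"][0], "x", entry["uidnumber"][0],
                     entry["gidnumber"][0], gecos,
                     entry["homedirectory"][0], shell]), []

# Constructed sample: entry 1 reuses the message's values (one line folded); entry 2 is invented.
SAMPLE = """version: 1
dn: cn=mike,ou=People,o=wsuauth
uid: mike
uidNumber: 100
gidNumber: 64000
gecos: Mike's Gecos
homeDirectory: /usr/local/
 users/mike
loginShell: /bin/sh
objectClass: posixAccount
cn: mike

dn: cn=nohome,ou=People,o=wsuauth
uid: nohome
uidNumber: 101
objectClass: posixAccount
cn: nohome
"""
```

Calling `passwd_view(e)` for each `e` in `parse_ldif(SAMPLE)` gives a passwd line for the first entry and a list of missing attributes for the second; an entry that passes this check but is still absent from `getent passwd` points at the lookup configuration rather than at the directory data.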