
List:       nssldap
Subject:    RE: [nssldap] rootbinddn doesn't bind <HPUX 11.11, nss_ldap 233, openldap
From:       Roy Ledochowski <rledo () us ! ibm ! com>
Date:       2005-02-28 19:17:25
Message-ID: OFC557F771.58B18303-ON88256FB6.00699E21-88256FB6.0069F872 () us ! ibm ! com

Thanks John. What I don't get is that this exact config works on a couple
of distros of Linux, Solaris 8 and AIX 5.3 here. It has to be something
with HPUX.

"John Lane" <listmail@oceanfree.net>
02/25/2005 05:00 PM
To: Roy Ledochowski/Burlingame/IBM@IBMUS
cc:
Subject: RE: [nssldap] rootbinddn doesn't bind <HPUX 11.11, nss_ldap 233, openldap 2.2.23>

I meant this to go to the group. Anyway...
 
if you don't run nscd (name service caching daemon) then nss_ldap is run 
as a child of the user login session, with the uid of the user.
 
My problems were due to also insisting on tls certificate authentication 
prior to any bind taking place.
 
I'll explain a bit about what I am doing. I've just successfully managed, 
after about 3 weeks of trying various things, to get it working where the 
only access is via a tls login on port 636 (you must have a suitable cert 
to talk to the directory). I started using nss_ldap alone (after reading 
posts saying pam was unnecessary) but now use pam_ldap too.
 
If you just use nss_ldap then pam_unix.so (in pam config) uses the 
nsswitch to get the user details via nss_ldap.  nss_ldap is invoked as 
part of the login process and binds anonymously. Because it is running as 
root, the ssl cert/key in ldap.conf should be the one for root. nss_ldap 
actually reads the password rather than tries to auth it. This requires 
your LDAP ACL to give read access to the userPassword for anonymous 
logins. If the login is authenticated, part of setting up the environment 
causes a second invocation of nss_ldap, this time as the actual user who 
is logged in. However the ldap.conf cert/key belong to root and can't be 
read by this user (unless you have a security hole) so the bind fails. The 
login does succeed but uid/gid numbers in commands like "ls -l" show up as 
numbers rather than names.
 
The solution to the latter nss_ldap call is to use nscd because, with 
this, nss_ldap always runs as root and can thus always use the root 
cert/key.
 
If you use pam_ldap then authentication goes thru that. This performs auth 
access to the userPassword attribute so the ACL for this field can be 
limited to auth access.

-----Original Message-----
From: Roy Ledochowski [mailto:rledo@us.ibm.com]
Sent: 25 February 2005 17:08
To: John Lane
Subject: RE: [nssldap] rootbinddn doesn't bind <HPUX 11.11, nss_ldap 233, openldap 2.2.23>

John--
 
Thanks for the reply.  I've never used nscd and I'm a bit confused -- how 
does nscd make nss_ldap bind w/root uid?  Won't it bind anonymously? In 
our environment anonymous binds can't read passwords.  Also, are you using 
pam_ldap for authentication?

Thursday, February 24, 2005 11:54 PM
To: Roy Ledochowski/Burlingame/IBM@IBMUS
cc:
From: "John Lane" <listmail@oceanfree.net>
Subject: RE: [nssldap] rootbinddn doesn't bind <HPUX 11.11, nss_ldap 233, openldap 2.2.23>

I could never get it to work with rootbinddn. You don't need it however.
My nss_ldap always binds as the root uid, as I am running nscd. Take your 
rootbinddn out and see if your listusers works then.
-----Original Message-----
From: owner-nssldap@padl.com [mailto:owner-nssldap@padl.com] On Behalf Of Roy Ledochowski
Sent: 25 February 2005 01:18
To: nssldap@padl.com
Subject: [nssldap] rootbinddn doesn't bind <HPUX 11.11, nss_ldap 233, openldap 2.2.23>

Hi,

I have what may be a very simple question: I just compiled nss_ldap 233
and openldap 2.2.23 on HPUX 11.11. I have rootbinddn configured to use
the same proxy user that all other platforms we have are using and of
course my ldap.secret is the same as all other clients we have. My
problem is that anonymous binds work (i.e. listusers as a regular user), but
any root activities don't (i.e. listusers as root). Doing ldapsearch with
the proxy user and password works fine. With nss_ldap, the bind fails
(slapd gives err=49).

Can anyone help?

Thanks ahead of time,

roy
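The ACL trade-off John describes above (anonymous read of userPassword so an nss_ldap-only login can compare the hash, versus auth-only access once pam_ldap performs the bind, with Roy's rootbinddn proxy user as a third option), written out as an added slapd.conf illustration that is not part of this thread. The suffix dc=example,dc=com and the proxy DN cn=nss-proxy are placeholders; the directive syntax is OpenLDAP's slapd.conf syntax.

```conf
# Added illustration of the two userPassword ACL settings discussed in the
# thread.  Use ONE of the two "access to attrs=userPassword" blocks; slapd
# applies the first access directive that matches, and within it the first
# matching "by" clause, so order matters.

# (a) nss_ldap-only login, no pam_ldap: pam_unix gets the hash through
#     nsswitch, so the anonymous nss_ldap bind must be able to READ it.
#     Anything that can reach the directory can then pull every hash.
access to attrs=userPassword
        by anonymous read
        by self write
        by * none

# (b) pam_ldap performs the bind: slapd compares the password itself, so
#     the attribute only needs "auth" access.  A bind against it succeeds
#     or fails, but a search never returns the hash.  A rootbinddn proxy
#     (Roy's setup) can still be granted read explicitly if root-run
#     nss_ldap lookups need it; the DN below is a placeholder.
access to attrs=userPassword
        by self write
        by dn.exact="cn=nss-proxy,dc=example,dc=com" read
        by anonymous auth
        by * none

# Name-service attributes (uid, gid, cn, homeDirectory ...) stay readable
# so an unprivileged nss_ldap lookup can still resolve names in "ls -l".
access to *
        by * read
```

With (b), an anonymous `ldapsearch` for `userPassword` returns entries without the attribute, which is the quickest check that the hash is no longer exposed.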
