Now I have my ldap server doing authentication and providing autofs maps perfectly the next question ... is there a utility anywhere that will allow me to stuff 1200 users into the ldap server from a csv file
I am looking for ideas for getting windows users into an ldap server. I am currently running a Linux server for my department and need to create an LDAP server which mirrors the username/password information for all of us as they are stored in the windows server here. I have the openldap server up and running on Ubuntu 8.04 and it works great; I now need to find some way to import user info into this from windows. I've seen discussions of using ldifde.exe to export the AD users into an ldif file. Is this the simplest way to go about it?
Our Linux server is currently providing us with much needed services using apache, and apache is authenticating using LDAP to our windows server (Using our windows username / password is required functionality). This windows server has some problem which causes it to delay for inordinate amounts of time between authentication requests and responses. The situation is such that this problem will not be addressed by IT staff. However, I have control over the Linux server so I am looking to just mirror the windows server on an LDAP server of my own. I could get away with updating the passwords in the Linux server.
I installed ldap on my server and one of my client machines yesterday.It also now won't let me get into graphical utilities that require root privileges; synaptic for example. It comes back with "incorrect password". I noticed that in the terminal it now requires me to enter two passwords to become root: the root password and the ldap password. I wonder if the two are related.I'm not sure what information to post; there's a ton of configuration files associated with this setup. Can somebody help me troubleshoot this? Thanks!
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
AuthType Basic AuthBasicProvider ldap anon Order allow,deny Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest Anonymous_VerifyEmail Off Anonymous_MustGiveEmail Off Anonymous_LogEmail on Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
I've compiled openssh-5.4p1 on RHEL 4.8 with Openssl 0.9.8m + pam It works perfect without pam (pam-0.77-66), both with password and public key auth. Whith pam enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key LDAP users: public key works for remote users, still I cannot do ssh with just password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP ) blocks ssh even with system users.
I am switching to Gnome because its look and feel is closer to Windows for my workgroup. LDAP and NFS are working fine with KDE and SSH. but I cant login with LDAP users both directly or via NX client. When logging in directly on the server it shows this error:
Code: "Xsession: Login for <user> is disabled " When logging via NX client it says, it authenticated successfully and then quited with this popup message: Code: Could not connect to session bus: Failed to connect to socket /tmp/dbus-0frstajyNE: Connection refused I closed this popup window and one more appeared: Code: Could not acquire name on session bus
we have a weird problem with our opensuse 11.2 server installation.
We want to set up a LDAP Server using the Yast-LDAP Server configuriation tool.
This indeed already worked weeks ago until....this week. Maybe some updates??!
I do not know what happend exactly. The server just does not want to start again and throws following error:
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed
This happend after a little check of the configuration, but without a change, with Yast. Google delivered only "reinstall your box"-answers.
So.. i did that. And now the "mystical" part: The SAME ERROR occurs with a fresh vanilla system with a brand new and simple configuration (certificats, database, pw...the first Yast config dialog...). I did not change the way i set it up.
I remember, when i did this the first time with 11.2 on that machine, when no problems occured...everything was running out of the box (except the "use commen server certificate" option...).
I wanted to use ldap to create users on my machine.I got LDAP set up via yast, and it seems to work OK. But when I create a user via LDAP, the system doesn't seem to want to know.LDAP actually creates a home directory for the new user, but the system merely assigns it a UID and nothing else.I have access to another opensuse system which does not behave in this way. I.e. I can set up a user exclusively in LDAP and the system will recognise the new user no problem.I have compared the two ldap configurations to see if there's some magic "propagate LDAP users to Local users" setting, but this doesn't appear to exist
I have read the man of ldif .In my attempt to build my current directory, I have taken a dump of my last successful implementation (which was created on FreeBSD 8.1) and substituted values for the dc=company and dc=com values with the correct ones for the current directory (attempting to implement under CentOS 5.4) and even tho the correct schemas are in place it is choking on entry.
I have created a CA on my server then created a server certificate under that then exported it as a common server certificate.I have then gone to my LDAP server and enabled TLS and told it to use the common server certificate.Now on my client I have enabled LDAP TLS/SSL and it's asking me to download a certificate ... from where ? Do I export the certificate to a file and put it on a web server.If so what format as the export offers loads.
On this moment i configure a testenvironment with 1 Microsoft active directory server and 1 Opensuse 11 samba filesharing server. But i have a issue. The samba server is add to the domain and the servers can communicate with eachother. I can login to the domain on the samba server and the LDAP settings tab on yast2 samba configuration tool tell me that samba and the MS LDAP server can communicate with eachother. I can see the shares on the samba server but i can't autenticate myself. When i whant to logon than see i always "domain: domainname.local" and "access denied". My question is now how can i give the MS administrator account rights to view the shares and configure the rights for the other users.Samba config file
In the OpenSUSE documentation I red this very exciting chapter Chapter 6. Network Authentication with Kerberos That mentions "Using LDAP and Kerberos" which combined with NFSv4 would give my office net functionality of a M$ Win network.
We are still on 11.2 (we have no win clients at all) and I was testing different setups of 11.4 in VM, but I can't get YaST to configure the LDAP with Kerberos setup (our current setup does not use Kerberos only LDAP). Unfortunately I could not find any meaningful HOWTO on how to do it in SuSE. The page in docs involves editing config files, but I would like to avoid this, because from my former experience with Samba, as it would mean I cannot use yast anymore and that is sad.
Is there a way to configure LDAP + Kerberos (in terms of issuing of krb tickets at login) with YaST?
PS: I basically need Kerberos for NFS and Intranet site.
I'm using SLES 10 SP3 with an OpenLDAP directory for user authentication. But every time I try to change the password, SLES tells me that it will be shortened to 8 charactes. I also set the susemaxpasswordlength to 30 within the LDAP. Also changing to MD5 for encryption doesn't fix it.
I am posting this as I have tried several times to work this out. I have read article after article, post after post and tutorial after to tutorial to sort this issue. I have an Ubuntu 10.04 machine running as the LDAP and NFS server with two Opensuse 11.3 desktop machines. Both of the Opensuse machines can login using the LDAP server for authentication and this works fine. The server also exports the NFS Shares no problem but I am unable to mount the shares from the Opensuse machines. I have been using Yast, NFS Client to mount them.
Yast NFS Client can see the shares and lists them however when I apply the settings it states:
'Unable to mount entries in etc/fstab' I need to mount the shares according to the LDAP details as I want the users to be able to access their files no matter which machine they login at. Can anyone shed any light on the issue. Any help would be great and I would be enternally grateful as I am now beginning to pull my hear out slightly.
I'm trying to integrate sendmail and openLDAP together. I've followed the guide in O'Reilly's LDAP book and my lookups are good. I think my problem is virtual users. What I'm trying to accomplish is that if an email is sent to firstname.lastname@example.org and there is an entry in LDAP for joe then it'll be accepted. Right now, it'll only accept emails only for system users. Below is my sendmail.mc (most comments removed)
Code: divert(-1)dnl include(`/usr/share/sendmail-cf/m4/cf.m4')dnl VERSIONID(`setup for linux')dnl OSTYPE(`linux')dnl dnl ## I have a real one define(`SMART_HOST', `my.smart.host')dnl dnl # define(`confDEF_USER_ID', ``8:12'')dnl
Imported users and groups (UIDs 500 and above) from Redhad to Ubuntu 9.10 by appending users to the passwd, shadow and group files. Users and groups appear to work, but they do not show in the Users/Groups GUI. Is that because they do not start at a UID 1000 and up? What are my options to make them visable?
In the past I found some great help on this forum, so here goes. Bare with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLdap on a virtual machine with ip 192.168.39.134. I've added 2 users via LAM. In the ou WikiUsers and the domain is wiki.local.
I've then created another host with ip 192.168.39.133 with mediawiki installed on it. Then I added the extension LDAPAuthenthication. In the LdapAuthentication file I added this code (only the last paragraph is mine, I added the others to show it's location in the script):
I know I'm close because I can't register any new users or accounts on the mediawiki site. Although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMWare. I did not really configure anything on the LDAP, i just installed it and chose a domain (wiki.local).
I took to yast to install ldap. I creating the CA cert, server key and server cert and specified them during the yast ldap server dialogs.
The firewall is open for ldap.
I also went through yast's ldap client ... though I didn't exactly see to anything (presuably it wrote up a configuration file somewhere).
However when trying use the basic ldap tools, like ldapwhoami. Well it doesn't connect and gives me the above error. Of coure the ldap db is unpopulated as yet, so it probably is not able to say who am at all. But ldapadd doesn't work either.
It seems to point to my SSL usage not being correct .. so I'm trying to double check that now.
I have an Openldap server and many 9.10 servers using it to check for possible ssh users. No problems there. Just brought up my first 10.04 server and went through the same procedure to allow ldap users to ssh in, works great. The problem is that ldap users cannot su to root on the 10.04 server. Only locally defined users can su to root, though they cannot su to ldap users. The local root user can su to anyone. Quick overview of how I installed ldap login:
Code: # apt-get install libnss-ldap # echo "session required pam_mkhomedir.so skel=/etc/skel/" >> /etc/pam.d/common-session And added ldap to the end of these lines in /etc/nsswitch.conf:
This process has worked without a hitch on 9.10 dozens of times. So my question is, why are ldap and local users now incapable of using su across authentication mechanisms? For reference these are the error messages in /var/log/auth.log when trying to su to root from an ldap user:
Code: Jun 14 16:17:07 server unix_chkpwd: check pass; user unknownJun 14 16:17:07 server unix_chkpwd: password check failed for user (root) Jun 14 16:17:07 server su: pam_unix(su:auth): authentication failure; logname=ldapuser uid=2000 euid=2000 tty=/dev/pts/5 ruser=ldapuser rhost= user=root Jun 14 16:17:09 server su: pam_authenticate: Authentication failure Jun 14 16:17:09 server su: FAILED su for root by ldapuser And the auth.log for trying to su to an ldap user from a local one:
Code: Jun 14 17:18:18 server su: pam_unix(su:auth): authentication failure; logname=localuser uid=1000 euid=1000 tty=/dev/pts/0 ruser=localuser rhost= user=ldapuser Jun 14 17:18:18 server su: Successful su for ldapuser by localuserJun 14 17:18:18 server su: + /dev/pts/0 localuser:ldapuser Jun 14 17:18:18 server su: bad group ID `2000' for user `ldapuser': Operation not permitted
I'm using Sun One LDAP server, (Soon to be moving to openldap). I have one Master server, no slaves, about 60 user accounts.
I'd like to add an attribute to each of the users DN's to restrict there ability to login to specific hostnames. I.e. I have hosts A, B and C. Dev staff can access A and B, but not C, and support staff need to access all of them.
I found a link at [url] which talked about using 'hostsallowedlogin' and 'hostsdeniedlogin' attributes but I'm presuming these are bespoke. If they are, how do you configure the ldap.conf to take note of these attributes when authorizing access?
"Merging" may not be quite the right word but that is the desired end result.
Scenario: many Solaris 10 servers, each with various local users. We want to set up LDAP for all for all of them. LDAP server is set up, procedure for getting other servers to use it for user authentication is documented and tested. The question is how to handle users that are in LDAP who also exist as a local user on a given machine.
It appears that the usernames on both sides follow a convention and therefore match but obviously the userids will not match. Local user joe has userid 1234, LDAP user joe has userid 56789.
The way I see it we'll have to:
1. move local user joe's home directory to the path that LDAP user joe will want
2. change local user joe's userid to that of LDAP user joe
3. change joe's files' owner to his new userid
4. remove local user joe
5. finally configure LDAP
Is this a rational procedure? Is there a more effective method? I'm not looking forward to this as there are many servers and each of them have a different set of local users, each with different userids which will have to be handled manually and individually therefore not even scriptable much.