Hello,
I'm new to Centos and to openldap. I am by trade a Solaris Admin. I'm experimenting with openldap and thought Linux would be easier to install and setup openldap on, so far this is true. The problem I'm having is that I can't get the client server to authenticate to the openldap server. I can authenticate on the server itself though. I can su to, login and shh into the openldap server and become a ldap user. I just can't become an ldap user on the client.
I didn't setup TLS/SSL. I can do that after I have it working. I'm using hashed passwords though. I don't have replication setup. I'm am tying to setup the most basic openldap environment then build from there. I have read the openldap section in the admin guide.
My setup at home.
Openldap server � light.deathnote.net -- 10.0.1.21
client server � vm-centos01.deathnote.net � 10.0.1.7 -- VM on virtualbox
Virtualbox host � L (OS MAC) � 10.0.1.2
router (apple airport extreme) / default gatway � 10.0.1.1
All computer can reach the internet and ping each other. When I installed centos I disabled SELinux.
I used these guids to setup my openldap.
Centralize user accounts with OpenLDAP
24.6.*OpenLDAP Setup Overview
Step-by-step OpenLDAP Installation and Configuration | HowtoForge - Linux Howtos and Tutorials
Below I have included some output from the files I'm using with openldap. Please Let me know if you see any errors. Any help getting my clients to work would be great thanks for reading this post.
[root@vm-centos01 ~]# tail /var/log/messages
Jul 2 09:25:33 vm-centos01 xfs: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://light.deathnote.net: Can't contact LDAP server
Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://10.0.1.21/: Can't contact LDAP server
Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Jul 2 09:26:21 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://light.deathnote.net: Can't contact LDAP server
Jul 2 09:26:21 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://10.0.1.21/: Can't contact LDAP server
Jul 2 09:26:21 vm-centos01 xfs: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Jul 2 09:27:25 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://light.deathnote.net: Can't contact LDAP server
Jul 2 09:27:25 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://10.0.1.21/: Can't contact LDAP server
Jul 2 09:27:25 vm-centos01 xfs: nss_ldap: could not search LDAP server - Server is unavailable
nothing shows up in this log on the ldap server.
[root@vm-centos01 ~]# netstat -tuan|grep 389
[root@vm-centos01 ~]#
[root@light ~]# netstat -tuan|grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:55958 127.0.0.1:389 ESTABLISHED
tcp 0 0 127.0.0.1:389 127.0.0.1:55958 ESTABLISHED
[root@light ~]#
There seems to be a possible network issue here.
[root@vm-centos01 ~]# more /etc/ldap.conf
host light.deathnote.net
base dc=deathnote,dc=net
uri ldap://10.0.1.21/
ssl off
[root@light openldap]# more /etc/ldap.conf
host 127.0.0.1
base dc=deathnote,dc=net
uri ldap://127.0.0.1/
ssl no
pam_password md5
[root@light openldap]# more /etc/openldapldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#HOST 127.0.0.1
BASE dc=deathnote,dc=net
#URI ldap:///light.deathnote.net ldap:///light.deathnote.net:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://127.0.0.1/
#TLS_CACERTDIR /etc/openldap/cacerts
[root@vm-centos01 ~]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
[root@vm-centos01 ~]# more /etc/sysconfig/authconfig
USEWINBINDAUTH=no
USEKERBEROS=no
USESYSNETAUTH=no
USEPAMACCESS=no
USEMKHOMEDIR=yes
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=yes
USEDB=no
USEWINBIND=no
USESHADOW=yes
PASSWDALGORITHM=md5
USEHESIOD=no
USELDAP=yes
USELOCAUTHORIZE=yes
USEPASSWDQC=no
USECRACKLIB=yes
USENIS=no
USEMD5=yes
[root@vm-centos01 ~]#
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
[root@light openldap]# more slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
loglevel 296
pidfile /var/run/openldap/slapd.pid access to attrs=shadowLastChange,userPassword
by anonymous auth
by self write
by * auth
access to *
by * read
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=deathnote,dc=net"
rootdn "cn=Manager,dc=deathnote,dc=net"
rootpw {SSHA}/ZKRMzbmnEVoUNdqx3T1gsh2AmyvJmCi
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Any help would be great.
---------- Post updated at 03:06 PM ---------- Previous update was at 12:39 PM ----------
I found out what the issue was. I just need to open port 389 on the firewall. I wish when people create guides, on how to do things, they would tell you to do these things.
Maybe this will help othes as well.