[opensuse] ldap slpd config
I'm trying to get ldap configured to manage my logins, network shares, passwd file, group file, my "samba" users (domain) stuff...etc...

I first tried to follow some books and got lost. I then made sure I had the packages installed for suse and yast2 and tried yast2 -- Now I am getting:

[today...many times...] Ishtar slapd[27910]: SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
......message repeated [many times]....

filling up my /var/log/messages. Somehow I don't think this is right. Anyone have any further clues on how to get this working?

I got YAB (yet another book) but the book got lost as soon as I went to my /etc/open-ldap/ dir and looked in slapd.conf and saw:

# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration.
#
# A copy of the original /etc/openldap/slapd.conf file has been created as:
# /etc/openldap/slapd.conf.YaSTsave
#
# To access the new configuration backend easily you can use SASL external
# authentication. I.e. the following ldapsearch command, executed as the root
# user, can be used to print the complete slapd configuration to stdout:
# ldapsearch -Y external -H ldapi:/// -b cn=config
---------
I tried this, but it doesn't work;
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

So...how come my backend isn't working and why do I feel rather silly asking why it isn't working on a suse list?

Help?
-linda
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thursday 03 September 2009 00:51:36 Linda Walsh wrote:
I'm trying to get ldap configured to manage my logins, network shares, passwd file, group file, my "samba" users (domain) stuff...etc...
I first tried to follow some books and got lost.
I then made sure I had the packages installed for suse and yast2 and tried yast2 --
Now I am getting:
[today...many times...] Ishtar slapd[27910]: SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm) ......message repeated [many times]....
You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool try adding the "-x" commandline switch to use simple authentication and see if that works. For details have a look in the ldapsearch man-page. If you were using another LDAP client, change that client's config to not try SASL/GSSAPI authentication. Or setup SASL/GSSAPI properly of course.
filling up my /var/log/messages.
Somehow I don't think this is right.
Anyone have any further clues on how to get this working?
I got YAB (yet another book) but the book got lost as soon as I went to my /etc/open-ldap/ dir and looked in slapd.conf and saw:
# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration.
#
# A copy of the original /etc/openldap/slapd.conf file has been created as:
# /etc/openldap/slapd.conf.YaSTsave
#
# To access the new configuration backend easily you can use SASL external
# authentication. I.e. the following ldapsearch command, executed as the root
# user, can be used to print the complete slapd configuration to stdout:
# ldapsearch -Y external -H ldapi:/// -b cn=config
---------
I tried this, but it doesn't work;
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
According to the GSSAPI error message above your LDAP server seems to be running. This error here indicates then, that the server is not listening on the ldapi:/// interface, or that you were not running ldapsearch on the same host as the LDAP server is running on. "ldapi" is based on Unix Domain Sockets, so it only works on the same host. Please check /etc/sysconfig/openldap (OPENLDAP_START_LDAPI=yes) if the "ldapi" listener is enabled. If not, enable it, restart slapd and try again.
So...how come my backend isn't working and why do I feel rather silly asking why it isn't working on a suse list?

What does this command give you:

ldapsearch -x -H ldap:// -b "" -s base +
Ralf Haferkamp wrote:
You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool try adding the "-x" commandline switch to use simple authentication and see if that works. For details have a look in the ldapsearch man-page.
I was using the command listed below -- that YAST told me to use:
ldapsearch -Y external -H ldapi:/// -b
It doesn't say anything about an -x switch or a need to configure SASL/GSSAPI to make it work properly. Hasn't GSSAPI been deprecated due to non-fixable security flaws? I seem to remember it being a requirement a few years back, then heard it was dropped when some serious problems were found. But most of the vendors still seem to offer and use it...so I'm a little bit confused...?
If you were using another LDAP client, change that client's config to not try SASL/GSSAPI authentication. Or setup SASL/GSSAPI properly of course.
filling up my /var/log/messages.
Somehow I don't think this is right.
Anyone have any further clues on how to get this working?
I got YAB (yet another book) but the book got lost as soon as I went to my /etc/open-ldap/ dir and looked in slapd.conf and saw:
# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration.
#
# A copy of the original /etc/openldap/slapd.conf file has been created as:
# /etc/openldap/slapd.conf.YaSTsave
#
# To access the new configuration backend easily you can use SASL external
# authentication. I.e. the following ldapsearch command, executed as the root
# user, can be used to print the complete slapd configuration to stdout:
# ldapsearch -Y external -H ldapi:/// -b cn=config
---------
I tried this, but it doesn't work;
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
According to the GSSAPI error message above your LDAP server seems to be running. This error here indicates then, that the server is not listening on the ldapi:/// interface, or that you were not running ldapsearch on the same host as the LDAP server is running on. "ldapi" is based on Unix Domain Sockets, so it only works on the same host. Please check /etc/sysconfig/openldap (OPENLDAP_START_LDAPI=yes) if the "ldapi" listener is enabled. If not, enable it, restart slapd and try again.
So...how come my backend isn't working and why do I feel rather silly asking why it isn't working on a suse list? What does this command give you:
ldapsearch -x -H ldap:// -b "" -s base +
On Monday 07 September 2009 13:33:30 Linda Walsh wrote:
Ralf Haferkamp wrote:
You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool try adding the "-x" commandline switch to use simple authentication and see if that works. For details have a look in the ldapsearch man-page.
---- I was using the command listed below -- that YAST told me to use:
ldapsearch -Y external -H ldapi:/// -b

That command would never ever give you the error message you pasted in your first mail ("SASL [conn=1] Failure: GSSAPI Error: ...."). As the above command explicitly requests ldapsearch to use the SASL mechanism "external", which is not related in any way to GSSAPI.
It doesn't say anything about an -x switch or a need to configure SASL/GSSAPI to make it work properly.

That completely depends on which authentication mechanism you want to use. If you want to use simple authentication you need to have the "-x" switch, otherwise ldapsearch (and other commandline tools) default to SASL authentication (the used SASL mechanism is negotiated based on what client and server support, unless you specify "-Y <mechanism>").
When YaST is used to setup OpenLDAP it sets up the configuration database (the database with the base dn: "cn=config") in a way that only access via ldapi:/// and the sasl mechanism "external" is allowed. The "normal" databases (i.e. the one you configured in the yast module) are accessible via simple authentication by default, and that's where you need the "-x" switch.
Hasn't GSSAPI been deprecated due to non-fixable security flaws?

No.
I seem to remember it being a requirement a few years back, then heard it was dropped when some serious problems were found. But most of the vendors still seem to offer and use it...so I'm a little bit confused...?

GSSAPI has not been deprecated. You must be confusing something here.
[..]
So...how come my backend isn't working and why do I feel rather silly asking why it isn't working on a suse list?
What does this command give you:
ldapsearch -x -H ldap:// -b "" -s base +
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unfortunately you didn't answer this question.
-- Ralf
Ralf Haferkamp wrote:
On Monday 07 September 2009 13:33:30 Linda Walsh wrote:
Ralf Haferkamp wrote:
You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool try adding the "-x" commandline switch to use simple authentication and see if that works. For details have a look in the ldapsearch man-page.
I was using the command listed below -- that YAST told me to use:
ldapsearch -Y external -H ldapi:/// -b

That command would never ever give you the error message you pasted in your first mail ("SASL [conn=1] Failure: GSSAPI Error: ....").
But it did. I cut and pasted the command and the error...
What does this command give you:
ldapsearch -x -H ldap:// -b "" -s base +
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Unfortunately you didn't answer this question.
Wow...that worked! Excellent...some output... (I used "localhost" as my server, using the server name doesn't seem to work).

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=site
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
On Friday 11 September 2009 09:18:46 Linda Walsh wrote:
Ralf Haferkamp wrote:
On Monday 07 September 2009 13:33:30 Linda Walsh wrote:
Ralf Haferkamp wrote:
You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool try adding the "-x" commandline switch to use simple authentication and see if that works. For details have a look in the ldapsearch man-page.
---- I was using the command listed below -- that YAST told me to use:
ldapsearch -Y external -H ldapi:/// -b
That command would never ever give you the error message you pasted in your first mail ("SASL [conn=1] Failure: GSSAPI Error: ....").
--- But it did. I cut and pasted the command and the error...
What does this command give you:
ldapsearch -x -H ldap:// -b "" -s base +
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Unfortunately you didn't answer this question.
--- Wow...that worked! Excellent...some output... (I used "localhost" as my server, using the server name doesn't seem to work).

Ok. So your ldapserver is listening on the normal LDAP server port and accepting connections (if using the hostname does not work, it seems that your name service configuration is somehow screwed, or a firewall is getting in your way).

What still doesn't seem to work is the access via ldapi:// as used by the YaST ldap-server module. Did you check /etc/sysconfig/openldap as stated in my first mail? Also please check the commandline arguments that slapd is started with:

ps axuw | grep slapd

-- Ralf
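The rootDSE output Linda pasted above is the one piece of hard evidence in this thread, and it is worth reading mechanically rather than by eye. The Python below is an added example, not code from the thread or from openSUSE: it parses the LDIF that `ldapsearch -x -H ldap://localhost -b "" -s base +` prints (ROOTDSE_LDIF is Linda's output trimmed to the attributes the checks use; the function names are ours) and reports what an anonymous client can negotiate on that connection. Two things the result makes visible: without `-x`, ldapsearch picks one of the advertised SASL mechanisms (which one is up to the SASL library), and GSSAPI is on the list, which is where a "default realm" error comes from on a client with no Kerberos configuration; and EXTERNAL is not on the list, which is expected, because slapd advertises EXTERNAL only on a connection that already carries an identity (the peer credentials of an ldapi:/// socket, or a TLS client certificate). `-Y external` can therefore only ever succeed over ldapi:///, which is exactly the listener Ralf is asking about.

```python
"""Read the rootDSE LDIF printed by
`ldapsearch -x -H ldap://localhost -b "" -s base +` and summarise what an
anonymous client can negotiate on that connection.

Added example, not code from the thread or from openSUSE. ROOTDSE_LDIF is the
output Linda pasted, trimmed to the attributes the checks use; the function
names are ours.
"""
import base64

ROOTDSE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=site
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues
    the previous one (ldapsearch folds long values at 76 columns)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {attribute: [values]} for the first record that has a dn.
    Comments are dropped, `attr:: value` is base64-decoded, and the trailing
    `search:`/`result:` block ldapsearch prints (it has no dn) is ignored."""
    records, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            value = value[1:].strip()      # attr:< file:///... reference, not fetched
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return next((r for r in records if "dn" in r), {})


def summarize(rootdse):
    """What this connection offers, using only facts slapd states itself."""
    mechs = rootdse.get("supportedSASLMechanisms", [])
    return {
        "config_context": rootdse.get("configContext", [None])[0],
        "naming_contexts": rootdse.get("namingContexts", []),
        "sasl_mechanisms": mechs,
        # Without -x the client negotiates one of these; which one is up to
        # the SASL library, and GSSAPI needs a Kerberos realm on the client.
        "gssapi_advertised": "GSSAPI" in mechs,
        # slapd lists EXTERNAL only when the connection already carries an
        # identity (ldapi:/// peer credentials or a TLS client certificate),
        # so `-Y external` cannot work on the connection that produced this.
        "external_usable": "EXTERNAL" in mechs,
    }


if __name__ == "__main__":
    for key, val in summarize(parse_ldif(ROOTDSE_LDIF)).items():
        print(f"{key}: {val}")
```

Run the same query over `ldapi:///` as root (with or without `-x`) and EXTERNAL appears in the list; that, rather than the ldap:// output, is the connection on which the cn=config database YaST created is reachable.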
I didn't see this come back from the list, so I'm reposting AND updating -- have been trying different things...please forgive any duplication. Ralf Haferkamp ~asked:
q(ldapsearch -x -H ldap:// -b "" -s base +)?

linda: Wow...that worked! Excellent...some output... (I used "localhost" as my server, using the server name doesn't seem to work).

Ralf Haferkamp replied: Ok. So your ldapserver is listening on the normal LDAP server port and accepting connections (if using the hostname does not work, it seems that your name service configuration is somehow screwed, or a firewall is getting in your way).

linda: no FW. Just not config'ed. I let yast set it up, but I didn't do something right, or yast left it in a weird state, so it's "at where its at" -- messed up; I'm a complete newb to ldap. Got books on it, but they all seem "greek" none of the examples fit, no scripts or make files to move my /etc passwd+shad+group into it; no way to understand 'how' to add other database items to it...alot of schema's and .ldif(?) files, but not sure how they relate. Am usually good w/tech books, but this is such a different language, I haven't gotten the mental points to hang the concepts on.

What still doesn't seem to work is the access via ldapi:// as used by the YaST ldap-server module. Did you check /etc/sysconfig/openldap as stated in my first mail? Also please check the command-line arguments that slapd is started with: ps axuw | grep slapd

ldap 25292 0.0 0.1 128852 14356 ? Ssl 00:43 0:09 /usr/lib/openldap/slapd -h ldap:// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=on
---
I looked in the rc script and it doesn't appear to have any interfaces defined. I'm not sure where or what was supposed to add them. netstat shows ldap listening on port 389, I'm not sure what (if any) the relation is between slapd and slpd, but slpd is listening on 192.168.3.1:427, the host's addr, and localhost:427. ldap is listening on 0.0.0.0(:389), which I guess(?) means it should accept connections coming from any network. I changed that and added ldapi -- yast reads it as an empty database.

I added most of the ldif/schema's I could -- (at least the ones that didn't hang yast) -- but I don't know how to setup a proper 'realm' (which is what I keep getting errors about), nor how to merge my passwd/group/shad, netgroup, services, 'addressbook' info, samba authentication (running as a domain server for 1 workstation (my desktop) & occasional guests..). Have I missed any uses for it...it seems like it's supposed to be usable for just about everything... ;-)

So how do I get stuff into it and get authentication and services?

Thanks,
Linda
On Sunday 13 September 2009 02:32:19 Linda Walsh wrote:
I didn't see this come back from the list, so I'm reposting AND updating -- have been trying different things...please forgive any duplication.
Ralf Haferkamp ~asked:
q(ldapsearch -x -H ldap:// -b "" -s base +)?

linda: Wow...that worked! Excellent...some output... (I used "localhost" as my server, using the server name doesn't seem to work).
Ralf Haferkamp replied:
Ok. So your ldapserver is listening on the normal LDAP server port and accepting connections (if using the hostname does not work, it seems that your name service configuration is somehow screwed, or a firewall is getting in your way).
---- linda: no FW. Just not config'ed. I let yast set it up, but I didn't do something right, or yast left it in a weird state, so it's "at where its at" -- messed up; I'm a complete newb to ldap.

I can't really imagine what went wrong for you. Probably the best idea is to start over again by cleaning up a bit and rerunning the ldap-server configuration. You can do that by:

1. remove the openldap2 package: rpm -e openldap2
2. remove the database: rm -rf /var/lib/ldap
3. remove the config directory: rm -rf /etc/openldap/slapd.d
4. remove the old config files:
   rm /etc/openldap/slapd.conf*
   rm /etc/sysconfig/openldap

After that you should be ready to run the yast2 ldap-server module again.
Got books on it, but they all seem "greek" none of the examples fit,

Probably your books are just not current enough to fit the openldap version we ship. Recent openldap versions support two different configuration mechanisms. One is through the config file /etc/openldap/slapd.conf, the other one is through a special ldap database (with the suffix cn=config) which is stored below /etc/openldap/slapd.d/. On openSUSE you can choose which mechanism to use through a setting in /etc/sysconfig/openldap. The YaST module has support only for the database mechanism.

no scripts or make files to move my /etc passwd+shad+group into it;

Yeah, we don't have anything for that on the distro, but usually the available solutions require a lot of manual tweaking anyways.

no way to understand 'how' to add other database items to it...alot of schema's and .ldif(?) files, but not sure how they relate.

Not sure what you mean by this.
Am usually good w/tech books, but this is such a different language, I haven't gotten the mental points to hang the concepts on.
What still doesn't seem to work is the access via ldapi:// as used by the YaST ldap-server module. Did you check /etc/sysconfig/openldap as stated in my first mail? Also please check the command-line arguments that slapd is started with: ps axuw | grep slapd
ldap 25292 0.0 0.1 128852 14356 ? Ssl 00:43 0:09 /usr/lib/openldap/slapd -h ldap:// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=on --- I looked in the rc script and it doesn't appear to have any interfaces defined. I'm not sure where or what was suppose to add them. netstat shows ldap listening on port 389,
I'm not sure what (if any) the relation is between slapd and slpd, but slpd is listening on 192.168.3.1:427, the host's addr, and localhost:427. They are not related.
ldap is listening on 0.0.0.0(:389), which I guess(?) means it should accept connections coming from any network. Yes.
I changed that and added ldapi -- yast reads it as an empty database.
I added most of the ldif/schema's I could -- (at least the ones that didn't hang yast) -- You should open bug reports if there is really a schema file which hangs yast.
but I don't know how to setup a proper 'realm' (which is what I keep getting errors about),

When do you get that error? As a result of which command?
nor how to merge my passwd/group/shad, netgroup, services, 'addressbook' info, samba authentication (running as a domain server for 1 workstation (my desktop) & occasional guests..). Have I missed any uses for it...it seems like it's supposed to be usable for just about everything... ;-)
So how do I get stuff into it and get authentication and services?
You can use yast2 ldap-client to setup LDAP authentication (nss and pam). yast2 users is able to manage users and groups on the ldap server. yast2 samba-server is AFAIK able to setup a samba server with an LDAP backend.

-- Ralf
Ralf Haferkamp wrote:
but I don't know how to setup a proper 'realm' (which is what I keep getting errors about),

When do you get that error? As a result of which command?
---- I'd have to go back and retry some of my experimenting ... But I think I'll try your 1st suggestion and reset everything. But in regards to this:
no scripts or make files to move my /etc passwd+shad+group into it; Yeah, we don't have anything for that on the distro, but usually the available solution require a lot of manual tweaking anyways.
--- That's almost a bug -- since I've seen more than one mention of scripts that should help moving existing data into a database. I'd really think SuSE 'should' provide something similar, I'm a very small site (only a few machines), but I'd like to get all of the standard /etc/passwd entries and group entries moved into the database.

By far, about 75-85% of my (pw=89 lines, group=106 lines) came from the standard suse file and added packages (which add many). The problem I keep having is trying to keep my 3-4 machines in sync. So UID's and GID's are same across multiple machines.

As part of my idea of 'security' separation, I am trying to create a separate group (w/ GID==UID) for each UID -- especially for daemons...that way I can add "admins" (me), to their groups so I can more easily mess with their files and not have to SU to root so much (well, it's a 'hope'/desire...:-)). At least I can read their configs and log files even if I have other set to none....

I'm also trying to make sure UID and GID's are equal to better support the Windows "advanced" (*cough*) concept of having only 1 namespace for UID and GID's (SID's). In a way, it yields the advantage of allowing any user to be part of a group associated with any service or daemon or other user for that matter... That and I just want to make sure that if I decide to map all of my linux id's into a windows space, nothing will collide... :-)...
So how do I get stuff into it and get authentication and services?
You can use yast2 ldap-client to setup LDAP authentication (nss and pam).
I have very few *real* users, but as I mentioned, I'd like to get all of the password files and such into ldap. Are the command-line ldap commands compatible with yast2's implementation? If I have to, I suppose I can write some scripts to put things in -- but only if the standard tools work "somehow"... If I can't use the standard tools, maybe I shouldn't use yast2 to setup an ldap server, since I can't be typing in all those entries by hand --- and 99% aren't real users -- I'd hate to think about a larger site trying to add 100's or thousands of user by hand.

BTW, doesn't slapd do 'something' with slpd? Like announce itself or something? or announce 'services? or 'well known names'?

now to go destroy my setup and start over!...oh what fun... (not that anything is working anyway...*sigh*)...

Oh, this is where I got the idea that GSSAPI was deprecated:

/etc/ssh/sshd_config
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
-------------
I had the impression that the protocol itself was flawed and deprecated -- does the SuSE LDAP use the newer "with-mic" protocol?

-linda
On Wednesday 16 September 2009 02:18:52 Linda Walsh wrote:
[..]
But in regards to this:
no scripts or make files to move my /etc passwd+shad+group into it;
Yeah, we don't have anything for that on the distro, but usually the available solutions require a lot of manual tweaking anyways.
--- That's almost a bug -- since I've seen more than one mention of scripts that should help moving existing data into a database.

There are the PADL Migration Tools, which is a set of Perl scripts to move /etc/passwd users to an LDAP database. But as those scripts need to be adjusted to fit the specific environment I see no point in packaging them on the distro. You can get them at www.padl.com.
I'd really think SuSE 'should' provide something similar,

If you find a good working toolset for that, feel free to add a feature request to features.opensuse.org, or even better submit packages through the buildservice.
I'm a very small site (only a few machines), but I'd like to get all of the standard /etc/passwd entries and group entries moved into the database.
By far, about 75-85% of my (pw=89 lines, group=106 lines) came from the standard suse file and added packages (which add many).

Migrating the system users and groups (everything with a uid or gid < 1000) from /etc/passwd and /etc/group to LDAP is a very bad idea. You will run into problems pretty soon. Some of those users and groups are needed during booting when the network is not yet available, how's the system supposed to get the information from the LDAP server at that point? Not to mention the problems that turn up when the LDAP server is not reachable for other reasons.
The problem I keep having is trying to keep my 3-4 machines in sync. So UID's and GID's are same across multiple machines. AFAIK the important system users that are created as part of rpms always have the same uid's and gid's.
[..]
I'm also trying to make sure UID and GID's are equal to better support the Windows "advanced" (*cough*) concept of having only 1 namespace for UID and GID's (SID's). In a way, it yields the advantage of allowing any user to be part of a group associated with any service or daemon or other user for that matter... That and I just want to make sure that if I decide to map all of my linux id's into a windows space, nothing will collide... :-)...

Mapping linux uids/gids to Windows SIDs is not easily possible. That's one reason why Samba exists. It can take care of that. You don't need to have a unique uid/gid namespace on the Linux side for that, btw.
--- I have very few *real* users, but as I mentioned, I'd like to get all of the password files and such into ldap. Which is generally a bad idea in most setups.
Are the command-line ldap commands compatible with yast2's implementation?

Which ldap commands are you talking about? ldapadd and friends? They are really lowlevel, taking only LDIF as input. So yes, if you create a compatible LDIF you can create compatible users with that. Btw, you can try to use useradd, groupadd and friends for creating ldap users. See the man pages for details.
[..]
BTW, doesn't slapd do 'something' with slpd? Like announce itself or something? or announce 'services? or 'well known names'? slapd can register itself with slpd, yes.
Oh, this is where I got the idea that GSSAPI was deprecated:
/etc/ssh/sshd_config
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
-------------
I had the impression that the protocol itself was flawed and deprecated -- does the SuSE LDAP use the newer "with-mic" protocol?

I'd guess that comment is only specific to the way sshd used GSSAPI. What I know for sure is, that GSSAPI is not deprecated. It's very widely used.
-- Ralf
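Ralf's three points in this reply (the PADL scripts exist but need adapting to the site, accounts below uid/gid 1000 must stay in the local files, and ldapadd takes nothing but LDIF) fit into one small converter, which also answers Linda's question whether the command-line tools and a YaST-built server get along. The Python below is an added example; it is not the PADL MigrationTools and not code from the thread or from openSUSE. It assumes the suffix dc=site that Linda's rootDSE reported, hypothetical ou=People and ou=Group containers that have to exist before the LDIF is loaded, and the account, posixAccount and posixGroup classes from the cosine and nis schema files; the passwd, shadow and group lines are constructed for the example. Besides the LDIF it returns a report of what deliberately stayed local: the system accounts, every migrated user's membership in a group that stayed in /etc/group (NSS answers for that group from the local file, so the membership has to be kept there on each host), and the users that break Linda's one-group-per-user, gid == uid scheme.

```python
"""Turn /etc/passwd, /etc/shadow and /etc/group into LDIF that ldapadd accepts.
Added example (not the PADL MigrationTools, not code from the thread or from
openSUSE). Assumed: suffix dc=site, existing ou=People / ou=Group containers,
and the account/posixAccount/posixGroup classes from cosine and nis schema.
"""
import base64

MIN_ID = 1000   # openSUSE convention: uid/gid below 1000 is a system account

# Constructed sample lines for the example, not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
linda:x:1000:1000:Linda Walsh:/home/linda:/bin/bash
guest:x:1001:100:Guest account:/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$1Ab2cD3e$notarealhash000000000000000000000000000000:14500:0:99999:7:::
ldap:*:14500:0:99999:7:::
linda:$6$9zY8xW7v$notarealhash111111111111111111111111111111:14500:0:99999:7:::
guest:!:14500:0:99999:7:::
"""
GROUP = """\
root:x:0:
ldap:x:70:
users:x:100:linda,guest
linda:x:1000:
video:x:33:linda
"""


def ldif_line(name, value):
    """One attribute line; values RFC 2849 calls unsafe (leading space, ':' or
    '<', non-ASCII, CR/LF/NUL) are emitted base64-encoded as `name:: ...`."""
    if value[0] in " :<" or not value.isascii() or any(c in value for c in "\r\n\0"):
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def first(attrs, name):
    return next((v for a, v in attrs if a == name), None)


def user_entry(pw, pw_hash, base):
    name, _, uid, gid, gecos, home, shell = pw
    attrs = [("objectClass", "top"), ("objectClass", "account"),
             ("objectClass", "posixAccount"), ("uid", name),
             ("cn", gecos.split(",")[0] or name), ("uidNumber", uid),
             ("gidNumber", gid), ("homeDirectory", home),
             ("loginShell", shell or "/bin/false")]
    # '!' or '*' in /etc/shadow means locked: emit no userPassword at all
    # rather than a placeholder that looks like a credential in the directory.
    if pw_hash and pw_hash[0] not in "!*":
        attrs.append(("userPassword", "{CRYPT}" + pw_hash))
    return f"uid={name},ou=People,{base}", attrs


def group_entry(gr, base):
    name, _, gid, members = gr
    attrs = [("objectClass", "top"), ("objectClass", "posixGroup"),
             ("cn", name), ("gidNumber", gid)]
    return f"cn={name},ou=Group,{base}", attrs + [("memberUid", m) for m in members.split(",") if m]


def private_group_problems(users, groups):
    """Linda's scheme: each user's primary group is a same-named group with
    gid == uid. Return the users that break it."""
    name_by_gid = {first(a, "gidNumber"): first(a, "cn") for _, a in groups}
    return [first(a, "uid") for _, a in users
            if first(a, "uidNumber") != first(a, "gidNumber")
            or name_by_gid.get(first(a, "gidNumber")) != first(a, "uid")]


def migrate(passwd, shadow, group, base="dc=site", min_id=MIN_ID):
    """Return (entries, report). Ids below min_id stay in the local files: they
    are needed before the network, and thus the LDAP server, is reachable."""
    hashes = {f[0]: f[1] for f in (l.split(":") for l in shadow.splitlines()) if len(f) > 1}
    users, groups, report = [], [], {"local_users": [], "local_memberships": []}
    for f in (l.split(":") for l in passwd.splitlines()):
        if len(f) == 7 and int(f[2]) < min_id:
            report["local_users"].append(f[0])
        elif len(f) == 7:
            users.append(user_entry(f, hashes.get(f[0]), base))
    migrated = {first(a, "uid") for _, a in users}
    for f in (l.split(":") for l in group.splitlines()):
        if len(f) == 4 and int(f[2]) < min_id:
            # The group stays in /etc/group, so a migrated user's membership in
            # it is only visible if /etc/group on every host still lists it.
            report["local_memberships"] += [(f[0], m) for m in f[3].split(",") if m in migrated]
        elif len(f) == 4:
            groups.append(group_entry(f, base))
    report["no_private_group"] = private_group_problems(users, groups)
    return users + groups, report


def to_ldif(entries):
    out = []
    for dn, attrs in entries:
        out += [ldif_line("dn", dn)] + [ldif_line(n, v) for n, v in attrs] + [""]
    return "\n".join(out)


if __name__ == "__main__":
    entries, report = migrate(PASSWD, SHADOW, GROUP)
    print(to_ldif(entries), "\n".join(f"# {k}: {v}" for k, v in report.items()))
```

Load the result with something like `ldapadd -x -D "cn=Administrator,dc=site" -W -f users.ldif` (the admin DN is an assumption; use the one YaST configured) over ldapi:/// or TLS rather than plain ldap://, because the file carries the password hashes: reading /etc/shadow needs root, the LDIF should be mode 0600 and deleted after the import, and slapd only verifies {CRYPT} hashes if it was built with crypt support, so test a bind as one migrated user before trusting the import.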
participants (2): Linda Walsh, Ralf Haferkamp