Author Topic: [SOLVED]Having trouble with LDAP -can you help?  (Read 29376 times)

morphy_richards

[SOLVED]Having trouble with LDAP -can you help?
« on: May 09, 2013, 11:19:46 am »
Hi,
I'm an IT teacher trying to build my own departmental network for teaching computer science.
I already have a firewall/gateway (ClearOS) called collossus.computing.lan, 192.168.0.2. This has 2 NICs and connects my network to the school network to provide my network with internet access.
A DNS server (Raspberry Pi running dnsmasq) called lexicon.computing.lan, 192.168.0.3.
An LTSP server (running edubuntu) called lovelace.computing.lan, 192.168.0.10.

DHCP seems to work, internet is shared, local users can log in to lovelace via thin clients. All the machines seem to have proper FQDNs etc.

I want to extend the network to put an LTSP server in each classroom. Obviously I need an SSO solution. I've been trying various implementations of LDAP - I've been working very hard trying to get this to work for quite a long time without success. I found out about zentyal and its "users / groups / ldap" from web trawling in desperation.

I now have a new installation of zentyal running on a server called "athena" on 192.168.0.4. I have configured the settings for users and groups by going through the "office" basic setup.

These are my ldap settings as shown in the web interface

Base DN:    dc=computing,dc=lan
Root DN:    cn=zentyal,dc=computing,dc=lan
Password:    xxxxxxxxxxxxxxxxxxxxxxxxx
Read-only root DN:    cn=zentyalro,dc=computing,dc=lan
Read-only password:    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Users DN:    ou=Users,dc=computing,dc=lan
Groups DN:    ou=Groups,dc=computing,dc=lan

Before I go any further configuring my ltsp server to authenticate, I am trying to check if it will work by running the following from a terminal on the zentyal server.

athena_admin@athena:~$ ldapsearch -x -b dc=computing,dc=lan

However I just get
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even ldapsearch on its own gives me this.

What have I done wrong?

« Last Edit: May 21, 2013, 03:06:06 pm by morphy_richards »

jbahillo

Re: Having trouble with LDAP -can you help?
« Reply #1 on: May 09, 2013, 11:42:05 am »
Have you tried specifying the -H:ldap://your.zentyal-ldap-server:390 parameter?

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #2 on: May 09, 2013, 12:08:15 pm »
Thanks for your reply.

Trying that gives ...

athena_admin@athena:~$ ldapsearch -H:ldap://192.168.0.4:390
Could not parse LDAP URI(s)=:ldap://192.168.0.4:390 (3)

...and ...

athena_admin@athena:~$ ldapsearch -H:ldap:athena.computing.lan:390
Could not parse LDAP URI(s)=:ldap:athena.computing.lan:390 (3)

jbahillo

Re: Having trouble with LDAP -can you help?
« Reply #3 on: May 09, 2013, 12:09:42 pm »
My fault. The parameter is -H ldap:athena.computing.lan:390

christian

Re: Having trouble with LDAP -can you help?
« Reply #4 on: May 09, 2013, 12:11:00 pm »
As the default is SASL, you should use the -W option (look at man ldapsearch).

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #5 on: May 09, 2013, 12:19:28 pm »
athena_admin@athena:~$ ldapsearch -W ldap:athena.computing.lan:390
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Forgive my ignorance. In my previous attempts on other systems I have gone through installing slapd manually and configuring admin passwords.
Here I am not sure: on zentyal, is the LDAP password

 LDAP information
Base DN:    dc=computing,dc=lan
Root DN:    cn=zentyal,dc=computing,dc=lan
Password:    xxxxx

as shown on the LDAP settings page? This is the one I tried, to get the above result.

Thanks again.


christian

Re: Having trouble with LDAP -can you help?
« Reply #6 on: May 09, 2013, 12:29:23 pm »
ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"

well, my baseDN might be wrong... depends on what you have set up

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #7 on: May 09, 2013, 12:32:03 pm »
ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"

well, my baseDN might be wrong... depends on what you have set up

Thank you!
;D

ldapsearch -H ldap://athena.computing.lan:390 -x -D "cn=zentyal,dc=computing,dc=lan" -W -b "dc=computing,dc=lan"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=computing,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# computing.lan
dn: dc=computing,dc=lan
...
...

etc
 8)

christian

Re: Having trouble with LDAP -can you help?
« Reply #8 on: May 09, 2013, 12:42:11 pm »
You're welcome.
So much easier when the right syntax is used  ;)

Still, this is a very basic search. Depending on what your directory contains, you may have to refine the filter, baseDN etc., but I'm sure you will succeed.

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #9 on: May 09, 2013, 01:03:06 pm »
Thanks again.

My slow and sometimes painful journey continues.

I've followed the tutorial described here: Topic: HOWTO: Ubuntu client with LDAP authentication and pam_mount for mounting $HOME

and on my edubuntu ltsp server I now have the following /etc/ldap.conf file

Code:
base dc=system,dc=lan

uri ldap://192.168.0.4:390

ldap_version 3

binddn cn=zentyalro,dc=computing,dc=lan

bindpw xxxx

scope sub
bind_policy soft
pam_password md5

nss_base_passwd         ou=Users,dc=computing,dc=lan?one
nss_base_passwd         ou=Computers,dc=computing,dc=lan?one
nss_base_shadow         ou=Users,dc=computing,dc=lan?one
nss_base_group          ou=Groups,dc=computing,dc=lan?one
nss_schema              rfc2307bis
nss_map_attribute uniqueMember member
nss_reconnect_tries 2
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

Running this command from ssh to my ltsp server
lovelace_admin@lovelace:~$ ldapsearch -D "uid=test1,ou=Users,dc=computing,dc=lan"  -LLL  -W  uid=test1  homeDirectory

prompts me for the LDAP password. I copy this from the LDAP settings page and paste it, but get an
ldap_bind: Invalid credentials (49)

To test the password I go back to another zentyal terminal and retry it. And it works.
Should I use a different password here?


edit - base dc is wrong at the top of the file ....
« Last Edit: May 09, 2013, 01:04:48 pm by morphy_richards »
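The base DN mismatch noted in the edit above (base under dc=system while binddn and the nss_base_* entries are under dc=computing), and the malformed -H URI earlier in the thread, are both things a quick consistency check catches before any bind is attempted. This is an added example, not code from the thread or from Zentyal; the sample config it writes is constructed from the settings posted above, with a placeholder bind password.

```shell
#!/bin/sh
# Added example (not from the thread or Zentyal): sanity-check an nss/pam style
# /etc/ldap.conf before trying any bind. Catches a uri without an ldap:// scheme
# and a base DN whose dc= suffix differs from binddn and the nss_base_* entries.

conf_value() {  # conf_value FILE KEY -> value of the first "KEY value" line
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

dn_suffix() {  # dn_suffix DN -> its dc=... components, lowercased, "?scope" dropped
    printf '%s\n' "$1" | sed 's/?.*$//' | tr -d ' ' | tr 'A-Z' 'a-z' |
        awk -F, '{ out = ""; for (i = 1; i <= NF; i++) if ($i ~ /^dc=/)
                     out = (out == "" ? $i : out "," $i); print out }'
}

check_ldap_conf() {  # check_ldap_conf FILE -> 0 if consistent, 1 otherwise
    f="$1"; rc=0
    uri=$(conf_value "$f" uri)
    case "$uri" in
        ldap://*|ldaps://*|ldapi://*) ;;
        *) echo "uri '$uri' has no ldap:// scheme (ldapsearch -H would reject it)"; rc=1 ;;
    esac
    base=$(dn_suffix "$(conf_value "$f" base)")
    binddn=$(conf_value "$f" binddn)
    [ "$(dn_suffix "$binddn")" = "$base" ] ||
        { echo "binddn '$binddn' is not under base '$base'"; rc=1; }
    for dn in $(awk '$1 ~ /^nss_base_/ { print $2 }' "$f"); do
        [ "$(dn_suffix "$dn")" = "$base" ] ||
            { echo "$dn is not under base '$base'"; rc=1; }
    done
    return $rc
}

write_sample_conf() {  # write_sample_conf FILE BASE_DN: constructed config modelled on the post above
    cat > "$1" <<EOF
base $2
uri ldap://192.168.0.4:390
ldap_version 3
binddn cn=zentyalro,dc=computing,dc=lan
bindpw REPLACE_ME
scope sub
nss_base_passwd ou=Users,dc=computing,dc=lan?one
nss_base_group  ou=Groups,dc=computing,dc=lan?one
EOF
}

# Usage: sh check_ldap_conf.sh /etc/ldap.conf
if [ -n "${1:-}" ]; then check_ldap_conf "$1"; fi
```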

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #10 on: May 09, 2013, 01:10:45 pm »
Fixed the dn at the top of the file to read

base dc=computing, dc=lan

Still getting the invalid credentials when I use that password though.

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #11 on: May 09, 2013, 01:13:53 pm »
Apologies for all this noise.
I have it now: I should be using the read-only DN.

Hopefully will be able to sort the rest out myself. Thanks again.  :)

morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #12 on: May 09, 2013, 01:28:49 pm »
Really nearly almost there now. I have got further with zentyal community edition in 2 days than I have in about 2 months trying with standard Ubuntu and Debian...

I've added
 <volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

to /etc/security/pam_mount.conf.xml on my ltsp server

I can now ssh into it using my ldap test account "test1"

athena_admin@athena:~$ ssh test1@lovelace
test1@lovelace's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic i686)
[...]
Last login: Thu May  9 12:24:43 2013 from athena.computing.lan
Could not chdir to home directory /home/test1: No such file or directory
test1@lovelace:/$

However, it does exist

athena_admin@athena:~$ ls /home
athena_admin  test1

I have enabled PAM in LDAP / PAM settings on the web interface and the default login shell is bash.


morphy_richards

Re: Having trouble with LDAP -can you help?
« Reply #13 on: May 09, 2013, 04:10:24 pm »
Looking at /var/log/auth.log

Code:
May  9 14:57:28 lovelace sshd[12428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=test1
May  9 14:57:28 lovelace sshd[12428]: pam_winbind(sshd:auth): getting password (0x00000388)
May  9 14:57:28 lovelace sshd[12428]: pam_winbind(sshd:auth): pam_get_item returned a password
May  9 14:57:28 lovelace sshd[12428]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTAT
May  9 14:57:28 lovelace sshd[12428]: Accepted password for test1 from 127.0.0.1 port 42187 ssh2
May  9 14:57:28 lovelace sshd[12428]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
May  9 14:57:28 lovelace sshd[12428]: pam_mount(mount.c:69): Messages from underlying mount program:
May  9 14:57:28 lovelace sshd[12428]: pam_mount(mount.c:73): Unable to find suitable address.
May  9 14:57:28 lovelace sshd[12428]: pam_mount(pam_mount.c:521): mount of test1 failed

edit - it says here uid=0

but if I try
id test1
I get
Code:
lovelace_admin@lovelace:/$ id test1
uid=2001(test1) gid=1901(__USERS__) groups=2001(test group),1901(__USERS__)

syslog just says
Code:
May  9 15:06:33 lovelace kernel: [91361.942857] CIFS VFS: Error connecting to socket. Aborting operation
May  9 15:06:33 lovelace kernel: [91361.943375] CIFS VFS: cifs_mount failed w/return code = -111

My /etc/security/pam_mount.conf.xml

Code:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="1" />

                <!-- Volume definitions -->

<volume user="*" fstype="cifs" server="192.168.0.4" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />

                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>
« Last Edit: May 09, 2013, 04:14:40 pm by morphy_richards »

christian

Re: Having trouble with LDAP -can you help?
« Reply #14 on: May 09, 2013, 04:26:00 pm »
Does this help?