Author Topic: LDAP does not function.  (Read 8785 times)

EdLesMann

LDAP does not function.
« on: January 16, 2011, 09:00:45 pm »
Hello!
I have been working to migrate a bunch of older systems into a single Zentyal installation. Right now I have a few systems set up a long time ago for things like email, instant messaging with jabber, firewall, etc. Migrating them all to a single system seems like a perfect fit for Zentyal! In testing, everything works ok except one: LDAP.

I _only_ have Linux systems. No BSD. No Unix. No Apple. No Windows. Just CentOS 5, Red Hat 5, several versions of Fedora, Ubuntu 10.04 LTS, and Debian Lenny. So when I want LDAP to work, I only care about Linux, and I can't get any of them to work.

Now I have read TONS of documentation.
http://doc.zentyal.org/en/directory.html
http://trac.zentyal.org/wiki/Document/Documentation/ZentyalDesktop/Ubuntu

I have even read forums and found others in similar situations; however, some of them are old, some are new, and I didn't feel comfortable hijacking someone else's thread with my problems, especially when I don't know how related our answers may or may not be. There are also a few out there that don't even have replies. Here are a few examples.
http://www.mail-archive.com/ebox-user@lists.ebox-platform.com/msg00082.html
http://forum.zentyal.org/index.php?topic=3861.0
http://forum.zentyal.org/index.php?topic=5942.0


I have read a lot more documentation, but I wanted to give a sample of where I am getting the information for the work I have done.

Still, even with all of this documentation, I can't get this to work. I have spent a week toying around with LDAP and Zentyal and I am getting very frustrated so any help that will fix this issue would be greatly appreciated.



Here I have taken two machines and documented the full process. Can someone tell me what I have done wrong?

First, the Zentyal system. I chose 'Install (delete all disk)'. I went through the standard options for locality, keyboard, etc. I set the hostname to zentyal.test.local. The user is ldapadmin. Because I want this running as a gateway/firewall, I have two network cards. Eth0 runs to a switch which has the second computer attached. Eth1 goes out to the internet.

As soon as the install was complete (and before I installed any modules) I did an update from the web interface. Since the update includes a new Linux kernel, I rebooted into it.

I installed Zentyal with the following modules: firewall, network configuration, network objects, network services, dhcp service, and users and groups. I only want to test the LDAP right now.
The installation has a host name of zentyal.test.local and I chose to make it a standalone server. The network is eth1 external and set to DHCP. Eth0 is internal and set to 10.1.1.1.

First I enabled everything in module status. Network, Firewall, DHCP, Events, Logs, Users and Groups, and User Corner. Smashed all the many save buttons.

Next, DHCP for the other system. Don't care too much about these settings, so the only thing I did under the DHCP menu was add a range for eth0 (my internal network) for 10.1.1.10-10.1.1.20. Then hit save a bunch more times... This is solely for the purpose of my client machine getting an IP I don't have to configure.

Firewall->Packet filter->Filtering rules from internal networks to zentyal->Edit LDAP->Change Decision from Deny to Accept. Then change, then save....then save yet again.

Now pop over to the command line. In order to enable roaming profiles (something I would like to do), according to the official documentation (second of my links ^^^ up there ^^^) I have to install scponly and unison: sudo apt-get install unison scponly. There will be a security warning. I don't like security warnings, so I took the installer's advice and disabled that particular chrooted feature.

Office->User and Group->LDAP settings
Enable Pam -> checked
Default Login Shell -> scponly
Change->save->save

Also, under that same tab that is where my ldap info is stored.
Base DN:    dc=zentyal,dc=test,dc=local
Root DN:    cn=ebox,dc=zentyal,dc=test,dc=local
Password:    uS.yacyZyefLcXcG
Users DN:    ou=Users,dc=zentyal,dc=test,dc=local
Groups DN:    ou=Groups,dc=zentyal,dc=test,dc=local

Office->User and Group->Groups
I added a group called users.

Office->User and Group->Users
I added a user called 'Thisis Atest' with the username of 'testingldap' and set him to the users group I just created.

As I understand it, this user should be all setup and ready to log in to an LDAP system.

So now for the client.
I couldn't get CentOS 5, nor Debian Lenny to authenticate against the LDAP server. Their built in tools just wouldn't connect. Then I found the link to the zentyal-desktop. It isn't much of a reach to believe that if Zentyal has a desktop program then it *should* just connect to the LDAP Zentyal server. So I did a fresh clean install of Ubuntu 10.04 LTS. I set the user in the install to be ldapadmin. Once the install was complete, I ran updates and added the zentyal repository (found in the links I posted above). So DHCP is working and so is access to the internet. So far things are looking good on the client.

When I ran 'apt-get install zentyal-desktop' I got a series of questions for which I used the above LDAP info to answer.
LDAP URI: ldap:///10.1.1.1:389/
[Edit]: I am now putting ldap instead of ldapi. Still don't know how correct the change is, but it works now.

Distinguished name of search base: dc=zentyal,dc=test,dc=local
LDAP version: 3
Make root database admin: checked
Does LDAP database require login: unchecked
[Edit]: If you don't check this, then it won't ask for an unprivileged user. I can't find evidence that Zentyal creates this user by default. If you want this option, I think you will have to create it yourself.

Root LDAP account: cn=ebox,dc=zentyal,dc=test,dc=local
Root LDAP password: uS.yacyZyefLcXcG
Zentyal Server Address: 10.1.1.1
Zentyal server LDAP mode: Unchecked
[EDIT]: Unless you have Zentyal in a master-slave setup, this needs to be unchecked. I mis-read this earlier. Sorry.

According to the documentation I found, I have to edit /etc/zentyal-desktop/zentyal-desktop.conf and set roaming-profiles = yes. Then the documentation says to reboot. So I did.

Now supposedly magic happens here.

At the login screen I type in the new user testingldap (the user created on the zentyal server). There is a REALLY long pause before the password screen pops up. Then I type in the user password. Another REALLY long pause. Now I am back at the login screen. Well, maybe there is something screwy and I need to log into the command line version first. Alt+Ctrl+F1 and type in testingldap and password. Nope. No errors. No messages. Just get the prompt returned back to me.

Time to log in with the ldapadmin account that I created. No long pauses with the user, but it takes about 2 minutes after displaying the motd banner before I get a shell prompt. When it does connect, I see that it generated my ssh-keys, an error about host key verification failed, asks if I want to store 10.1.1.1's host key, and this error:
Connected [//ldapdesktop/home/ldapadmin -> //zentyal//home/ldapadmin]
Looking for changes
Uncaught exception Sys_error("Broken Pipe")
Fatal error: exception Sys_error("Broken Pipe")

If I try to log in with ldapadmin through GDM (the GUI) then it pauses so long that it times out and goes back to the menu. I don't even get a chance to type in a password. However, the command line works. I get errors about lock files, but even if I delete them I still get the errors on next login. I also get errors when running sudo now: "/bin/sh failed: exit code 1".

[Edit]: See note below about Mr Minty.

In /var/log/auth.log there are a TON of errors like the following:
Can't connect to LDAP server
Can't contact LDAP server
failed to bind to LDAP server
could not search LDAP server

I also found this error "pam_succeed_if(gdm:auth) error retrieving information about user testingldap".

Everything I try at this point seems to only break more things. There are two things I am REALLY confused about:
1) Ping zentyal.test.local fails. I assume this is because I don't have a name service running on Zentyal. So I added it to /etc/hosts. The reason I did so was because I thought maybe LDAP was trying to connect over the name instead of the IP. However, once I add it to /etc/hosts I can ping it by name but the errors still persist. Why? Why can't it connect to the ldap server when it OBVIOUSLY connects via ssh at login on the command line.

2) Obviously, it partially works. The existing user was able to log in and connect to 10.1.1.1 and there had to be some sort of authentication verification process that went on for ldapadmin, but why not for the testingldap user? The whole point of this is so that I only have to manage users in Zentyal and NOT on every host on every Linux OS variation.

Why doesn't this just work? Why isn't this straight forward? I am doing this by the documentation. I am using the Zentyal server LDAP AND the provided packages for Ubuntu. It would be one thing if this documentation worked precisely as it should for the server and client but didn't work as well for other Linux distros. At least in that case the documentation would be correct for the supported platforms, but I am doing everything according to the documentation using the supported platforms and it doesn't work. It is very very frustrating...

Any help to get this working would be very appreciated. Also, if you want log files in addition to all the work I just posted above, I can post them. I just don't see anything too unique or special in them that hasn't already been mentioned.

Thanks.
Ed.

[Edit]: Thanks to MrMinty here: http://forum.zentyal.org/index.php?topic=5961.0
Using his script I got Ubuntu 10.04 to use LDAP. I still have a million questions and have not been able to make much progress with anything but Ubuntu, but at least I have it working with Ubuntu now. I still have a few odd things in the log file and logins still take ~10 seconds but it works for the GUI.

I will update if I get more information/fixes for future visitors of this thread.
« Last Edit: January 19, 2011, 09:19:58 pm by EdLesMann »

johnaaronrose

Re: LDAP does not function.
« Reply #1 on: January 23, 2011, 05:22:46 pm »
I've reported a bug on Zentyal (ticket 2678, though it hasn't put it fully onto its database as it's not retrievable even as one of My Tickets). Hopefully, this might make zentyal-package work as per the documentation on
http://trac.zentyal.org/wiki/Document/Documentation/ZentyalDesktop/Ubuntu
i.e. the user (as defined to Zentyal) and their home directory is created by a script located at /usr/share/zentyal-desktop/zentyal-setup-user - implied by screen shot showing a keyed-in Username with Other..  showing on the Ubuntu Login window.
Regards,
John

johnaaronrose

Re: LDAP does not function.
« Reply #2 on: February 08, 2011, 06:13:37 pm »
No reply to Zentyal ticket 2678 re zentyal-desktop package. Does anybody know what's happening in the ebox company? This ldap glitch seems to me to be a critical one preventing takeup of Zentyal?   
Regards,
John

EdLesMann

Re: LDAP does not function.
« Reply #3 on: February 17, 2011, 04:47:27 pm »
Does anybody know what's happening in the ebox company?
Wish I did. There are far too many unanswered questions on this forum.

This ldap glitch seems to me to be a critical one preventing takeup of Zentyal?   
Well it certainly hasn't helped. I still have several pieces that are broken though I have managed to get basic functionality out of it. There is still a ways to go and the lack of proper documentation and support on the forums isn't helping.

The silence is near deafening on the vast majority of the LDAP threads.

I had something big come up at work these past two weeks, but now that it is finally behind me I will get back to working on Zentyal and LDAP. I will post back if I find anything useful.

tennisrx

Re: LDAP does not function.
« Reply #4 on: February 27, 2011, 09:59:13 pm »
Check the firewall rules on the Zentyal server. I know it sounds simple but LDAP was set for DENY on the "Internal networks to Zentyal" Packet Filter on my test box.
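The messages in the first post ("Can't contact LDAP server", "failed to bind to LDAP server") and the packet-filter Deny rule tennisrx mentions are different layers, and nss_ldap/pam_ldap collapse them into one line in auth.log. The script below is an added example, not part of this thread, of Zentyal or of zentyal-desktop: it probes the LDAP port from the client using only the Python standard library and reports a TCP timeout (what an iptables DROP rule such as Zentyal's Deny looks like), a connection refused, or the server's actual bind resultCode, by encoding an LDAPv3 simple bind by hand per RFC 4511 and decoding the BindResponse. The host 10.1.1.1, the root DN cn=ebox,dc=zentyal,dc=test,dc=local and the search base are taken from the first post; the canned BindResponse bytes and the tiny stand-in server are constructed for offline use and were not captured from a real Zentyal box.

```python
"""Layered LDAP probe: TCP reachability, then a hand-encoded LDAPv3 simple bind (RFC 4511 / BER).
Python 3 standard library only, so it runs on a client that has no python-ldap installed."""
import socket
import threading

# RFC 4511 resultCode values a failing nss_ldap/pam_ldap client most often gets back.
RESULT_CODES = {0: "success", 2: "protocolError", 8: "strongerAuthRequired", 32: "noSuchObject",
                34: "invalidDNSyntax", 49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|N, then N big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """INTEGER (0x02) for non-negative values; a leading zero byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }; empty DN+password = anonymous."""
    op = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))

def read_tlv(buf, pos=0):
    """Decode one BER element at pos; returns (tag, payload, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying BindResponse [APPLICATION 1]."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, _, pos = read_tlv(body)                   # messageID
    optag, op, _ = read_tlv(body, pos)
    if optag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % optag)
    _, code, pos = read_tlv(op)                  # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)                # matchedDN
    _, diag, _ = read_tlv(op, pos)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("server closed the connection mid-message")
        data += part
    return data

def recv_message(sock):
    """Read exactly one BER element (tag, length octets, body) from the socket."""
    hdr = recv_exact(sock, 2)
    length = hdr[1]
    if length >= 0x80:
        extra = recv_exact(sock, length & 0x7F)
        hdr, length = hdr + extra, int.from_bytes(extra, "big")
    return hdr + recv_exact(sock, length)

def probe_bind(host, port, bind_dn="", password="", timeout=5.0):
    """Connect, then bind. Returns ("connect", reason) if TCP fails, else ("bind", code, name, diagnostic)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("connect", "timeout")      # what an iptables DROP (Zentyal's packet-filter Deny) looks like
    except ConnectionRefusedError:
        return ("connect", "refused")      # a REJECT rule, or nothing listening on that port
    except OSError as exc:
        return ("connect", "error: %s" % exc)
    with sock:                             # a resultCode here means the firewall is fine; look at DN/password
        sock.sendall(bind_request(1, bind_dn, password))
        code, diag = parse_bind_response(recv_message(sock))
    return ("bind", code, RESULT_CODES.get(code, "other"), diag)

# Constructed BindResponse messages for offline testing (not captured from a real Zentyal/slapd).
BIND_OK = bytes.fromhex("300c02010161070a010004000400")       # resultCode 0, empty matchedDN/diagnostic
BIND_INVALID = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49 invalidCredentials

def canned_server(response):
    """Constructed stand-in for slapd (offline use only): a fresh 127.0.0.1 port that answers the first message with `response`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            recv_message(conn)
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real server, save it as ldapprobe.py on the client and run `python3 -c "import ldapprobe; print(ldapprobe.probe_bind('10.1.1.1', 389))"` for the anonymous bind that the "require login: unchecked" answer in the first post relies on, then again with the DN and password as the third and fourth arguments. A `("connect", "timeout")` points at the Zentyal packet filter, `("bind", 49, "invalidCredentials", "")` means the port and rule are fine. Note that answering the zentyal-desktop questions with the root DN puts the directory's master credential in the client's LDAP configuration on every desktop; a dedicated low-privilege search account is the safer answer to the "unprivileged user" question, and a password on a command line is visible in the process list, so prefer prompting for it in anything beyond a test.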

johnaaronrose

Re: LDAP does not function.
« Reply #5 on: March 03, 2011, 12:28:45 pm »
tennisrx,

Thanks for the suggestion, but I'd previously set that rule to Accept.
Regards,
John

J. A. Calvo

  • Zentyal Staff
    • http://blogs.zentyal.org/jacalvo
Re: LDAP does not function.
« Reply #6 on: March 03, 2011, 05:37:52 pm »
No reply to Zentyal ticket 2678 re zentyal-desktop package. Does anybody know what's happening in the ebox company? This ldap glitch seems to me to be a critical one preventing takeup of Zentyal?   

I don't know what you mean by what's happening to our company... You can see the activity at http://trac.zentyal.org/timeline; we work on the project every day. If a ticket has no response or activity, that only means we haven't started to work on it.

Regarding your question about the "My tickets" query, I think that only works for authenticated users.
Zentyal Server Lead Developer

johnaaronrose

Re: LDAP does not function.
« Reply #7 on: March 03, 2011, 08:34:04 pm »
JA Calvo,

Apologies if I have offended you. The point that I was trying to communicate is that, as a potential Zentyal user (who would like to install it on my clients' networks who would pay for support), I need to see that Ubuntu Desktops (as well as Zentyal Server) would be stable: for this stability, the zentyal-desktop package is almost essential as I regard ldap communication (between server & desktop) as essential. I'm grateful for your quoting of the timeline URL showing bugs fixed / enhancements 'done'. However, from a user perspective, I would like to know when the zentyal-desktop package will be stable. Could you advise?
Regards,
John

J. A. Calvo

Re: LDAP does not function.
« Reply #8 on: March 03, 2011, 09:43:19 pm »
Don't worry, no offense taken :) We fully understand the need for a stable version of Zentyal Desktop, but it is not our top priority right now, although we want to provide it before the end of this year. You should expect a boost in the development of the desktop right after the release of the next Zentyal Server 2.2 (in September).

Thanks for your interest in our products!
Zentyal Server Lead Developer