Issue Starting Admin Server after Enabling SSL in Admin Server.
by Yogesh Sharma
Hi,
My 389-ds is using SSL in Directory Server. Once I checked the checkbox in
Admin Server to use SSL and tried to restart it (admin), it fails. The
log says:
[Tue Sep 23 05:20:35 2014] [notice] SELinux policy enabled; httpd running
as context unconfined_u:system_r:httpd_t:s0
[Tue Sep 23 05:20:36 2014] [crit] sslinit: NSS is required to use LDAPS,
but security initialization failed [-12285:Unable to find the certificate
or key necessary for authentication.]. Cannot start server
[root@vm-ser-master-01 admin-serv]# certutil -d /etc/dirsrv/admin-serv -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@vm-ser-master-01 admin-serv]#
[root@vm-ser-master-01 admin-serv]# certutil -d /etc/dirsrv/slapd-vm-ser-master-01/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca.initd.in                                                  CT,,
server-cert                                                  u,u,u
[root@vm-ser-master-01 admin-serv]#
I also tried disabling SSL to revert back, but it is failing and there are no messages
in the log. Please suggest how to fix or revert this.
Best Regards,
Yogesh Sharma
9 years, 8 months
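The two certutil listings in this post differ in exactly the way the "Unable to find the certificate or key" error describes: the slapd database has a CA (ca.initd.in, trust CT,,) and a server cert with its private key (server-cert, u,u,u), while /etc/dirsrv/admin-serv lists nothing. The script below is an added example, not part of the post or of 389-ds: it parses `certutil -L` output and reports whether a database can back an SSL-enabled Admin Server. The listings it runs on are constructed to match the two shown above; the layout it assumes (two header lines, then one nickname/trust line per certificate) is the standard certutil format.

```shell
#!/bin/sh
# Added example (not from the post): decide from `certutil -L` output whether
# an NSS database holds what an SSL-enabled Admin Server needs: a certificate
# whose SSL trust flag contains "u" (the DB has its private key) and a CA
# trusted for SSL ("C" or "T" in the SSL flag).

# Constructed listings, shaped like the two `certutil -L` runs in the post.
ADMIN_DB_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
'
SLAPD_DB_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca.initd.in                                                  CT,,
server-cert                                                  u,u,u
'

# server_cert_nick LISTING: print the nickname of the first certificate whose
# SSL trust flag contains "u" (private key present); exit 1 if there is none.
server_cert_nick() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                       # skip the two header lines
        NF >= 2 {
            split($NF, t, ",")                 # t[1] = SSL flags, t[2] = S/MIME, t[3] = JAR/XPI
            if (t[1] ~ /u/) {
                nick = $0
                sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", nick)   # drop trailing trust column
                print nick; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# nss_listing_ready LISTING: exit 0 only if the DB has both a server cert with
# its key and a CA trusted for SSL.
nss_listing_ready() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }
        NF >= 2 {
            split($NF, t, ",")
            if (t[1] ~ /u/)    have_key = 1
            if (t[1] ~ /[CT]/) have_ca = 1
        }
        END { exit ((have_key && have_ca) ? 0 : 1) }'
}

# report LABEL LISTING: one-line verdict for a database.
report() {
    if nss_listing_ready "$2"; then
        echo "$1: usable for SSL (server cert: $(server_cert_nick "$2"))"
    else
        echo "$1: not usable for SSL: no server cert with key and/or no CA trusted for SSL"
    fi
}

# On a live host feed real output instead, e.g.:
#   report admin-serv "$(certutil -d /etc/dirsrv/admin-serv -L)"
report admin-serv "$ADMIN_DB_LISTING"
report slapd      "$SLAPD_DB_LISTING"
```

Run before ticking the SSL box in the console: if the admin-serv database reports "not usable", the Admin Server cannot come up with SSL enabled, whatever the Directory Server's own database contains, because the two services read different NSS databases.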
No sample entries means no suffix/BaseDN?
by David Barr
Good morning!
In the current EPEL version of 389-ds, if I go through config-ds-admin.pl, option 3, these questions are included:
```
Suffix [dc=localdomain]:
Do you want to install the sample entries? [no]:
Type the full path and filename, the word suggest, or the word none [suggest]:
```
If I take the defaults listed, I get my Base DN (“dc=localdomain”) and all of the suggested ou=People and ou=Groups entries.
If I give the keyword “none” to the suggested entries item, I don’t get any of the suggestions. Nor do I get my Suffix/Base DN! My expectation is that I would get my Base DN in any case, since the configuration script asks for it.
If this is deliberate behavior, how would I craft the LDIF to create my Base DN? Specifically, how would I identify it as the Base DN to 389-ds?
If this is not deliberate behavior, I have a more detailed example I can submit to https://fedorahosted.org/389/newticket, or wherever.
Thanks!
David
--
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
Integrity*Commitment*Communication*Support
----5----1----5----2----5----3----5----4----5----5----5----6----5----7--
Pavlov walks into a bar. The phone rings and he says,
"Damn! I forgot to feed the dog!"
9 years, 8 months
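To answer the "how would I identify it as the Base DN" part: 389-ds does not mark an entry as a suffix by anything in the entry itself. A suffix exists when cn=config holds a backend instance whose nsslapd-suffix names it and a mapping-tree entry that routes the suffix to that backend; the top entry (dc=localdomain) is then an ordinary entry added into that backend. The script below is an added example, not the output of setup-ds-admin.pl and not from the post; it generates those pieces as LDIF. The backend name userRoot and the domain-style top entry are assumptions, and which of the three pieces setup left behind after "none" is not visible in the post, so check cn=config first and add only what is missing.

```shell
#!/bin/sh
# Added example, not from the post or from the 389-ds setup scripts: emit the
# LDIF that defines a suffix by hand.  A suffix is (1) a backend instance under
# cn=ldbm database,cn=plugins,cn=config with nsslapd-suffix set, (2) a mapping
# tree entry under cn=mapping tree,cn=config pointing at that backend, and
# (3) the top entry itself.  "userRoot" is an assumed backend name.

# suffix_config_ldif SUFFIX BACKEND: print the backend and mapping tree entries.
suffix_config_ldif() {
    suffix=$1; backend=$2
    cat <<EOF
dn: cn=$backend,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: $backend
nsslapd-suffix: $suffix

dn: cn="$suffix",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "$suffix"
nsslapd-state: backend
nsslapd-backend: $backend
EOF
}

# suffix_root_ldif SUFFIX: print the top entry for a dc=... suffix; the value
# of the first RDN becomes the dc attribute.  Only dc= suffixes are handled;
# an o= or ou= suffix needs a different objectClass and naming attribute.
suffix_root_ldif() {
    suffix=$1
    dc=$(printf '%s' "$suffix" | sed 's/^[dD][cC]=\([^,]*\).*/\1/')
    cat <<EOF
dn: $suffix
objectClass: top
objectClass: domain
dc: $dc
EOF
}

# Typical use as Directory Manager once setup has finished without sample entries:
#   suffix_config_ldif dc=localdomain userRoot | ldapadd -x -D "cn=Directory Manager" -W
#   suffix_root_ldif   dc=localdomain         | ldapadd -x -D "cn=Directory Manager" -W
suffix_config_ldif dc=localdomain userRoot
echo
suffix_root_ldif dc=localdomain
```

If setup already created the backend and mapping tree, the first ldapadd fails with "Already exists" and only the top entry is needed; an `ldapsearch -b "cn=mapping tree,cn=config"` as Directory Manager shows which suffixes the server currently knows about.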
installing 389-ds-base-1.3.2.2 on CentOS using repositories
by Luigi Santangelo
Hi all,
I'm trying to install 389-ds-base 1.3.2.2 or higher on my CentOS 6.5 server
because I need SyncRepl (released starting from that version).
I installed epel Repo. Running yum install 389\*, the 389-ds-base version
installed is 1.2.11.15. I tried with --enablerepo=epel-testing option but
to no avail.
In which repository can I find the binary of 389-ds-base 1.3.2.2 or higher?
Is it available only as source code?
Thanks in advance.
Regards,
Luigi
9 years, 8 months
Upgrading DS 389 via RPM
by Chris Taylor
I am running 389 DS version 1.2.11.15 release 32.el6_5 and want to upgrade via RPM to 34.el6_5. After I run the RPM, is there anything else I need to do?
Thanks,
Chris
9 years, 8 months
Schema attributes for email
by Kevin Kelly
Good evening 389-DS users.
We are in the process of combining three different LDAP environments
into one. Two are OpenLDAP and one is 389. Fortunately, importing the
OpenLDAP data into 389 has gone relatively smoothly.
Amongst the many requirements that we have for this project is the need to have the following attributes in the schema:
mailHost
mailLocalAddress
mailRoutingAddress
A quick Google search led me to the 60sendmail.ldif file as well as several sites that said the 50ns-mail.ldif and 60sendmail.ldif cannot both exist in the same schema at the same time.
The problem I am running into is that one group uses the mailMessageStore attribute that is part of the 50ns-mail.ldif file. If 50ns-mail.ldif is removed from my schema, how would I be able to still make use of mailMessageStore attribute? Can I extract this from 50ns-mail.ldif and add it to the 99user.ldif file? Would I also need to add the objectClasses from 50ns-mail.ldif to the 99user.ldif file?
Any advice you can provide me would be greatly appreciated.
Best regards,
Kevin Kelly
9 years, 8 months
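The mechanics of "extract this from 50ns-mail.ldif and add it to 99user.ldif" are the same for any attribute: copy the attributeTypes line, then every objectClasses line whose MUST or MAY lists the attribute, keeping the attribute first because an objectClass can only reference attributes already defined. The script below is an added example, not from the post and not the contents of 50ns-mail.ldif; it runs on a constructed schema fragment with descriptive "name-oid" OIDs and assumes the one-definition-per-line layout used by the files under /etc/dirsrv/slapd-*/schema.

```shell
#!/bin/sh
# Added example, not from the post: pull one attribute definition and every
# objectClass that uses it out of a 389-ds schema file so they can be carried
# into 99user.ldif.  The schema below is constructed; it is not 50ns-mail.ldif.
SCHEMA=$(cat <<'EOF'
dn: cn=schema
attributeTypes: ( mailMessageStore-oid NAME 'mailMessageStore' DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'example' )
attributeTypes: ( mailQuota-oid NAME 'mailQuota' DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'example' )
objectClasses: ( mailRecipient-oid NAME 'mailRecipient' DESC 'constructed sample' SUP top AUXILIARY MAY ( mailMessageStore $ mailQuota ) X-ORIGIN 'example' )
objectClasses: ( mailGroup-oid NAME 'mailGroup' DESC 'constructed sample' SUP top AUXILIARY MAY ( mailQuota ) X-ORIGIN 'example' )
EOF
)

# attr_def SCHEMA NAME: the attributeTypes line(s) whose NAME list contains
# NAME (matched case-insensitively, in quotes, so mailQuota != mailQuotaX).
attr_def() {
    printf '%s\n' "$1" | awk -v name="$2" '
        BEGIN { q = "\047"; pat = q tolower(name) q }
        tolower($0) ~ /^attributetypes:/ && index(tolower($0), pat) { print }'
}

# classes_using SCHEMA NAME: objectClasses lines listing NAME in MUST or MAY.
# The name must be delimited by a space, "(", ")" or "$" on both sides.
classes_using() {
    printf '%s\n' "$1" | awk -v name="$2" '
        BEGIN { pat = "[ ($]" tolower(name) "[ $)]" }
        tolower($0) ~ /^objectclasses:/ && tolower($0) ~ pat { print }'
}

# user_schema_ldif SCHEMA NAME: fragment ready to append to 99user.ldif,
# attribute first, then the objectClasses that reference it.
user_schema_ldif() {
    attr_def "$1" "$2"
    classes_using "$1" "$2"
}

# Against a real file:
#   user_schema_ldif "$(cat /etc/dirsrv/slapd-*/schema/50ns-mail.ldif)" mailMessageStore
user_schema_ldif "$SCHEMA" mailMessageStore
```

Before appending the result, compare the objectClass names and OIDs it contains with those in 60sendmail.ldif: if any collide, the same conflict the post describes comes back from 99user.ldif instead. Changes made to cn=schema over LDAP (ldapmodify as Directory Manager) are written by the server into 99user.ldif, which avoids editing the file by hand while the server is running.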
Stuck in read only mode
by Chris Taylor
I am having an issue where I have two 389-ds servers stuck in read only mode. I am running version 1.2.11.15 in an MMR setup. I had created a new OU and imported a bunch of user accounts via LDIF file, which was successful. Then I went and tried to create a browsing index (via the GUI console).
This eventually timed out and I had to manually close the window. I then went and did the same thing on my other server not thinking anything of it. I now see that both systems are stuck in read only mode.
I can't seem to put them in write mode via the GUI and the only thing that I have in the error logs is the following.
Backend instance: 'userRoot' is already in the middle of another task and cannot be disturbed.
What are my next steps? Do I just restart slapd, go back in and turn off read only mode (if possible). Or is there a way to kill this hung-up index task.
Any help would be appreciated.
Thanks,
Chris
9 years, 8 months
Export the object definitions only
by Ghiurea, Isabella
Hi Gurus,
I would like to know how I can export only the object definitions (roles, ac's definitions), not the DS data content; we would like to be able to have a copy of the definitions for development purposes.
Thank you
Isabella
9 years, 8 months
Announcing 389 Directory Server 1.2.11.32
by Noriko Hosoi
389 Directory Server 1.2.11.32
The 389 Directory Server team is proud to announce 389-ds-base version
1.2.11.32.
This release is only available in binary form for EL5 (EPEL5) and EL6 -
see Download#RHEL6/EPEL6
<http://www.port389.org/docs/389ds/download.html> for more details.
The new packages and versions are:
* 389-ds-base-1.2.11.32-1
A source tarball is available for download at Download Source
<http://www.port389.org/binaries/389-ds-base-1.2.11.32.tar.bz2>
Highlights in 1.2.11.32
* several bug fixes including a security bug
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use yum install 389-ds:
    yum install 389-ds
After install completes, run setup-ds-admin.pl to set up your
directory server:
    setup-ds-admin.pl
To upgrade, use yum upgrade:
    yum upgrade
After upgrade completes, run setup-ds-admin.pl -u to update your
directory server/admin server/console information:
    setup-ds-admin.pl -u
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 1.2.11.29
* Bug 1129660 - Adding users to user group throws Internal server error.
* Ticket 346 - Fixing memory leaks
* Ticket 346 - Slow ldapmodify operation time for large quantities of
multi-valued attribute values
* Ticket 415 - winsync doesn’t sync DN valued attributes if DS DN
value doesn’t exist
* Ticket 443 - Deleting attribute present in
nsslapd-allowed-to-delete-attrs returns Operations error
* Ticket 616 - High contention on computed attribute lock
* Ticket 47331 - Self entry access ACI not working properly
* Ticket 47426 - Coverity issue with last commit(move
compute_idletimeout out of handle_pr_read_ready)
* Ticket 47426 - move compute_idletimeout out of handle_pr_read_ready
* Ticket 47446 - logconv.pl memory continually grows
* Ticket 47457 - default nsslapd-sasl-max-buffer-size should be 2MB
* Ticket 47649 - Server hangs in cos_cache when adding a user entry
* Ticket 47670 - Aci warnings in error log
* Ticket 47692 - single valued attribute replicated ADD does not work
* Ticket 47707 - 389 DS Server crashes and dies while handles paged
searches from clients
* Ticket 47713 - Logconv.pl with an empty access log gives lots of errors
* Ticket 47736 - Import incorrectly updates numsubordinates for
tombstone entries
* Ticket 47750 - Creating a glue fails if one above level is a
conflict or missing
* Ticket 47764 - Problem with deletion while replicated
* Ticket 47767 - Nested tombstones become orphaned after purge
* Ticket 47770 - #481 breaks possibility to reassemble memberuid list
* Ticket 47771 - Cherry pick issue parentsdn freed twice
* Ticket 47771 - Move parentsdn initialization to avoid crash
* Ticket 47771 - Performing deletes during tombstone purging results
in operation errors
* Ticket 47772 - empty modify returns LDAP_INVALID_DN_SYNTAX
* Ticket 47772 - fix coverity issue
* Ticket 47773 - mem leak in do_bind when there is an error
* Ticket 47774 - mem leak in do_search - rawbase not freed upon
certain errors
* Ticket 47780 - Some VLV search request causes memory leaks
* Ticket 47781 - Server deadlock if online import started while server
is under load
* Ticket 47782 - Parent numbordinate count can be incorrectly updated
if an error occurs
* Ticket 47787 - A replicated MOD fails (Unwilling to perform) if it
targets a tombstone
* Ticket 47793 - Server crashes if uniqueMember is invalid syntax and
memberOf plugin is enabled.
* Ticket 47804 - db2bak.pl error with changelogdb
* Ticket 47809 - find a way to remove replication plugin errors
messages “changelog iteration code returned a dummy entry with csn
%s, skipping …”
* Ticket 47813 - managed entry plugin fails to update member pointer
on modrdn operation
* Ticket 47813 - remove “goto bail” from previous commit
* Ticket 47817 - The error result text message should be obtained just
prior to sending result
* Ticket 47820 - 1.2.11 branch: coverity errors
* Ticket 47821 - deref plugin cannot handle complex acis
* Ticket 47824 - paged results control is not working in some cases
when we have a subsuffix.
* Ticket 47831 - server restart wipes out index config if there is a
default index
* Ticket 47858 - Internal searches using
OP_FLAG_REVERSE_CANDIDATE_ORDER can crash the server
* Ticket 47861 - Certain schema files are not replaced during upgrade
* Ticket 47862 - Repl-monitor.pl ignores the provided connection
parameters
* Ticket 47862 - repl-monitor fails to convert “*” to default values
* Ticket 47863 - New defects found in 389-ds-base-1.2.11
* Ticket 47869 - unauthenticated information disclosure (Bug 1123477)
* Ticket 47872 - Filter AND with only one clause should be optimized
* Ticket 47874 - Performance degradation with scope ONE after some load
* Ticket 47875 - dirsrv not running with old openldap
9 years, 8 months
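Since this release carries a security fix (Ticket 47869, unauthenticated information disclosure), the first thing to check on an existing host is whether the installed 389-ds-base is at or past 1.2.11.32. The script below is an added example, not part of the announcement: it compares rpm version-release strings component by component. One caveat for EL hosts: the distribution's own builds (the 1.2.11.15-NN.el6 packages seen elsewhere on this page) backport fixes under an older upstream version number, so "predates 1.2.11.32" means "check `rpm -q --changelog 389-ds-base` for the ticket", not "vulnerable".

```shell
#!/bin/sh
# Added example, not part of the announcement: check whether an installed
# 389-ds-base package is at or past a given upstream release, using the
# version-release strings as printed by `rpm -qa`.  Components are compared
# numerically left to right; dots and dashes both separate components.

# rpm_evr NVRA: strip the package name and architecture from a full rpm name,
# e.g. 389-ds-base-1.2.11.15-34.el6_5.x86_64 -> 1.2.11.15-34.el6_5
rpm_evr() {
    printf '%s\n' "$1" | sed 's/^389-ds-base-//; s/\.[^.]*$//'
}

# ver_ge A B: exit 0 if version A >= version B.  A missing trailing component
# counts as 0, so 1.2.11.32-1 >= 1.2.11.32.  Non-numeric components (dist
# tags such as el6_5) fall back to string comparison.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : 0
            q = (i <= nb) ? y[i] : 0
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { p += 0; q += 0 }
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# Sample taken from the rpm -qa output elsewhere on this page; on a live host
# use:  INSTALLED=$(rpm -q 389-ds-base)
INSTALLED=389-ds-base-1.2.11.15-34.el6_5.x86_64
FIXED=1.2.11.32
if ver_ge "$(rpm_evr "$INSTALLED")" "$FIXED"; then
    echo "$INSTALLED: at or past $FIXED"
else
    echo "$INSTALLED: predates $FIXED upstream; check rpm -q --changelog 389-ds-base for backported fixes"
fi
```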
Announcing 389 Directory Server 1.3.3.0
by Noriko Hosoi
389 Directory Server 1.3.3.0
The 389 Directory Server team is proud to announce 389-ds-base version
1.3.3.0.
Fedora packages are available from the Fedora 21 and Rawhide repositories.
The new packages and versions are:
* 389-ds-base-1.3.3.0-1
A source tarball is available for download at Download Source
<http://www.port389.org/binaries/389-ds-base-1.3.3.0.tar.bz2>
Highlights in 1.3.3.0
* First cut of 389-ds-base-1.3.3.
Installation and Upgrade
See Download <http://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install, use yum install 389-ds:
    yum install 389-ds
After install completes, run setup-ds-admin.pl to set up your directory server:
    setup-ds-admin.pl
To upgrade, use yum upgrade:
    yum upgrade
After upgrade completes, run setup-ds-admin.pl -u to update your directory server/admin
server/console information:
    setup-ds-admin.pl -u
See Install_Guide
<http://www.port389.org/docs/389ds/legacy/install-guide.html> for more
information about the initial installation, setup, and upgrade
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 1.3.2.23
* Ticket 53 - Need to update supported locales Cleaning up typos and
format.
* Ticket 538 - hardcoded sasl2 plugin path in ldaputil.c, saslbind.c
* Ticket 555 - add fixup-memberuid.pl script
* Ticket 605 - support TLS 1.1
* Ticket 605 - support TLS 1.1 - Fixing “Coverity 12415 - Logically
dead code”
* Ticket 605 - support TLS 1.1 - adding backward compatibility
* Ticket 605 - support TLS 1.1 - lower the log level for the supported
NSS version range
* Ticket 381 - Recognize compressed log files
* Ticket 47368 - Fix Jenkins errors
* Ticket 47368 - Fix coverity issues
* Ticket 47368 - IPA server dirsrv RUV entry data excluded from
replication
* Ticket 47368 - fix memory leaks
* Ticket 47398 - memberOf on a user is converted to lowercase
* Ticket 47422 - With 1.3.04 and subtree-renaming OFF, when a user is
deleted after restarting the server, the same entry can’t be added
* Ticket 47436 - 389-ds-base - shebang with /usr/bin/env
* Ticket 47437 - Some attributes in cn=config should not be multivalued
* Ticket 47451 - Remove old code from linked attr plugin
* Ticket 47451 - add/enable/disable/remove plugins without server restart
* Ticket 47453 - configure SASL/GSSAPI/Kerberos without server restart
* Ticket 47457 - default nsslapd-sasl-max-buffer-size should be 2MB
* Ticket 47466 - Fix coverity issue
* Ticket 47491 - Update systemd service file to use PartOf directive
* Ticket 47499 - if nsslapd-cachememsize set to the number larger than
the RAM available, should result in proper error message.
* Ticket 47519 - memory leaks in access control
* Ticket 47521 - Complex filter in a search request doen’t work as
expected.
* Ticket 47525 - Allow memberOf to use an alternate config area
* Ticket 47525 - Don’t modify preop entry in memberOf config
* Ticket 47525 - Fix memory leak
* Ticket 47525 - Need to add locking around config area access
* Ticket 47529 - Automember plug-in should treat MODRDN operations as
ADD operations
* Ticket 47530 - dbscan on entryrdn should show all matching values
* Ticket 47530 - dbscan on entryrdn should show all matching values
* Ticket 47535 - Logconv.pl - RFE - add on option for a minimum etime
for unindexed search stats
* Ticket 47535 - update man page
* Ticket 47552 - logconv: unindexed report should list bind dn
* Ticket 47553 - Enhance ACIs to have more control over MODRDN operations
* Ticket 47555 - db2bak.pl issue when specifying non-default directory
* Ticket 47570 - slapi_ldap_init unusable during independent plugin
development
* Ticket 47573 - schema push can be erronously prevented
* Ticket 47574 - start dirsrv after ntpd
* Ticket 47579 - add dbmon.sh
* Ticket 47582 - agmt_count in Replica could become (PRUint64)-1
* Ticket 47586 - Need to rebind after a stop (fix to run direct python
script)
* Ticket 47602 - Make ldbm_back_seq independently support transactions
* Ticket 47602 - txn commit being performed too early
* Ticket 47603 - Allow RI plugin to use alternate config area
* Ticket 47603 - should not modify pre op entry during config validation
* Ticket 47608 - change slapi_entry_attr_get_bool to handle “on”/”off”
values, support default value
* Ticket 47618 - Enable normalized DN cache by default
* Ticket 47619 - cannot reindex retrochangelog
* Ticket 47628 - port testcases to new DirSrv interface
* Ticket 47636 - errorlog-level 16384 is listed as 0 in cn=config
* Ticket 47644 - Managed Entry Plugin - transaction not aborted upon
failure to create managed entry
* Ticket 47651 - Finaliser to remove instances backups
* Ticket 47654 - Cleanup old memory leaks reported from valgrind
* Ticket 47654 - Fix regression (deadlock/crash)
* Ticket 47654 - fix double free
* Ticket 47655 - Improve replication total update logging
* Ticket 47657 - add schema test suite and tests for Ticket #47634
* Ticket 47659 - ldbm_usn_init: Valgrind reports Invalid read / SIGSEGV
* Ticket 47664 - Page control does not work if effective rights
control is specified
* Ticket 47667 - Allow nsDS5ReplicaBindDN to be a group DN
* Ticket 47668 - test: port ticket47490_test to Replica/Agreement
interface (47600)
* Ticket 47675 - logconv errors when search has invalid bind dn
* Ticket 47701 - Make retro changelog trim interval programmable
* Ticket 47701 - Make retro changelog trim interval programmable
* Ticket 47710 - Missing warning for invalid replica backoff configuration
* Ticket 47711 - improve dbgen rdn generation, output and man page.
* Ticket 47712 - betxn: retro changelog broken after cancelled transaction
* Ticket 47714 - [RFE] Update lastLoginTime also in Account Policy
plugin if account lockout is based on passwordExpirationTime.
* Ticket 47725 - compiler error on daemon.c
* Ticket 47727 - Updating nsds5ReplicaHost attribute in a replication
agreement fails with error 53
* Ticket 47746 - ldap/servers/slapd/back-ldbm/dblayer.c: possible
minor problem with sscanf
* Ticket 47752 - Don’t add unhashed password mod if we don’t have an
unhashed value
* Ticket 47756 - Improve import logging and abort processing
* Ticket 47756 - fix coverity issues
* Ticket 47761 - Return all attributes in rootdse without explicit request
* Ticket 47790 - Integer config attributes accept invalid values at
server startup
* Ticket 47791 - Negative value of nsSaslMapPriority is not reset to
lowest priority
* Ticket 47803 - syncrepl crash if attribute list is non-empty
* Ticket 47805 - syncrepl doesn’t send notification when attribute in
search filter changes
* Ticket 47808 - If be_txn plugin fails in ldbm_back_add, adding entry
is double freed
* Ticket 47810 - investigate betxn plugins to ensure they return the
correct error code
* Ticket 47812 - logconv.pl missing -U option from usage
* Ticket 47815 - Add operations rejected by betxn plugins remain in cache
* Ticket 47819 - Fix memory leak
* Ticket 47819 - Improve tombstone purging performance
* Ticket 47823 - attribute uniqueness enforced on all subtrees
* Ticket 47827 - Fix coverity issue 12695
* Ticket 47827 - online import crashes server if using verbose error
logging
* Ticket 47829: memberof scope: allow to exclude subtrees
* Ticket 47832 - attrcrypt_generate_key calls
slapd_pk11_TokenKeyGenWithFlags with improper macro
* Ticket 47838 - harden the list of ciphers available by default
* Ticket 47843 - Fix various typos in manpages & code
* Ticket 47844 - Fix hyphens used as minus signed and other manpage
mistakes
* Ticket 47846 - server crashes deleting a replication agreement
* Ticket 47852 - Updating winsync one-way sync does not affect the
behaviour dynamically
* Ticket 47853 - Missing newline at end of the error log messages in
memberof
* Ticket 47853 - client hangs in add if memberof fails
* Ticket 47855 - Fix previous commit
* Ticket 47855 - clear tmp directory at the start of each test
* Ticket 47859 - Coverity: 12692 & 12717
* Ticket 47876 - coverity defects in slapd/tools/mmldif.c
* Ticket 47879 - coverity defects in
plugins/replication/windows_protocol_util.c
* Coverity Issue 12033
* Update test cases due to new modules: Schema, tasks, plugins and index
* bump autoconf to 2.69, automake to 1.13.4, libtool to 2.4.2
* fix assertion failure introduced with fix for ticket 47667
* fix compiler error with alst coverity commit
* fix coverity issue 12621
9 years, 8 months
sudo works for individual user not for group
by jose dancer
Set up two VMs called ldap.lab.local and client.lab.local
Configs/Info for ldap.lab.local:
[root@ldap etc]# cat /etc/centos-release
CentOS release 6.5 (Final)
[root@ldap etc]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.lab.local
BASE dc=lab,dc=local
TLS_REQCERT allow
[root@ldap etc]# rpm -qa |grep 389
389-ds-1.2.2-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
[root@ldap etc]# ldapsearch -x -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# lab.local
dn: dc=lab,dc=local
objectClass: top
objectClass: domain
dc: lab
# Directory Administrators, lab.local
dn: cn=Directory Administrators,dc=lab,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
# Groups, lab.local
dn: ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups
# People, lab.local
dn: ou=People,dc=lab,dc=local
objectClass: top
objectClass: organizationalunit
ou: People
# Special Users, lab.local
dn: ou=Special Users,dc=lab,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# Accounting Managers, Groups, lab.local
dn: cn=Accounting Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
# HR Managers, Groups, lab.local
dn: cn=HR Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
# QA Managers, Groups, lab.local
dn: cn=QA Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
# PD Managers, Groups, lab.local
dn: cn=PD Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
# SUDOers, lab.local
dn: ou=SUDOers,dc=lab,dc=local
ou: SUDOers
objectClass: top
objectClass: organizationalunit
# root, SUDOers, lab.local
dn: cn=root,ou=SUDOers,dc=lab,dc=local
cn: root
objectClass: top
objectClass: sudorole
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: root
# test, lab.local
dn: uid=test,dc=lab,dc=local
givenName: test
sn: test
loginShell: /bin/bash
uidNumber: 600
gidNumber: 10
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: test
gecos: test
cn: test
homeDirectory: /home/test
# defaults, SUDOers, lab.local
dn: cn=defaults,ou=SUDOers,dc=lab,dc=local
cn: defaults
objectClass: top
objectClass: sudorole
sudoOption: env_keep+=SSH_AUTH_SOCK
# test2, lab.local
dn: uid=test2,dc=lab,dc=local
givenName: test2
sn: test2
loginShell: /bin/bash
uidNumber: 654
gidNumber: 10
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: test2
cn: test2
homeDirectory: /home/test2
# wheel, lab.local
dn: cn=wheel,dc=lab,dc=local
gidNumber: 10
memberUid: test2
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: wheel
# wheel, SUDOers, lab.local
dn: cn=wheel,ou=SUDOers,dc=lab,dc=local
cn: wheel
objectClass: top
objectClass: sudorole
sudoCommand: ALL
sudoHost: ALL
sudoUser: %wheel
sudoRunAsUser: ALL
# test, SUDOers, lab.local
dn: cn=test,ou=SUDOers,dc=lab,dc=local
cn: test
objectClass: top
objectClass: sudorole
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: test
# search result
search: 3
result: 0 Success
# numResponses: 18
# numEntries: 17
Configs/Info for client.lab.local:
[root@client ~]# cat /etc/centos-release
CentOS release 6.5 (Final)
[root@client ~]# rpm -qa |grep sssd
sssd-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64
[root@client ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.lab.local
BASE dc=lab,dc=local
TLS_REQCERT allow
[root@client ~]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=lab,dc=local
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=lab,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.lab.local/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
debug_level=6
[autofs]
[ssh]
[pac]
--
[test@client ~]$ sudo -l
[sudo] password for test:
Matching Defaults entries for test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=SSH_AUTH_SOCK
User test may run the following commands on this host:
(ALL) ALL
[test@client ~]$
As you can see, sudo works for user 'test'. Now let's try 'test2':
[test2@client ~]$ sudo -l
[sudo] password for test2:
User test2 is not allowed to run sudo on client.
[test2@client ~]$
--
Output of ldap.lab.local:/var/log/dirsrv/slapd-ldap/access is:
[root@ldap slapd-ldap]# cat access
[07/Sep/2014:10:07:42 -0700] conn=103 op=25 SRCH base="dc=lab,dc=local" scope=2 filter="(&(uid=test2)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn memberOf nsUniqueId modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[07/Sep/2014:10:07:42 -0700] conn=103 op=25 RESULT err=0 tag=101 nentries=1 etime=0
[07/Sep/2014:10:07:42 -0700] conn=103 op=26 SRCH base="dc=lab,dc=local" scope=2 filter="(&(member=uid=test2,dc=lab,dc=local)(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber nsUniqueId modifyTimestamp modifyTimestamp"
[07/Sep/2014:10:07:42 -0700] conn=103 op=26 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[07/Sep/2014:10:07:42 -0700] conn=108 fd=69 slot=69 connection from 192.168.199.98 to 192.168.199.99
[07/Sep/2014:10:07:42 -0700] conn=108 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2014:10:07:42 -0700] conn=108 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Sep/2014:10:07:42 -0700] conn=108 SSL 128-bit AES
[07/Sep/2014:10:07:42 -0700] conn=108 op=1 BIND dn="uid=test2,dc=lab,dc=local" method=128 version=3
[07/Sep/2014:10:07:42 -0700] conn=108 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test2,dc=lab,dc=local"
[07/Sep/2014:10:07:42 -0700] conn=108 op=2 UNBIND
[07/Sep/2014:10:07:42 -0700] conn=108 op=2 fd=69 closed - U1
[root@ldap slapd-ldap]#
--
Both 'test' and 'test2' login fine with LDAP authentication.
If it matters, ldap.lab.local has a self-signed certificate which was created by setupssl2.sh.
Thanks for any suggestions.
9 years, 8 months
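Two details in this post line up: the access log shows sssd resolving test2's groups with the filter (&(member=uid=test2,dc=lab,dc=local)(objectClass=posixGroup)(cn=*)) and getting nentries=0, while the cn=wheel entry lists its member as memberUid: test2. With ldap_schema = rfc2307bis sssd queries group membership by member (its default for that schema); with rfc2307 it queries memberUid. If sssd never sees test2 in wheel, the %wheel sudoRole cannot match, which is consistent with test (granted directly by sudoUser: test) working and test2 not. The script below is an added example, not the poster's, and the diagnosis it encodes is an inference from those lines rather than something the thread confirms: it parses the posted log lines and group entry and flags the mismatch between the configured schema and the attribute the entry actually carries.

```shell
#!/bin/sh
# Added example, not from the post.  Inference under test: sssd with
# ldap_schema = rfc2307bis queries groups by "member", but the posted wheel
# group lists its users with "memberUid", so %wheel never matches.  The log
# lines and the group entry are copied from the post (attrs= trimmed on the
# first SRCH line); nothing else is assumed about the deployment.

ACCESS_LOG=$(cat <<'EOF'
[07/Sep/2014:10:07:42 -0700] conn=103 op=25 SRCH base="dc=lab,dc=local" scope=2 filter="(&(uid=test2)(objectClass=posixAccount))" attrs="objectClass uid uidNumber gidNumber"
[07/Sep/2014:10:07:42 -0700] conn=103 op=25 RESULT err=0 tag=101 nentries=1 etime=0
[07/Sep/2014:10:07:42 -0700] conn=103 op=26 SRCH base="dc=lab,dc=local" scope=2 filter="(&(member=uid=test2,dc=lab,dc=local)(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber nsUniqueId modifyTimestamp modifyTimestamp"
[07/Sep/2014:10:07:42 -0700] conn=103 op=26 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
EOF
)

GROUP_ENTRY=$(cat <<'EOF'
dn: cn=wheel,dc=lab,dc=local
gidNumber: 10
memberUid: test2
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: wheel
EOF
)

# sssd_member_attr SCHEMA: attribute sssd uses for group membership under the
# given ldap_schema (the default; ldap_group_member in sssd.conf overrides it).
sssd_member_attr() {
    case "$1" in
        rfc2307)    echo memberUid ;;
        rfc2307bis) echo member ;;
        *)          return 1 ;;
    esac
}

# entry_has_attr ENTRY ATTR: exit 0 if the LDIF entry carries ATTR (case-insensitive).
entry_has_attr() {
    printf '%s\n' "$1" | awk -F': ' -v want="$2" '
        tolower($1) == tolower(want) { found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# empty_group_searches LOG: print "conn=N op=M <filter>" for every posixGroup
# search whose RESULT line reports nentries=0 (SRCH and RESULT paired by conn/op).
empty_group_searches() {
    printf '%s\n' "$1" | awk '
        / SRCH / && /objectClass=posixGroup/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            match($0, /filter="[^"]*"/);      f[key] = substr($0, RSTART + 8, RLENGTH - 9)
        }
        / RESULT / && / nentries=0( |$)/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            if (key in f) print key " " f[key]
        }'
}

# group_membership_mismatch SCHEMA ENTRY: exit 0 when the entry lacks the
# attribute sssd will query for this schema, i.e. members are invisible to sssd.
group_membership_mismatch() {
    attr=$(sssd_member_attr "$1") || return 2
    if entry_has_attr "$2" "$attr"; then return 1; else return 0; fi
}

empty_group_searches "$ACCESS_LOG"
if group_membership_mismatch rfc2307bis "$GROUP_ENTRY"; then
    echo "wheel: sssd (rfc2307bis) queries 'member', entry has only memberUid -> %wheel never matches"
fi
```

The same check applied with rfc2307 passes for this entry, which is the quickest way to see that the group data and the sssd schema setting disagree rather than the sudoRole itself being wrong.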