<0> is here someone with vintela experience?
<1> .
<1> what is vintela?
<0> tdi, use slave servers or local files. btw, late stable versions of openldap do not crash usually, but there are some notorious old versions. Sometimes a corrupt database is to blame (can u export (and reread) the database using slapcat/slapadd?)
<0> www.vintela.com
<0> some kind of tool our company mgt says I have to use for single sign on.
<2> tiswat: i simulated the crash
<2> i use files too
<2> but the fallback does not _really_ work
<1> tiswat: oh, it's some micros~1 stuff
<0> Yep, the site is not that informative but it seems to me that it ****s if I have to use that as sso on 150 unix nodes.
<0> (and about 20 are tru64, which is not supported)
<1> i remember reading their white paper a year or more ago
<1> i thought "windows ****, goodbye"
<3> tiswat: kerberos - good, proprietary windows-based **** - not good
<1> micros~1 has its own flavors of kerberos
<0> I am afraid that it will be another mgt decision without any impact analysis. I talked to the vintella guys but they only know how to sell. Not what it is doing. :-(
<0> s/ll/l
<3> true, so why pay for a product when you already have kerberos on AD and can get mit/heimdal for free on *nix
<0> I hoped that someone can tell me that I am wrong..... But if someone tells me to login on an ADS which puts me through to a unix box, I think that ldap lesson 1 was missed by the guy.
<0> tdi, how did you simulate the crash? what version are u using? etc. etc. If you want some clear answers you have to be more informative.
<0> Well, Gagatan, we are not using kerberos (yet), only ldaps on ssl. But I also could not see the advantages.
<2> tiswat: ill compile a detailed info in a second
<2> tiswat: http://pastebin.ca/79911 these are my system-auth and nsswitch, version i run is: 2.2.28-r3, gentoo linux
<2> i simulated the crash by kill -9 PID
<2> after that i could not sshd to the machine
<2> i would like to fallback to files when ldap fails
<0> I don't have a proper pam configuration here. But the login problems are caused by pam and not by ldap or nss. I presume that you are using an ssh account that also exists locally. 2.2.28 is pretty old. IMHO 2.2.26 was a very unstable version in our site.
<2> tiswat: the newest is 2.3.34 in my system
<0> But my pam (at the office, I'm home now) looks very different.
<2> yes it depends more or less on the system
<0> There are also options available to deny users using the host directive. Google for that.
<2> kk, thanks
<2> but in your opinion migration to 2.3.34 is a good idea?
<0> pam-great|pam-****s|pam-great|pam-****s|pam-great|pam-****s|pam-great|pam-****s| pam-great...... I am always in doubt. :P. But I really don't like the differences and capabilities between different OS-es
<0> I'm using 2.3.20, 1 master, 20 syncrepl slaves. no problems since 3 months or so.
<1> lots of slaves
<0> yes.... bad network....
<0> most linux nodes are also ldap servers.
<1> i used to be responsible for about 1200 ldap servers worldwide
<0> max slaves?
<1> nowadays, that is only one area under my responsibilities
<1> i didn't use openldap at all
<0> netscape?
<1> yeah, currently
<1> next upgrade will be redhat, since redhat bought netscape directory server.
<0> also nice but a bit slower. It is easier to manage though, which is a big + imho.
<2> i am responsible for one :)
<1> a bit slower than what?
<0> openldap
<2> but i care about it :)
<1> i don't believe that, and i think you can't prove it
<1> netscape ds was handling 1500 queries per second when openldap only handled 9. now, they are about the same in terms of performance, imo.
<0> (openldap w/h logging!) Logging is killing on our environment. w/h nscd nodes will be very slooooow.
<1> log on separate disks
<1> nobody who cares about performance puts a database and its log on the same disk
<0> I know netscape has good (and readable) logs. Loglevel -1 (once tried) gives about 10 gigs logging in 15 minutes. on the master.
<1> netscape logs are largely identical to OL logs
<0> Are they nowadays? I used netscape 3.0 in the late '90s but I do not recall that. I tried fedora at home but due to java problems and a x86_64, I stopped that project after 3 nights.
<1> OL project was only started in 1999
<1> took it some time to get up to speed
<2> i try to migrate, did the backup and all needed things as in docs
<2> when i issue slapadd i get
<2> /etc/openldap/schema/core.schema: line 128: Duplicate attributeType: "2.5.4.13"
<2> slapadd: bad configuration file!
<2> this an attribute: description
<0> late 90's. Not sure it was that late in the 90's. I know there were some stupid bugs about chicken/egg constructions. It would not fire up w/h a database. It was hard to build a database w/ a gui...
<0> And now I'm gui-less
<0> :-)
<2> and i am openldapless :)
<0> tdi, if you know how to edit schemas: remove the duplicate. Or download proper schema files for gentoo
<2> there is no duplicate in this schema
<0> past midnight here. g' night all
<2> gnight
<4> tdi: consider that some schema entries are built into the slapd itself
<4> best to use the core.schema that came with the version you are now using
<2> yes i use it
<2> the new one
<2> i commented them out
<2> gentoo developers spoiled the default configs i think
<2> i cannot generate an index
<2> ok done :)
<2> thanks for help everyone
<5> would it be possible to share a kerberos keytab between several computers?
<5> it would be tedious to generate 20 principals on the kdc for 20 clients
<5> I guess no .. does anyone have experience with similar setups?
<6> ruxpin, the whole point of kerberos is lost if you share principals ...
<7> I need help reading an ldap server address found here http://pastebin.ca/80308
<7> updated link w/ question http://pastebin.ca/80310
<6> no idea
<6> there is no registrar for DNs, so, no authoritative way to know where an LDAP server for a specific suffix is
<7> yes but you should be able to make it out I thought from the information I provided at the link
<6> one can guess, but you didn't ask what my guess was ...
<7> what is your guess
<6> if the suffix used dc-style naming, I would have a better chance at guessing
<7> did you see my first or second link ?
<6> only the 2nd
<7> ok
<7> maybe someone else will be able to help. thx for your efforts thus far
<6> and, .usps.com may be a better guess
<6> there's no SRV record for _ldap._tcp.usps.gov
<6> or _ldap._tcp.usps.com
<6> so .. your guess is as good as mine
<7> thx again
<8> hey there. im setting up an ldap server for user authentication on the lan. ive got it to actually read the database, but when i try and su to a user from the database, i get "Authentication service cannot retrieve authentication info". i can finger the users on the ldap database though so i know they're there... any ideas?
<6> bobulator, have you done any pam configuration?
<8> no
<8> haha
<8> i don't think ive installed the pam module yet. will it be on automatically?
<6> also, does 'getent passwd $username' work for a user in ldap ?
<6> no, you will need to configure pam
<6> what OS/distro are you using ?
<8> ubuntu client, debian server
<8> and getent works, yes
<6> ok, then you will probably need to edit the files /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-password (not exactly sure)
<8> cool, on the client or server?
<6> whichever machines need to auth users from LDAP
<8> ok
<8> man.auth just has
<8> *pam.auth
<8> auth required pam_unix.so nullok_secure
<8> common-auth even
<8> argh
<8> common-account: account required pam_unix.so
<8> common-password: password required pam_unix.so nullok obscure min=4 max=8 md5
<8> hmm i seem to remember thinking all the passwords are {crypt}, could that be it?
<6> no, you need to use pam_ldap.so in those files
<8> ooh
<8> just switch them round? or can i use both?
<8> and do i need to install libpam-ldap on all the clients too?
<6> yes
<8> do i want to make a local root database admin?
<8> probably not?
<6> I don't know the specifics of the debian openldap setup
<8> k cool :)
<6> and I'm not sure what they mean by that
<6> it probably means the insecure practice of storing the rootpw in /etc/ldap.secret
<6> which I would avoid
<8> ok
<8> cool, so how can i add pam_ldap to those files then? presumably i need both pam_unix and pam_ldap if im going to authenticate both local users and ldap users?
<6> you'll have to google it ... I don't have time now to teach pam ...
<8> ok, thanks for your help :) as always, just need the right place to look...
<6> but, usually you want something like "sufficient pam_unix, sufficient pam_ldap, required pam_deny"
<8> cool. sounds like a barrel of worms...
<8> anyway, thanks again for your help. back in an hour or 8...
<9> hi there
<9> could use a little help please
<9> when i try to login to ldap using a normal user it displays "(Invalid credentials)" on the client side
<9> but passwd is correct
<9> on the server side "error=Resource Temporarily unavailable"
#ldap