Re: Directory Server LDAP/LDIF import - working yet not working???
From: Gary Tay Teng Teck (garyttt_at_singnet.com.sg)
Date: 12/01/04
- In reply to: John_B: "Re: Directory Server LDAP/LDIF import - working yet not working???"
Date: Thu, 02 Dec 2004 00:05:03 +0800
John_B wrote:
> Jesse DeFer wrote:
>
>> I've never had luck with ldapsearch displaying ACI's even binding as
>> Directory Manager, there is probably an ACI preventing it. Use the
>> directory server console, it will display them. It sounds like you
>> already have the ACI in there.
>
>
> Okay, I compiled the nss_ldap and pam_ldap into /usr/local and made the
> pam_ldap link to the compiled version.
>
> After doing some poking around, I went into the ACIs for the domain
> through the console, wiped out both of the ACIs from before, and re-ran
> the command to add the ACI. It took it without a problem, but there's
> still no difference. ldap_cachemgr is showing no cached entries, so I
> doubt that it's interfering with it.
>
> I'm going to re-modify the pam.conf now that I've compiled those and see
> if anything changes.
>
> ... waiting ...
>
> No luck, BUT I did notice this in /var/adm/messages.
>
> Nov 30 16:19:14 v100test ldapclient[331]: [ID 476951 user.error] Unable
> to load new information from configuration file
> '/var/ldap/ldap_client_file' ('Version mismatch, expected cache version
> '1.0' but encountered version '2.0'. (at or near line 1).
> Nov 30 16:19:14 v100test ').
> Nov 30 16:46:12 v100test login: pam_ldap: missing file "/etc/ldap.conf"
> Nov 30 16:46:12 v100test login: [ID 596611 auth.alert] pam_ldap: missing
> file "/etc/ldap.conf"
>
> I have the patch installed to bring the Solaris 8 client up to version
> 2.0 (rev 38 where it only needs rev 18), so I can't figure out why this
> message should be popping up. Why would it be expecting version 1.0?
>
> As to the second message, there is no mention of an /etc/ldap.conf in
> the book. Why is it looking for it?
>
> Also, I just bit the bullet and changed my password through the console,
> but there is still no indicator of whether the account itself is locked
> or not. No difference, unfortunately. I still can't log in.
>
> Wow. This is really annoying, but I do appreciate all of you sticking
> with me on this one. I need all of the support that I can get with this
> issue...and at least I'm learning things as I go along.
>
> -- John
===
Please check ldap_cachemgr: could it handle a version 2
ldap_client_file? I have ldapv2 Patch 108993-38 installed and my
ldap_cachemgr is of this file size:
-r-xr-xr-x 1 root bin 44760 Nov 2 14:24 /usr/lib/ldap/ldap_cachemgr
Also check the file size of ldapclient; my ldapv2 version has the
following file size:
-r-xr-xr-x 2 root bin 124660 Nov 2 14:24 /usr/sbin/ldapclient
What about yours? If yours are different from mine, I doubt that you have
properly installed 108993-38.
===
A sample version 2 ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example.com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= sol8profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 2
... add lines if you have service descriptors ...
===
/etc/ldap.conf is the config file for PADL's nss_ldap+pam_ldap.
For an example of /etc/ldap.conf, please refer to:
"Installing and configuring OpenSSH with pam_ldap for Solaris9" at
http://web.singnet.com.sg/~garyttt
You would need to comment out the SSL/TLS lines (as you don't use it) and add
ssl no
You may need to uncomment and use the iPlanet DS specific:
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes
Good luck.
====
Gary
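
Added example, not part of the message above or of any Sun tooling: a shell check that compares the version a client file declares with the version the logged "Version mismatch" error says the installed tools expect, and separately reports when NS_LDAP_AUTH is plain simple. The function names and sample files are constructed for illustration; the log line is the one quoted in the post, rejoined onto one line.

```shell
# Added example, not from the original post; function names are hypothetical.
# Print the NS_LDAP_FILE_VERSION value declared in a client file ($1).
client_file_version() {
    sed -n 's/^NS_LDAP_FILE_VERSION=[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print the version the client tools last logged as expected ($1 = syslog file).
expected_version() {
    sed -n "s/.*expected cache version '\([0-9.]*\)' but encountered.*/\1/p" "$1" | tail -n 1
}

# One verdict line; returns 0 = ok, 1 = mismatch, 2 = no version line.
check_client_file() {   # $1 = client file, $2 = syslog file
    have=$(client_file_version "$1")
    want=$(expected_version "$2")
    [ -n "$have" ] || { echo "no NS_LDAP_FILE_VERSION line"; return 2; }
    if [ -n "$want" ] && [ "$want" != "$have" ]; then
        echo "mismatch: file is $have, tools expect $want"
        return 1
    fi
    echo "ok: file is $have"
}

# True when NS_LDAP_AUTH is plain "simple" (no tls: prefix): the bind
# password is then sent without TLS protection.
auth_is_cleartext() {   # $1 = client file
    grep '^NS_LDAP_AUTH=[[:space:]]*simple[[:space:]]*$' "$1" >/dev/null
}

# Constructed samples: the posted file (shortened) and the quoted syslog
# line rejoined onto one line.
write_samples() {   # $1 = directory
cat > "$1/ldap_client_file" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_AUTH= simple
EOF
cat > "$1/messages" <<'EOF'
Nov 30 16:19:14 v100test ldapclient[331]: [ID 476951 user.error] Unable to load new information from configuration file '/var/ldap/ldap_client_file' ('Version mismatch, expected cache version '1.0' but encountered version '2.0'. (at or near line 1).
EOF
}

d=${TMPDIR:-/tmp}/ldapchk.$$
mkdir -p "$d" && write_samples "$d"
check_client_file "$d/ldap_client_file" "$d/messages" || true
auth_is_cleartext "$d/ldap_client_file" && echo "NS_LDAP_AUTH is simple: cleartext bind"
rm -rf "$d"
```

A mismatch verdict of "file is 2.0, tools expect 1.0" means the binary that logged the error is still the version 1 one, which is what the file-size comparison in the message is meant to confirm.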