Error(s) encountered while using ldapscripts

0

Below I show my OpenLDAP configuration. This is a fresh OpenLDAP install on a fresh Debian Stretch install.

I cannot use ldapscripts. Whatever I do, I get the errors shown at the end of the text below.

root@my-host:~# ldapsearch -b 'dc=test,dc=mydomain,dc=com' -x
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=mydomain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.mydomain.com
dn: dc=test,dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: test.mydomain.com
dc: test

# admin, test.mydomain.com
dn: cn=admin,dc=test,dc=mydomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

/etc/ldap/ldap.conf

root@my-host:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE    dc=test,dc=mydomain,dc=com
URI     ldap://localhost

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

/etc/ldapscripts/ldapscripts.conf

root@my-host:~# cat /etc/ldapscripts/ldapscripts.conf
#  Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#  Copyright (C) 2006-2016 Ganaël LAPLANCHE
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

# Note for Debian users:
# On Debian system ldapscripts will try to parse and use nslcd config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.


# LDAP server
# DEBIAN: value from /etc/nslcd.conf (uri) is used.
SERVER="ldap://localhost"

# Suffixes
# DEBIAN: values from /etc/nslcd.conf (base maps) are used.
SUFFIX="dc=test,dc=mydomain,dc=com" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

# Authentication type
# DEBIAN: value from /etc/nslcd.conf (sasl_mech) is used.
# If empty, use simple authentication
# Else, use the value as an SASL authentication mechanism
SASLAUTH=""
#SASLAUTH="GSSAPI"

# Simple authentication parameters
# The following BIND* parameters are ignored if SASLAUTH is set
BINDDN="cn=admin,dc=test,dc=mydomain,dc=com"
# The following file contains the raw password of the BINDDN
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"

# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID

# Group membership management
# ObjectCLass used for groups
# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis,
# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
# When using  groupOfNames or groupOfUniqueNames, creating a group requires an initial
# member. Specify it below, you will be able to remove it once groups are populated.
#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"

# User properties
# DEBIAN: values from /etc/adduser.conf are used.
USHELL="/bin/bash"
#UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="no"      # Create home directories and set rights ?
#HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
#HOMEPERMS="755"       # Default permissions for home directories

# User passwords generation
# Command-line used to generate a password for added users.
# You may use %u for username here ; special value "<ask>" will ask for a password interactively
# WARNING    !!!! This is evaluated, everything specified here will be run !
# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
#                 In this case, consider using /dev/urandom instead.
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask>"
PASSWORDGEN="pwgen"

# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"

# Where to log : local file and/or syslog
LOGTOFILE="yes"
LOGFILE="/var/log/ldapscripts.log"
LOGTOSYSLOG="no"
SYSLOGFACILITY="local4"
SYSLOGLEVEL="info"

# Temporary folder
#TMPDIR="/tmp"

# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, which...
# Please check they are installed before using these scripts
# Note that many of them should come with your OS

# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"

# OpenLDAP client common additional options
# This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS
#LDAPBINOPTS="-ZZ"

# OpenLDAP ldapsearch-specific additional options
# The following option disables long-line wrapping (which makes the scripts bug
# when handling long lines). The option was introduced in OpenLDAP 2.4.24, so
# comment it if you are using OpenLDAP < 2.4.24.
LDAPSEARCHOPTS="-o ldif-wrap=no"
# And here is an example to activate paged results
#LDAPSEARCHOPTS="-E pr=500/noprompt"

# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"

# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"

# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""

# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

/etc/ldapscripts/ldapscripts.passwd

root@my-host:/etc/ldapscripts# cat ldapscripts.passwd
secret

/etc/nslcd.conf

root@my-host:/etc# cat nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://localhost

# The search base that will be used for all queries.
base dc=test,dc=mydomain,dc=com

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=test,dc=mydomain,dc=com
#bindpw secret

# The DN used for password modifications by root.
rootpwmoddn cn=admin,dc=test,dc=mydomain,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

/etc/nscd.conf

root@my-host:/etc# cat /etc/nscd.conf
#
# /etc/nscd.conf
#
# An example Name Service Cache config file.  This file is needed by nscd.
#
# Legal entries are:
#
#       logfile                 <file>
#       debug-level             <level>
#       threads                 <initial #threads to use>
#       max-threads             <maximum #threads to use>
#       server-user             <user to run server as instead of root>
#               server-user is ignored if nscd is started with -S parameters
#       stat-user               <user who is allowed to request statistics>
#       reload-count            unlimited|<number>
#       paranoia                <yes|no>
#       restart-interval        <time in seconds>
#
#       enable-cache            <service> <yes|no>
#       positive-time-to-live   <service> <time in seconds>
#       negative-time-to-live   <service> <time in seconds>
#       suggested-size          <service> <prime number>
#       check-files             <service> <yes|no>
#       persistent              <service> <yes|no>
#       shared                  <service> <yes|no>
#       max-db-size             <service> <number bytes>
#       auto-propagate          <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#


#       logfile                 /var/log/nscd.log
#       threads                 4
#       max-threads             32
#       server-user             nobody
#       stat-user               somebody
        debug-level             0
#       reload-count            5
        paranoia                no
#       restart-interval        3600

        enable-cache            passwd          no
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           no
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           no
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

        enable-cache            services        no
        positive-time-to-live   services        28800
        negative-time-to-live   services        20
        suggested-size          services        211
        check-files             services        yes
        persistent              services        yes
        shared                  services        yes
        max-db-size             services        33554432

        enable-cache            netgroup        no
        positive-time-to-live   netgroup        28800
        negative-time-to-live   netgroup        20
        suggested-size          netgroup        211
        check-files             netgroup        yes
        persistent              netgroup        yes
        shared                  netgroup        yes
        max-db-size             netgroup        33554432

And finally, the resulting errors ...

root@my-host:~# ldapinit -s
Error(s) encountered while creating regular OUs
Error(s) encountered during LDAP initialization
root@my-host:~#
root@my-host:~#
root@my-host:~#
root@my-host:~# ldapinit
Error(s) encountered while creating root DN
Error(s) encountered while creating regular OUs
Error(s) encountered during LDAP initialization
root@my-host:/etc# ldapaddgroup test-user 7000
Error adding group test-user to LDAP

/var/log/ldapscripts.log shows a complaint about "invalid credentials". However, this happens whether I put my real cn=admin password in /etc/ldapscripts/ldapscripts.passwd or whether I put the word "secret" there.

/var/log/ldapscripts.log

root@my-host:/var/log# cat ldapscripts.log
Feb 06 11:58:07 inf-3 ldapscripts: ldapinit(my-username): /usr/sbin/ldapinit
ldap_bind: Invalid credentials (49)
  -> Error(s) encountered while creating root DN
ldap_bind: Invalid credentials (49)
  -> Error(s) encountered while creating regular OUs
  -> Error(s) encountered during LDAP initialization
Feb 06 15:03:47 inf-3 ldapscripts: ldapaddgroup(my-username): /usr/sbin/ldapaddgroup test-user 7000
ldap_bind: Invalid credentials (49)
  -> Error adding group test-user to LDAP

Note the appearance of my username (my-username) in the log output above. This happens even though I ran all the OpenLDAP commands after su -l root.

What step am I missing in order to use ldapscripts successfully?

by Dave 06.02.2018 / 23:28

1 answer

0

Had a similar problem, i.e. the same error: ldap_bind: Invalid credentials (49)

and the only way to solve it was to delete ldapscripts.passwd and use

# echo -n "mypassword" > /etc/ldapscripts/ldapscripts.passwd

(before that I had edited the file directly with vi, typing the password in). HTH.

by 24.10.2018 / 10:46
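Why deleting the file and rewriting it with echo -n fixes the bind: ldapscripts hands BINDPWDFILE to the OpenLDAP client tools through their -y option, and ldapsearch(1) documents -y as using the complete contents of the file as the password. vi appends a newline on save, so the bound password becomes "secret" plus a line feed, and slapd answers "Invalid credentials (49)" no matter which password was typed. The script below is an added example and is not code from the question, the answer or the ldapscripts project; the helper names (pwfile_is_clean, write_pwfile, bind_check) are mine, the files it inspects are constructed in a temp directory, and bind_check assumes a SERVER environment variable named after the ldapscripts.conf key, defaulting to ldap://localhost.

```shell
#!/bin/sh
# Added example, not code from the original post or from ldapscripts.
# ldapscripts passes BINDPWDFILE to the OpenLDAP clients with -y, and
# ldapsearch(1) documents -y as using the COMPLETE contents of the file
# as the password. A newline left behind by vi therefore becomes part of
# the password and the bind fails with "Invalid credentials (49)" no
# matter what password was typed.

# Print the byte count of a file (6 for "secret", 7 for "secret\n").
pwfile_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Return 0 if the file ends in a password byte, 1 if it is missing, empty,
# or ends in LF (0a) or CR (0d), i.e. an editor appended a line terminator.
pwfile_is_clean() {
    f="$1"
    [ -f "$f" ] || return 1
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d|'') return 1 ;;
        *)        return 0 ;;
    esac
}

# Write the file the way the ldapscripts.conf comment asks for: no
# trailing newline and not world-readable (it holds the clear-text bind
# password). printf '%s' never appends a newline; echo -n is not portable.
write_pwfile() {
    f="$1"; pw="$2"
    ( umask 077; printf '%s' "$pw" > "$f" )
    chmod 600 "$f"
}

# Live bind check with the same parameters ldapscripts would use.
# Not run below because it needs a reachable slapd: a clean file prints
# the bound DN, a file with a newline prints the ldap_bind error.
# SERVER is an assumed environment variable named after the config key.
bind_check() {
    binddn="$1"; pwfile="$2"
    ldapwhoami -x -H "${SERVER:-ldap://localhost}" -D "$binddn" -y "$pwfile"
}

# Offline demonstration on constructed files in a temp directory.
demo() {
    tmp=$(mktemp -d)
    printf 'secret\n' > "$tmp/vi.passwd"       # what ':wq' in vi leaves behind
    write_pwfile "$tmp/good.passwd" secret      # what echo -n / printf leaves behind
    for f in "$tmp/vi.passwd" "$tmp/good.passwd"; do
        if pwfile_is_clean "$f"; then
            echo "$f: OK ($(pwfile_bytes "$f") bytes)"
        else
            echo "$f: trailing line terminator ($(pwfile_bytes "$f") bytes) - bind will fail"
        fi
    done
    rm -rf "$tmp"
}

demo
```

To verify an existing installation, run `pwfile_is_clean /etc/ldapscripts/ldapscripts.passwd` as root; if it fails, recreate the file with `write_pwfile` and then confirm the bind with `bind_check "cn=admin,dc=test,dc=mydomain,dc=com" /etc/ldapscripts/ldapscripts.passwd` before retrying ldapinit. The same -y rule applies to any other password file you feed to the OpenLDAP tools, so the check is worth keeping in a provisioning script.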