root@my-host:~# cat /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 BASE dc=test,dc=mydomain,dc=com URI ldap://localhost #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt
/etc/ldapscripts/ldapscripts.conf
root@my-host:~# cat /etc/ldapscripts/ldapscripts.conf # Copyright (C) 2005 Gana▒l LAPLANCHE - Linagora # Copyright (C) 2006-2016 Gana▒l LAPLANCHE # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA. # Note for Debian users: # On Debian system ldapscripts will try to parse and use nslcd config. # Look on commented variables and description lines started with DEBIAN. # But you could override it's values here. # LDAP server # DEBIAN: value from /etc/nslcd.conf (uri) is used. SERVER="ldap://localhost" # Suffixes # DEBIAN: values from /etc/nslcd.conf (base maps) are used. SUFFIX="dc=test,dc=mydomain,dc=com" # Global suffix GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX) USUFFIX="ou=Users" # Users ou (just under $SUFFIX) MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX) # Authentication type # DEBIAN: value from /etc/nslcd.conf (sasl_mech) is used. # If empty, use simple authentication # Else, use the value as an SASL authentication mechanism SASLAUTH="" #SASLAUTH="GSSAPI" # Simple authentication parameters # The following BIND* parameters are ignored if SASLAUTH is set BINDDN="cn=admin,dc=test,dc=mydomain,dc=com" # The following file contains the raw password of the BINDDN # Create it with something like : echo -n 'secret' > $BINDPWDFILE # WARNING !!!! Be careful not to make this file world-readable BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" # For older versions of OpenLDAP, it is still possible to use # unsecure command-line passwords by defining the following option # AND commenting the previous one (BINDPWDFILE takes precedence) #BINDPWD="secret" # Start with these IDs *if no entry found in LDAP* GIDSTART="10000" # Group ID UIDSTART="10000" # User ID MIDSTART="20000" # Machine ID # Group membership management # ObjectCLass used for groups # Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !) # Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup). # Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis, # the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration. GCLASS="posixGroup" # Leave "posixGroup" here if not sure ! # When using groupOfNames or groupOfUniqueNames, creating a group requires an initial # member. Specify it below, you will be able to remove it once groups are populated. #GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX" # User properties # DEBIAN: values from /etc/adduser.conf are used. USHELL="/bin/bash" #UHOMES="/home/%u" # You may use %u for username here CREATEHOMES="no" # Create home directories and set rights ? #HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant. #HOMEPERMS="755" # Default permissions for home directories # User passwords generation # Command-line used to generate a password for added users. # You may use %u for username here ; special value "<ask>" will ask for a password interactively # WARNING !!!! This is evaluated, everything specified here will be run ! # WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy). # In this case, consider using /dev/urandom instead. #PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8" #PASSWORDGEN="pwgen" #PASSWORDGEN="echo changeme" #PASSWORDGEN="echo %u" #PASSWORDGEN="<ask>" PASSWORDGEN="pwgen" # User passwords recording # you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS # (useful when performing a massive creation / net rpc vampire) # WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE ! # WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE ! RECORDPASSWORDS="no" PASSWORDFILE="/var/log/ldapscripts_passwd.log" # Where to log : local file and/or syslog LOGTOFILE="yes" LOGFILE="/var/log/ldapscripts.log" LOGTOSYSLOG="no" SYSLOGFACILITY="local4" SYSLOGLEVEL="info" # Temporary folder #TMPDIR="/tmp" # Various binaries used within the scripts # Warning : they also use uuencode, date, grep, sed, cut, which... # Please check they are installed before using these scripts # Note that many of them should come with your OS # OpenLDAP client commands LDAPSEARCHBIN="/usr/bin/ldapsearch" LDAPADDBIN="/usr/bin/ldapadd" LDAPDELETEBIN="/usr/bin/ldapdelete" LDAPMODIFYBIN="/usr/bin/ldapmodify" LDAPMODRDNBIN="/usr/bin/ldapmodrdn" LDAPPASSWDBIN="/usr/bin/ldappasswd" # OpenLDAP client common additional options # This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS #LDAPBINOPTS="-ZZ" # OpenLDAP ldapsearch-specific additional options # The following option disables long-line wrapping (which makes the scripts bug # when handling long lines). The option was introduced in OpenLDAP 2.4.24, so # comment it if you are using OpenLDAP < 2.4.24. LDAPSEARCHOPTS="-o ldif-wrap=no" # And here is an example to activate paged results #LDAPSEARCHOPTS="-E pr=500/noprompt" # Character set conversion : $ICONVCHAR <-> UTF-8 # Comment ICONVBIN to disable UTF-8 conversion #ICONVBIN="/usr/bin/iconv" #ICONVCHAR="ISO-8859-15" # Base64 decoding # Comment UUDECODEBIN to disable Base64 decoding #UUDECODEBIN="/usr/bin/uudecode" # Getent command to use - choose the ones used # on your system. Leave blank or comment for auto-guess. # GNU/Linux #GETENTPWCMD="getent passwd" #GETENTGRCMD="getent group" # FreeBSD #GETENTPWCMD="pw usershow" #GETENTGRCMD="pw groupshow" # Auto GETENTPWCMD="" GETENTGRCMD="" # You can specify custom LDIF templates here # Leave empty to use default templates # See *.template.sample for default templates #GTEMPLATE="/path/to/ldapaddgroup.template" #UTEMPLATE="/path/to/ldapadduser.template" #MTEMPLATE="/path/to/ldapaddmachine.template" GTEMPLATE="" UTEMPLATE="" MTEMPLATE=""
root@my-host:/etc# cat nslcd.conf # /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. uri ldap://localhost # The search base that will be used for all queries. base dc=test,dc=mydomain,dc=com # The LDAP protocol version to use. #ldap_version 3 # The DN to bind with for normal lookups. binddn cn=annonymous,dc=test,dc=mydomain,dc=com #bindpw secret # The DN used for password modifications by root. rootpwmoddn cn=admin,dc=test,dc=mydomain,dc=com # SSL options #ssl off #tls_reqcert never tls_cacertfile /etc/ssl/certs/ca-certificates.crt # The search scope. #scope sub
/etc/nscd.conf
root@my-host:/etc# cat /etc/nscd.conf # # /etc/nscd.conf # # An example Name Service Cache config file. This file is needed by nscd. # # Legal entries are: # # logfile <file> # debug-level <level> # threads <initial #threads to use> # max-threads <maximum #threads to use> # server-user <user to run server as instead of root> # server-user is ignored if nscd is started with -S parameters # stat-user <user who is allowed to request statistics> # reload-count unlimited|<number> # paranoia <yes|no> # restart-interval <time in seconds> # # enable-cache <service> <yes|no> # positive-time-to-live <service> <time in seconds> # negative-time-to-live <service> <time in seconds> # suggested-size <service> <prime number> # check-files <service> <yes|no> # persistent <service> <yes|no> # shared <service> <yes|no> # max-db-size <service> <number bytes> # auto-propagate <service> <yes|no> # # Currently supported cache names (services): passwd, group, hosts, services # # logfile /var/log/nscd.log # threads 4 # max-threads 32 # server-user nobody # stat-user somebody debug-level 0 # reload-count 5 paranoia no # restart-interval 3600 enable-cache passwd no positive-time-to-live passwd 600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd yes shared passwd yes max-db-size passwd 33554432 auto-propagate passwd yes enable-cache group no positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group yes shared group yes max-db-size group 33554432 auto-propagate group yes enable-cache hosts no positive-time-to-live hosts 3600 negative-time-to-live hosts 20 suggested-size hosts 211 check-files hosts yes persistent hosts yes shared hosts yes max-db-size hosts 33554432 enable-cache services no positive-time-to-live services 28800 negative-time-to-live services 20 suggested-size services 211 check-files services yes persistent services yes shared services yes max-db-size services 33554432 enable-cache netgroup no positive-time-to-live netgroup 28800 negative-time-to-live netgroup 20 suggested-size netgroup 211 check-files netgroup yes persistent netgroup yes shared netgroup yes max-db-size netgroup 33554432
Und zum Schluss die resultierenden Fehler ...
root@my-host:~# ldapinit -s Error(s) encountered while creating regular OUs Error(s) encountered during LDAP initialization root@my-host:~# root@my-host:~# root@my-host:~# root@my-host:~# ldapinit Error(s) encountered while creating root DN Error(s) encountered while creating regular OUs Error(s) encountered during LDAP initialization root@my-host:/etc# ldapaddgroup test-user 7000 Error adding group test-user to LDAP
In /var/log/ldapscripts.log wird eine Beschwerde wegen "ungültiger Berechtigungsnachweise" angezeigt. Dies geschieht jedoch, wenn ich mein aktuelles cn = admin-Passwort in /etc/ldapscripts/ldapscripts.passwd eingebe oder das Wort "secret" dort einsetze.
/var/log/ldapscripts.log
root@my-host:/var/log# cat ldapscripts.log Feb 06 11:58:07 inf-3 ldapscripts: ldapinit(my-username): /usr/sbin/ldapinit ldap_bind: Invalid credentials (49) -> Error(s) encountered while creating root DN ldap_bind: Invalid credentials (49) -> Error(s) encountered while creating regular OUs -> Error(s) encountered during LDAP initialization Feb 06 15:03:47 inf-3 ldapscripts: ldapaddgroup(my-username): /usr/sbin/ldapaddgroup test-user 7000 ldap_bind: Invalid credentials (49) -> Error adding group test-user to LDAP
Beachten Sie das Aussehen meines Benutzernamens (mein-Benutzername) in der obigen Protokollausgabe. Dies ist trotz der Tatsache, dass ich alle OpenLDAP-Befehle nach su -l root ausgeführt habe .
Welchen Schritt vermisse ich, um ldapscripts erfolgreich zu verwenden?
Die Downvote bemerkt. Welche zusätzlichen Informationen sind erforderlich, um meine Post nützlich und ansprechbar zu machen? Ich werde es gerne zur Verfügung stellen. Ich bin hier wirklich in einer Gegend festgefahren, in der ich auch sehr neu bin.
Dave vor 6 Jahren
0
1 Antwort auf die Frage
0
Antonello Piemonte
Hatte ein ähnliches Problem, dh derselbe Fehler: ldap_bind: Ungültige Anmeldeinformationen (49)
Die einzige Möglichkeit, dies zu lösen, bestand darin, die Datei ldapscripts.passwd zu löschen und zu verwenden