RE: Re: ssh connection to an ldap server

From: fatima riadi (ftmriadi_at_yahoo.fr)
Date: 03/21/05

    Date: Mon, 21 Mar 2005 18:53:51 +0100 (CET)
    To: "Tay, Gary" <Gary_Tay@platts.com>
    
    

    That's it!!

    Thank you very much Gary for your help.

    Now, I am able to connect to my LDAP server.

    Just another question please: is it necessary to write
    the bindpw password in clear text in /etc/ldap.conf?

    Thank you again.

     --- "Tay, Gary" <Gary_Tay@platts.com> wrote:
    > I noticed that:
    >
    > 1) You did not provide binddn and bindpw in
    > /etc/ldap.conf
    >
    > # The distinguished name to bind to the server with.
    > # Optional: default is to bind anonymously.
    > #binddn cn=exampleuser,dc=example,dc=com
    > binddn cn=nssldap,ou=DSA,dc=example,dc=com
    >
    > # The credentials to bind with.
    > # Optional: default is no credential.
    > bindpw pw_in_clear_text
    >
    > 2) Your rootbinddn in /etc/ldap.conf should be
    > "cn=Manager,dc=example,dc=com", i.e. tally with
    > slapd.conf
    >
    > # The distinguished name to bind to the server with
    > # if the effective user ID is root. Password is
    > # stored in /etc/ldap.secret (mode 600)
    > rootbinddn cn=Manager,dc=example,dc=com
    >
    > Gary
    >
    > -----Original Message-----
    > From: fatima riadi [mailto:ftmriadi@yahoo.fr]
    > Sent: Mon 3/21/2005 11:57 PM
    > To: Tay, Gary
    > Cc: secureshell@securityfocus.com
    > Subject: RE: Re: ssh connection to an ldap server
    >
    >
    >
    > --- "Tay, Gary" <Gary_Tay@platts.com> wrote:
    > > If you suspect pam_ldap, show us the
    > > /etc/nsswitch.conf and /etc/pam.d/system-auth and/or
    > > /etc/pam.d/sshd.
    > >
    >
    >
    > ======================================================
    > Here is my slapd.conf file content:
    >
    > include /etc/openldap/schema/core.schema
    > include /etc/openldap/schema/cosine.schema
    > include /etc/openldap/schema/inetorgperson.schema
    > include /etc/openldap/schema/nis.schema
    > include /etc/openldap/schema/samba.schema
    > include /etc/openldap/schema/redhat/rfc822-MailMember.schema
    > include /etc/openldap/schema/redhat/autofs.schema
    >
    >
    > # Allow LDAPv2 client connections. This is NOT the default.
    > allow bind_v2
    >
    > # Do not enable referrals until AFTER you have a working directory
    > # service AND an understanding of referrals.
    > #referral ldap://root.openldap.org
    >
    > pidfile /var/run/slapd.pid
    > #argsfile //var/run/slapd.args
    >
    > access to attr=userPassword
    >     by self write
    >     by * auth
    > access to dn="ou=users,dc=example,dc=com"
    >     by self write
    >     by dn="cn=nssldap,ou=DSA,dc=example,dc=com" read
    >     by users auth
    >     by anonymous read
    > access to * by self write
    >     by * read
    >
    >
    > #######################################################################
    > # ldbm and/or bdb database definitions
    > #######################################################################
    >
    > database ldbm
    > suffix "dc=example,dc=com"
    > rootdn "cn=Manager,dc=example,dc=com"
    > rootpw {SSHA}Cu0mazfs7JKjmJaCrZQszD1G7ijRpIKO
    >
    > # The database directory MUST exist prior to running slapd AND
    > # should only be accessible by the slapd and slap tools.
    > # Mode 700 recommended.
    > directory /var/lib/ldap
    >
    > # Indices to maintain for this database
    > index objectClass eq,pres
    > index ou,cn,mail,surname,givenname eq,pres,sub
    > index uidNumber,gidNumber,loginShell eq,pres
    > index uid,memberUid eq,pres,sub
    > index nisMapName,nisMapEntry eq,pres,sub
    > index sambaSID,sambaDomainName,sambaPrimaryGroupSID eq
    >
    >
    > ======================================================
    > /etc/pam.d/sshd
    >
    > #%PAM-1.0
    > auth required pam_stack.so service=system-auth
    > auth required pam_nologin.so
    > account required pam_stack.so service=system-auth
    > password required pam_stack.so service=system-auth
    > session required pam_stack.so service=system-auth
    > session required pam_limits.so
    > session optional pam_console.so
    >
    >
    > ======================================================
    >
    > > pam_ldap works with nss_ldap, also show
    > > /etc/ldap.conf.
    >
    > And this is my /etc/ldap.conf file:
    >
    > # Your LDAP server. Must be resolvable without using LDAP.
    > host 127.0.0.1
    >
    > # The distinguished name of the search base.
    > base dc=example,dc=com
    >
    > # Another way to specify your LDAP server is to provide an
    > # uri with the server name. This allows to use
    > # Unix Domain Sockets to connect to a local LDAP Server.
    > #uri ldap://127.0.0.1/
    > #uri ldaps://127.0.0.1/
    > #uri ldapi://%2fvar%2frun%2fldapi_sock/
    > # Note: %2f encodes the '/' used as directory separator
    >
    > # The LDAP version to use (defaults to 3
    > # if supported by client library)
    > #ldap_version 3
    >
    > # The distinguished name to bind to the server with.
    > # Optional: default is to bind anonymously.
    > #binddn cn=exampleuser,dc=example,dc=com
    >
    > # The credentials to bind with.
    > # Optional: default is no credential.
    > #bindpw secret
    >
    > # The distinguished name to bind to the server with
    > # if the effective user ID is root. Password is
    > # stored in /etc/ldap.secret (mode 600)
    > rootbinddn cn=nssldap,ou=DSA,dc=example,dc=com
    >
    > # The port.
    > # Optional: default is 389.
    > #port 389
    >
    > # The search scope.
    > #scope sub
    > #scope one
    > #scope base
    >
    > # Search timelimit
    > #timelimit 30
    >
    > # Bind timelimit
    > #bind_timelimit 30
    >
    > # Idle timelimit; client will close connections
    > # (nss_ldap only) if the server has not been contacted
    > # for the number of seconds specified below.
    > #idle_timelimit 3600
    >
    > # Filter to AND with uid=%s
    > #pam_filter objectclass=account
    >
    > # The user ID attribute (defaults to uid)
    > #pam_login_attribute uid
    >
    > # Search the root DSE for the password policy (works
    > # with Netscape Directory Server)
    > #pam_lookup_policy yes
    >
    === message truncated ===
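As an added example (not code from this thread), a small POSIX sh audit of the two credential placements Gary's reply contrasts: a bindpw kept in /etc/ldap.conf, which nss_ldap needs readable by unprivileged processes, against rootbinddn with the password in /etc/ldap.secret (mode 600). The function names are mine, and the file paths are passed as arguments so the checks can be run against any copy of the files.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks where an nss_ldap/pam_ldap
# client keeps its bind credential.
#   bindpw in ldap.conf        -> ldap.conf is normally world-readable, so the
#                                 password is exposed to every local user
#   rootbinddn + ldap.secret   -> password in a root-only file, mode 600
# Paths are arguments so the checks can run against any copy of the files.

# group_other_bits FILE: the group/other permission digits of FILE, e.g. "44"
group_other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${mode#${mode%??}}"
}

# active_value FILE KEY: value of the first uncommented "KEY value" line
active_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# audit_ldap_client CONF SECRET: prints one line per finding and returns
# the number of findings (0 means the credential placement looks sane)
audit_ldap_client() {
    conf=$1; secret=$2; findings=0
    if [ -n "$(active_value "$conf" bindpw)" ] &&
       [ "$(group_other_bits "$conf")" != "00" ]; then
        echo "FINDING: bindpw stored in $conf, which non-root users can read"
        findings=$((findings + 1))
    fi
    if [ -n "$(active_value "$conf" rootbinddn)" ]; then
        if [ ! -f "$secret" ]; then
            echo "FINDING: rootbinddn is set but $secret does not exist"
            findings=$((findings + 1))
        elif [ "$(group_other_bits "$secret")" != "00" ]; then
            echo "FINDING: $secret is not mode 600; group/other can read it"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

On a client, source the file and run `audit_ldap_client /etc/ldap.conf /etc/ldap.secret`; the exit status is the number of findings.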

            

            
                    