Crazy LDAP behaviour

Hi all,

I have a crazy problem in front of me. Before that let me explain my server set up.

I have a newly bought IBM server in my bro’s college with a 1TB HDD, 4GB main memory and 2 NICs.
I use openSUSE 13.1.
I need the server to serve the following services

  1. Squid (Internet proxy for all clients (~100 clients))
  2. Windows domain Login / file sharing through Samba
  3. Apache
  4. MySQL (3, 4 for LAMP learning).
  5. SSH

I also need the following service in future
  6. Linux client login through LDAP & NFS for file sharing on Linux machines

In order to achieve all this, I configured an OpenLDAP server on the same machine (created the required certificates). Worked fine.
Configured the LDAP client on the same machine.
Created LDAP users through User and Group Management (under LDAP filter).
Checked in the LDAP browser and confirmed the presence of the users.
Configured Samba with LDAP as the authentication server.
Configured Squid with LDAP (basic_ldap_auth) and the necessary permissions at various user levels.

Now coming to my Problem :

  1. Windows gets a domain connection to the server but can’t log in with any of the LDAP users
  2. SSH will not log in (not even on the server itself)
  3. su username gives a “user does not exist” error on the server
  4. Can’t log in to the server with an LDAP user under KDM.

However, Squid works great, and when I run **basic_ldap_auth -b ou=people,dc=your,dc=domain ldapserver** with LDAP users, it responds with OK and Error_SUCCESS.

Could you please guide me where I have gone wrong? How to correct?

By the way, I have one more experimental setup at home with exactly the same configuration. But that one works great for all services.

Thanks in advance.

Probably the most critical configuration you didn’t mention is how you configured your LDAP server…
I’m guessing that the school network where the server is located is a Microsoft AD network, but you didn’t make it clear whether you made your LDAP server a member of the AD Domain (or why you even created an LDAP network).

You may also need to describe how the network clients are logged into their machines, with AD accounts or something else.

Or, if you’re configuring something else like a completely separate Domain, then you’d have to describe the Trust relationship.

TSU

I think I need to explain my network setup once again.

  1. I have a server (openSUSE 13.1) and ~200 or more clients (~70% Windows & 30% Linux)
  2. ~40 Windows clients are used by staff. The server needs to serve internet (Squid)
  3. The rest of the Windows clients and the Linux clients are used in the lab for various programming. The server needs to serve file/print service (Samba) + internet (Squid)
  4. Presently the server is made a Samba PDC and the Windows machines are domain-connected against the server. For the Linux clients, though ideally I needed a similar setup, as I still do not know the method, users are allowed local login.

All of the above need a single authentication service. Hence I utilised LDAP. Now let me explain the server setup

  1. The server is the LDAP server
  2. The server itself is also an LDAP client.
  3. For Samba, LDAP is used as the user authentication source.
  4. For Squid, LDAP is used as the user authentication source.

The LDAP server is configured for TLS & the LDAP client (on the server machine) also provides the required certificate, and there is no error shown while completing the setup.
The LDAP browser shows everything perfect.
Ideally, within the server, if I use su username, with the username being an LDAP username entry, login should be possible. But it is not happening.
Login to KDM under an LDAP username is not happening.
The ssh service is not allowing the username to log in,
but Squid is taking the LDAP username without any problem.

I hope I have now made my problem clear.
Thank you

First I want to verify whether I mis-read your original post… Does some other network security (e.g. school LDAP or Windows Domain) exist on your network, particularly if that security manages any resources like network shares or even Internet access? I read in your original post about “Windows domain login” – do you really mean “LDAP login from Windows machines” or “Windows Domain login”, which is where I thought you were referring to school network security running something like Windows AD?

Your specific issues…

  • You may see useful errors in your syslog. Immediately after a failed login, run this from a root console:
    tail /var/log/messages
  • You are not posting your exact methods for login. Several ways are possible, i.e. using a GUI, using the format “Domain/Username” etc. You may want to verify you don’t have any syntax errors. Also, you may need to post <exactly> the result if there is an error (although that will likely also be posted to your syslog)
  • General troubleshooting practice suggests when you observe many different errors at once, you should look for what is common to all first. A particular configuration for all except squid may be a good place to start. Less likely but possible is if they are all separate, not connected errors. Also, if squid is authenticating properly, then you should verify its syntax is not significantly different than how you’re configuring other authentication.
  • Again, because you didn’t post your exact command, but “su username” won’t necessarily work. That by itself will look in your machine’s local username/password repository, <not> the Domain. You need to specify something like “su domain/domainname” although I’ve never actually executed a su command on a Domain user account. But, I hope you get the idea…

If the above isn’t enough for you to troubleshoot your problem, post the <exact> commands you are attempting and their results… Otherwise anything others post is largely guessing…

HTH,
TSU
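The "look for what is common to all" advice above points at one specific place worth checking. su, sshd and KDM all resolve the user through the system's NSS lookup (the passwd/group/shadow databases in /etc/nsswitch.conf) before PAM ever sees a password, whereas Squid's basic_ldap_auth binds to the directory directly and never consults NSS. A "user does not exist" from su is therefore consistent with the directory being fine but NSS not being told to use it. The script below is an added example, not from the thread or from openSUSE; the two nsswitch.conf snippets in it are constructed for illustration, and it only treats an explicit "ldap" or "sss" source as acceptable (it does not recognise the older "compat" + "passwd_compat: ldap" arrangement).

```shell
#!/bin/sh
# Added example: check whether /etc/nsswitch.conf routes the databases that
# su, sshd and kdm query (passwd, group, shadow) to LDAP (nss_ldap) or SSSD.
# Squid's basic_ldap_auth bypasses NSS entirely, so it keeps working even
# when these lines are wrong.

# Constructed sample resembling a stock install where NSS was never told
# about LDAP: local files only, so LDAP users are invisible to su/sshd/kdm.
SAMPLE_BROKEN='# /etc/nsswitch.conf (constructed sample)
passwd: compat
group:  compat
shadow: compat
hosts:  files dns
'

# Constructed sample of the corrected state: files first, then the directory.
SAMPLE_FIXED='# /etc/nsswitch.conf (constructed sample)
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
'

# check_nsswitch FILE
# Prints one line for each of passwd/group/shadow that has no ldap or sss
# source. Returns 0 when all three have one, 1 otherwise.
check_nsswitch() {
    file="$1"
    status=0
    for db in passwd group shadow; do
        # Drop comments, find the "<db>:" line, keep everything after the key.
        sources=$(sed -e 's/#.*//' "$file" |
                  awk -v db="$db" '$1 == (db ":") { $1 = ""; print }')
        case " $sources " in
            *" ldap "*|*" sss "*) ;;
            *)
                echo "$db: no ldap/sss source (have:${sources:- none})"
                status=1
                ;;
        esac
    done
    return $status
}

# probe_user USERNAME
# Live check on a real system (not run by this script): getent uses the same
# NSS path as su/sshd/kdm, so an empty result here, while ldapsearch or
# basic_ldap_auth still finds the entry, localises the fault to nsswitch.conf
# or the nss_ldap/sssd configuration rather than the directory itself.
probe_user() {
    getent passwd "$1" || echo "NSS cannot resolve user '$1'"
}

# Run the checker over both constructed samples.
demo() {
    broken=$(mktemp) && fixed=$(mktemp) || return 1
    printf '%s' "$SAMPLE_BROKEN" > "$broken"
    printf '%s' "$SAMPLE_FIXED" > "$fixed"
    echo "== broken sample =="
    if check_nsswitch "$broken"; then
        echo "local logins via NSS should work"
    else
        echo "local logins via NSS will fail for LDAP users"
    fi
    echo "== fixed sample =="
    if check_nsswitch "$fixed"; then
        echo "local logins via NSS should work"
    else
        echo "local logins via NSS will fail for LDAP users"
    fi
    rm -f "$broken" "$fixed"
}

demo
```

Run it as-is to see both samples evaluated; on the affected server, point check_nsswitch at /etc/nsswitch.conf and follow up with probe_user on one of the LDAP accounts. If probe_user prints nothing for a user that the LDAP browser and basic_ldap_auth can see, the directory is not the problem and the NSS/PAM client side is.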