LDAP FAQs

Summary

This is an area for answers to common scenarios that may not really fit into other sections.

Your screen seems to show more attributes than mine?

This relates to Apache Directory Studio and how it displays the attributes of an entry. By default it shows only the user attributes defined by the schema, that is, the values applications read and write and that any LDAP server carries. Examples are objectClass, uid and userPassword.

There are also attributes that the server adds to an entry itself and uses internally for record keeping. These are called operational attributes; examples are passwordRetryCount, modifyTimestamp and creatorsName. On the command line, ldapsearch returns them only when they are requested by name (as the lockout check below does for passwordRetryCount) or with the special attribute “+” (RFC 3673), which asks for all of them.

An easy way to distinguish the two types of attributes is that the operational attributes are shown in italics.

To enable them, edit your connection properties and choose the “Browser Options” tab. In the Features section, check the box marked “Fetch operational attributes while browsing”, then click the OK button to save your settings.

How do I get a list of all the systems with FQDNs LDAP knows about?

ldapsearch -x -b "ou=Netgroups,dc=example,dc=com" -s one "(nisNetgroupTriple=\(*,,\))"|grep nisNetgroupTriple|cut -d' ' -f2|cut -c2-|cut -d',' -f1|sed -n '/\./p'

Note: Replace dc=example,dc=com above with your actual LDAP domain information. The filter only matches host-only triples of the form (host,,); a host that appears solely in a triple with the user or domain field filled in is not returned. The pipeline takes the value after the attribute name, drops the leading “(”, keeps the first comma-separated field (the host) and prints only names that contain a dot. If your ldapsearch rejects the backslash-escaped parentheses, use the RFC 4515 hex escapes instead: "(nisNetgroupTriple=\28*,,\29)".

How do I know what Netgroup a user or host is in?

You can do some creative queries to answer these types of questions. A basic knowledge of LDAP attributes is required: a netgroup entry (objectClass nisNetgroup) holds one nisNetgroupTriple value per member, written (host,user,domain) with unused fields left empty, so a user appears as (,name,) and a host as (host,,).

i=<name>; ldapsearch -x "(nisNetgroupTriple=*$i*)" |grep -E "dn|nisNetgroupTriple.+$i"

Replace “<name>” with the user's or host's name. Both the filter and the grep do substring matches, so “testuser” also matches “testuser2”; read the returned triples to confirm an exact hit. Example:

i=testuser; ldapsearch -x "(nisNetgroupTriple=*$i*)" |grep -E "dn|nisNetgroupTriple.+$i"
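The two netgroup questions above can be answered without substring false positives by parsing the LDIF once. The following is an added example, not part of the original FAQ: it reads the output of ldapsearch (with -o ldif-wrap=no so long lines are not folded) and extracts every host and every netgroup an exact name belongs to. It goes slightly beyond the one-liner above in that it returns hosts from any triple, not only (host,,) ones. Nested netgroups (memberNisNetgroup) are not expanded. The sample LDIF is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the original FAQ): parse the LDIF that ldapsearch
# prints for nisNetgroup entries and answer the two questions above with exact
# matching. A nisNetgroupTriple is (host,user,domain); any field may be empty.
# Assumes unfolded LDIF lines: pass "-o ldif-wrap=no" to ldapsearch.
# Nested netgroups (memberNisNetgroup) are not expanded.

# Emit "netgroup<TAB>host<TAB>user<TAB>domain" for every triple in LDIF on stdin.
triples() {
    awk '
        /^dn: / {
            cn = $2; sub(/^cn=/, "", cn); sub(/,.*/, "", cn)   # cn=X,ou=... -> X
        }
        /^nisNetgroupTriple: / {
            t = $2
            gsub(/[()]/, "", t)                 # strip the surrounding parentheses
            split(t, f, ",")                    # f[1]=host f[2]=user f[3]=domain
            printf "%s\t%s\t%s\t%s\n", cn, f[1], f[2], f[3]
        }'
}

# All fully qualified hosts: the host field of any triple that contains a dot.
fqdn_hosts() {
    triples | awk -F'\t' '$2 ~ /\./ { print $2 }' | LC_ALL=C sort -u
}

# Netgroups whose triples name $1 exactly, as host or as user (no substring
# matches, so "testuser" does not pick up "testuser2").
netgroups_of() {
    triples | awk -F'\t' -v n="$1" '$2 == n || $3 == n { print $1 }' | LC_ALL=C sort -u
}

# Constructed sample standing in for:
#   ldapsearch -x -o ldif-wrap=no -b "ou=Netgroups,dc=example,dc=com" -s one "(objectClass=nisNetgroup)"
SAMPLE_LDIF='dn: cn=OracleHosts,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: OracleHosts
nisNetgroupTriple: (db01.example.com,,)
nisNetgroupTriple: (db02.example.com,,)
nisNetgroupTriple: (localbox,,)

dn: cn=TestDBAUsers,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: TestDBAUsers
nisNetgroupTriple: (,testuser,)
nisNetgroupTriple: (,testuser2,)

dn: cn=WebAdmins,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: WebAdmins
nisNetgroupTriple: (web01.example.com,testuser,example.com)
'

# Offline demonstration; against a live server replace the printf with the
# ldapsearch command shown above.
printf '%s' "$SAMPLE_LDIF" | fqdn_hosts
printf '%s' "$SAMPLE_LDIF" | netgroups_of testuser
```

Against a live directory, pipe the ldapsearch output straight into fqdn_hosts or netgroups_of; the host "localbox" is dropped by fqdn_hosts because it has no dot, and netgroups_of testuser returns TestDBAUsers and WebAdmins but not a netgroup that only contains testuser2.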

My command prompt shows “I have no name!”

This is caused by the LDAP client configuration files not being readable by ordinary users: nss_ldap cannot resolve the UID to a name, so the shell falls back to “I have no name!”. To solve this, make sure the following files are world readable (mode 644). If /etc/ldap.conf holds a bindpw, do not leave that credential in a world-readable file: use an anonymous or read-only binddn there and, where a privileged bind is needed, put the password in /etc/ldap.secret (mode 600, owned by root) and reference it through rootbinddn, which nss_ldap and pam_ldap read only when running as root. With sssd the credentials live in /etc/sssd/sssd.conf, which stays root-only, and this problem does not arise.

/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/nsswitch.conf

How do I know what LDAP sudo rights a user has?

Note: This procedure will only tell you what rights are defined in LDAP. A user may have more rights on a given machine based on the local /etc/sudoers. See the next FAQ on figuring that out.

First, we need to determine what Netgroups a user belongs to since most sudo rights are granted to groups and not individual users. I will use the user “testuser” as an example.

i=testuser; ldapsearch -x "(nisNetgroupTriple=*$i*)" |grep -E "dn|nisNetgroupTriple.+$i"

This returns:

filter: (nisNetgroupTriple=*testuser*)
dn: cn=TestDBAUsers,ou=Netgroups,dc=example,dc=com
nisNetgroupTriple: (,testuser,)

Next, we want to check if this user has any rights directly.

i=testuser; ldapsearch -x "(sudoUser=*$i*)" |grep -E "dn|sudoUser.+$i"

As expected, they don’t.

filter: (sudoUser=*testuser*)

Now, we want to check the Netgroup the user belongs to that was returned with the first command above.

i=TestDBAUsers; ldapsearch -x "(sudoUser=*$i*)" |grep -E "dn|sudoUser.+$i"

This will tell us what sudo rule the Netgroup belongs to.

filter: (sudoUser=*TestDBAUsers*)
dn: cn=TestDBAUsers_OracleHosts,ou=SUDOers,dc=example,dc=com
sudoUser: +TestDBAUsers

And now we can examine the sudo rule itself.

ldapsearch -x "(cn=TestDBAUsers_OracleHosts)"

The results below will tell us what commands are allowed to be run (sudoCommand) and on which machines (sudoHost). It is important to remember that both sudoCommand and sudoHost can appear multiple times. Also, sudoHost can be either an individual machine or, as in this case, a Netgroup of machines. Keep in mind when reading rules that sudoUser can also be a POSIX group (%group), a numeric ID (#uid) or ALL, that sudoHost can be ALL, an IP address or a network as well as a Netgroup (+name), and that a rule may carry sudoRunAsUser, sudoOption and sudoOrder, which change what the command actually means; read the whole entry, not only sudoCommand.

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (cn=TestDBAUsers_OracleHosts)
# requesting: ALL
#

# TestDBAUsers_OracleHosts, SUDOers, example.com
dn: cn=TestDBAUsers_OracleHosts,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
cn: TestDBAUsers_OracleHosts
sudoUser: +TestDBAUsers
sudoHost: +OracleHosts
sudoCommand: /bin/su - oracle

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
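The four-step lookup above can be collapsed into one pass over the sudoRole entries once you know the user's netgroups and POSIX groups and the host's netgroups. The following is an added example, not part of the original FAQ: it reads the LDIF of every sudoRole and prints the rules whose sudoUser and sudoHost both match, with the run-as user and each command. It handles user / +netgroup / %group / ALL on the user side and hostname / +netgroup / ALL on the host side; negated values, #uid, IP networks and sudoOrder are deliberately not handled, and sudo's own evaluation (sudo -ll, next FAQ) remains the authority. The sample LDIF is constructed.

```sh
#!/bin/sh
# Added example (not part of the original FAQ): given the netgroups and POSIX
# groups you have already looked up, work out which sudoRole entries apply to
# a user on a host. Reads on stdin the LDIF printed by
#   ldapsearch -x -o ldif-wrap=no -b "ou=SUDOers,dc=example,dc=com" "(objectClass=sudoRole)"
# Handles sudoUser values user / +netgroup / %group / ALL and sudoHost values
# hostname / +netgroup / ALL. Negated values (!...), #uid, IP networks and
# sudoOrder are not handled.
applicable_sudo_rules() {   # $1 user  $2 user's netgroups  $3 user's POSIX groups  $4 host  $5 host's netgroups
    awk -v user="$1" -v ung="$2" -v upg="$3" -v host="$4" -v hng="$5" '
    # is word x in the space-separated list?
    function has(list, x) { return index(" " list " ", " " x " ") > 0 }
    function user_ok(v) {
        if (v == "ALL" || v == user) return 1
        if (substr(v, 1, 1) == "+") return has(ung, substr(v, 2))
        if (substr(v, 1, 1) == "%") return has(upg, substr(v, 2))
        return 0
    }
    function host_ok(v) {
        if (v == "ALL" || v == host) return 1
        if (substr(v, 1, 1) == "+") return has(hng, substr(v, 2))
        return 0
    }
    # print the entry just read if both a sudoUser and a sudoHost matched
    function flush(    n, c, i) {
        if (cn != "" && um && hm) {
            n = split(cmds, c, "\n")
            for (i = 1; i <= n; i++) if (c[i] != "") print cn "\t" runas "\t" c[i]
        }
        cn = ""; um = 0; hm = 0; cmds = ""; runas = "root"   # sudo default run-as
    }
    /^dn: /            { flush(); cn = $2; sub(/^cn=/, "", cn); sub(/,.*/, "", cn) }
    /^sudoUser: /      { if (user_ok($2)) um = 1 }
    /^sudoHost: /      { if (host_ok($2)) hm = 1 }
    /^sudoRunAsUser: / { runas = $2 }
    /^sudoCommand: /   { sub(/^sudoCommand: /, ""); cmds = cmds $0 "\n" }
    END                { flush() }'
}

# Constructed sample: the rule from this FAQ plus two others for contrast.
SAMPLE_SUDO_LDIF='dn: cn=TestDBAUsers_OracleHosts,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
cn: TestDBAUsers_OracleHosts
sudoUser: +TestDBAUsers
sudoHost: +OracleHosts
sudoCommand: /bin/su - oracle

dn: cn=WebAdmins_Httpd,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: WebAdmins_Httpd
sudoUser: %webadmin
sudoHost: web01.example.com
sudoRunAsUser: root
sudoCommand: /usr/sbin/service httpd restart
sudoCommand: /usr/sbin/service httpd status

dn: cn=Everyone_Uptime,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: Everyone_Uptime
sudoUser: ALL
sudoHost: ALL
sudoRunAsUser: nobody
sudoCommand: /usr/bin/uptime
'

# Offline demonstration: testuser (netgroup TestDBAUsers, POSIX group users)
# on db01.example.com, which is in the OracleHosts netgroup.
printf '%s' "$SAMPLE_SUDO_LDIF" | applicable_sudo_rules testuser "TestDBAUsers" "users" db01.example.com "OracleHosts"
```

Feed the real ldapsearch output in place of the printf, and take the netgroup lists from the nisNetgroupTriple queries earlier in this FAQ and the POSIX groups from id -Gn on the host. The output is one line per command, so a rule with several sudoCommand values shows up several times.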

How do I know what LOCAL sudo rights a user has?

Regardless of which way you choose to check, you need to be logged in to the machine in question. The easy-to-read version is:

sudo -ll -U <user ID>

This has the advantage of listing both the user's local and LDAP rights. The downside is that it does not work everywhere: under the sudoers policy, listing another user's privileges with -U is allowed only for root or for a user who holds the ALL privilege on that host, so from an ordinary account the request is refused. The next version gives the same output and will often work when the previous command does not, because the inner sudo is run as root:

sudo sudo -ll -U <user ID>

This will prompt you for your password before giving up the information. If all else fails, you can just look at the sudoers file:

sudo cat /etc/sudoers

This can be the hardest to read since the format is free-form and lines often wrap several times, with only a comma marking where one command ends and the next begins. Remember that /etc/sudoers usually pulls in /etc/sudoers.d/ through an #includedir line, so check those files too; visudo -c validates the whole set.

Determining if an account is locked due to rejected password

Users frequently lock themselves out of systems because of mistyping their password three (3) times. You can check for this with a simple for loop. Start by creating a text file with the FQDN of all the LDAP servers listed, one per line.

dirmaster1.example.com
dirmaster2.example.com

If you call the file ldap-host-list, then you can run the following query to get the results. Note: This is specific to 389-ds and its descendants.

$ for i in $(cat ldap-host-list); do echo "$i"; ldapsearch -x -H "ldaps://$i" -b "uid=testuser,ou=people,dc=example,dc=com" -s base -LLL passwordRetryCount; done

Replace “testuser” with the actual user ID you are interested in. passwordRetryCount is an operational attribute, so it has to be requested by name as above (or with “+”). You will see results similar to the following:

dirmaster1.example.com
dn: uid=testuser,ou=People,dc=example,dc=com
passwordRetryCount: 3
dirmaster2.example.com
dn: uid=testuser,ou=People,dc=example,dc=com
passwordRetryCount: 0

If the attribute is missing or is below 3, the account is not locked on that LDAP server. If passwordRetryCount is 3 (or higher), you need to reset it. Note: 3 is the passwordMaxFailure value set in the password policy used here; your policy may specify something different, so substitute accordingly. The count is kept independently on each server unless the policy has passwordIsGlobalPolicy turned on, which is why the loop queries every master: a user can be locked on one server and fine on another. The server also clears the counter on its own after the interval the policy sets (the entry's retryCountResetTime shows when) and, if the policy allows it, lifts the lockout at accountUnlockTime, so requesting those two attributes alongside passwordRetryCount tells you whether simply waiting would do.

The reset is done by running the following command.

ldapmodify -x -H ldaps://dirmaster1.example.com -D "cn=Directory Manager" -W

This will prompt you for the password and then sit awaiting commands. Enter the following:

dn: uid=testuser,ou=people,dc=example,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 0

Replace “testuser” with your locked user's ID. Any value below the policy's failure limit unlocks the account; 0 is the natural choice. Repeat the modify against each server whose count was at the limit, since the count is per server unless passwordIsGlobalPolicy is on.

Make sure you enter a blank line at the end to tell ldapmodify to go ahead and process what you told it. You should get output similar to the following:

modifying entry "uid=testuser,ou=people,dc=example,dc=com"

Press Ctrl-D (end of input) to tell ldapmodify you are done.

You can verify your handiwork by re-running your ldapsearch from above.
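The check-then-reset procedure above, packaged as functions so it can be rerun without retyping the loop. This is an added example, not part of the original FAQ. The ldapsearch call sits behind an LDAPSEARCH_CMD hook (a name chosen here) so the decision logic can be exercised offline against constructed output; LOCK_THRESHOLD stands for your policy's passwordMaxFailure. The fake_ldapsearch function and the server names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the original FAQ): the lockout check as functions,
# with the ldapsearch invocation behind a LDAPSEARCH_CMD hook so the logic can
# be run offline against constructed output. LOCK_THRESHOLD is the
# passwordMaxFailure value of your password policy (3 in this FAQ).
LDAPSEARCH_CMD=${LDAPSEARCH_CMD:-ldapsearch}
LOCK_THRESHOLD=${LOCK_THRESHOLD:-3}

# Print the passwordRetryCount of user DN $2 as recorded on server $1
# (prints nothing when the attribute is absent, i.e. no failures recorded).
retry_count() {
    "$LDAPSEARCH_CMD" -x -H "ldaps://$1" -b "$2" -s base -LLL passwordRetryCount </dev/null \
        | awk '/^passwordRetryCount: / { print $2 }'
}

# One line "server<TAB>count<TAB>locked|ok" per server listed in file $2 (one
# FQDN per line, like ldap-host-list above). Every server is checked because
# the count is kept per server unless passwordIsGlobalPolicy is on.
lock_report() {
    while IFS= read -r srv; do
        case $srv in ''|'#'*) continue ;; esac
        c=$(retry_count "$srv" "$1")
        if [ -n "$c" ] && [ "$c" -ge "$LOCK_THRESHOLD" ]; then s=locked; else s=ok; fi
        printf '%s\t%s\t%s\n' "$srv" "${c:-0}" "$s"
    done < "$2"
}

# The LDIF that clears the counter; pipe it into
#   ldapmodify -x -H ldaps://SERVER -D "cn=Directory Manager" -W
# for each server the report shows as locked.
unlock_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: passwordRetryCount\npasswordRetryCount: 0\n' "$1"
}

# Constructed stand-in for ldapsearch, used only for the offline demonstration:
# dirmaster1 has the user at the limit, dirmaster2 at zero, any other server
# has never seen a failure (attribute absent).
fake_ldapsearch() {
    case "$*" in
        *dirmaster1*) printf 'dn: uid=testuser,ou=People,dc=example,dc=com\npasswordRetryCount: 3\n' ;;
        *dirmaster2*) printf 'dn: uid=testuser,ou=People,dc=example,dc=com\npasswordRetryCount: 0\n' ;;
        *)            printf 'dn: uid=testuser,ou=People,dc=example,dc=com\n' ;;
    esac
}

# Offline demonstration. For a real run delete the next line (so the hook
# defaults to the real ldapsearch) and point lock_report at your ldap-host-list.
LDAPSEARCH_CMD=fake_ldapsearch
hosts=$(mktemp)
printf 'dirmaster1.example.com\ndirmaster2.example.com\n' > "$hosts"
lock_report "uid=testuser,ou=People,dc=example,dc=com" "$hosts"
unlock_ldif "uid=testuser,ou=People,dc=example,dc=com"
rm -f "$hosts"
```

The reset still binds as cn=Directory Manager with -W, so the password is prompted for rather than placed on the command line where it would show in the process list and shell history.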


Passwords with storage scheme are not allowed

This applies when a user tries to change their password and gets an error similar to the following:

LDAP password information update failed: Constraint violation
invalid password syntax - passwords with storage scheme are not allowed
passwd: Permission denied

This is caused by the pam_password setting in /etc/ldap.conf. With pam_password set to crypt or md5, pam_ldap hashes the new password on the client and writes a value such as {CRYPT}... into userPassword; 389-ds rejects pre-hashed values by default (nsslapd-allow-hashed-passwords is off) and in any case could not run its password policy checks against a hash. pam_password MUST be set to clear so that the server receives the plaintext, hashes it itself and enforces the policy (exop, the RFC 3062 password-modify operation, also hands the plaintext to the server and works with 389-ds). Because the new password then travels inside the LDAP operation unhashed, the connection must be protected with TLS (ssl start_tls, or an ldaps:// URI, in the same file).

Common error messages and meanings

Server is unwilling to perform

  • Example:
    pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Server is unwilling to perform)
    Failed password for testuser from 10.12.24.80 port 55689 ssh2
    
  • Meaning: The failed password part is a red herring. The “Server is unwilling to perform” is the key. It means that the account has been inactivated (in 389-ds, nsAccountLock is set on the entry). Verify that the account should not be inactive before activating it.

Permission denied

  • Example:
    pam_sss(sshd:auth): received for user testuser: 6 (Permission denied)
    
  • Meaning: This is a generic message from the sssd system and may mean the account is locked or the user entered the wrong password.

Invalid credentials

  • Example:
    pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)
    
  • Meaning: This means the wrong password was entered.

Constraint violation

  • Example:
    pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Constraint violation)
    
  • Meaning: This means the account has been locked. Usually from too many failed login attempts.

Sorry, user <user> may not run sudo on <machine name>

  • Example:
    sudo: pam_unix(sudo:auth): authentication failure;
    
  • Meaning: If this is an Ubuntu machine verify the sudo-ldap package has been installed:
    sudo apt-get install sudo-ldap
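When these messages arrive in bulk it helps to classify and count them per account rather than reading them one at a time: a run of “Invalid credentials” followed by a single “Constraint violation” is the normal shape of a user locking themselves out, while “Invalid credentials” from many addresses against one account looks different. The following is an added example, not part of the original FAQ: it applies the meanings from the table above to syslog lines on stdin and tallies them per user. The sample log lines are constructed.

```sh
#!/bin/sh
# Added example (not part of the original FAQ): classify the PAM/sshd messages
# from the table above and tally them per user. Reads syslog lines on stdin;
# prints "user<TAB>meaning<TAB>count". The meanings are the ones this FAQ
# assigns to each message.
triage_auth_log() {
    awk '
    # pull the account name out of the three line shapes seen above:
    #   bind as user "uid=NAME,..."   received for user NAME: ...   ... user=NAME
    function user_of(line) {
        if (match(line, /"uid=[^,]+/))       return substr(line, RSTART + 5, RLENGTH - 5)
        if (match(line, /for user [^: ]+/)) return substr(line, RSTART + 9, RLENGTH - 9)
        if (match(line, / user=[^ ]+/))     return substr(line, RSTART + 6, RLENGTH - 6)
        return "?"
    }
    /Server is unwilling to perform/ { k = "account inactivated (nsAccountLock)" }
    /Invalid credentials/            { k = "wrong password" }
    /Constraint violation/           { k = "account locked (too many failures)" }
    /pam_sss.*Permission denied/     { k = "sssd: locked or wrong password" }
    /pam_unix\(sudo:auth\)/          { k = "sudo not consulting LDAP (check sudo-ldap)" }
    k != "" { n[user_of($0) "\t" k]++; k = "" }      # lines matching nothing are ignored
    END { for (key in n) print key "\t" n[key] }' | LC_ALL=C sort
}

# Constructed sample: two wrong passwords, the lockout that follows, an
# inactivated account, an sssd refusal and a sudo host without sudo-ldap.
SAMPLE_LOG='Mar  3 10:01:02 host1 sshd[1234]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)
Mar  3 10:01:02 host1 sshd[1234]: Failed password for testuser from 10.12.24.80 port 55689 ssh2
Mar  3 10:01:09 host1 sshd[1240]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)
Mar  3 10:01:15 host1 sshd[1251]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Constraint violation)
Mar  3 10:02:00 host2 sshd[2201]: pam_ldap: error trying to bind as user "uid=olduser,ou=People,dc=example,dc=com" (Server is unwilling to perform)
Mar  3 10:03:00 host3 sshd[3301]: pam_sss(sshd:auth): received for user testuser: 6 (Permission denied)
Mar  3 10:04:00 host4 sudo: pam_unix(sudo:auth): authentication failure; logname=testuser uid=1001 euid=0 tty=/dev/pts/0 ruser=testuser rhost=  user=testuser
'

# Offline demonstration; for real logs use e.g.  grep -h sshd /var/log/secure* | triage_auth_log
printf '%s' "$SAMPLE_LOG" | triage_auth_log
```

The “Failed password” line is deliberately left uncounted, matching the table's note that it is a red herring next to the pam_ldap message that precedes it; the pam_ldap line already names the DN, which is why the account is read from the quoted uid= first and from the PAM “for user” or “user=” fields only when no DN is present.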