OpenLDAP certificate creation fails...

...with the error message:

Failed to generate certificate : Unsupported file or mode >OpenLDAP Server at WebminCore::/usr/libexec/webmin/web-lib-funcs.pl line 8718

Status: Active

Comments

Submitted by fakemoth on Sun, 03/15/2015 - 01:01

In fact nothing works in CentOS 7: Trying to create users and groups:

Failed to create new tree : Could not find a suitable object class for the new DN

So I am asking again (come on dudes, it has been weeks): is this tutorial still OK for CentOS 7 http://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/ and will I be able to import my users from the regular/local authentication method, via restoring a backup?

Submitted by fakemoth on Mon, 03/16/2015 - 02:22

Yes, stock, I never use anything else. I did manage to create the certificate, using a smaller number of days (tried 10 years)? Why is that?

Anyway I really dropped your how-to (created the certificate by hand), because for some reason one just can't create other trees with Webmin, as per your advice.

So I followed this http://www.knowledgepia.com/en/k-blog/linux-server/rhel7-configure-a-lda... where the users are ou=People and groups are ou=Groups. As I understand it this is the simplest (and recommended, it is in the RHEL exams) way to get started with openLDAP in RHEL/CentOS 7, because (once again) your how to is not working, please revise it. But is this OK for Virtualmin as you recommend dc=Users and dc=Groups? You have to clear these things for me, as I never used LDAP with Virtualmin.

One other thing, if you are so kind, please answer the most important question:

is Virtualmin capable of importing into LDAP users and groups from a backup, made by another server, where the users and groups are local (regular Linux users)?

Will keep you posted about how it goes.

Submitted by fakemoth on Tue, 03/17/2015 - 07:22

Hey - I seriously think that in an Enterprise product, one you are offering support for, you should pack the essentials by the book. Or at least document 'em and test them properly, not writing a "how to" in 2009 and expect it to work with RHEL 7 in 2015...

What can I say? When I love you, I love you, when I am supposed to hate you, I... post stuff like this :)

Here is another boo-boo:

nslcd[12988]: nslcd: /etc/nslcd.conf:146: unknown keyword: 'nss_base_passwd'
systemd[1]: nslcd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Naming services LDAP client daemon..
systemd[1]: Unit nslcd.service entered failed state.

It is because Webmin writes some of the following syntax into nslcd.conf; it should look like this (I think, because that's the only way I can start the service... but read the next post):

ssl start_tls
ldap_version 3
base passwd ou=People,dc=example,dc=ro
base shadow ou=People,dc=example,dc=ro
base group ou=Groups,dc=example,dc=ro
# Webmin
# nss_base_passwd ou=People,dc=example,dc=ro
# nss_base_shadow ou=People,dc=example,dc=ro
# nss_base_group ou=Groups,dc=example,dc=ro

[root@ns1 etc]# systemctl status nslcd.service
nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled)
   Active: active (running) since Tue 2015-03-17 13:16:53 EET; 17s ago
  Process: 15790 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
Main PID: 15791 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─15791 /usr/sbin/nslcd
Submitted by fakemoth on Tue, 03/17/2015 - 06:48

So now it was starting but when pressing "Validate configuration" button it spits out:

Connecting to LDAP server ..
.. connected to 127.0.0.1

Searching for users ..
.. no users found under base dc=example,dc=ro.

So it is one way or the other... Maybe the validation button sends some funky command? Please help, it would be nice of you to respond to LDAP AUTHENTICATION SERVER issues, and not stupid "how to upload on dropbox my backups so Condoleezza Rice can peek for the NSA" questions...

Submitted by fakemoth on Tue, 03/17/2015 - 10:22

For the love of god... now the creation of trees works, I really don't know what solved it in the process of trying things...

And I can create users through the LDAP Users and Groups module; so why is the "Validating LDAP Configuration" not working?

So, to answer your question about importing LDAP users from a backup - yes, this will work fine assuming that user creation in LDAP is working. This can be used as a way to migrate domains from local files to LDAP - backup the domain, delete it, and then restore.

Regarding that "no users found under base dc=example,dc=ro" message, if you browse your LDAP DB are there any user objects yet under that base? The validation process checks if a user object exists in order to check if he shows up as a valid Unix user. However, if you haven't created any users yet then this check is expected to fail.

Submitted by fakemoth on Wed, 03/18/2015 - 10:51

Regarding backups thanks for clearing this up!

I did create/delete/import local users, quite a few times, and checked every time, but the answer is still the same; so it is not that.

  1. To be clear - what is the correct syntax in nslcd.conf? With what Webmin writes into it ("nss_base_passwd ...") the validation passes but the service doesn't start. With what I found somewhere on the net ("base passwd ...") the service starts OK but the validation fails... Of course I am worried about this behavior, but all the references on the web are about CentOS 6, and in 7 there are quite a few changes; the LDAP, interoperability with Windows AD and ID Manager stuff are of course part of this...

  2. Another weirdness: I don't think it's normal, in LDAP Users and Groups module, when deleting a user to delete the group if it has the SAME name, why is this happening?

Deleting user fakemoth ..
Deleting from other modules ..
.. done
Deleting LDAP user entry ..
.. done

Removing from groups ..
.. done

Deleting this user's group ..
.. done

Deleting home directory ..
.. done

  3. And the LDAP Users and Groups module doesn't appear in the System menu, it's still in the Un-used Modules menu, no matter how many times I click Refresh modules.

  1. I've been looking into this, and found that Virtualmin does not currently support the format of the new nslcd.conf file properly - the format for per-database bases has changed to be like:

base   passwd ou=People,dc=example,dc=com

  2. Deletion of the group when the user of the same name is removed is by design - this is to handle the common case in which each new user gets a primary group of the same name.

  3. Check that the path referenced in the /etc/webmin/ldap-client/config by the auth_ldap line actually exists.

I'll update this ticket with further details once problem (1) is fixed in the Webmin code.
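Added example (not code from this ticket, from Webmin or from Virtualmin) covering both the nslcd.conf that failed to start earlier in the thread ("unknown keyword: 'nss_base_passwd'") and the per-database base format described in the reply above. It lints an nslcd.conf for the old pam_ldap/nss_ldap keywords, rewrites them into nslcd's `base <map> <dn>` form, and then checks that every per-map base actually sits under the global base, which is the kind of thing to verify before trusting a "no users found under base ..." result. The sample config is constructed for the example, and KNOWN_KEYWORDS is an assumed subset of what nslcd.conf(5) accepts, not the full list.

```python
"""Lint /etc/nslcd.conf for legacy nss_ldap keywords that nslcd rejects
("unknown keyword") and rewrite them into nslcd's `base <map> <dn>` form.

Example code added to this ticket; not part of Webmin or Virtualmin.
"""

# Old pam_ldap/nss_ldap (/etc/ldap.conf style) keywords and the nslcd map
# each one corresponds to.
LEGACY_BASE_KEYWORDS = {
    "nss_base_passwd": "passwd",
    "nss_base_shadow": "shadow",
    "nss_base_group": "group",
}

# Assumption: only the subset of nslcd keywords needed for this example.
# Extend it from nslcd.conf(5) before running against a real config.
KNOWN_KEYWORDS = {
    "uri", "base", "binddn", "bindpw", "rootpwmoddn", "ssl", "tls_reqcert",
    "tls_cacertfile", "ldap_version", "uid", "gid", "scope", "filter", "map",
    "pagesize", "timelimit", "bind_timelimit", "idle_timelimit",
}

# Constructed sample resembling what the ticket says Webmin wrote.
SAMPLE_CONF = """\
uid nslcd
gid ldap
uri ldap://127.0.0.1/
ssl start_tls
ldap_version 3
base dc=example,dc=ro
# Webmin
nss_base_passwd ou=People,dc=example,dc=ro
nss_base_shadow ou=People,dc=example,dc=ro
nss_base_group ou=Groups,dc=example,dc=ro
"""


def parse(text):
    """Yield (lineno, keyword, rest) for every non-blank, non-comment line."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        yield n, parts[0].lower(), (parts[1] if len(parts) == 2 else "")


def lint(text):
    """Return (lineno, message) for each line nslcd would refuse to load."""
    problems = []
    for n, kw, _ in parse(text):
        if kw in LEGACY_BASE_KEYWORDS:
            problems.append((n, f"{kw}: nss_ldap keyword, use "
                                f"'base {LEGACY_BASE_KEYWORDS[kw]} <dn>'"))
        elif kw not in KNOWN_KEYWORDS:
            problems.append((n, f"{kw}: unknown keyword"))
    return problems


def convert(text):
    """Rewrite nss_base_* lines to 'base <map> <dn>'; leave other lines as-is."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        kw = parts[0].lower() if parts and not parts[0].startswith("#") else ""
        if kw in LEGACY_BASE_KEYWORDS and len(parts) == 2:
            out.append(f"base {LEGACY_BASE_KEYWORDS[kw]} {parts[1]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def base_dns(text):
    """Return (global base DN or None, {map: DN}) from an nslcd.conf."""
    global_base, per_map = None, {}
    for _, kw, rest in parse(text):
        if kw != "base":
            continue
        parts = rest.split(None, 1)
        # A map name never contains '='; a DN always does.
        if len(parts) == 2 and "=" not in parts[0]:
            per_map[parts[0].lower()] = parts[1]
        else:
            global_base = rest
    return global_base, per_map


def _rdns(dn):
    """Split a DN into lower-cased RDN components for suffix comparison."""
    return [c.strip().lower() for c in dn.split(",")]


def maps_outside_global_base(text):
    """Names of maps whose base DN does not sit under the global base DN."""
    g, per_map = base_dns(text)
    if g is None:
        return sorted(per_map)
    g_rdns = _rdns(g)
    return sorted(m for m, dn in per_map.items()
                  if _rdns(dn)[-len(g_rdns):] != g_rdns)
```

Run `lint()` on the file before restarting nslcd: any hit is a line nslcd will refuse at startup. `convert()` produces the `base passwd ...` form the thread settled on, and `maps_outside_global_base()` catches the case where a map base (say `ou=People,dc=other,dc=ro`) is not under the `base` nslcd will search, which would explain an empty user search even though the entries exist.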

Submitted by fakemoth on Thu, 03/19/2015 - 01:46

Hmm so what should I do? Now the users are in dc=Users,dc=example,dc=ro and dc=Groups,dc=example,dc=ro; should I move back to ou=People,dc=example,dc=ro and ou=Groups,dc=example,dc=ro?

So as I understand it you will solve the bug with LDAP on CentOS 7, but shall I wait until you also update the docs, as this is my only reference? It is essential (guess for you too) to write a clear and tested how-to, else you will get a lot of silly (repetitive) questions from your users on the matter...

Things you should cover:

-for Centos/RHEL/Scientific 7 make separate sections, like for Debian;

-how to configure a basic LDAP; how to clear an improper configuration, and also how to back it up;

-how to configure the system to be a server and a client; how to configure it to be only one of them; also how to sync/replicate and use a second LDAP server, because if the main one has problems, no more auth for us;

-how to configure and use Webmin with LDAP;

-how to configure Virtualmin for LDAP and also all the involved services (postfix, proftpd with sftp module, mysql, apache and so on, where applicable); maybe help people with a simple question in the installer and set things accordingly: local auth or LDAP... will this machine be a LDAP server or do you use an external one?

-how to use NFS (this is barely mentioned anywhere) with Virtualmin&Cloudmin and LDAP, either local sharing or with an external storage (a very common scenario); I mean !properly! so all the files and directories have good/appropriate permissions and uid/gid. It is a recipe for a (web hosting) disaster to use NFS without LDAP. Get into the NFSv4 storyline also... Kerberos maybe?

-how to plan and implement redundancy and disaster recovery (this maybe should be a series of very well documented articles).

-what your products can do and what can't do; and keeping the docs up to date.

-none of these are outside the scope of using Virtualmin and Cloudmin, but surely are the bases for using them!

Yeah, I know: easy to request, harder to actually do it. But these things should be really cleared for us. And just think about the amount of problems/questions you won't be dealing with if you write this down!

Submitted by fakemoth on Thu, 03/19/2015 - 01:52

A feature request here: in System > PAM authentication please confirm the deletion of mechanism by popping up a question as I had the impression I am deleting a step and deleted the whole mechanism... and no prompt :D luckily I was working on two servers, and I restored from the other :D

Yes, updating the doc is in progress. I may be able to offer some suggestions on this ticket though, if you can tell me about the kind of setup you are trying to achieve. Are you looking to set up a pair of web hosting systems that do load balancing or failover?

Using NFS for home directories is a bit problematic, as regular Linux quotas can't be used.

Submitted by fakemoth on Fri, 03/20/2015 - 00:37

Exactly - trying to use a centralized storage with two other servers, have a private ticket about all that stuff with lots of info, remember, but communications ceased there :)

So to address some of the issues with the LDAP client support in CentOS 7, I've created a 1.741 development version of Webmin that fixes the problems setting the LDAP base. You can download it from http://download.webmin.com/devel/rpm/

Submitted by fakemoth on Sun, 03/22/2015 - 02:03

Thanks! I will test it as soon as possible.

Submitted by fakemoth on Thu, 04/02/2015 - 04:25

Mmmm, so what am I supposed to be testing? The docs are still the old ones, was keeping an eye on them. The errors are still the same. What exactly is fixed (BTW now I am on CentOS 7.1)?

The /etc/webmin/ldap-client/config file holds this:

pam_ldap=
auth_ldap=/etc/nslcd.conf
secret=/etc/ldap.secret
ldap_tls=2
init_name=nslcd
ldap_hosts=
ldap_port=
ldap_pass=
ldap_user=

This update should fix the setting of the LDAP base on CentOS 7, and your config file looks fine.

Which error are you still getting?

Submitted by fakemoth on Sat, 04/04/2015 - 02:07

The check, still can't find users:

Connecting to LDAP server .. .. connected to 127.0.0.1

Searching for users .. .. no users found under base dc=example,dc=ro.

Please note I have users under dc=Users,dc=example,dc=ro and dc=Groups,dc=example,dc=ro.

Ok so this is going nowhere; your documentation, product, support doesn't help me with this setup, I wasted weeks waiting for advice as a paying customer.

Will go for stupid setups like iSCSI. And regular authentication.