«Обнаружены ошибки» при использовании ldapscripts

Ниже я показываю свою конфигурацию OpenLDAP. Это свежая установка OpenLDAP на свежую установку Debian Stretch.

Я не могу использовать ldapscripts. Независимо от того, что я делаю, я получаю ошибки, показанные в конце текста ниже.

root@my-host:~# ldapsearch -b 'dc=test,dc=mydomain,dc=com' -x # extended LDIF # # LDAPv3 # base <dc=test,dc=mydomain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL #  # test.mydomain.com dn: dc=test,dc=mydomain,dc=com objectClass: top objectClass: dcObject objectClass: organization o: test.mydomain.com dc: test  # admin, test.mydomain.com dn: cn=admin,dc=test,dc=mydomain,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator  # search result search: 2 result: 0 Success  # numResponses: 3 # numEntries: 2 

/etc/ldap/ldap.conf

root@my-host:~# cat /etc/ldap/ldap.conf # # LDAP Defaults #  # See ldap.conf(5) for details # This file should be world readable but not world writable.  #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666  BASE dc=test,dc=mydomain,dc=com URI ldap://localhost  #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never  # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt 

/etc/ldapscripts/ldapscripts.conf

root@my-host:~# cat /etc/ldapscripts/ldapscripts.conf # Copyright (C) 2005 Gana▒l LAPLANCHE - Linagora # Copyright (C) 2006-2016 Gana▒l LAPLANCHE # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA.  # Note for Debian users: # On Debian system ldapscripts will try to parse and use nslcd config. # Look on commented variables and description lines started with DEBIAN. # But you could override it's values here.   # LDAP server # DEBIAN: value from /etc/nslcd.conf (uri) is used. SERVER="ldap://localhost"  # Suffixes # DEBIAN: values from /etc/nslcd.conf (base maps) are used. SUFFIX="dc=test,dc=mydomain,dc=com" # Global suffix GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX) USUFFIX="ou=Users" # Users ou (just under $SUFFIX) MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)  # Authentication type # DEBIAN: value from /etc/nslcd.conf (sasl_mech) is used. # If empty, use simple authentication # Else, use the value as an SASL authentication mechanism SASLAUTH="" #SASLAUTH="GSSAPI"  # Simple authentication parameters # The following BIND* parameters are ignored if SASLAUTH is set BINDDN="cn=admin,dc=test,dc=mydomain,dc=com" # The following file contains the raw password of the BINDDN # Create it with something like : echo -n 'secret' > $BINDPWDFILE # WARNING !!!! Be careful not to make this file world-readable BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" # For older versions of OpenLDAP, it is still possible to use # unsecure command-line passwords by defining the following option # AND commenting the previous one (BINDPWDFILE takes precedence) #BINDPWD="secret"  # Start with these IDs *if no entry found in LDAP* GIDSTART="10000" # Group ID UIDSTART="10000" # User ID MIDSTART="20000" # Machine ID  # Group membership management # ObjectCLass used for groups # Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !) # Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup). # Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis, # the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration. GCLASS="posixGroup" # Leave "posixGroup" here if not sure ! # When using groupOfNames or groupOfUniqueNames, creating a group requires an initial # member. Specify it below, you will be able to remove it once groups are populated. #GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"  # User properties # DEBIAN: values from /etc/adduser.conf are used. USHELL="/bin/bash" #UHOMES="/home/%u" # You may use %u for username here CREATEHOMES="no" # Create home directories and set rights ? #HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant. #HOMEPERMS="755" # Default permissions for home directories  # User passwords generation # Command-line used to generate a password for added users. # You may use %u for username here ; special value "<ask>" will ask for a password interactively # WARNING !!!! This is evaluated, everything specified here will be run ! # WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy). # In this case, consider using /dev/urandom instead. #PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8" #PASSWORDGEN="pwgen" #PASSWORDGEN="echo changeme" #PASSWORDGEN="echo %u" #PASSWORDGEN="<ask>" PASSWORDGEN="pwgen"  # User passwords recording # you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS # (useful when performing a massive creation / net rpc vampire) # WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE ! # WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE ! RECORDPASSWORDS="no" PASSWORDFILE="/var/log/ldapscripts_passwd.log"  # Where to log : local file and/or syslog LOGTOFILE="yes" LOGFILE="/var/log/ldapscripts.log" LOGTOSYSLOG="no" SYSLOGFACILITY="local4" SYSLOGLEVEL="info"  # Temporary folder #TMPDIR="/tmp"  # Various binaries used within the scripts # Warning : they also use uuencode, date, grep, sed, cut, which... # Please check they are installed before using these scripts # Note that many of them should come with your OS  # OpenLDAP client commands LDAPSEARCHBIN="/usr/bin/ldapsearch" LDAPADDBIN="/usr/bin/ldapadd" LDAPDELETEBIN="/usr/bin/ldapdelete" LDAPMODIFYBIN="/usr/bin/ldapmodify" LDAPMODRDNBIN="/usr/bin/ldapmodrdn" LDAPPASSWDBIN="/usr/bin/ldappasswd"  # OpenLDAP client common additional options # This allows for adding more configuration options to the OpenLDAP clients, e.g. '-ZZ' to enforce TLS #LDAPBINOPTS="-ZZ"  # OpenLDAP ldapsearch-specific additional options # The following option disables long-line wrapping (which makes the scripts bug # when handling long lines). The option was introduced in OpenLDAP 2.4.24, so # comment it if you are using OpenLDAP < 2.4.24. LDAPSEARCHOPTS="-o ldif-wrap=no" # And here is an example to activate paged results #LDAPSEARCHOPTS="-E pr=500/noprompt"  # Character set conversion : $ICONVCHAR <-> UTF-8 # Comment ICONVBIN to disable UTF-8 conversion #ICONVBIN="/usr/bin/iconv" #ICONVCHAR="ISO-8859-15"  # Base64 decoding # Comment UUDECODEBIN to disable Base64 decoding #UUDECODEBIN="/usr/bin/uudecode"  # Getent command to use - choose the ones used # on your system. Leave blank or comment for auto-guess. # GNU/Linux #GETENTPWCMD="getent passwd" #GETENTGRCMD="getent group" # FreeBSD #GETENTPWCMD="pw usershow" #GETENTGRCMD="pw groupshow" # Auto GETENTPWCMD="" GETENTGRCMD=""  # You can specify custom LDIF templates here # Leave empty to use default templates # See *.template.sample for default templates #GTEMPLATE="/path/to/ldapaddgroup.template" #UTEMPLATE="/path/to/ldapadduser.template" #MTEMPLATE="/path/to/ldapaddmachine.template" GTEMPLATE="" UTEMPLATE="" MTEMPLATE="" 

/etc/ldapscripts/ldapscripts.passwd

root@my-host:/etc/ldapscripts# cat ldapscripts.passwd secret 

/etc/nslcd.conf

root@my-host:/etc# cat nslcd.conf # /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details.  # The user and group nslcd should run as. uid nslcd gid nslcd  # The location at which the LDAP server(s) should be reachable. uri ldap://localhost  # The search base that will be used for all queries. base dc=test,dc=mydomain,dc=com  # The LDAP protocol version to use. #ldap_version 3  # The DN to bind with for normal lookups. binddn cn=annonymous,dc=test,dc=mydomain,dc=com #bindpw secret  # The DN used for password modifications by root. rootpwmoddn cn=admin,dc=test,dc=mydomain,dc=com  # SSL options #ssl off #tls_reqcert never tls_cacertfile /etc/ssl/certs/ca-certificates.crt  # The search scope. #scope sub 

/etc/nscd.conf

root@my-host:/etc# cat /etc/nscd.conf # # /etc/nscd.conf # # An example Name Service Cache config file. This file is needed by nscd. # # Legal entries are: # # logfile <file> # debug-level <level> # threads <initial #threads to use> # max-threads <maximum #threads to use> # server-user <user to run server as instead of root> # server-user is ignored if nscd is started with -S parameters # stat-user <user who is allowed to request statistics> # reload-count unlimited|<number> # paranoia <yes|no> # restart-interval <time in seconds> # # enable-cache <service> <yes|no> # positive-time-to-live <service> <time in seconds> # negative-time-to-live <service> <time in seconds> # suggested-size <service> <prime number> # check-files <service> <yes|no> # persistent <service> <yes|no> # shared <service> <yes|no> # max-db-size <service> <number bytes> # auto-propagate <service> <yes|no> # # Currently supported cache names (services): passwd, group, hosts, services #   # logfile /var/log/nscd.log # threads 4 # max-threads 32 # server-user nobody # stat-user somebody debug-level 0 # reload-count 5 paranoia no # restart-interval 3600  enable-cache passwd no positive-time-to-live passwd 600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd yes shared passwd yes max-db-size passwd 33554432 auto-propagate passwd yes  enable-cache group no positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group yes shared group yes max-db-size group 33554432 auto-propagate group yes  enable-cache hosts no positive-time-to-live hosts 3600 negative-time-to-live hosts 20 suggested-size hosts 211 check-files hosts yes persistent hosts yes shared hosts yes max-db-size hosts 33554432  enable-cache services no positive-time-to-live services 28800 negative-time-to-live services 20 suggested-size services 211 check-files services yes persistent services yes shared services yes max-db-size services 33554432  enable-cache netgroup no positive-time-to-live netgroup 28800 negative-time-to-live netgroup 20 suggested-size netgroup 211 check-files netgroup yes persistent netgroup yes shared netgroup yes max-db-size netgroup 33554432 

И, наконец, в результате ошибки ...

root@my-host:~# ldapinit -s Error(s) encountered while creating regular OUs Error(s) encountered during LDAP initialization root@my-host:~# root@my-host:~# root@my-host:~# root@my-host:~# ldapinit Error(s) encountered while creating root DN Error(s) encountered while creating regular OUs Error(s) encountered during LDAP initialization root@my-host:/etc# ldapaddgroup test-user 7000 Error adding group test-user to LDAP 

/var/log/ldapscripts.log действительно показывает жалобу на «неверные учетные данные». Однако это происходит независимо от того, поместил ли я свой действительный пароль cn = admin в /etc/ldapscripts/ldapscripts.passwd или я добавил туда слово «secret».

/var/log/ldapscripts.log

root@my-host:/var/log# cat ldapscripts.log Feb 06 11:58:07 inf-3 ldapscripts: ldapinit(my-username): /usr/sbin/ldapinit ldap_bind: Invalid credentials (49) -> Error(s) encountered while creating root DN ldap_bind: Invalid credentials (49) -> Error(s) encountered while creating regular OUs -> Error(s) encountered during LDAP initialization Feb 06 15:03:47 inf-3 ldapscripts: ldapaddgroup(my-username): /usr/sbin/ldapaddgroup test-user 7000 ldap_bind: Invalid credentials (49) -> Error adding group test-user to LDAP 

Обратите внимание на появление моего имени пользователя (my-username) в приведенном выше выводе журнала. Это несмотря на тот факт, что я выполнил все команды OpenLDAP после su -l root .

Какой шаг мне не хватает, чтобы успешно использовать ldapscripts?