Здравствуйте!!

ASP Linux.

OpenLdap, PAM.

Настроил ЛДАП. Импортировал группы и пользователей из /etc/{passwd|shadow|group},  с помощью /usr/share/openldap/migrate_xxx. EXTENDED_SCHEMA = 0.
Если использовать EXTENDED_SCHEMA=1 то ни одна запись не добавляется.

Все данные добавились, с помощью ldap_search данные вижу.
Запустил authconfig, указал LDAP аутентификация без TLS (OpenLdap так же настроен).

При наборе команды "passwd some_user" passwd очень долго висит и ничего не делает.
После чего сообщает "unknown username some_user" (через ldapsearch все ищется).

У меня несколько вопросов:
1. Нет ли какого-нибудь щедрого человека с аськой или mail.ru агентом, чтобы я проконсультировался с Вами? )
2. Какая последовательность действий по настройке? Правильно ли я понимаю, что после настройки аутентификации в LDAP системных пользователей, Postfix (и saslauthd) не должны знать, что используется LDAP, поскольку они проходят авторизацию через PAM?

--------------------------------------------------
[root@server etc]# ldapsearch -x -b "dc=example,dc=ru" "(uid=some_user)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=ru> with scope subtree
# filter: (uid=some_user)
# requesting: ALL
#

# putin_ai, People, example.ru
dn: uid=some_user,ou=People,dc=example,dc=ru
uid: some_user
cn: some_user
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e2Nye=====
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/_example/some_user

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--------------------------------------------------------

---------------------------
/etc/ldap.conf

# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=EXAMPLE,dc=ru

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/  
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

binddn        cn=Manager,dc=EXAMPLE,dc=ru
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
bindpw {SSHA}***************************************/8F

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=EXAMPLE,dc=ru

# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account
#;PURITANEC_CONFIG
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember
#;PURITANEC_CONFIG
pam_member_attribute gid

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX        base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd    ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd        ou=People,dc=EXAMPLE,dc=ru?one
nss_base_shadow        ou=People,dc=EXAMPLE,dc=ru?one
nss_base_group        ou=Group,dc=EXAMPLE,dc=ru?one
nss_base_hosts        ou=Hosts,dc=EXAMPLE,dc=ru?one
#nss_base_services    ou=Services,dc=example,dc=com?one
#nss_base_networks    ou=Networks,dc=example,dc=com?one
#nss_base_protocols    ou=Protocols,dc=example,dc=com?one
#nss_base_rpc        ou=Rpc,dc=example,dc=com?one
#nss_base_ethers    ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks    ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases    ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup    ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute    rfc2307attribute    mapped_attribute
#nss_map_objectclass    rfc2307objectclass    mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
ssl no
#tls_cacertdir /etc/openldap/cacerts

#####################
#####################
##
##
## /etc/openldap/ldap.conf

# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=EXAMPLE,dc=ru
URI    ldap://localhost

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
HOST 127.0.0.1
#TLS_CACERTDIR /etc/openldap/cacerts

#database    bdb
suffix        "dc=EXAMPLE,dc=ru"
rootdn        "cn=Manager,dc=EXAMPLE,dc=ru"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw {SSHA}*********************************/8F

index cn, sn, uid, gidnumber pres, eq, approx

index objectclass pres,eq

dbcachesize 500000

index default none

#TLS_CACERTDIR /etc/openldap/cacerts

###################
###################
###################
##
##
## /etc/openldap/slapd.conf
##
##
## ## ## ## ## ## ## #
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/misc.schema
include        /etc/openldap/schema/openldap.schema
include        /etc/openldap/schema/misc-mail.schema

# Define global ACLs to disable default read access.

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

#pidfile        /usr/var/run/slapd.pid
#argsfile    /usr/var/run/slapd.args
pidfile    /var/run/slapd.pid
argsfile    /var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth

#;PURITANEC_CONFIG
# access to * by * search

access to dn.base="" by * read

access to dn.base="cn=Subschema" by * read

access to * by dn="uid=root,dc=EXAMPLE,dc=ru" write
    by * read

access  to dn.regex=".*,ou=mail,dc=EXAMPLE,dc=ru"
    by self write
    by anonymous auth
    by dn.regex=".*,cn=Manager,dc=EXAMPLE,dc=ru" write
    by dn="ou=mail,ou=services,dc=EXAMPLE,dc=ru" read
    by dn="ou=sasl,ou=services,dc=EXAMPLE,dc=ru" read
    

access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="uid=root,dc=EXAMPLE,dc=ru" write
    by dn.regex=".*,cn=Manager,dc=EXAMPLE,dc=ru" write
    by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database    bdb
suffix        "dc=EXAMPLE,dc=ru"
rootdn        "cn=Manager,dc=EXAMPLE,dc=ru"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw {SSHA}f31BRnhQsAeY0lEvg1cPDUqkcPMTC/8F

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /var/lib/ldap

# Indices to maintain for this database
#index uid                pres,eq,sub

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname            eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

#suffix        "dc=my-domain,dc=com"
#rootdn        "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw        secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
#directory    /usr/var/openldap-data
# Indices to maintain
#index    objectClass    eq