Hi Jan Kara,
This ticket is follow up of ticket #116 concerning user lookup using LDAP. I am still seeing the same problems.
After migrating our server to CentOS 6, I had to set up quotas again. I downloaded the latest version from the git repository (git://git.code.sf.net/p/linuxquota/code linuxquota-code) and did the following to compile the code:
aclocal
autoconf
./configure --enable-ldapmail=yes
make
make install
I am using the following warnquota.conf ldap configuration:
LDAP_MAIL = true
LDAP_URI = ldaps://<ldap server>:636
LDAP_BINDDN = cn=grid_query,dc=hpcv,dc=sara,dc=nl
LDAP_BINDPW = <password>
LDAP_BASEDN = ou=Users,dc=hpcv,dc=sara,dc=nl
LDAP_SEARCH_ATTRIBUTE = uid
LDAP_MAIL_ATTRIBUTE = mail
LDAP_DEFAULT_MAIL_DOMAIN = <default domain>
When I run warnquota, email is still sent to <user>@<default domain> instead of the email address that should be retrieved from LDAP. As my knowledge of C is very basic, I find it hard to debug warnquota.c.
Before, when our ldap database wasn't protected with a password, it worked perfectly. Apparently, the use of LDAP_BINDDN and LDAP_BINDPW messes things up and warnquota is not able to retrieve any emails anymore and uses the "default domain" instead.
I hope you can help me,
Regards,
Ernst Pijper
Anonymous
Sorry for not getting to you earlier. Does warnquota print any error message? Also can you post config.h from your system?
Hi Jan Kara,
Been very busy so completely forgot about this :(
When I run warnquota, there are no error messages. Also I cannot find any error messages under /var/log. I attached the config.h file you asked for.
Is there any way I can help to debug the problem?
Hum, so your config.h shows that you didn't compile quota-tools with LDAP support (there is a line "#undef USE_LDAP_MAIL_LOOKUP" in config.h). Is this really the config.h used for compilation? Can you check what the configure script reported when trying to configure LDAP libraries?
Hi Jan Kara,
Not sure what happened there, so today I decided to install from the latest git source. First of all, I had some problems compiling the code. This is what I did:
got the following warning:
config.status: WARNING: 'po/Makefile.in.in' seems to ignore the --datarootdir setting
So I added the line datarootdir = @datarootdir@ to po/Makefile.in.in just above the line datadir = @datadir@. Now configure went ok.
got the following error:
rquota.c:6:20: error: rquota.h: No such file or directory
Installing quota-devel did not solve this problem, so I replaced #include "rquota.h" with #include "rpcsvc/quota.h" in quota.c quotaops.c rquota.c rquota_client.c rquota_server.c rquota_svc.c setquota.c. Then make went through ok.
To test, I edited my quota with setquota such that I exceeded my quota. Then I ran warnquota:
root# warnquota -s
warnquota: Entry not found for client root.
warnquota: Entry not found for client root.
warnquota: Entry not found for client root.
Emails were sent to the local account on the machine where I ran the above command and not to email addresses from the ldap database.
Let me know if I can do anything to debug.
Thanks,
Ernst
So rquota.h should get autogenerated using rpcgen from rquota.x. I'd be interested why it doesn't happen for you. Can you have a look? But that's a separate issue.
The errors about client root likely come from the CC line you don't seem to set in your warnquota.conf. Can you set CC_TO to something sensible just to see whether there will still be any messages? (BTW: I've just pushed out a modification to warnquota to not add CC when it is set to an empty string.)
Finally, looking into the code, are you sure the attribute is named 'mail' in LDAP? Because the only way I could see warnquota using the default domain without any error message is when we don't find the attribute we were asked for.
If the attribute name is right, please try running with the debug patch I'll attach in a moment.
Patch for debugging which LDAP attributes we saw.
I applied your patch and this is what I see:
Searching for attribute: 'mail'
Seeing attr: 'cn'
Seeing attr: 'objectClass'
Seeing attr: 'uid'
Seeing attr: 'uidNumber'
Seeing attr: 'gidNumber'
Seeing attr: 'givenName'
Seeing attr: 'sn'
Seeing attr: 'homeDirectory'
Seeing attr: 'loginShell'
Seeing attr: 'surfsaraToken'
If I query the ldap database using ldapsearch, I get this:
# ernstp, Users, hpcv.sara.nl
dn: uid=ernstp,ou=Users,dc=hpcv,dc=sara,dc=nl
cn: Ernst Pijper
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: SURFsara
objectClass: entrustIGUser
uid: ernstp
uidNumber: 36545
gidNumber: 32173
givenName: Ernst
sn: Pijper
homeDirectory: /home/ernstp
loginShell: /bin/bash
mail: <email address>
surfsaraToken: entrust
So somehow warnquota is not seeing the mail attribute (where I'm just assuming for the moment that it is actually there because I can see it if I do an ldapsearch).
Concerning the CC_TO, if I set it to something sensible, the warning messages do indeed disappear. However, warnquota will now look up the CC_TO value in the ldap database as well. So, for example, if I set CC_TO = support@mydomain.nl it will give the following warning:
warnquota: Entry not found for client support@mydomain.nl
because there is no user 'support@mydomain.nl' in the ldap database. I would personally prefer if I could use a complete email address in CC_TO.
I will look into the rquota.h problem a bit more. Any suggestions on where/how to debug this would be welcome. During what step should rquota.h be created?
Below is the output of the autogen and configure step:
root# ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: running: autopoint --force
Copying file ABOUT-NLS
Copying file config.rpath
Creating directory m4
Copying file m4/codeset.m4
Copying file m4/gettext.m4
Copying file m4/glibc21.m4
Copying file m4/iconv.m4
Copying file m4/intdiv0.m4
Copying file m4/inttypes-pri.m4
Copying file m4/inttypes.m4
Copying file m4/inttypes_h.m4
Copying file m4/isc-posix.m4
Copying file m4/lcmessage.m4
Copying file m4/lib-ld.m4
Copying file m4/lib-link.m4
Copying file m4/lib-prefix.m4
Copying file m4/nls.m4
Copying file m4/po.m4
Copying file m4/progtest.m4
Copying file m4/stdint_h.m4
Copying file m4/uintmax_t.m4
Copying file m4/ulonglong.m4
Copying file mkinstalldirs
Copying file po/Makefile.in.in
Copying file po/Makevars.template
Copying file po/Rules-quot
Copying file po/boldquot.sed
Copying file po/en@boldquot.header
Copying file po/en@quot.header
Copying file po/insert-header.sin
Copying file po/quot.sed
Copying file po/remove-potcdate.sin
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:40: installing `./config.guess'
configure.ac:40: installing `./config.sub'
configure.ac:19: installing `./install-sh'
configure.ac:19: installing `./missing'
Makefile.am: installing `./depcomp'
autoreconf: Leaving directory `.'
14:26 ui.grid.sara.nl:/root/tmp/linuxquota-code
root# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for cc... cc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of cc... gcc3
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.20... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking whether NLS is requested... yes
checking for msgfmt... /usr/bin/msgfmt
checking for gmsgfmt... /usr/bin/msgfmt
checking for xgettext... /usr/bin/xgettext
checking for msgmerge... /usr/bin/msgmerge
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for ld used by GCC... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for shared library run path origin... done
checking whether NLS is requested... yes
checking for GNU gettext in libc... yes
checking whether to use NLS... yes
checking where the gettext function comes from... libc
checking for ldap_initialize in -lldap... yes
checking for COM_ERR... yes
checking for EXT2FS... no
checking for DBUS... no
checking for LIBNL3... no
checking how to run the C preprocessor... cc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking tcpd.h usability... yes
checking tcpd.h presence... yes
checking for tcpd.h... yes
checking for rpcgen... /usr/bin/rpcgen
configure: creating ./config.status
config.status: creating Makefile
config.status: creating po/Makefile.in
config.status: WARNING: 'po/Makefile.in.in' seems to ignore the --datarootdir setting
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing default-1 commands
config.status: creating po/POTFILES
config.status: creating po/Makefile
configure:
==============================================================================
Build configuration:
bsd-behaviour: yes
ext2-direct: no
ldap-mail: yes
libwrap: yes
netlink: no
nls: yes
proc-mounts: /proc/mounts
rpc: yes
rpcsetquota: no
xfs-roothack: no
werror: no
==============================================================================
Thanks,
Ernst
I am also getting the error
"warnquota: Entry not found for client mmustermann. Not sending mail."
I am running Debian 8.6 64bit and the version of warnquota is:
$ warnquota --version
Quota-Hilfsprogramme Version 4.01.
Compiliert mit: USE_LDAP_MAIL_LOOKUP EXT2_DIRECT HOSTS_ACCESS RPC RPC_SETQUOTA BSD_BEHAVIOUR
Fehler an jack@suse.cz
The ldapsearch command works fine though, and I have double-checked everything twice. I have no other ideas what else to try, because ldapsearch works as expected and it finds the user and outputs the mail attribute (mail address). Why does warnquota fail to find the user?
I just downloaded into a separate folder the latest version 4.05 and did run
./autogen.sh
./configure
./make
and ./warnquota --version outputs the new 4.05 version, but unfortunately I get the same error when running ./warnquota -us
Then I tried to apply the debug patch seen above with:
patch < 0001-warnquota-debug.patch
and I got a success message back:
patching file warnquota.c
Hunk #1 succeeded at 439 (offset 20 lines).
but I still get the simple error message when running ./warnquota -us
warnquota: Entry not found for client mmustermann. Not sending mail.
My /etc/warnquota.conf:
; ; and # type comments are allowed
MAIL_CMD = "/usr/sbin/sendmail -t"
FROM = "support@domain.tld"
SUBJECT = "Speicherplatz Kontigent ueberschritten!"
CC_TO =
SUPPORT = "support@domain.tld"
PHONE = "-123"
CHARSET = UTF-8
LDAP_URI = ldap://192.168.100.100:389
LDAP_BASEDN = "OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld"
LDAP_BINDDN = "CN=bindaccount,OU=serviceaccounts,DC=intra,DC=mydomain,DC=tld"
LDAP_BINDPW = "sup3rs3cr3t"
LDAP_SEARCH_ATTRIBUTE = uid
LDAP_MAIL_ATTRIBUTE = mail
LDAP_MAIL = "true"
I would have expected to see some debug messages. However, I hope it'll get fixed soon because at the moment warnquota is useless. Our LDAP server is samba4 Active Directory and it does not allow anonymous binds by default. So I cannot (and even DON'T WANT to) enable anonymous logins to our LDAP server. Any thoughts how to solve this issue?
Any help appreciated.
Well, at least in the previous case it seemed warnquota was able to find the user but the openldap library was not returning the 'mail' attribute for the user. Can you attach here your warnquota.conf, the output of 'ldapsearch -v' for the problematic user and the output of warnquota compiled with the debug patch attached in this bug? Thanks!
Our posts crossed :). Can you attach here output of 'ldapsearch -v' for the problematic user? Everything else is in your latest comment.
Hello Jan,
I'm performing an ldapsearch for the user mmustermann, returning only its DN and the MAIL attribute value. See here ...
$ ldapsearch -H ldap://192.168.100.100 -W -D "CN=bindaccount,OU=serviceaccounts,DC=intra,DC=mydomain,DC=tld" -b "OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld" -Z -LLL "(uid=mmustermann)" mail -v
ldap_initialize( ldap://192.168.100.100:389/??base )
Enter LDAP Password:
filter: (uid=mmustermann)
requesting: mail
dn: CN=Mustermann\, Max,persons,OU=my OU,DC=intra,DC=mydomain,DC=tld
mail: max.mustermann@mydomain.tld
There are a lot of other attributes on an object, as you know, but we don't care about them now. Is this information helpful for letting you investigate further?
Greetings,
phaeno
Thanks for the output! Still I don't understand why the LDAP query as constructed by warnquota doesn't return anything. Can you please attach here the output of warnquota when run with the attached patch (applies on top of the stock 4.05 version)? Thanks!
Obviously I'm doing something wrong when trying to apply the patch. I don't get any different output when executing. What I am doing is:
downloading the debug.patch into the downloaded folder of latest 4.05 version
and then create a backup of the original warnquota.c before applying the patch:
which outputs following result:
then I run...
./autogen.sh
./configure
./make
./warnquota --version
./warnquota -us
Puzzled? Why do I not get the debug output as expected?
Hu, no idea. You can try to edit the "Entry not found" message just to see whether indeed the modified source gets compiled & executed. If yes, please check in the source file you can see the debug prints (one printf() should be shortly before the "Entry not found" message). Finally if everything still looks fine, you can try to change printf(xxx) to fprintf(stderr, xxx) to see whether there isn't some problem with printing to stdout...
It gets compiled correctly and the change is there. Here in detail is what the warnquota.c looks like after being patched and when I modify the original "Entry not found..." message line:
[...]
[...]
I run
and output is:
When I search through the file warnquota.c, I cannot find any match for the string "ebug" in this file, nor do I see a printf() line shortly before the usual "Entry not found..." line (which by the way I modified to "No LDAP record found for user ...").
On the last step I checked your suggestion related to replacing printf() with fprintf(). The whole warnquota.c file contains just 2 lines where a "printf()" command appears:
[...]
[...]
So I replaced those two lines containing printf() and now these sections look like this:
[...]
[...]
but I still get a single output of:
OK, this shows that you actually applied the old version of the debug patch which adds debug prints only to the processing of entry attributes, but in your case we never get that far. I've now deleted the old version of the patch from this bug to avoid confusion, so please download the new version and make sure you apply it and not the old one. Thanks!
Ok, thank you for the updated patch you provided. Now I get the following output:
Hi again Jan,
After looking it over and over I have a thought: maybe the lookup fails because the base DN needs to be put in quotation marks at all? Listen, my base DN in reality looks like this:
OU=persons,OU=users,OU=My Company Name GmbH,DC=intra,DC=my-domain,DC=de
In the stated examples above I changed the text to hide sensitive private data:
OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld
Maybe the (white)space within the company name makes your warnquota tool fail? Can you check your code to ensure it's quoted correctly? Just a thought, maybe totally useless, but I thought to mention it.
OK, so the message "ldap_search_ext_s() returned 1" tells that ldap_search_ext_s() already failed and returned an error (the error handling in warnquota() looks buggy in this regard). Error 1 is LDAP_OPERATIONS_ERROR, which doesn't tell much to me. Maybe from the LDAP wiki this is relevant: "eDirectory: In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors." But still it doesn't tell me why the eDirectory server doesn't like the query formed by warnquota. Can't you perhaps have a look at the eDirectory logs for what the server doesn't like about our query?
Spaces in the DN do not really matter and needn't be quoted. Warnquota doesn't really care as it treats the DN as an opaque string. So if what is printed in the message inside quotes is correct (is it?), warnquota didn't mangle anything. Only special characters like '=' or ',' inside entries need to be quoted so that the ldap server does not interpret them as separators.
Ok, so no worries about the quoting part. But I don't know what other information to provide to you. The LDAP server we run is an ActiveDirectory built into samba4. It works fine with lots of other services which are bound to our AD server, and they can successfully perform queries and pull the data required for their operations. Had no issues so far. I don't know what eDirectory is, never heard of it before.
If you meant to check the logs on the LDAP server process ... well, I cannot find any logs produced on my samba4 server. I am not sure though how to enable debug log view to see LDAP queries hitting the samba4 AD/LDAP server. Isn't there any other option to see what warnquota does for the LDAP query? As mentioned before, even a manual ldapsearch command succeeds in getting the necessary information (see my initial postings).
Yeah, I'm also puzzled why 'ldapsearch' works while what warnquota does doesn't... Warnquota does a very similar thing to ldapsearch. One difference I can see is that warnquota requests all attributes while the ldapsearch query you did requested only the 'mail' attribute. To simplify experimenting, I've created ldap_experiment.c which just parses the config file and does the ldap query. You need to compile it like:
gcc -Wall -llber -lldap -o ldap_experiment ldap_experiment.c
Can you try running it like:
ldap_experiment /etc/warnquota.conf mmustermann
It should fail the same way as warnquota does. As a side note I've tested it against LDAP server in our company and it works there just fine.
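As an added illustration (not code from quota-tools or from anyone in this thread), here is a small Python model of the lookup path discussed above: warnquota.conf parsing, filter construction with RFC 4515 escaping of the looked-up name (the '=' / ',' quoting point raised earlier), the return-code check that the "returned 1" case shows is needed, and the default-domain fallback when the mail attribute is absent. The LDAP search is injected as a callable so the block runs offline; `fake_search`, `failing_search` and the config values are constructed, and stripping double quotes around config values is an assumption.

```python
# Constructed sample modelled on the two warnquota.conf files in this thread.
SAMPLE_CONF = """\
; ; and # type comments are allowed
LDAP_MAIL = "true"
LDAP_URI = ldaps://ldap.example.invalid:636
LDAP_BINDDN = "CN=bindaccount,OU=serviceaccounts,DC=intra,DC=mydomain,DC=tld"
LDAP_BINDPW = "sup3rs3cr3t"
LDAP_BASEDN = "OU=persons,OU=my OU,DC=intra,DC=mydomain,DC=tld"
LDAP_SEARCH_ATTRIBUTE = uid
LDAP_MAIL_ATTRIBUTE = mail
LDAP_DEFAULT_MAIL_DOMAIN = mydomain.tld
"""

LDAP_SUCCESS = 0            # libldap return code for a successful call
LDAP_OPERATIONS_ERROR = 1   # the code seen in the thread

def parse_conf(text):
    """KEY = value lines; ';'/'#' full-line comments; quotes stripped (assumption)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key.strip()] = value
    return conf

def escape_filter_value(value):
    """RFC 4515 escaping so a user name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def build_filter(conf, user):
    return "(%s=%s)" % (conf["LDAP_SEARCH_ATTRIBUTE"], escape_filter_value(user))

def resolve_recipient(conf, user, search):
    """search(base, filter, attrs) -> (rc, entries); entries are dicts
    attr -> [values], standing in for ldap_search_ext_s()/ldap_get_values_len().
    Returns (address, reason); raises instead of silently falling back on rc != 0."""
    if "@" in user:                      # a full address (e.g. CC_TO) needs no lookup
        return user, "literal"
    mail_attr = conf["LDAP_MAIL_ATTRIBUTE"]
    rc, entries = search(conf["LDAP_BASEDN"], build_filter(conf, user), [mail_attr])
    if rc != LDAP_SUCCESS:               # the check warnquota was missing
        raise RuntimeError("ldap_search_ext_s() returned %d for %s" % (rc, user))
    if not entries:
        return None, "entry not found"
    values = entries[0].get(mail_attr)
    if not values:                       # attribute absent: default-domain fallback
        return "%s@%s" % (user, conf["LDAP_DEFAULT_MAIL_DOMAIN"]), "attribute missing"
    return values[0], "ldap"

# Constructed stand-ins for the directory: one user with mail, one without.
def fake_search(base, flt, attrs):
    directory = {"(uid=mmustermann)": [{"mail": ["max.mustermann@mydomain.tld"]}],
                 "(uid=ernstp)": [{"uid": ["ernstp"]}]}
    return LDAP_SUCCESS, directory.get(flt, [])

def failing_search(base, flt, attrs):
    return LDAP_OPERATIONS_ERROR, []
```

Running `resolve_recipient(conf, "ernstp", fake_search)` reproduces the silent default-domain behaviour from the first report, while `failing_search` reproduces the "returned 1" case as a raised error rather than a bogus address.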
I've spotted one more buggy error check. Attaching new version of ldap_experiment.c.
gcc ./ldap_experiment.c -o ldap_exp
then tried
make ldap_experiment