OpenLDAP,dnsmasq auf dem Raspberry PI

Alle weiteren Dienste, die nicht in die drei oberen Foren gehören.
Antworten
debiannutzer2017
Beiträge: 1
Registriert: 05.01.2017 11:09:06

OpenLDAP,dnsmasq auf dem Raspberry PI

Beitrag von debiannutzer2017 » 05.01.2017 11:18:20

Guten Tag, werte Community

Ich benutze in meinem Netzwerk einen Raspberry Pi mit Raspbian als Firewall / OpenLDAP / DNS / DHCP
Die Problematik liegt nun darin dass die 3 Clients massive Probleme mit dem Internet haben.
Die Kommunikation mit dem Raspberry PI ist jedoch ohne Probleme möglich.
An der Firewallkonfiguration wird es vermutlich nicht liegen.
Ich habe die Befürchtung, dass sich dnsmasq und OpenLDAP in die Quere kommen.
Sicher bin ich mir allerdings nicht.

Oft funktioniert die Kommunikation auch mit dem Internet allerdings nur mit Seiten welche schonmal geladen worden sind.
Ich vermute daher dass der DNS probleme macht.

Anbei möchte ich noch den Inhalt meiner Konfigdateien mit euch teilen:

Dazu noch angemerkt dass der RPI 2 Interfaces hat: eth1 & eth0. Eth0 geht ins Interne Netzwerk (192.168.88.0) und eth1 ins Netzwerk des Routers (192.168.178.0).
Der Pi hat auf Interface eth0 die IP Adresse 192.168.88.1

Folgende configs liegen auf dem Server (Raspberry Pi)
/etc/dnsmasq.conf

Code: Alles auswählen

#Standart DHCP Interface
interface=eth0

#Block DHCP
no-dhcp-interface=eth1

#Bind stuff
bind-interfaces

#Alternative DNS Server
server=213.73.91.35
server=/localnet/213.73.91.35

#IP Address bereich und Lease time
dhcp-range=interface:eth0,192.168.88.20,192.168.88.40,infinite

/etc/ldap/ldap.conf

Code: Alles auswählen

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE	dc=moonbase,dc=richter
URI	ldap://server.moonbase.richter
#ldap://moonbase.richter:389
ldap://192.168.88.1:389
#ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/etc/ssl/certs/ca-certificates.crt

/etc/resolv.conf

Code: Alles auswählen

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search Speedport_W_724V_Typ_A_05011603_00_009

zusätzlich noch ein netstat von dem RPI

netstat -tulpn

Code: Alles auswählen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      21093/slapd     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      20819/dnsmasq   
tcp        0      0 192.168.88.1:53         0.0.0.0:*               LISTEN      20819/dnsmasq   
tcp        0      0 169.254.205.229:53      0.0.0.0:*               LISTEN      20819/dnsmasq   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      488/sshd        
tcp6       0      0 :::389                  :::*                    LISTEN      21093/slapd     
tcp6       0      0 :::80                   :::*                    LISTEN      19876/apache2   
tcp6       0      0 ::1:53                  :::*                    LISTEN      20819/dnsmasq   
tcp6       0      0 fe80::a39b:c8e0:a2e2:53 :::*                    LISTEN      20819/dnsmasq   
tcp6       0      0 :::22                   :::*                    LISTEN      488/sshd        
udp        0      0 0.0.0.0:29543           0.0.0.0:*                           1608/dhclient   
udp        0      0 127.0.0.1:53            0.0.0.0:*                           20819/dnsmasq   
udp        0      0 192.168.88.1:53         0.0.0.0:*                           20819/dnsmasq   
udp        0      0 169.254.205.229:53      0.0.0.0:*                           20819/dnsmasq   
udp        0      0 0.0.0.0:67              0.0.0.0:*                           20819/dnsmasq   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           20103/dhclient  
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1608/dhclient   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           413/dhcpcd      
udp        0      0 192.168.178.102:123     0.0.0.0:*                           517/ntpd        
udp        0      0 169.254.205.229:123     0.0.0.0:*                           517/ntpd        
udp        0      0 192.168.88.1:123        0.0.0.0:*                           517/ntpd        
udp        0      0 127.0.0.1:123           0.0.0.0:*                           517/ntpd        
udp        0      0 0.0.0.0:123             0.0.0.0:*                           517/ntpd        
udp        0      0 0.0.0.0:39214           0.0.0.0:*                           20103/dhclient  
udp6       0      0 :::7045                 :::*                                1608/dhclient   
udp6       0      0 :::546                  :::*                                413/dhcpcd      
udp6       0      0 ::1:53                  :::*                                20819/dnsmasq   
udp6       0      0 fe80::a39b:c8e0:a2e2:53 :::*                                20819/dnsmasq   
udp6       0      0 fe80::a39b:c8e0:a2e:123 :::*                                517/ntpd        
udp6       0      0 2003:6f:8e7a:c807:9:123 :::*                                517/ntpd        
udp6       0      0 fe80::8aca:81a3:5ad:123 :::*                                517/ntpd        
udp6       0      0 ::1:123                 :::*                                517/ntpd        
udp6       0      0 :::123                  :::*                                517/ntpd        
udp6       0      0 :::36667                :::*                                20103/dhclient  


Folgende configs liegen auf dem client:
/etc/resolv.conf

Code: Alles auswählen

# Generated by NetworkManager
nameserver 192.168.88.1
/etc/openldap/ldap.conf

Code: Alles auswählen

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON	on

URI ldap://192.168.88.1
BASE dc=moonbase,dc=richter
/etc/nscd.conf
#
# /etc/nscd.conf

Code: Alles auswählen

#
# An example Name Service Cache config file.  This file is needed by nscd.
#
# Legal entries are:
#
#	logfile			<file>
#	debug-level		<level>
#	threads			<initial #threads to use>
#	max-threads		<maximum #threads to use>
#	server-user             <user to run server as instead of root>
#		server-user is ignored if nscd is started with -S parameters
#       stat-user               <user who is allowed to request statistics>
#	reload-count		unlimited|<number>
#	paranoia		<yes|no>
#	restart-interval	<time in seconds>
#
#       enable-cache		<service> <yes|no>
#	positive-time-to-live	<service> <time in seconds>
#	negative-time-to-live   <service> <time in seconds>
#       suggested-size		<service> <prime number>
#	check-files		<service> <yes|no>
#	persistent		<service> <yes|no>
#	shared			<service> <yes|no>
#	max-db-size		<service> <number bytes>
#	auto-propagate		<service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#


#	logfile			/var/log/nscd.log
#	threads			4
#	max-threads		32
	server-user		nscd
#	stat-user		somebody
	debug-level		0
#	reload-count		5
	paranoia		no
#	restart-interval	3600

	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
	check-files		passwd		yes
	persistent		passwd		yes
	shared			passwd		yes
	max-db-size		passwd		33554432
	auto-propagate		passwd		yes

	enable-cache		group		yes
	positive-time-to-live	group		3600
	negative-time-to-live	group		60
	suggested-size		group		211
	check-files		group		yes
	persistent		group		yes
	shared			group		yes
	max-db-size		group		33554432
	auto-propagate		group		yes

	enable-cache		hosts		yes
	positive-time-to-live	hosts		3600
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
	persistent		hosts		yes
	shared			hosts		yes
	max-db-size		hosts		33554432

	enable-cache		services	yes
	positive-time-to-live	services	28800
	negative-time-to-live	services	20
	suggested-size		services	211
	check-files		services	yes
	persistent		services	yes
	shared			services	yes
	max-db-size		services	33554432

	enable-cache		netgroup	yes
	positive-time-to-live	netgroup	28800
	negative-time-to-live	netgroup	20
	suggested-size		netgroup	211
	check-files		netgroup	yes
	persistent		netgroup	yes
	shared			netgroup	yes
	max-db-size		netgroup	33554432
/etc/nslcd.conf

Code: Alles auswählen

# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://192.168.88.1

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
base dc=moonbase,dc=richter

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  member           msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  member           posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map    passwd uid           cn
#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
#map    passwd homeDirectory "/home/$cn"
#map    passwd gecos         displayName
#map    passwd loginShell    "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  gidNumber        gid
# This comment prevents repeated auto-migration of settings.
ssl no
tls_cacertdir /etc/openldap/certs



Ich danke euch vielmals im voraus.

Falls ich eine wichtige conf vergessen habe schreibt mir bitte welche ich nachreichen kann.

Antworten

Wer ist online?

Mitglieder in diesem Forum: 0 Mitglieder und 4 Gäste