Old 12-18-2010, 01:47 PM
Maurice James
 
Client setup

Hi all,
I’m running FC14 and I’m having a hell of a time trying to get my client authenticating to my 389-ds server.
Here are the specs
389-ds server: FC13
Client machines are a mix of FC 13 and FC14
I have SSL set up and listening on port 636. I used system-config-authentication to set up the client. When I run getent passwd <username> there is no output on the client, but I see a query on the server. Am I missing a step?
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 12-18-2010, 02:11 PM
brandon
 
Client setup

On 12/18/2010 07:47 AM, Maurice James wrote:
FC13 moved from nscd to sssd, and it has been difficult to use basic 389ds ever since, at least for me, because I used a fairly locked down and secured directory server which also forces the use of LDAPS, as it is the only means I could get to work which guaranteed SSL with a private CA and didn't break everything (I tried to use ldap/389 w/TLS required, but other things broke for some reason--it has been a year or two since I did this, so perhaps things have improved).

Also, if you are using SSL, make sure your certs are all verifying correctly (include the server cert), or for debugging, disable cert verification (/etc/ldap.conf: tls_checkpeer no, /etc/openldap/ldap.conf: TLS_REQCERT never, /etc/sssd/ldap.conf: ldap_tls_reqcert = allow).

I used a fixed ldap.conf (below). I put this in place prior to running system-config-authentication, then fix it up again after. system-config-authentication changes the file below and breaks things with ldaps, and changes the password to md5, not clear. Basically look at your ldap.conf between old and new versions, verify 'ssl', 'tls*' and 'uri' match what they need to be for your configuration, and then lastly review the configs in /etc/sssd/sssd.conf and make sure they are in parity. YMMV.



-----------------------------------------------
base dc=arkham
pam_lookup_policy yes
pam_groupdn cn=xxxx,ou=Groups,dc=arkham
pam_member_attribute uniquemember
pam_min_uid 5000
scope sub
timelimit 10
bind_timelimit 10
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

# do not use anonymous bind
binddn cn=proxyhost,ou=Hosts,dc=arkham
bindpw xxxxx

uri ldaps://ds1.arkham

tls_cacertdir /etc/openldap/cacerts

# send password back to DS (to change) in clear
pam_password clear
-----------------------------------------------





 
Old 12-19-2010, 04:13 PM
Maurice James
 
Client setup

Hi Brandon,
Here are my two config files. Am I missing something?

ldap.conf:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldaps://whitebox.tierre.net
BASE dc=tierre,dc=net
TLS_CHECKPEER no
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts

pam_lookup_policy yes
pam_groupdn ou=Home,dc=tierre,dc=net
pam_member_attribute uniquemember
pam_min_uid 5000
pam_password clear
scope sub
timelimit 10
bind_timelimit 10
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

binddn cn=Configuration Administrator
bindpw xxxxxx

sssd.conf:
[domain/default]
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=admin
ldap_default_authtok_type = password
ldap_default_authtok = 1saturday
auth_provider = ldap
cache_credentials = True
ldap_id_use_start_tls = False
debug_level = 0
ldap_search_base = dc=tierre,dc=net
krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
ldap_uri = ldaps://whitebox.tierre.net
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
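Brandon's advice in the previous post comes down to three checks that can be run without touching the server: that the debugging settings which disable certificate verification (tls_checkpeer no, TLS_REQCERT never, ldap_tls_reqcert = allow) are not left in place, that ldap.conf and sssd.conf agree on uri, base and bind DN, and that every sssd option name is spelled correctly (sssd does not treat an unknown option name as an error, so a misspelled one silently leaves the option at its default). The script below is an added example, not code from this thread, from 389-ds or from sssd. Its sample files are constructed: the "weak" pair mirrors the settings posted in this thread with passwords replaced and a deliberately misspelled ldap_dfault_authtok key, the "hardened" pair assumes a low-privilege proxy bind account cn=proxyhost,ou=Hosts,dc=tierre,dc=net that is not from the thread, and KNOWN_SSSD_KEYS is a partial list covering only the options that appear in these files.

```python
"""Audit a client's ldap.conf and sssd.conf offline for: settings that
disable TLS certificate verification, values that disagree between the
two files, and sssd option names that are not known (misspellings).
Added example, not code from the thread, 389-ds or sssd; the sample
files are constructed and KNOWN_SSSD_KEYS is an assumed partial list."""
import configparser
import re

# Values that turn off server-certificate verification, by file.
INSECURE_TLS = {
    "tls_checkpeer": {"no"},                 # /etc/ldap.conf (nss_ldap/pam_ldap)
    "tls_reqcert": {"never", "allow"},       # /etc/openldap/ldap.conf
    "ldap_tls_reqcert": {"never", "allow"},  # /etc/sssd/sssd.conf
}
# sssd [domain/...] options for an LDAP provider (assumption: partial list).
KNOWN_SSSD_KEYS = {
    "id_provider", "auth_provider", "chpass_provider", "ldap_uri",
    "ldap_search_base", "ldap_default_bind_dn", "ldap_default_authtok",
    "ldap_default_authtok_type", "ldap_tls_reqcert", "ldap_tls_cacertdir",
    "ldap_id_use_start_tls", "cache_credentials", "debug_level",
}
# ldap.conf key -> sssd key that must carry the same value.
PARITY = (("uri", "ldap_uri"), ("base", "ldap_search_base"),
          ("binddn", "ldap_default_bind_dn"))


def parse_ldap_conf(text):
    """'KEY value' lines; keys are case-insensitive, so lower-case them."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def parse_sssd_conf(text):
    """INI file; configparser lower-cases option names for us."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def audit(ldap_conf_text, sssd_conf_text):
    """Return a list of findings; an empty list means the pair is clean."""
    findings = []
    ldap = parse_ldap_conf(ldap_conf_text)
    for key in ("tls_checkpeer", "tls_reqcert"):
        if ldap.get(key, "").lower() in INSECURE_TLS[key]:
            findings.append(f"ldap.conf: '{key} {ldap[key]}' disables certificate verification")
    for section, opts in parse_sssd_conf(sssd_conf_text).items():
        if not section.startswith("domain/"):
            continue
        reqcert = opts.get("ldap_tls_reqcert", "")
        if reqcert.lower() in INSECURE_TLS["ldap_tls_reqcert"]:
            findings.append(f"sssd.conf [{section}]: 'ldap_tls_reqcert = {reqcert}' "
                            "disables certificate verification")
        for name in opts:
            if name not in KNOWN_SSSD_KEYS:
                findings.append(f"sssd.conf [{section}]: unknown option '{name}' "
                                "(misspelled? sssd does not treat it as an error)")
        for lkey, skey in PARITY:
            lval, sval = ldap.get(lkey), opts.get(skey)
            if lval and sval and lval != sval:
                findings.append(f"parity: ldap.conf {lkey}='{lval}' but sssd.conf {skey}='{sval}'")
    return findings


# Constructed from the client files posted in this thread (passwords replaced).
WEAK_LDAP_CONF = """\
URI ldaps://whitebox.tierre.net
BASE dc=tierre,dc=net
TLS_CHECKPEER no
TLS_REQCERT never
binddn cn=Configuration Administrator
bindpw xxxxxx
"""
WEAK_SSSD_CONF = """\
[domain/default]
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=admin
ldap_dfault_authtok = xxxxxx
id_provider = ldap
ldap_search_base = dc=tierre,dc=net
ldap_uri = ldaps://whitebox.tierre.net
"""
# The same pair with verification on and one low-privilege proxy bind DN
# (cn=proxyhost,ou=Hosts,dc=tierre,dc=net is assumed, not from the thread).
HARDENED_LDAP_CONF = """\
URI ldaps://whitebox.tierre.net
BASE dc=tierre,dc=net
TLS_CHECKPEER yes
TLS_REQCERT demand
binddn cn=proxyhost,ou=Hosts,dc=tierre,dc=net
bindpw xxxxxx
"""
HARDENED_SSSD_CONF = """\
[domain/default]
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=proxyhost,ou=Hosts,dc=tierre,dc=net
ldap_default_authtok = xxxxxx
id_provider = ldap
ldap_search_base = dc=tierre,dc=net
ldap_uri = ldaps://whitebox.tierre.net
"""
```

Running audit(WEAK_LDAP_CONF, WEAK_SSSD_CONF) yields five findings (two disabled verifications in ldap.conf, one in sssd.conf, the unknown option, and the bind DN mismatch); the hardened pair yields none. Two further points a reviewer would raise on the files posted in this thread: a bind password pasted into a public mailing list is compromised and should be rotated, and a file carrying binddn/bindpw must not be world-readable, which is exactly what the comment header of the posted ldap.conf says it should be (that header belongs to /etc/openldap/ldap.conf, which is meant to hold no credentials). Binding the client as a directory administrator account rather than a dedicated read-only proxy account also means that a root compromise of any client yields administrative access to the directory.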
 
Old 12-21-2010, 07:02 PM
Aaron Hagopian
 
Client setup

Are the accounts you are trying to use set up with objectClass: posixAccount and the required attributes (homeDirectory, uidNumber, etc.)?

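Aaron's question above is the check to run before anything else: nss_ldap and sssd can only build a passwd entry from a directory entry that carries objectClass posixAccount and the RFC 2307 attributes uid, cn, uidNumber, gidNumber and homeDirectory, which is why a search can reach the server yet getent passwd prints nothing. The pam_min_uid 5000 line present in both configs posted earlier is a separate gate: getent still shows an account with a lower uidNumber, but pam_ldap refuses to log it in. The Python below runs both checks over an LDIF export, as ldapsearch -LLL would print it, and shows the passwd line nss would synthesise. It is an added example, not from the thread; the LDIF is constructed under dc=example,dc=com, and the parser is deliberately minimal (no base64 "::" values, no change records).

```python
"""Validate directory entries for use as POSIX accounts (RFC 2307).
Added example, not from the thread. The LDIF below is constructed under
dc=example,dc=com. The parser handles 'attr: value' lines, blank-line
separated entries and single-space continuation lines only."""

# Attributes nss_ldap/sssd need to build a passwd(5) line.
REQUIRED_ATTRS = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Return a list of entries; each maps lower-cased attribute names
    to the list of values seen for that attribute."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]     # continuation line
            continue
        if not raw.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def check_posix_account(entry, min_uid=None):
    """Return the list of problems; empty means getent passwd can resolve
    the entry and, if min_uid is given, pam_ldap will accept the login."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"missing {attr}")
    for attr in ("uidNumber", "gidNumber"):
        values = entry.get(attr.lower(), [])
        if values and not values[0].isdigit():
            problems.append(f"{attr} is not numeric")
    uid_values = entry.get("uidnumber", [])
    if (min_uid is not None and uid_values and uid_values[0].isdigit()
            and int(uid_values[0]) < min_uid):
        problems.append(f"uidNumber {uid_values[0]} below pam_min_uid {min_uid}")
    return problems


def passwd_line(entry):
    """The passwd(5) line nss would synthesise for a valid entry."""
    gecos = entry.get("gecos", entry["cn"])[0]
    shell = entry.get("loginshell", ["/bin/sh"])[0]
    return ":".join([entry["uid"][0], "x", entry["uidnumber"][0],
                     entry["gidnumber"][0], gecos, entry["homedirectory"][0], shell])


def report(ldif_text, min_uid=None):
    """Map each DN in the export to its list of problems."""
    return {e["dn"][0]: check_posix_account(e, min_uid) for e in parse_ldif(ldif_text)}


# Constructed LDIF: one good account, one without posixAccount, one below pam_min_uid.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/jdoe
loginShell: /bin/bash

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: broken
cn: Broken Account

dn: uid=svc,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: svc
cn: Service Account
uidNumber: 1001
gidNumber: 1001
homeDirectory: /var/lib/svc
"""

if __name__ == "__main__":
    for dn, problems in report(SAMPLE_LDIF, min_uid=5000).items():
        print(dn, "->", problems or "OK")
```

Against a live 389-ds, the same check applies to the output of ldapsearch -LLL -x -H ldaps://host -b "ou=People,dc=..." "(uid=username)", run with the same bind DN the client uses, since an entry that exists but is not readable by the proxy account fails in exactly the same way as one lacking posixAccount.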
 
