Questions on 389 configuration (Linux Archive, Fedora Directory: http://www.linux-archive.org/fedora-directory/682868-questions-389-configuration.html)

Juan Asensio Sánchez 07-12-2012 10:54 AM

Questions on 389 configuration
 
Hi

We are using these attributes for a (very basic) configuration of
LDAPI (just root -> Directory Manager):

# LDAPI
nsslapd-ldapifilepath: /var/run/dirsrv/slapd-XXXX.socket
nsslapd-ldapilisten: on
nsslapd-ldapiautobind: on
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapientrysearchbase: dc=XXXXX,dc=es

Then, we search this way:

ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fdirsrv%2fslapd-XXXX.socket \
    -b "dc=XXXXX,dc=es" -s one "(objectClass=organization)" o

/etc/nslcd.conf is used with nsswitch.conf to make LDAP users and
groups available to the system, so, if configured in PAM, they can
access the system. pam_ldap.conf (I've never used it), should be to
configure PAM to use LDAP as an option to retrieve users and passwords
to authenticate the users.

Regards.


2012/7/12 Alberto Suárez <asuapaz@gobiernodecanarias.org>:
> Hi,
>
> I have finished configuring 389 on Centos 6.2. and it seems to work ok now.
> Not a conceptually difficult exercise, but a very complex exercise in
> practice, due to the many details that have to be borne in mind which either
> are not well documented (IMHO) or scattered in several docs, plus the tricky
> changes introduced by Centos 6.2.
>
> My intention is to prepare a doc in Spanish explaining how to set the thing
> up from the beginning and make it available to anyone who needs it.
>
> However I still have some doubts after having gone through the installation
> and configuration of the product:
>
> 1. Autobind and LDAPI. From my understanding, Centos 6.2 wants you to use
> SSL, but on the other hand there is LDAPI which is meant to be faster and
> more secure. In my case, the client and LDAP will be sitting on the same
> machine, so I do not see the point in using SSL as opposed to ldapi. How do
> you configure 389 to use ldapi and not SSL? I enabled LDAPI and configured
> Autobind following the instructions given in RHDS 9.0 documentation, but I
> do not see how it is (if it is) used.
>
> 2. Is there some doc that explains the various directives found in
> /etc/pam_ldap.conf and /etc/nslcd.conf files? I have configured some in
> order to get it to work, but I do not understand well its purpose. The man
> page does not cover every directive and it is not quite explanatory, anyway.
>
> Thank you.
>
> Alberto
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 07-12-2012 01:30 PM

Questions on 389 configuration
 
On 07/12/2012 04:13 AM, Alberto Suárez wrote:
> Hi,
>
> I have finished configuring 389 on Centos 6.2. and it seems to work ok
> now. Not a conceptually difficult exercise, but a very complex
> exercise in practice, due to the many details that have to be borne in
> mind which either are not well documented (IMHO) or scattered in
> several docs, plus the tricky changes introduced by Centos 6.2.
>
> My intention is to prepare a doc in Spanish explaining how to set the
> thing up from the beginning and make it available to anyone who needs it.
>
> However I still have some doubts after having gone through the
> installation and configuration of the product:
>
> 1. Autobind and LDAPI. From my understanding, Centos 6.2 wants you to
> use SSL, but on the other hand there is LDAPI which is meant to be
> faster and more secure. In my case, the client and LDAP will be
> sitting on the same machine, so I do not see the point in using SSL as
> opposed to ldapi. How do you configure 389 to use ldapi and not SSL? I
> enabled LDAPI and configured Autobind following the instructions given
> in RHDS 9.0 documentation, but I do not see how it is (if it is) used.

To test it, you have to use an ldapi URL like this:

ldapmodify -x -H ldapi://pathtosocket.socket -D "cn=directory manager" -w password -a

Where pathtosocket.socket is the full absolute path of the socket file,
with the '/' replaced with '%2F'.

The access log will tell you if the connection is using ldapi.

I don't know if pam/nss ldap supports ldapi.

> 2. Is there some doc that explains the various directives found in
> /etc/pam_ldap.conf and /etc/nslcd.conf files? I have configured some
> in order to get it to work, but I do not understand well its purpose.
> The man page does not cover every directive and it is not quite
> explanatory, anyway.

man pam_ldap

I don't know about nslcd.

> Thank you.
>
> Alberto
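As an added example (not from the thread, and not 389's own tooling), the following Python script covers the two practical points raised above: it percent-encodes a socket path into an ldapi:// URL the way Rich describes and assembles Juan's SASL/EXTERNAL ldapsearch from it, and it reads 389 access-log lines to report which connections arrived over the LDAPI socket and which DN they were autobound to, which is the check Rich points to. The log lines are constructed sample input; the line shapes the regexes expect ("connection from local to <socket>", "AUTOBIND dn=...") are assumed from 389-ds defaults and should be verified against your own access log.

```python
"""Added example, not from the thread: LDAPI URL encoding plus an
access-log check for LDAPI connections and autobind."""
import re
import shlex
from urllib.parse import quote


def ldapi_url(socket_path):
    """Turn an absolute socket path into an ldapi:// URL.

    Every '/' (and anything else reserved) is percent-encoded so the whole
    path fits where a hostname would normally go, as Rich describes.
    """
    if not socket_path.startswith("/"):
        raise ValueError("socket path must be absolute: %r" % (socket_path,))
    return "ldapi://" + quote(socket_path, safe="")


def ldapsearch_command(socket_path, base_dn, ldap_filter, attrs=()):
    """argv for the SASL/EXTERNAL search from Juan's post (one-level scope)."""
    return ["ldapsearch", "-Y", "EXTERNAL", "-H", ldapi_url(socket_path),
            "-b", base_dn, "-s", "one", ldap_filter, *attrs]


# Line shapes assumed from 389-ds access-log defaults; check them against
# your own /var/log/dirsrv/slapd-*/access before relying on them.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)")
BIND_RE = re.compile(r'conn=(\d+) op=-?\d+ (AUTOBIND|BIND) dn="([^"]*)"')


def summarize_connections(lines):
    """Map conn id -> transport (ldapi/tcp), peer, and how it bound.

    A connection 'from local to <socket>' came over the LDAPI socket; an
    AUTOBIND line means the server mapped the peer uid to a DN itself
    (nsslapd-ldapiautobind), so no password crossed the socket.
    """
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            cid, src, dst = m.groups()
            local = (src == "local")
            conns[cid] = {"transport": "ldapi" if local else "tcp",
                          "peer": dst if local else src,
                          "bind": None, "bind_dn": None}
            continue
        m = BIND_RE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["bind"] = m.group(2)
            conns[m.group(1)]["bind_dn"] = m.group(3)
    return conns


# Constructed sample log: one LDAPI+autobind connection, one TCP simple bind.
SAMPLE_LOG = [
    '[12/Jul/2012:10:54:01 +0200] conn=5 fd=64 slot=64 connection from local to /var/run/dirsrv/slapd-XXXX.socket',
    '[12/Jul/2012:10:54:01 +0200] conn=5 op=-1 AUTOBIND dn="cn=Directory Manager"',
    '[12/Jul/2012:10:54:01 +0200] conn=5 op=0 SRCH base="dc=XXXXX,dc=es" scope=1 filter="(objectClass=organization)" attrs="o"',
    '[12/Jul/2012:10:55:12 +0200] conn=6 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.1',
    '[12/Jul/2012:10:55:12 +0200] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
]


if __name__ == "__main__":
    argv = ldapsearch_command("/var/run/dirsrv/slapd-XXXX.socket",
                              "dc=XXXXX,dc=es", "(objectClass=organization)", ("o",))
    print(shlex.join(argv))
    for cid, info in sorted(summarize_connections(SAMPLE_LOG).items()):
        print("conn=%s transport=%s peer=%s bind=%s dn=%s" % (
            cid, info["transport"], info["peer"], info["bind"], info["bind_dn"]))
```

Run against a real access log (one line per list element) the summary shows at a glance whether a client actually went through the socket and got autobound, or fell back to a TCP simple bind; conn=6 in the sample is the kind of entry you do not want to see for a same-host client that was supposed to be using LDAPI.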

