<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:black;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi Brandon,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> Here are my two config files. Am I missing something?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>***ldap.conf:*****<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'># LDAP Defaults<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'># See ldap.conf(5) for details<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'># This file should be world readable but not world writable.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#BASE dc=example,dc=com<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#URI ldap://ldap.example.com ldap://ldap-master.example.com:666<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#SIZELIMIT 12<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#TIMELIMIT 15<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#DEREF never<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>URI ldaps://whitebox.tierre.net<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>BASE dc=tierre,dc=net<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>TLS_CHECKPEER no<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>TLS_REQCERT never<o:p></o:p></span></p><p class=MsoNormal><span 
style='color:#1F497D'>TLS_CACERTDIR /etc/openldap/cacerts<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>pam_lookup_policy yes<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>pam_groupdn ou=Home,dc=tierre,dc=net<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>pam_member_attribute uniquemember<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>pam_min_uid 5000<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>pam_password clear<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>scope sub<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>timelimit 10<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>bind_timelimit 10<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>idle_timelimit 3600<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>bind_policy soft<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd.gdm<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>binddn cn=Configuration Administrator<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>bindpw xxxxxx<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>***sssd.conf****<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>[domain/default]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_tls_reqcert = allow<o:p></o:p></span></p><p class=MsoNormal><span 
style='color:#1F497D'>ldap_default_bind_dn = cn=admin<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_default_authtok_type = password<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_dfault_authtok = 1saturday<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>auth_provider = ldap<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>cache_credentials = True<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_id_use_start_tls = False<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>debug_level = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_search_base = dc=tierre,dc=net<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>krb5_realm = EXAMPLE.COM<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>chpass_provider = ldap<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>id_provider = ldap<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_uri = ldaps://whitebox.tierre.net<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>krb5_kdcip = kerberos.example.com<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ldap_tls_cacertdir = /etc/openldap/cacerts<o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span 
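style='color:#1F497D'></span></p>
<p class=MsoNormal>The three switches brandon lists for debugging (tls_checkpeer no, TLS_REQCERT never, ldap_tls_reqcert = allow) appear verbatim in the ldap.conf and sssd.conf above, and that is where a practitioner wants a check: with those values the client accepts whatever certificate answers on port 636, so LDAPS no longer protects the bind password, nor the cleartext password changes that pam_password clear relies on it for. The script below is an added example, not code from this thread or from the 389-ds or sssd projects. It parses both file formats, flags settings that turn verification off or leave traffic unencrypted, gives a "did you mean" hint for sssd option names sssd does not recognise (checked against a short list of sssd-ldap(5) names taken from this page, an assumption rather than the full option set), and does the parity comparison between the two files that brandon asks for. Its sample configs are constructed to mirror the ones posted here, with placeholder passwords; the hardened variants show the corrected values beside the weak ones.</p>

```python
# Added example, not code from the thread or the 389-ds/sssd projects: audit the two
# client files for disabled certificate checks, unknown sssd options and parity.
import configparser
import difflib
import re

# sssd-ldap(5) option names that appear on the page (an assumption, deliberately
# short): used only to produce a "did you mean" hint for misspelled options.
SSSD_LDAP_KEYS = {"ldap_uri", "ldap_search_base", "ldap_default_bind_dn",
                  "ldap_default_authtok_type", "ldap_default_authtok",
                  "ldap_tls_reqcert", "ldap_tls_cacertdir", "ldap_id_use_start_tls"}

# Constructed to mirror the files posted in the thread; passwords are placeholders.
WEAK_LDAP_CONF = """\
URI ldaps://whitebox.tierre.net
BASE dc=tierre,dc=net
TLS_CHECKPEER no
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
binddn cn=Configuration Administrator
bindpw xxxxxx
"""
WEAK_SSSD_CONF = """\
[domain/default]
ldap_uri = ldaps://whitebox.tierre.net
ldap_search_base = dc=tierre,dc=net
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=admin
ldap_default_authtok_type = password
ldap_dfault_authtok = xxxxxx
"""
# The same files with verification on (once the CA is in TLS_CACERTDIR) and the typo fixed.
HARDENED_LDAP_CONF = (WEAK_LDAP_CONF.replace("TLS_CHECKPEER no", "TLS_CHECKPEER yes")
                      .replace("TLS_REQCERT never", "TLS_REQCERT demand"))
HARDENED_SSSD_CONF = (WEAK_SSSD_CONF.replace("ldap_tls_reqcert = allow", "ldap_tls_reqcert = demand")
                      .replace("ldap_dfault_authtok", "ldap_default_authtok"))

def parse_ldap_conf(text):
    """ldap.conf(5) style: 'KEY value' per line, '#' comments, keys case-insensitive."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1] if len(parts) == 2 else ""
    return conf

def parse_sssd_conf(text):
    """sssd.conf is INI-style with '=' separators and [domain/NAME] sections."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def audit_ldap_conf(text):
    conf, findings = parse_ldap_conf(text), []
    reqcert = conf.get("tls_reqcert", "demand").lower()          # OpenLDAP default: demand
    if reqcert != "demand":
        findings.append(f"TLS_REQCERT {reqcert}: any server certificate is accepted; set 'demand'")
    if conf.get("tls_checkpeer", "yes").lower() in ("no", "false", "off"):  # pam_ldap's switch
        findings.append("tls_checkpeer no: pam_ldap skips the certificate check; set 'yes'")
    # 'pam_password clear' sends the new password as a plain LDAP modify: TLS must carry it.
    encrypted = (conf.get("uri", "").lower().startswith("ldaps://")
                 or conf.get("ssl", "").lower() in ("yes", "on", "start_tls"))
    if conf.get("pam_password", "").lower() == "clear" and not encrypted:
        findings.append("pam_password clear over plain ldap://: password changes cross the wire in cleartext")
    return findings

def audit_sssd_conf(text):
    cp, findings = parse_sssd_conf(text), []
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        dom = cp[name]
        reqcert = dom.get("ldap_tls_reqcert", "demand").lower()
        if reqcert != "demand":
            findings.append(f"[{name}] ldap_tls_reqcert = {reqcert}: any server certificate is accepted; set 'demand'")
        if (dom.get("ldap_uri", "").lower().startswith("ldap://")
                and dom.get("ldap_id_use_start_tls", "false").lower() != "true"):
            findings.append(f"[{name}] ldap:// without ldap_id_use_start_tls = True: identity lookups are unencrypted")
        for key in dom:  # sssd does not reject unknown options, so a typo silently drops the setting
            if key.startswith("ldap_") and key not in SSSD_LDAP_KEYS:
                for hint in difflib.get_close_matches(key, SSSD_LDAP_KEYS, n=1, cutoff=0.8):
                    findings.append(f"[{name}] unknown option '{key}'; did you mean '{hint}'?")
    return findings

def check_parity(ldap_conf_text, sssd_text):
    """The parity brandon asks for: server, base and CA dir must agree across both files."""
    lc, cp, mismatches = parse_ldap_conf(ldap_conf_text), parse_sssd_conf(sssd_text), []
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        for lkey, skey in (("uri", "ldap_uri"), ("base", "ldap_search_base"),
                           ("tls_cacertdir", "ldap_tls_cacertdir")):
            if lc.get(lkey, "") != cp[name].get(skey, ""):
                mismatches.append(f"{lkey}={lc.get(lkey, '')!r} vs [{name}] {skey}={cp[name].get(skey, '')!r}")
    return mismatches

if __name__ == "__main__":
    print("ldap.conf as posted:", audit_ldap_conf(WEAK_LDAP_CONF), "hardened:", audit_ldap_conf(HARDENED_LDAP_CONF))
    print("sssd.conf as posted:", audit_sssd_conf(WEAK_SSSD_CONF), "hardened:", audit_sssd_conf(HARDENED_SSSD_CONF))
    print("parity:", check_parity(HARDENED_LDAP_CONF, HARDENED_SSSD_CONF))
```

<p class=MsoNormal>Run it as-is and the posted settings are flagged while the hardened variants pass. Before setting TLS_REQCERT and ldap_tls_reqcert back to demand on a real client, confirm the chain verifies from that host first, for example with openssl s_client -connect whitebox.tierre.net:636 -CApath /etc/openldap/cacerts, or with LDAPTLS_REQCERT=demand ldapsearch -x -H ldaps://whitebox.tierre.net -b dc=tierre,dc=net. An OpenSSL-linked OpenLDAP expects the CA files in TLS_CACERTDIR to be hashed with c_rehash rather than just copied in, and builds linked against NSS handle that directory differently, so check ldap.conf(5) on the client. Two things the script does not check: sssd.conf carries the bind password and must be readable by root only, and a bindpw in ldap.conf (whose own header says the file should be world-readable) is visible to every local user, so that proxy identity should have read-only rights and nothing more.</p>
<p class=MsoNormal><span 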
style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] <b>On Behalf Of </b>brandon<br><b>Sent:</b> Saturday, December 18, 2010 10:11 AM<br><b>To:</b> General discussion list for the 389 Directory server project.<br><b>Subject:</b> Re: [389-users] Client setup<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On 12/18/2010 07:47 AM, Maurice James wrote: <o:p></o:p></p><p class=MsoNormal>Hi all,<o:p></o:p></p><p class=MsoNormal> I’m running FC14 and I’m having a hell of a time trying to get my client authenticating to my 389-ds server.<o:p></o:p></p><p class=MsoNormal>Here are the specs<o:p></o:p></p><p class=MsoNormal>389-ds server: FC13<o:p></o:p></p><p class=MsoNormal>Client machines are a mix of FC 13 and FC14<o:p></o:p></p><p class=MsoNormal>I have SSL set up and listening on port 636. I used system-config-authentication to set up the client. When I run getent passwd &lt;username&gt; there is no output on the client, but I see a query in the server. 
Am I missing a step?<o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br>FC13 moved from nscd to sssd, and it has been difficult to use basic 389ds ever since, at least for me because I used a fairly locked down and secured directory server which also forces the use of LDAPS as it is the only means I could get to work which guaranteed SSL with a private CA and didn't break everything (I tried to use ldap/389 w/TLS required, but other things broke for some reason--it has been a year or two since I did this, so perhaps things have improved).<br><br>Also, if you are using SSL, make sure your certs are all verifying correctly (include the server cert), or for debugging, disable cert verification (/etc/ldap.conf:tls_checkpeer no, /etc/openldap/ldap.conf:TLS_REQCERT never, /etc/sssd/ldap.conf:ldap_tls_reqcert = allow).<br><br>I used a fixed ldap.conf (below). I put this in place prior to running system-config-authentication, then fix it up again after. system-config-authentication changes the file below and breaks things with ldaps, and changes the password to md5, not clear. Basically look at your ldap.conf between old and new versions, verify 'ssl', 'tls*' and 'uri' match what they need to be for your configuration, and then lastly review the configs in /etc/sssd/sssd.conf and make sure they are in parity. 
YMMV.<br><br>-----------------------------------------------<br>base dc=arkham<br>pam_lookup_policy yes<br>pam_groupdn cn=xxxx,ou=Groups,dc=arkham<br>pam_member_attribute uniquemember<br>pam_min_uid 5000<br>scope sub<br>timelimit 10<br>bind_timelimit 10<br>idle_timelimit 3600<br>bind_policy soft<br>nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm<br><br># do not use anonymous bind<br>binddn cn=proxyhost,ou=Hosts,dc=arkham<br>bindpw xxxxx<br><br>uri ldaps://ds1.arkham<br><br>tls_cacertdir /etc/openldap/cacerts<br><br><br># send password back to DS (to change) in clear<br>pam_password clear<br>-----------------------------------------------<o:p></o:p></span></p></div></body></html>