<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Okay, I will try checking those parameters. I am doing sssd. I used ldap pam before in CentOS 6 and that had worked for me, but I will try using sssd. What confused me in your guide was when it said to set up /etc/pam.d/system-auth, replacing all instances of pam_sss.so with pam_ldap.so. If I want to use sssd I need to leave this alone. I'll give you an update tomorrow to see how it is going. Thanks again for your insight.</div><div><br></div><div>Thanks</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com">chandank.kumar@gmail.com</a>><br><span style="font-weight:bold">Reply-To: </span> "General discussion list for the 389 Directory server project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Date: </span> Thursday, December 20, 2012 4:07 PM<br><span style="font-weight:bold">To: </span> "General discussion list for the 389 Directory server project." <<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [389-users] How to set up 389 client<br></div><div><br></div><div><div><p dir="ltr">First of all, on the client side, what are you using: sssd or the ldap pam module?
</p><p dir="ltr">To create the home dir, the enablemkhomedir option should be given to authconfig, which is already specified in the guide.
</p><div class="gmail_quote">On Dec 20, 2012 12:43 PM, "Chaudhari, Rohit K." <<a href="mailto:Rohit.Chaudhari@jhuapl.edu">Rohit.Chaudhari@jhuapl.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word"><div>Hey Chandan,</div><div><br></div><div>I tried your guide and am still getting the same issues with the CA not being trusted. How do I make the certificate trusted by the client?</div><div><br></div><div>Also, my main goal is to be able to create a new user on LDAP on the server side (with POSIX attributes) and then, when I try to log in for the first time on the client machine, it should find the information in the LDAP server and let me log in as a newly
created user. Have you tried doing this before?</div><div><br></div><div>When I did an id &lt;ldap-userid&gt; on the client side, it was returning values for me for EXISTING user accounts on the client side, but nothing for users I hadn't already created on the client side. How do I get this to work? I have been banging my head
on this for way too long!</div><div><br></div><div>Thanks,</div><div><br></div><div>Rohit</div><div><br></div><span><div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none"><span style="font-weight:bold">From: </span>Chandan Kumar <<a href="mailto:chandank.kumar@gmail.com" target="_blank">chandank.kumar@gmail.com</a>><br><span style="font-weight:bold">Reply-To: </span>"General discussion list for the 389 Directory server project." <<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Date: </span>Thursday, December 13, 2012 1:57 PM<br><span style="font-weight:bold">To: </span>"General discussion list for the 389 Directory server project." <<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Subject: </span>Re: [389-users] How to set up 389 client<br></div><div><br></div><div><div><div>"Unknown CA" means the certificate that you have copied to the client machine is not trusted.</div><div><br></div><div>Please make sure there are no typos in the sssd.conf file for the certificate directory path or in the ldap.conf path. </div><div><br></div>
No, I have not tested it on Redhat. I only have Centos servers. The answer to your question is yes, but with Centos, not with Redhat.
<div><br></div><div>Also, if you want to check whether your ldap auth is working, just do "id &lt;ldap-userid&gt;" and it should show the information. If it does not, then please check your nsswitch.conf and sssd parameters.</div><div><br></div><div>In my case, the ldapsearch was throwing an error with certificates; however, sssd user authentication was working perfectly. <br><br>
On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div style="font-family:Calibri,sans-serif;font-size:14px">I recall setting it up like the instructions stated and when I ran wireshark I got the following error:</div><div style="font-family:Calibri,sans-serif;font-size:14px"><br></div><div style="font-family:Calibri,sans-serif;font-size:14px"><span style="font-family:verdana;font-size:13px">TLSv1 Alert (Level: Fatal, Description: Unknown CA)</span></div><div style="font-family:Calibri,sans-serif;font-size:14px"><span style="font-family:verdana;font-size:13px"><br></span></div><div><font face="verdana"><span style="font-size:13px">The procedure is as follows:</span></font></div><div><font face="verdana"><span style="font-size:13px">Create new user in LDAP server</span></font></div><div><font face="verdana"><span style="font-size:13px">Create POSIX attributes for that new user</span></font></div><div><font face="verdana"><span style="font-size:13px">Try to log into local box that authenticates against LDAP server with new user for first time</span></font></div><div><font face="verdana"><span style="font-size:13px">It prevents me from logging in successfully (I've had this work before in CentOS)</span></font></div><div><font face="verdana"><span style="font-size:13px"><br></span></font></div><div><font face="verdana"><span style="font-size:13px">Have you been able to successfully log in to a local Red Hat box that authenticates against a 389 DS with a newly created user with POSIX attributes?</span></font></div><div><font face="verdana"><span style="font-size:13px"><br></span></font></div><div><font face="verdana"><span style="font-size:13px">Thanks,</span></font></div><div><font face="verdana"><span style="font-size:13px"><br></span></font></div><div><font face="verdana"><span 
style="font-size:13px">Rohit</span></font></div><div style="font-family:Calibri,sans-serif;font-size:14px"><br></div><span style="font-size: 14px; font-family: Calibri, sans-serif; "><div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none"><span style="font-weight:bold">From: </span>Chandan Kumar <<a>chandank.kumar@gmail.com</a>><br><span style="font-weight:bold">Reply-To: </span>"General discussion list for the 389 Directory server project." <<a>389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Date: </span>Thursday, December 13, 2012 11:57 AM<br><span style="font-weight:bold">To: </span>"General discussion list for the 389 Directory server project." <<a>389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Subject: </span>Re: [389-users] How to set up 389 client<br></div><div><br></div><div><div>Well, Centos is just a clone of RHEL. I did this setup on Centos 6.3 just a few weeks back. What error are you getting?
<div><br></div><div>The most annoying error that I know of is "peer is not trusted".</div><div><br></div><div>What are you using for the client side? SSSD or the PADL NSS stuff? I would recommend using SSSD and following the link below for that.</div><div><br><a href="http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html" target="_blank">http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html</a>.</div><div><br></div><div><br>
On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word"><div>This is on CentOS, however. We had success configuring it for CentOS in the past, but were unable to replicate this on Red Hat 6.3. Did you follow these steps for configuring Red Hat 6 as well?</div><div><br></div><div>Thanks,</div><div><br></div><div>Rohit</div><div><br></div><span><div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none"><span style="font-weight:bold">From: </span>Chandan Kumar <<a>chandank.kumar@gmail.com</a>><br><span style="font-weight:bold">Reply-To: </span>"General discussion list for the 389 Directory server project." <<a>389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Date: </span>Thursday, December 13, 2012 11:50 AM<br><span style="font-weight:bold">To: </span>"General discussion list for the 389 Directory server project." <<a>389-users@lists.fedoraproject.org</a>><br><span style="font-weight:bold">Subject: </span>Re: [389-users] How to set up 389 client<br></div><div><br></div><div><div>The best guide will be the Red Hat manual, or if you are looking for a how-to then you can follow the link below.
<div><br></div><div><a href="http://blogatharva.blogspot.ca/2012/11/389-directory-server-installation-and.html" target="_blank">http://blogatharva.blogspot.ca/2012/11/389-directory-server-installation-and.html</a></div><div><br></div><div>These are the exact steps that I followed, and they worked with self-signed certificates.</div><div><br><br>
On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word"><div>Hello everyone,</div><div><br></div><div>How do I set up a 389 LDAP client to authenticate users against a 389 LDAP server? I don't have a trusted certificate authority (CA) but will create a self-signed CA that signs server certificates, and then put that self-signed CA as the trusted CA on the
client side. Is there anything more specific or a guide on how to set this up out there? Thanks in advance.</div><div><br></div><div>Rohit</div></div></blockquote></div><br><br>
-- <br><br><div>--</div><div><a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br></div><br></div></div></span></div></blockquote></div><br><br>
-- <br><br><div>--</div><div><a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br></div><br></div></div></span></div></blockquote></div><br><br>
-- <br><br><div>--</div><div><a href="http://about.me/chandank" target="_blank">http://about.me/chandank</a><br></div><br></div></div></span></div><br>
--<br>
389 users mailing list<br><a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div></div></div></span></body></html>