[389-users] Client setup

Maurice James midnightsteel at msn.com
Sun Dec 19 17:13:39 UTC 2010


Hi Brandon,

Here are my two config files. Am I missing something?

*** ldap.conf ***

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

URI ldaps://whitebox.tierre.net
BASE dc=tierre,dc=net
TLS_CHECKPEER no
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts

pam_lookup_policy yes
pam_groupdn ou=Home,dc=tierre,dc=net
pam_member_attribute uniquemember
pam_min_uid 5000
pam_password clear
scope sub
timelimit 10
bind_timelimit 10
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

binddn cn=Configuration Administrator
bindpw xxxxxx


*** sssd.conf ***

[domain/default]
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=admin
ldap_default_authtok_type = password
ldap_default_authtok = 1saturday
auth_provider = ldap
cache_credentials = True
ldap_id_use_start_tls = False
debug_level = 0
ldap_search_base = dc=tierre,dc=net
krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
ldap_uri = ldaps://whitebox.tierre.net
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
From: 389-users-bounces at lists.fedoraproject.org
[mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of brandon
Sent: Saturday, December 18, 2010 10:11 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Client setup

 

On 12/18/2010 07:47 AM, Maurice James wrote: 

Hi all,

   I'm running FC14 and I'm having a hell of a time trying to get my client
authenticating to my 389-ds server.

Here are the specs

389-ds server: FC13

Client machines are a mix of FC 13 and FC14

I have SSL set up and listening on port 636. I used
system-config-authentication to set up the client. When I run getent passwd
<username> there is no output on the client, but I see a query in the
server. Am I missing a step?


FC13 moved from nscd to sssd, and it has been difficult to use basic 389ds
ever since, at least for me because I used a fairly locked down and secured
directory server which also forces the use of LDAPS as it is the only means
I could get to work which guaranteed SSL with a private CA and didn't break
everything (I tried to use ldap/389 w/TLS required, but other things broke
for some reason--it has been a year or two since I did this, so perhaps
things have improved).

Also, if you are using SSL, make sure your certs are all verifying
correctly (include the server cert), or for debugging, disable cert
verification (/etc/ldap.conf:tls_checkpeer no,
/etc/openldap/ldap.conf:TLS_REQCERT never,
/etc/sssd/ldap.conf:ldap_tls_reqcert = allow).

I used a fixed ldap.conf (below). I put this in place prior to running
system-config-authentication, then fix it up again after.
system-config-authentication changes the file below and breaks things with
ldaps, and changes the password to md5, not clear.  Basically look at your
ldap.conf between old and new versions, verify 'ssl', 'tls*' and 'uri' match
what they need to be for your configuration, and then lastly review the
configs in /etc/sssd/sssd.conf and make sure they are in parity.  YMMV.

-----------------------------------------------
base dc=arkham
pam_lookup_policy yes
pam_groupdn cn=xxxx,ou=Groups,dc=arkham
pam_member_attribute uniquemember
pam_min_uid 5000
scope sub
timelimit 10
bind_timelimit 10
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

# do not use anonymous bind
binddn cn=proxyhost,ou=Hosts,dc=arkham
bindpw xxxxx

uri ldaps://ds1.arkham

tls_cacertdir /etc/openldap/cacerts


# send password back to DS (to change) in clear
pam_password clear
-----------------------------------------------
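Brandon's advice comes down to two checks: the debugging-only settings that turn off certificate verification (tls_checkpeer no, TLS_REQCERT never, ldap_tls_reqcert = allow) must not be left in place once things work, and ldap.conf and sssd.conf must agree on URI and search base. The script below is an added example written for this thread, not code from either poster or from the 389/sssd projects; it parses both file formats and reports those conditions. The sample inputs are constructed to resemble the posted files, with placeholder hostnames, base DN and bind DN.

```python
"""Audit an nss_ldap/pam_ldap style ldap.conf together with an sssd.conf for
verification-off TLS settings and for URI / base-DN parity between the files."""
import configparser

# Constructed sample inputs modelled on the files posted in this thread.
# Hostnames, base DN and bind DN are placeholders, not values from the list.
LDAP_CONF = """\
# See ldap.conf(5) for details
URI ldaps://ldap.example.test
BASE dc=example,dc=test
TLS_CHECKPEER no
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
binddn cn=proxyhost,ou=Hosts,dc=example,dc=test
bindpw REDACTED
"""

SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_reqcert = allow
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
"""

# Values of TLS_REQCERT / ldap_tls_reqcert that skip server-certificate checks.
VERIFY_OFF = {"never", "allow"}


def parse_ldap_conf(text):
    """ldap.conf is 'KEY value' per line; keys are case-insensitive and
    '#' starts a comment, so keys are lower-cased and comments dropped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def parse_sssd_conf(text, domain="domain/default"):
    """sssd.conf is INI-style; return the options of one [domain/...] section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp[domain]) if cp.has_section(domain) else {}


def audit(ldap, sssd):
    """Return (code, message) findings; an empty list means both files verify
    the server certificate, carry no cleartext channel, and agree on URI/base."""
    findings = []
    if ldap.get("tls_reqcert", "").lower() in VERIFY_OFF:
        findings.append(("ldap-reqcert", "ldap.conf: TLS_REQCERT %s skips server certificate verification" % ldap["tls_reqcert"]))
    if ldap.get("tls_checkpeer", "").lower() == "no":
        findings.append(("ldap-checkpeer", "ldap.conf: tls_checkpeer no skips peer certificate verification"))
    if sssd.get("ldap_tls_reqcert", "").lower() in VERIFY_OFF:
        findings.append(("sssd-reqcert", "sssd.conf: ldap_tls_reqcert = %s skips server certificate verification" % sssd["ldap_tls_reqcert"]))
    uri = sssd.get("ldap_uri", "")
    if uri.startswith("ldap://") and sssd.get("ldap_id_use_start_tls", "false").lower() != "true":
        findings.append(("sssd-cleartext", "sssd.conf: ldap:// URI without ldap_id_use_start_tls = True sends identity lookups in clear"))
    if ldap.get("pam_password", "").lower() == "clear" and not ldap.get("uri", "").startswith("ldaps://"):
        findings.append(("ldap-clearpw", "ldap.conf: pam_password clear over a non-ldaps URI exposes password changes"))
    if ldap.get("uri", "").lower() != uri.lower():
        findings.append(("parity-uri", "URI differs: ldap.conf %r vs sssd.conf %r" % (ldap.get("uri"), uri)))
    if ldap.get("base", "").lower() != sssd.get("ldap_search_base", "").lower():
        findings.append(("parity-base", "search base differs: ldap.conf %r vs sssd.conf %r" % (ldap.get("base"), sssd.get("ldap_search_base"))))
    return findings


def audit_texts(ldap_text, sssd_text):
    """Convenience wrapper: parse both texts and audit them."""
    return audit(parse_ldap_conf(ldap_text), parse_sssd_conf(sssd_text))


if __name__ == "__main__":
    for code, msg in audit_texts(LDAP_CONF, SSSD_CONF):
        print(code, "-", msg)
```

Run against real files by reading /etc/ldap.conf and /etc/sssd/sssd.conf into the two strings; on the constructed sample it reports both verification-off settings in ldap.conf, the allow setting in sssd.conf, the cleartext ldap:// channel, and the URI mismatch between the files, while the matching base DN produces no finding.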
