[389-users] How to set up 389 client

Chandan Kumar chandank.kumar at gmail.com
Thu Dec 13 18:57:23 UTC 2012


Unknown CA means the certificate that you have copied to the client machine is
not trusted.

Please make sure there are no typos in the sssd.conf file for the
certificate directory path or at the ldap.conf path.

No, I have not tested it on Red Hat. I only have CentOS servers. The answer
to your question is yes, but with CentOS, not with Red Hat.

Also, if you want to check whether your LDAP auth is working, just do "id
<ldap-userid>"; it should show the information. If it does not, then please
check your nsswitch.conf and sssd parameters.

In my case, ldapsearch was throwing errors with certificates; however,
sssd user authentication was working perfectly.

On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:

> I recall setting it up like the instructions stated and when I ran
> wireshark I got the following error:
>
> TLSv1 Alert (Level: Fatal, Description: Unknown CA)
>
> The procedure is as follows:
> Create new user in LDAP server
> Create POSIX attributes for that new user
> Try to log into local box that authenticates against LDAP server with new
> user for first time
> It prevents me from logging in successfully (I've had this work before in
> CentOS)
>
> Have you been able to successfully log in to a local Red Hat box that
> authenticates against a 389 DS with a newly created user with POSIX
> attributes?
>
> Thanks,
>
> Rohit
>
> From: Chandan Kumar <chandank.kumar at gmail.com>
> Reply-To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Date: Thursday, December 13, 2012 11:57 AM
> To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Subject: Re: [389-users] How to set up 389 client
>
> Well, CentOS is just a clone of RHEL. I did this setup on CentOS 6.3 just a
> few weeks back. What error are you getting?
>
> The most annoying error that I know of is "peer is not trusted".
>
> What are you using on the client side? SSSD or PADL NSS stuff? I would
> recommend using SSSD and following the link below for that.
>
>
> http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html
> .
>
>
> On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:
>
>> This is on CentOS however.  We had success configuring it for CentOS in
>> the past, but were unable to replicate this on Red Hat 6.3.  Did you follow
>> these steps for configuring Red Hat 6 as well?
>>
>> Thanks,
>>
>> Rohit
>>
>> From: Chandan Kumar <chandank.kumar at gmail.com>
>> Reply-To: "General discussion list for the 389 Directory server
>> project." <389-users at lists.fedoraproject.org>
>> Date: Thursday, December 13, 2012 11:50 AM
>> To: "General discussion list for the 389 Directory server project." <
>> 389-users at lists.fedoraproject.org>
>> Subject: Re: [389-users] How to set up 389 client
>>
>> The best guide will be the Red Hat manual, or if you are looking for a
>> how-to, you can follow the link below.
>>
>>
>> http://blogatharva.blogspot.ca/2012/11/389-directory-server-installation-and.html
>>
>> These are the exact steps that I followed, and they worked with
>> self-signed certificates.
>>
>>
>> On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:
>>
>>> Hello everyone,
>>>
>>> How do I set up a 389 LDAP client to authenticate users against a 389
>>> LDAP server?  I don't have a trusted certificate authority (CA) but will
>>> create a self-signed CA that signs server certificates, and then put that
>>> self-signed CA as the trusted CA on the client side.  Is there anything
>>> more specific or a guide on how to set this up out there?  Thanks in
>>> advance.
>>>
>>> Rohit
>>>
>>
>>
>> --
>>
>> --
>> http://about.me/chandank
>>
>>
>
> --
>
> --
> http://about.me/chandank
>
>

-- 

--
http://about.me/chandank
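
An added example, not part of the original message: a POSIX shell check for the advice above about typos in the CA path. It reads `ldap_tls_cacert`/`ldap_tls_cacertdir` from sssd.conf and `TLS_CACERT`/`TLS_CACERTDIR` from ldap.conf, confirms the paths exist, and checks that nsswitch.conf lists `sss`. The default file locations are assumptions for a CentOS/RHEL 6 client.

```shell
#!/bin/sh
# Added example (not from the thread). Run as: sh <this-script> report
# Default locations are assumptions for a CentOS/RHEL 6 client; override via env.
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"
NSS_CONF="${NSS_CONF:-/etc/nsswitch.conf}"

# Print the last value of KEY ($2) in FILE ($1). Handles "key = value" (sssd.conf)
# and "KEY value" (ldap.conf), skips comment lines, matches the key case-insensitively.
conf_value() (
    [ -r "$1" ] || exit 1
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          if (tolower(substr(line, 1, length(k))) != tolower(k)) next
          rest = substr(line, length(k) + 1)
          if (rest !~ /^[ \t]*=/ && rest !~ /^[ \t]+/) next   # a longer key, e.g. ...cacertdir
          sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest); v = rest }
        END { if (v == "") exit 1; print v }' "$1"
)

# Returns 0 if the configured path is a readable file or a non-empty directory,
# 1 if the key is set but the path is unusable, 2 if the key is not set.
check_ca_setting() (
    path=$(conf_value "$1" "$2") || { echo "$1: $2 not set"; exit 2; }
    if [ -f "$path" ] && [ -r "$path" ]; then
        echo "$1: $2 = $path (ok)"
    elif [ -d "$path" ] && [ -n "$(ls -A "$path" 2>/dev/null)" ]; then
        echo "$1: $2 = $path (ok, directory)"
    else
        echo "$1: $2 = $path (missing or unreadable)"; exit 1
    fi
)

# True when the passwd database in nsswitch.conf lists the sss source.
nss_uses_sss() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]sss([[:space:]]|$)' "${1:-$NSS_CONF}" 2>/dev/null
}

# Check both clients' CA settings and the NSS source in one pass.
report() {
    check_ca_setting "$SSSD_CONF" ldap_tls_cacert
    check_ca_setting "$SSSD_CONF" ldap_tls_cacertdir
    check_ca_setting "$LDAP_CONF" TLS_CACERT
    check_ca_setting "$LDAP_CONF" TLS_CACERTDIR
    nss_uses_sss || echo "$NSS_CONF: passwd line does not list sss"
}
if [ "${1:-}" = "report" ]; then report; fi
```

sssd and ldapsearch read their CA settings from different files, so one can trust the CA while the other does not.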