[389-users] How to set up 389 client

Chandan Kumar chandank.kumar at gmail.com
Mon Jan 7 16:39:56 UTC 2013


Hello Rohit,

While creating users you also need to specify POSIX properties for the user.

In the admin console you need to fill out the posix properties details while
creating the user. Also make sure you create posix groups and associate
these new users with the group ID, otherwise at login time you may get
a warning message like "id: Group does not exist".

--
http://about.me/chandank


On Mon, Jan 7, 2013 at 7:27 AM, Chaudhari, Rohit K. <
Rohit.Chaudhari at jhuapl.edu> wrote:

> Hey Chandan,
>
> So I got the RHEL client working, but I have an outstanding issue.  When I
> look at the users/groups setting on the client machine, the newly created
> user that I made on the RHEL LDAP server does not show up on the list.  Is
> this how it is supposed to work?  If not, how do I get a LDAP user to
> become a part of the users and groups list on the RHEL client?
>
> Thanks,
>
> Rohit
>
> From: Chandan Kumar <chandank.kumar at gmail.com>
> Reply-To: "General discussion list for the 389 Directory server project."
> <389-users at lists.fedoraproject.org>
> Date: Thursday, December 20, 2012 6:21 PM
>
> To: "General discussion list for the 389 Directory server project." <
> 389-users at lists.fedoraproject.org>
> Subject: Re: [389-users] How to set up 389 client
>
> Yes, you do need to replace it with SSSD. If you have a fresh CentOS
> install, by default it is sssd only.
>
> The best way would be to use the authconfig tool as it changes all related
> files and you don't have to manually change all of them.  Moreover, you
> also need to change the nss.conf file and make sure groups/users do have sssd
> instead of ldap.
>
> From RHEL 6.4 sssd will be fully supported and it gives better performance
> if you intend to integrate many applications with LDAP as it does not open
> multiple connections with the directory server.
>
> I will look that guide again and will try to improve it.
>
> On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:
>
>> Okay I will try checking those parameters.  I am doing sssd, I used ldap
>> pam before in CentOS 6 and that had worked for me, but I will try using
>> sssd.  What confused me in your guide was when it said to set up
>> /etc/pam.d/system-auth, replacing all instances of pam_sss.so with
>> pam_ldap.so.  If I want to use sssd I need to leave this alone.  I'll give
>> you an update tomorrow to see how it is going.  Thanks again for your
>> insight.
>>
>> Thanks
>>
>> From: Chandan Kumar <chandank.kumar at gmail.com>
>> Reply-To: "General discussion list for the 389 Directory server
>> project." <389-users at lists.fedoraproject.org>
>> Date: Thursday, December 20, 2012 4:07 PM
>> To: "General discussion list for the 389 Directory server project." <
>> 389-users at lists.fedoraproject.org>
>> Subject: Re: [389-users] How to set up 389 client
>>
>> First of all, on the client side what are you using, sssd or the ldap pam
>> module?
>>
>> To create the home dir, the enablemkhomedir option should be given to authconfig,
>> which is already specified in the Guide.
>> On Dec 20, 2012 12:43 PM, "Chaudhari, Rohit K." <
>> Rohit.Chaudhari at jhuapl.edu> wrote:
>>
>> Hey Chandan,
>>
>> I tried your guide and am still getting the same issues with the CA not
>> being trusted.  How do I make the certificate trusted to the client?
>>
>> Also, my main goal is to be able to create a new user on LDAP on the
>> server side (with POSIX attributes) and then when I try to log in for the
>> first time on the client machine, it should find the information in the
>> LDAP server and let me login as a newly created user.  Have you tried doing
>> this before?
>>
>> When I did an "id <ldap-userid>" on the client side, it was returning values
>> for me for EXISTING user accounts on the client side, but nothing on users
>> I didn't have already created on the client side.  How do I get this to
>> work?  I have been banging my head on this for way too long!
>>
>> Thanks,
>>
>> Rohit
>>
>> From: Chandan Kumar <chandank.kumar at gmail.com>
>> Reply-To: "General discussion list for the 389 Directory server
>> project." <389-users at lists.fedoraproject.org>
>> Date: Thursday, December 13, 2012 1:57 PM
>> To: "General discussion list for the 389 Directory server project." <
>> 389-users at lists.fedoraproject.org>
>> Subject: Re: [389-users] How to set up 389 client
>>
>> Unknown CA means the certificate that you have copied to the client machine
>> is not trusted.
>>
>> Please make sure there are no typos in the sssd.conf file for the
>> certificate directory path or at the ldap.conf path.
>>
>> No, I have not tested it on Red Hat. I only have CentOS servers. The answer
>> to your question is yes, but with CentOS, not with Red Hat.
>>
>> Also, if you want to check whether your ldap auth is working, just do "id
>> <ldap-userid>"; it should show the information. If it does not, then please
>> check your nsswitch.conf and sssd parameters.
>>
>> In my case, the ldapsearch was throwing an error with certificates; however,
>> sssd user authentication was working perfectly.
>>
>> On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:
>>
>> I recall setting it up like the instructions stated and when I ran
>> wireshark I got the following error:
>>
>> TLSv1 Alert (Level: Fatal, Description: Unknown CA)
>>
>> The procedure is as follows:
>> Create new user in LDAP server
>> Create POSIX attributes for that new user
>> Try to log into local box that authenticates against LDAP server with new
>> user for first time
>> It prevents me from logging in successfully (I've had this work before in
>> CentOS)
>>
>> Have you been able to succ
>>
>>
>
>
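Chandan's point about POSIX properties and group IDs, as an added example that is not part of the thread: a small Python check over an LDIF export that flags user entries missing the posixAccount attributes an sssd/nss client needs to resolve a login, or whose gidNumber has no matching posixGroup. The LDIF, DNs and user names are constructed for this example.

```python
# Added example (not code from the thread): check that LDAP user entries carry
# the POSIX attributes an sssd/nss client needs and that each gidNumber maps to
# a posixGroup, else the client warns "id: Group does not exist". Sample LDIF,
# DNs and names below are constructed, not real directory data.
REQUIRED_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
SAMPLE_LDIF = """\
dn: uid=rohit,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: rohit
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/rohit
loginShell: /bin/bash

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice

dn: cn=users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 10000
"""

def parse_ldif(text):
    """Minimal LDIF parser (no line folding or base64): list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_posix(entries):
    """Return (dn, problem) pairs for user entries that would not log in cleanly."""
    group_gids = {g["gidNumber"][0] for g in entries if "posixGroup" in g.get("objectClass", [])}
    problems = []
    for e in entries:
        if "uid" not in e:                 # not a user entry (group, OU, ...)
            continue
        dn = e["dn"][0]
        if "posixAccount" not in e.get("objectClass", []):
            problems.append((dn, "missing objectClass posixAccount"))
        problems += [(dn, "missing " + a) for a in REQUIRED_USER_ATTRS if a not in e]
        # A gidNumber with no posixGroup is what produces the "Group does not exist" warning.
        problems += [(dn, "gidNumber %s has no posixGroup" % g)
                     for g in e.get("gidNumber", []) if g not in group_gids]
    return problems
```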