Are the accounts you are trying to use set up with the objectClass posixAccount and the required attributes (homeDirectory, uidNumber, etc.)?

2010/12/19 Maurice James <midnightsteel at msn.com>

> Hi Brandon,
>
> Here are my two config files. Am I missing something?
>
> ldap.conf:
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example,dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldaps://whitebox.tierre.net
> BASE dc=tierre,dc=net
> TLS_CHECKPEER no
> TLS_REQCERT never
> TLS_CACERTDIR /etc/openldap/cacerts
>
> pam_lookup_policy yes
> pam_groupdn ou=Home,dc=tierre,dc=net
> pam_member_attribute uniquemember
> pam_min_uid 5000
> pam_password clear
> scope sub
> timelimit 10
> bind_timelimit 10
> idle_timelimit 3600
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd.gdm
>
> binddn cn=Configuration Administrator
> bindpw xxxxxx
>
> sssd.conf:
>
> [domain/default]
> ldap_tls_reqcert = allow
> ldap_default_bind_dn = cn=admin
> ldap_default_authtok_type = password
> ldap_dfault_authtok = 1saturday
> auth_provider = ldap
> cache_credentials = True
> ldap_id_use_start_tls = False
> debug_level = 0
> ldap_search_base = dc=tierre,dc=net
> krb5_realm = EXAMPLE.COM
> chpass_provider = ldap
> id_provider = ldap
> ldap_uri = ldaps://whitebox.tierre.net
> krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of brandon
> Sent: Saturday, December 18, 2010 10:11 AM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: Client setup
>
> On 12/18/2010 07:47 AM, Maurice James wrote:
>
> Hi all,
>
> I'm running FC14 and I'm having a hell of a time trying to get my client
> authenticating to my 389-ds server.
>
> Here are the specs
>
> 389-ds server: FC13
>
> Client machines are a mix of FC 13 and FC14
>
> I have SSL set up and listening on port 636. I used
> system-config-authentication to set up the client. When I run getent passwd
> <username> there is no output on the client, but I see a query in the
> server. Am I missing a step?
>
> FC13 moved from nscd to sssd, and it has been difficult to use basic 389ds
> ever since, at least for me because I used a fairly locked down and secured
> directory server which also forces the use of LDAPS as it is the only means
> I could get to work which guaranteed SSL with a private CA and didn't break
> everything (I tried to use ldap/389 w/TLS required, but other things broke
> for some reason--it has been a year or two since I did this, so perhaps
> things have improved).
>
> Also, if you are using SSL, make sure your certs are all verifying
> correctly (include the server cert), or for debugging, disable cert
> verification (/etc/ldap.conf:tls_checkpeer no,
> /etc/openldap/ldap.conf:TLS_REQCERT never,
> /etc/sssd/ldap.conf:ldap_tls_reqcert = allow).
>
> I used a fixed ldap.conf (below). I put this in place prior to running
> system-config-authentication, then fix it up again after.
> system-config-authentication changes the file below and breaks things with
> ldaps, and changes the password to md5, not clear. Basically look at your
> ldap.conf between old and new versions, verify 'ssl', 'tls*' and 'uri' match
> what they need to be for your configuration, and then lastly review the
> configs in /etc/sssd/sssd.conf and make sure they are in parity. YMMV.
>
> -----------------------------------------------
> base dc=arkham
> pam_lookup_policy yes
> pam_groupdn cn=xxxx,ou=Groups,dc=arkham
> pam_member_attribute uniquemember
> pam_min_uid 5000
> scope sub
> timelimit 10
> bind_timelimit 10
> idle_timelimit 3600
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
>
> # do not use anonymous bind
> binddn cn=proxyhost,ou=Hosts,dc=arkham
> bindpw xxxxx
>
> uri ldaps://ds1.arkham
>
> tls_cacertdir /etc/openldap/cacerts
>
> # send password back to DS (to change) in clear
> pam_password clear
> -----------------------------------------------
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
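A quick offline check for the question raised at the top of this message (an added example for this thread, not code from the list or from the 389 project): sssd maps users from entries carrying the objectClass named by ldap_user_object_class, which is posixAccount by default, so an entry the server happily returns to ldapsearch still yields nothing from getent passwd if it lacks that class or one of the RFC 2307 MUST attributes. The script parses an LDIF export of the user subtree and reports what each entry is missing; the LDIF below is constructed, and on a real client you would feed it the output of an ldapsearch against ldap_search_base.

```python
# RFC 2307 MUST attributes for objectClass posixAccount.
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
# Constructed sample: alice is a complete posixAccount; bob is a plain
# inetOrgPerson the server returns but sssd will not map to a user.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: Alice
uid: alice
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob
uid: bob
"""


def parse_ldif(text):
    """Minimal LDIF parser -> list of {attr (lowercased): [values]}; joins folded
    lines, skips comments; base64 values (attr:: ...) keep a leading ':'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF line continuation
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_posix_account(entry):
    """Reasons this entry will not resolve as a POSIX user (empty list = OK)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = [] if "posixaccount" in classes else ["missing objectClass posixAccount"]
    problems += [f"missing {a}" for a in POSIX_MUST if a.lower() not in entry]
    return problems


def report(ldif_text=SAMPLE_LDIF):
    """Map each dn to its problem list; call report(open(path).read()) on an export."""
    return {e["dn"][0]: check_posix_account(e) for e in parse_ldif(ldif_text)}
```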