Re: [389-users] Client setup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/18/2010 07:47 AM, Maurice James wrote:

Hi all,

   I’m running FC14 and I’m having a hell of a time trying to get my client authenticating to my 389-ds server.

Here are the specs

389-ds server: FC13

Client machines are a mix of FC 13 and FC14

I have SSL set up and listening on port 636. I used system-config-authentication to set up the client. When I run getent passwd <username> there is not output on the client, but I see a query in the server. Am I missing a step?


FC13 moved from nscd to sssd, and it has been difficult to use basic 389ds ever since, at least for me because I used a fairly locked down and secured directory server which also forces the use of LDAPS as it is the only means I could get to work which guaranteed SSL with a private CA and didn't break everything (I tried to use ldap/389 w/TLS required, but other things broke for some reason--it has been a year or two since I did this, so perhaps things have improved).

Also, if you are using SSL, make sure your cert's are all verifying correctly (include the server cert), or for debugging, disable cert verification (/etc/ldap.conf:tls_checkpeer no, /etc/openldap/ldap.conf:TLS_REQCERT never, /etc/sssd/ldap.conf:ldap_tls_reqcert = allow).

I used a fixed ldap.conf (below). I put this in place prior to running system-config-authentication, then fix it up again after.  system-config-authentication changes the file below and breaks things with ldaps, and changes the password to md5, not clear.  Basically look at your ldap.conf between old and new versions, verify 'ssl', 'tls*' and 'uri' match what they need to be for your configuration, and then lastly review the configs in /etc/sssd/sssd.conf and make sure they are in parity.  YMMV.

-----------------------------------------------
base dc=arkham
pam_lookup_policy yes
pam_groupdn cn=xxxx,ou=Groups,dc=arkham
pam_member_attribute uniquemember
pam_min_uid 5000
scope sub
timelimit 10
bind_timelimit 10
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

# do not use anonymous bind
binddn cn=proxyhost,ou=Hosts,dc=arkham
bindpw xxxxx

uri ldaps://ds1.arkham

tls_cacertdir /etc/openldap/cacerts


# send passsord back to DS (to change) in clear
pam_password clear
-----------------------------------------------

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux