[Fedora-directory-users] Schema Conversion
by D Canfield
I don't suppose anyone has found an easy way to convert OpenLDAP schema
into fedora-ds compatible ldif files? We've got about 100 attributes
defined, and I'm really not looking forward to entering them all by hand...
Thanks
DC
18 years, 4 months
[Fedora-directory-users] NIS migration?
by Dean Jones
Can anyone point me to docs showing how to migrate from NIS to FDS?
I have found info for creating LDIF files for OpenLDAP from NIS entries,
but those are not compatible with FDS from what I have read.
thanks
18 years, 6 months
RE: [Fedora-directory-users] Problem with solaris & FDS authentication
by Tay, Gary
==
well, I decided to turn off the nscd completely, while I'm testing.
==
GT: Please run nscd; without it the LDAP name service may not work. After running nscd, check if "id testdba" shows the expected result. You may add the "debug" keyword to all lines in /etc/pam.conf to observe all possible /var/adm/messages for "sshd" processing.
GT: You also need to zero in on the FDS access and errors log files for useful clues; show us some of the access log details if possible.
===
I have them in the ldap.client.file but the default profile looks like this:
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
Am I missing anything? I don't have serviceSearchDescriptor but I think it should chain
ou=People+defaultSearchBase, right?
===
GT: Use the Fedora Management Console to add the three SSDs into the "default" profile: right click and edit its properties, then add/edit attributes. The bindTimeLimit of 2 seconds is too low; you may want to raise it to 10 seconds.
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com?one
bindTimeLimit: 10
GT: Make sure that, on top of DNS, you have 149.85.70.17 and the LDAP Server hostname in `hostname`.`domainname` format in /etc/hosts, and that there is a "hosts: files dns" line in /etc/nsswitch.conf; it should not be "hosts: ldap".
===
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
LDAP Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:
And notice it's asking me for a separate ldap password. What's up with that?
===
GT: IIRC "Password:" is the prompting of pam_unix_xxxx.so.1 auth module
"LDAP Password:" is the prompting of pam_ldap.so.1 auth module, when first pass failed, 2nd pass continued.
18 years, 6 months
[Fedora-directory-users] passwd/shadow/group --> fedora-ds HOWTO?
by Bryan K. Wright
Hi folks,
I've just started playing with fedora directory server,
and I'm looking for a straightforward way to import existing
Linux accounts (passwd/shadow/group files) into fedora-ds.
I've looked at the padl migration tools and tried
them out, but they don't seem to quite get it right. First,
the groups are put into ou=Groups instead of ou=Group (as
fedora-ds expects). Editing the ldif file to change Groups to
Group allows me to import the group data, but then the objectClasses
are wrong. The padl tools create groups as class "posixGroup",
but fedora-ds seems to use "groupofuniquenames" for groups.
Also, the padl migration tools use objectClasses
"posixAccount","account" and "shadowAccount" for entries in
the passwd file, but fedora-ds seems to expect "person",
"organizationalPerson" and "inetorgperson".
Has anybody written a simple HOWTO for migrating
passwd/shadow/group files to fedora-ds?
Thanks,
Bryan
--
==========================================================================
Bryan Wright |"If you take cranberries and stew them like
Physics Department | applesauce, they taste much more like prunes
University of Virginia | than rhubarb does." -- Groucho
Charlottesville, VA 22901 |
(434) 924-7218 | bryan(a)virginia.edu
==========================================================================
18 years, 6 months
[Fedora-directory-users] Re: passwd/shadow/group --> fedora-ds HOWTO?
by Steve Bonneville
Rich Megginson <rmeggins(a)redhat.com> wrote:
> Bryan K. Wright wrote:
[...]
> > Also, the padl migration tools use objectClasses
> >"posixAccount","account" and "shadowAccount" for entries in
> >the passwd file, but fedora-ds seems to expect "person",
> >"organizationalPerson" and "inetorgperson".
> >
> >
> Similar to the above, entries can be both inetOrgPerson and
> posixAccount, shadowAccount, and account (see the caveat about using the
> account objectclass here -
> http://directory.fedora.redhat.com/wiki/Howto:Posix)
You can cause the migration tools to use inetOrgPerson instead of
account for your structural class by either
1) Setting the environment variable $LDAP_EXTENDED_SCHEMA to 1 before
running the migration scripts, or
2) Editing /usr/share/openldap/migration/migrate_common.ph so that
$EXTENDED_SCHEMA = 0;
on line 90 or so reads
$EXTENDED_SCHEMA = 1;
Then you can add the hostObject class manually to inetOrgPerson if
you really need it, and not use account at all.
You can also cause groups to be put in ou=Groups instead of ou=Group
by editing line 61 or so of migrate_common.ph appropriately. This is
in the middle of the else condition of the test for the presence of
/usr/sbin/mkslapdconf ($NETINFOBRIDGE). It'll use posixGroup as the
structural class, of course, which leads into the whole discussion of
whether you can/should use groupOfUniqueNames as well that we just
recently had on the list.
The PADL migration scripts are a bit rickety; it's a good idea to
always check their output for sanity.
-- Steve Bonneville
18 years, 6 months
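Steve's two options above keep the PADL scripts and patch them. The same conversion done directly, as an added example (not the PADL tools and not code from this thread), is a small Python converter that reads passwd/shadow/group records and emits the objectClasses Bryan lists (inetOrgPerson with the posixAccount and shadowAccount auxiliaries under ou=People; posixGroup under ou=Group). The suffix dc=composers,dc=foo,dc=com is assumed from the thread and the input records are constructed.

```python
import base64

BASE_DN = "dc=composers,dc=foo,dc=com"  # assumed suffix, taken from the thread
MIN_UID = 1000                           # system accounts/groups below this are skipped
LOCKED = ("!", "*")                      # shadow hash prefixes that mean "no login"

# Constructed sample records in /etc/passwd, /etc/shadow and /etc/group format.
PASSWD = """root:x:0:0:root:/root:/bin/bash
testdba:x:10001:7000:oracle user:/home/testdba:/bin/bash
alice:x:10002:7000:Alice Example:/home/alice:/bin/sh
"""
SHADOW = """root:*:13000:0:99999:7:::
testdba:$1$c0nstructd$notarealhashnotarealhash:13000:0:99999:7:::
alice:!$1$c0nstructd$lockedaccountlockedacct:13000:0:99999:7:::
"""
GROUP = """dba:x:7000:testdba,alice
wheel:x:10:root
"""

def ldif_line(attr, value):
    """Base64-encode values LDIF cannot carry verbatim (leading space/colon/<, non-ASCII, newline)."""
    if value and (value[0] in " :<" or not value.isascii() or "\n" in value):
        return "%s:: %s" % (attr, base64.b64encode(value.encode()).decode())
    return "%s: %s" % (attr, value)

def parse_colon_file(text):
    """Split a passwd/shadow/group style file into field lists keyed by name."""
    return {f[0]: f for f in (ln.split(":") for ln in text.splitlines()) if f[0]}

def user_entry(pw, sh):
    """One account as structural inetOrgPerson plus the posixAccount/shadowAccount auxiliaries."""
    name, _, uid, gid, gecos, home, shell = pw[:7]
    full = gecos.split(",")[0].strip() or name       # GECOS may carry office/phone fields
    words = full.split()
    lines = [
        "dn: uid=%s,ou=People,%s" % (name, BASE_DN),
        "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: shadowAccount",
        ldif_line("uid", name), ldif_line("cn", full), ldif_line("sn", words[-1]),
        "uidNumber: %s" % uid, "gidNumber: %s" % gid,
        ldif_line("homeDirectory", home), ldif_line("loginShell", shell),
    ]
    if len(words) > 1:
        lines.append(ldif_line("givenName", words[0]))
    if sh:
        pwhash, last, mn, mx, warn = sh[1:6]
        # A locked/disabled hash is not imported: the entry then has no userPassword and cannot BIND.
        if pwhash and not pwhash.startswith(LOCKED):
            lines.append("userPassword: {CRYPT}" + pwhash)
        for attr, val in (("shadowLastChange", last), ("shadowMin", mn),
                          ("shadowMax", mx), ("shadowWarning", warn)):
            if val:
                lines.append("%s: %s" % (attr, val))
    return "\n".join(lines) + "\n"

def group_entry(gr):
    """One group as posixGroup under ou=Group (not PADL's ou=Groups)."""
    name, _, gid, members = gr[:4]
    lines = ["dn: cn=%s,ou=Group,%s" % (name, BASE_DN), "objectClass: top",
             "objectClass: posixGroup", ldif_line("cn", name), "gidNumber: %s" % gid]
    lines += ["memberUid: %s" % m for m in members.split(",") if m]
    return "\n".join(lines) + "\n"

def build_ldif(passwd=PASSWD, shadow=SHADOW, group=GROUP, min_uid=MIN_UID):
    """Complete LDIF for all non-system users and groups, ready for ldapmodify -a."""
    users, shadows = parse_colon_file(passwd), parse_colon_file(shadow)
    entries = [user_entry(u, shadows.get(n)) for n, u in users.items() if int(u[2]) >= min_uid]
    entries += [group_entry(g) for g in parse_colon_file(group).values() if int(g[2]) >= min_uid]
    return "\n".join(entries)

if __name__ == "__main__":
    print(build_ldif())
```

Locked shadow entries (hash starting with "!" or "*") are imported without a userPassword, so the directory refuses a BIND for them instead of carrying a disabled hash.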
RE: [Fedora-directory-users] Problem with solaris & FDS authentication
by Tay, Gary
0) Make sure that every time you restart /etc/init.d/ldap.client
(ldap_cachemgr), you also restart /etc/init.d/nscd (name service cache
daemon).
1) Make sure you define "CRYPT" as the default passwordStorageScheme in
the LDAP DIT (right click cn=config and edit its properties).
2) Make sure you have these three lines in /var/ldap/ldap_client_file
and also in the "default" profile in the LDAP DIT:
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
And there is a "shadow: files ldap" line in /etc/nsswitch.conf.
3) Make sure you restart the SSH Server whenever there is a change in
/etc/ssh/sshd_config.
===
Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com
Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
===
4) Did you install a binary version of OpenSSH Server with PAM support
or compile from source with an "./configure --with-pam" option?
To check if sshd is built with PAM support, run:
# ldd /usr/local/sbin/sshd
It should have something like "libpam.so.1" in it:
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7
librt.so.1 => /usr/lib/librt.so.1
libz.so => /usr/lib/libz.so
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
5) The output of your "sshd -d" looks perfectly fine and it isn't what
you said, "totally silent": the SSH Server is listening, and as and when you
perform an ssh connection from any host to the ssh server, you will see
more "debugging" messages appearing in this "interactive" mode. To exit,
press Ctrl-C to kill the debugging mode; note that after this sshd is no
longer running.
6) For ssh client connection, do this way to see more:
$ ssh -v testdba@192.85.86.87
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Wednesday, August 31, 2005 4:26 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Problem with solaris & FDS
authentication
Gary, here's the output from /var/adm/messages:
Aug 30 16:17:38 unknown last message repeated 1 time
Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com
Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
What does that mean? I took the pam.conf from the website you gave me
and commented out the lines, like you said:
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
#login auth required pam_unix_cred.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 debug
Also:
bash-2.03# getent passwd testdba
testdba::10001:7000::/home/testdba:/bin/bash
sshd -d is totally silent. No output after startup:
bash-2.03# /usr/local/sbin/sshd -d
debug1: sshd version OpenSSH_3.9p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Disabling protocol version 1. Could not load host key
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10
--- "Tay, Gary" <Gary_Tay(a)platts.com> wrote:
> What is the output of "id testdba" and "getent passwd testdba"?
>
> To use ldap auth for SSH Server, you must set these lines in
> /etc/ssh/sshd_config:
>
> PasswordAuthentication yes
> ChallengeResponseAuthentication yes
> UsePAM yes
Yep, changed that!
Still (from the remote machine):
cnyitsun01/ > ssh testdba@192.85.86.87
Password:
LDAP Password:
Password:
LDAP Password:
And it never lets me in.
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
--
Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
18 years, 6 months
[Fedora-directory-users] solaris 10 caching credentials? Inactivated users allowed in via ssh
by Brian K. Jones
Hi all,
I'm running FDS (binary rpm) on rhel4. I have rhel4 and solaris 10 clients.
If I inactivate a user account in the FDS admin GUI, then try to log in via
ssh as that inactivated user on any ol' random Linux client, the BIND
operation fails with err=53 (unwilling to perform). This, I should think, is
the expected behaviour.
Solaris 10, on the other hand, lets the user in (again, ssh). The only BIND I
can correlate in the logs comes from the solaris proxy user. Then a search is
done for "shadowaccount=<username>", and then a search is done for the group
memberships of that user (presumably I'm already in when this is done).
There's never a BIND operation as the inactive user at all!
Can someone explain what's happening?
brian.
18 years, 6 months
RE: [Fedora-directory-users] Problem with solaris & FDS authentication
by Tay, Gary
What is the output of "id testdba" and "getent passwd testdba"?
To use ldap auth for SSH Server, you must set these lines in /etc/ssh/sshd_config:
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Note: in older versions (pre-3.6.1) of OpenSSH Server, instead of "UsePAM yes", the parameter is:
PAMAuthenticationViaKbdInt yes
"-d" is the debug option of OpenSSH Server in INTERACTIVE MODE ONLY; SUN SSH server, which is a version of OpenSSH, may not have this option, so please find out the correct debugging option that you may use.
-d  Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. Multiple -d options increase the debugging level. Maximum is 3.
You must also first stop and kill sshd, then restart using "-d", eg:
# /usr/local/sbin/sshd -d
Did you add "debug" keywords to the lines of /etc/pam.conf? After that, /var/adm/messages should
show more messages.
Something like:
...
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth sufficient pam_unix_auth.so.1 debug
login auth required pam_ldap.so.1 try_first_pass debug
login auth required pam_dial_auth.so.1 debug
#ssh
sshd auth sufficient /usr/lib/security/pam_ldap.so.1 debug
sshd auth required /usr/lib/security/pam_unix.so.1 use_first_pass debug
...
To troubleshoot "Object not found (LDAP ERROR (50): Insufficient access.)", you may look into the log files.
(From Fedora Directory Server mail list archive)
===
Look in the access log on the FDS server for connections from that workstation (grep on the IP of that workstations, or one of the user id's that are trying to auth, etc). When you find it, grep out conn=xxx (where xxx is the connection # from that IP) so you get the complete connection from start to finish.
- Look at the BIND lines to see what that workstation is binding as.
- Look at the SRCH lines, to see what basedn and filter is being used.
- Look at the result line (right after the SRCH line) to see what the results are (though you'll probably just see err=32, which is no such object). If there are multiple SRCH lines, check each one.
- Check the ACI's set on your suffix - in console, click on the Directory tab then right click on the top entry in your tree, and select "set permissions" (something like that - doing this from memory). Make sure the appropriate access is set.
You may have to look throughout your tree for aci's to be sure you find everything.
(ldapsearch -D cn=directory manager -w - ... -b "your basedn" "(aci=*)" "aci" to find 'em all.)
===
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com on behalf of Igor
Sent: Tue 8/30/2005 9:37 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: [Fedora-directory-users] Problem with solaris & FDS authentication
Gary,
I did like you said. There was nothing in msgs file. From the remote host I got this:
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
testdba@149.85.86.87's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
sshd -d produced nothing either. So, I'm confused now.
Also, ldaplist by itself gives this:
bash-2.03# ldaplist
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
Is that normal?
And when I snoop -v ldap | grep LDAP I don't see the {crypt} password anywhere.....?
18 years, 6 months
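Gary's advice in the message above (grep the FDS access log for the client IP or the user id, pull the whole conn=xxx, then read the BIND, SRCH and RESULT lines in order) as a small Python triage script. This is an added example, not code from the thread or from Fedora DS; the log lines are constructed in the access-log format, and the per-connection checks also pick up the pattern Brian describes in the preceding message (a proxy-only BIND followed by a shadowAccount search, with no BIND as the user).

```python
import re
from collections import OrderedDict

# Constructed sample in the Fedora DS access-log format (not from the thread's servers):
# conn=12 is a proxy lookup, conn=13 a client binding as the user, conn=14 a miss.
ACCESS_LOG = """\
[30/Aug/2005:16:17:38 -0400] conn=12 fd=64 slot=64 connection from 149.85.86.87 to 149.85.70.17
[30/Aug/2005:16:17:38 -0400] conn=12 op=0 BIND dn="cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" method=128 version=3
[30/Aug/2005:16:17:38 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com"
[30/Aug/2005:16:17:38 -0400] conn=12 op=1 SRCH base="ou=People,dc=composers,dc=foo,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=testdba))" attrs="userPassword shadowLastChange shadowMax"
[30/Aug/2005:16:17:38 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2005:16:17:39 -0400] conn=13 fd=65 slot=65 connection from 10.0.0.5 to 149.85.70.17
[30/Aug/2005:16:17:39 -0400] conn=13 op=0 BIND dn="uid=testdba,ou=People,dc=composers,dc=foo,dc=com" method=128 version=3
[30/Aug/2005:16:17:39 -0400] conn=13 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2005:16:17:40 -0400] conn=14 fd=66 slot=66 connection from 10.0.0.6 to 149.85.70.17
[30/Aug/2005:16:17:40 -0400] conn=14 op=0 SRCH base="ou=People,dc=composers,dc=foo,dc=com" scope=1 filter="(uid=nosuch)" attrs=ALL
[30/Aug/2005:16:17:40 -0400] conn=14 op=0 RESULT err=32 tag=101 nentries=0 etime=0
"""
LINE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
ERR_NAMES = {32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}

def field(rest, name):
    """Pull name="value" or name=value out of the tail of an access-log line."""
    m = re.search(r'\b%s=(?:"([^"]*)"|(\S+))' % name, rest)
    return None if m is None else (m.group(2) if m.group(1) is None else m.group(1))

def parse_access_log(text):
    """Group lines by conn=N (as Gary suggests) and pair each RESULT with its op."""
    conns = OrderedDict()
    for m in filter(None, map(LINE.match, text.splitlines())):
        c = conns.setdefault(m["conn"], {"peer": None, "ops": OrderedDict()})
        rest, op = m["rest"], m["op"]
        if "connection from " in rest:
            c["peer"] = rest.split("connection from ")[1].split()[0]
        elif rest.startswith("BIND "):
            c["ops"][op] = {"kind": "BIND", "dn": field(rest, "dn") or "(anonymous)"}
        elif rest.startswith("SRCH "):
            c["ops"][op] = {"kind": "SRCH", "base": field(rest, "base"), "filter": field(rest, "filter")}
        elif rest.startswith("RESULT ") and op in c["ops"]:
            c["ops"][op].update(err=int(field(rest, "err")), nentries=int(field(rest, "nentries") or 0))
    return conns

def findings(conns):
    """Per-connection summary: who bound, what was searched, and what looks wrong."""
    rows = []
    for cid, c in conns.items():
        binds = [o for o in c["ops"].values() if o["kind"] == "BIND"]
        srch = [o for o in c["ops"].values() if o["kind"] == "SRCH"]
        notes = []
        for b in binds:
            if b.get("err", 0) != 0:
                notes.append("BIND as %s refused: err=%d %s" % (b["dn"], b["err"], ERR_NAMES.get(b["err"], "")))
        for s in srch:
            if s.get("err") == 32 or s.get("nentries") == 0:
                notes.append("SRCH base=%s filter=%s found nothing (err=%s)" % (s["base"], s["filter"], s.get("err")))
        # Only a service/proxy BIND (cn=...) plus a shadowAccount lookup: the server never
        # checked the user's password on this connection, so a server-side lock that only
        # rejects BINDs (the err=53 on conn=13) is not exercised by this client.
        if binds and all(b["dn"].startswith("cn=") for b in binds) and any(
                "shadowaccount" in (s["filter"] or "").lower() for s in srch):
            notes.append("no BIND as the user; only %s bound and read shadow data" % binds[0]["dn"])
        rows.append({"conn": cid, "peer": c["peer"], "binds": [b["dn"] for b in binds],
                     "filters": [s["filter"] or "" for s in srch], "notes": notes})
    return rows

def triage(text=ACCESS_LOG, peer=None, user=None):
    """Narrow to one client IP or to connections mentioning a user id, like Gary's grep."""
    rows = findings(parse_access_log(text))
    if peer:
        rows = [r for r in rows if r["peer"] == peer]
    if user:
        rows = [r for r in rows if any(user in x for x in r["binds"] + r["filters"])]
    return rows
```

Run `triage(user="testdba")` against a real access log (read the file into `text`) to get the two connection shapes side by side: the Linux client's refused BIND and the Solaris client's proxy bind plus shadow read.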
RE: [Fedora-directory-users] Problem with solaris & FDS authentication
by Tay, Gary
To troubleshoot a PAM issue, you may add the "debug" keyword at the end of
every or selected lines of /etc/pam.conf, and /var/adm/messages should
show more messages.
To troubleshoot SSH Server, you may start sshd with the "-d" (debug)
option (Interactive Mode Only), or use "ssh -v testdba@localhost" at the
SSH Client (-v means verbose mode).
You may use the sample pam.conf from
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view, do comment
out all the "pam_unix_cred.so.1" lines as they are meant for Solaris10.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Tuesday, August 30, 2005 4:30 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Problem with solaris & FDS
authentication
Hi, guys. I finally got the solaris box to talk to the FDS (thank you
all for your
help).
I'm now having a problem where I can't telnet/ssh from another machine.
On the client, I have this:
bash-2.03# ldaplist -l passwd testdba
dn: uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName: oracle
sn: user
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 7000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
uid: testdba
cn: oracle user
homeDirectory: /home/testdba
bash-2.03#
The ACIs (in addition to the default ones):
Bind Password:
dc=composers,dc=foo,dc=com
aci=(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
aci=(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)
There's nothing in the /var/adm/messages. My pam.conf [snipped] is
this:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
#ssh
sshd auth sufficient /usr/lib/security/pam_ldap.so.1
sshd auth required /usr/lib/security/pam_unix.so.1 use_first_pass
---
The userPassword field is not displayed when I do ldaplist. Is that
normal? Even when I
do this:
/usr/bin/ldapsearch -D
"cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -h
cnyitlin02 -b dc=composers,dc=foo,dc=com objectclass=\*
uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName=oracle
sn=user
loginShell=/bin/bash
uidNumber=10001
gidNumber=7000
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
objectClass=posixAccount
objectClass=shadowaccount
uid=testdba
cn=oracle user
homeDirectory=/home/testdba
How can I go about troubleshooting this?
18 years, 6 months
[Fedora-directory-users] Problems with sasl authentication
by Kalle Kivistö
Howdy,
I've tried unsuccessfully to get DS to authenticate users with sasl.
I have a slapd.conf in /var/lib/sasl2 that looks like this:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
and a sasl-mapping that looks like this:
Regex: .*
Search Base DN: ou=People, dc=my, dc=domain, dc=fi
Search Filter: (uid=&)
It looks like the sasl-mapping is ignored, and saslauthd with debugging
on shows no authentication requests. When I run testsaslauthd with valid
user information it seems to authenticate just fine. Does anybody have
any hints, or an example of a working setup?
18 years, 6 months