10:47 p.m.
have been stucked with the following points:
1. Authenticating Linux Client with ldaps://
2. Auto create home directory ( I will look into what you sent)
3. Auto-Increment UserID
Lets start with the first one.
I have 389-DS configured with SSL.
If I try to configure the Client with authconfig-tui command and deselecting
TLS and ldaps:// it works fine.
Lets talk about CLient binding to ldaps://.
On Server Side, I found a crt file through find command as below:
[root@389-ds schema]# find / -name *.crt
/etc/pki/tls/certs/ca-bundle.
crt
Is that the certificate we need to send to /etc/openldap/cacerts/
As I can see links sent by fedora DS Mailing list experts is old one which
talks about Fedora DS.
But the new 389-DS seems to have different location for the certificates.
Now I just copied this ca-bundle.crt to the client machine
Tried running:
authconfig-tui
TLS[*]
ldaps://<ip>/
dc=im,dc=sap,dc=com
I did created a user through Management Console.
[root@389-ds schema]# ldapsearch -x -b "dc=im,dc=sap,dc=com" -L
'(objectclass=*)'
# rajeshwar, Env, im, Bangalore, isst.sapient.com
dn: uid=rajeshwar,cn=Env,ou=im,ou=Bangalore,dc=im,dc=sap,dc=com
uid: rajeshwar
givenName: Rajeshwar
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: posixgroup
sn: k
cn: Rajeshwar k
uidNumber: 670
gidNumber: 670
homeDirectory: /home/rajeshwar
loginShell: /bin/bash
# search result
# numResponses: 28
# numEntries: 27
Now if I try to login through the username it doesnt display anything:
Jan 14 14:53:34 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Jan 14 14:53:38 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Jan 14 14:53:46 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
any idea what may be going wrong?
--
”It is not possible to rescue everyone who is caught in the Windows
quicksand
--Make sure you are on solid Linux ground before trying.”
2:25 a.m.
On [Thu, 14.01.2010 10:17], Ajeet S Raina wrote:
have been stucked with the following points:
1. Authenticating Linux Client with ldaps://
Please read the already mentioned HowTo to setup SSL. Everything is
described there in great detail. Again the link:
http://directory.fedoraproject.org/wiki/Howto:SSL
A short summary:
You have to either setup a new CA or use an already existing CA.
Create a certificate request for your server. Send this request
(csr-file) to the CA and let the CA sign the request. Import the
signed certificate (crt-file) into your DS. Make also the CA certificate
available to the client, either via certutil or the console. Both
certificates (from the server and the CA) should be visible with
certutil -d /etc/dirsrv/slapd-instancename -L) and/or via the console.
If this is not the case, don't move on, search the problem until you see
both certificates. Make sure the trust flags were set correctly.
Next step is to configure the client. Run system-config-authentication to
provide the necessary information to NSS and PAM. Specifiy a location
where the CA certificate can be found. After that, try to search the DS
with "ldapsearch -ZZ". If this is not working, don't move on, search the
problem until ldapsearch returns ldap objects from your DS. The logs files
with the error codes are always a good start point to troubleshoot problems.
If this is working, try to authenticate as a ldap user. If this works,
great, if not, check the logs, re-check the HOWTO. Try again. If it is
still not working, ask again.
2. Auto create home directory ( I will look into what you sent)
man pam_mkhomedir
3. Auto-Increment UserID
http://directory.fedoraproject.org/wiki/DNA_Plugin
hth.
Happy Day.
Thorsten
--
"Eternity is a very long time, especially towards the end."
— Stephen Hawking
2:54 a.m.
Ajeet S Raina wrote:
have been stucked with the following points:
1. Authenticating Linux Client with ldaps://
2. Auto create home directory ( I will look into what you sent)
On Redhat or Centos, you can find two gui tools to configure the
authentification of client
One is tty gui is authconfig-tui with minimal configuration
the other is authconfig-gtk with extended options like auto create homedir.
You can do the same thing in command line with authconfig [--options]
In option you can precise --enablemkhomedir etc...
see authconfig --help or man authconfig
the advantage to have a command line is that once you have a good
configuration you will be able to write a script to extend it to the
others workstations.
2:56 a.m.
I am able to fix the issue by commenting out:
#ssl start_tls
and everything worked fine therein.
Thanks for the help anyway.
On Thu, Jan 14, 2010 at 2:24 PM, jean-Noël Chardron <
Jean-Noel.Chardron(a)dr15.cnrs.fr> wrote:
Ajeet S Raina wrote:
> have been stucked with the following points:
>
> 1. Authenticating Linux Client with ldaps://
> 2. Auto create home directory ( I will look into what you sent)
On Redhat or Centos, you can find two gui tools to configure the
authentification of client
One is tty gui is authconfig-tui with minimal configuration
the other is authconfig-gtk with extended options like auto create homedir.
You can do the same thing in command line with authconfig [--options]
In option you can precise --enablemkhomedir etc...
see authconfig --help or man authconfig
the advantage to have a command line is that once you have a good
configuration you will be able to write a script to extend it to the
others workstations.
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
”It is not possible to rescue everyone who is caught in the Windows
quicksand
--Make sure you are on solid Linux ground before trying.”
5222
days inactive
5222
days old
389-users@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Ajeet S Raina -
jean-Noël Chardron -
Thorsten Scherf