Hello everyone,
How do I set up a 389 LDAP client to authenticate users against a 389 LDAP server? I don't have a trusted certificate authority (CA), but I will create a self-signed CA that signs server certificates and then put that self-signed CA as the trusted CA on the client side. Is there anything more specific, or a guide on how to set this up, out there? Thanks in advance.
Rohit
The best guide will be the Red Hat manual, or if you are looking for a how-to, you can follow the link below.
http://blogatharva.blogspot.ca/2012/11/389-directory-server-installation-and...
These are the exact steps that I followed, and they worked with self-signed certificates.
This is on CentOS however. We had success configuring it for CentOS in the past, but were unable to replicate this on Red Hat 6.3. Did you follow these steps for configuring Red Hat 6 as well?
Thanks,
Rohit
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Thursday, December 13, 2012 11:50 AM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Well, CentOS is just a clone of RHEL. I did this setup on CentOS 6.3 just a few weeks back. What error are you getting?
The most annoying error that I know of is "peer is not trusted."
What are you using on the client side, SSSD or the PADL NSS stuff? I would recommend using SSSD and following the link below for that.
http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-aut...
I will try what you recommended and get back to you on the errors I face. Thank you for the information.
Thanks.
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Thursday, December 13, 2012 11:57 AM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
I recall setting it up as the instructions stated, and when I ran Wireshark I got the following error:
TLSv1 Alert (Level: Fatal, Description: Unknown CA)
The procedure is as follows:
1. Create a new user in the LDAP server.
2. Create POSIX attributes for that new user.
3. Try to log into the local box that authenticates against the LDAP server with the new user for the first time.
It prevents me from logging in successfully (I've had this work before in CentOS).
Have you been able to successfully log in to a local Red Hat box that authenticates against a 389 DS with a newly created user with POSIX attributes?
Thanks,
Rohit
Unknown CA means the certificate that you have copied to the client machine is not trusted.
Please make sure there are no typos in the sssd.conf file for the certificate directory path, or in the ldap.conf path.
No, I have not tested it on Red Hat. I only have CentOS servers. The answer to your question is yes, but with CentOS, not with Red Hat.
Also, if you want to check whether your LDAP auth is working, just do "id <ldap-userid>"; it should show the information. If it does not, then please check your nsswitch.conf and sssd parameters.
In my case, ldapsearch was throwing an error with certificates; however, sssd user authentication was working perfectly.
--
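The "Unknown CA" alert Rohit captured is sent by whichever side fails to validate its peer's certificate; here that is the client, which could not chain the 389 server's certificate to a CA it trusts. As an added example that is not part of this thread, the script below recreates the setup from the original question with OpenSSL (a self-signed lab CA that signs the LDAP server certificate) and then runs the trust check the client performs three times: with the right CA file, with an unrelated CA (the Unknown CA case), and with a hostname that does not match the certificate. The CA names, the host ldap.example.test and the temp paths are made up; it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Recreates the setup in the original
# question (self-signed lab CA signs the LDAP server cert) and shows the
# trust check a client performs. Assumes OpenSSL >= 1.1.1 on PATH.
# All names (lab-ca, other-ca, ldap.example.test) are made up.
set -eu

LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT
LDAP_HOST="ldap.example.test"   # must match the host named in SSSD's ldap_uri

# Minimal req config so the result does not depend on the system openssl.cnf.
# $1 = CN; if $2 is "ca", the self-signed cert gets the CA extensions.
req_cnf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    if [ "${2:-}" = ca ]; then printf 'x509_extensions = ca_ext\n'; fi
    printf '[dn]\nCN = %s\n' "$1"
    printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\n'
    printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
}

# Self-signed CA: key + certificate written as $LAB/<name>.key and .crt.
# The .crt is the file that gets copied to every client as its trust anchor.
make_ca() {
    req_cnf "$1" ca > "$LAB/$1.cnf"
    openssl genrsa -out "$LAB/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$LAB/$1.key" -config "$LAB/$1.cnf" \
        -sha256 -days 365 -out "$LAB/$1.crt" 2>/dev/null
}

# Server certificate: CSR for host $2, signed by CA $1, with a SAN for the host.
# This key/cert pair is what goes into the 389 server's NSS database.
make_server_cert() {
    req_cnf "$2" > "$LAB/server.cnf"
    openssl genrsa -out "$LAB/server.key" 2048 2>/dev/null
    openssl req -new -key "$LAB/server.key" -config "$LAB/server.cnf" \
        -out "$LAB/server.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$2" > "$LAB/server.ext"
    openssl x509 -req -in "$LAB/server.csr" -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$LAB/server.ext" \
        -out "$LAB/server.crt" 2>/dev/null
}

# The client-side check: build a chain from server cert $2 to CA file $1 and
# match hostname $3. Prints OK, UNKNOWN_CA, HOSTNAME_MISMATCH or the raw error.
client_verify() {
    if out="$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1)"; then
        echo OK
    elif printf '%s\n' "$out" | grep -q 'unable to get local issuer certificate'; then
        echo UNKNOWN_CA         # the condition behind the TLS alert in Wireshark
    elif printf '%s\n' "$out" | grep -qi 'hostname mismatch'; then
        echo HOSTNAME_MISMATCH  # right CA, but ldap_uri names a host not in the cert
    else
        echo "FAIL: $out"
    fi
}

make_ca lab-ca
make_ca other-ca                      # unrelated CA, as when the wrong file is copied
make_server_cert lab-ca "$LDAP_HOST"

client_verify "$LAB/lab-ca.crt"   "$LAB/server.crt" "$LDAP_HOST"      # OK
client_verify "$LAB/other-ca.crt" "$LAB/server.crt" "$LDAP_HOST"      # UNKNOWN_CA
client_verify "$LAB/lab-ca.crt"   "$LAB/server.crt" ldap.wrong.test   # HOSTNAME_MISMATCH
```

On the real client, the CA file is whatever ldap_tls_cacert in sssd.conf (or TLS_CACERT in ldap.conf for the PADL/nss-pam-ldapd route) points at, and the hostname is the one in ldap_uri. If the chain verifies here but SSSD still alerts, the client is reading a different file than you think (the typo Chandan mentions) or the URI names the server by an IP or short name that is not in the certificate. Do not work around it with ldap_tls_reqcert = never: that silences the check and lets any host answering on port 636 impersonate the directory and receive users' passwords at bind time.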
Hey Chandan,
I tried your guide and am still getting the same issues with the CA not being trusted. How do I make the certificate trusted by the client?
Also, my main goal is to be able to create a new user in LDAP on the server side (with POSIX attributes), and then, when I try to log in for the first time on the client machine, it should find the information in the LDAP server and let me log in as the newly created user. Have you tried doing this before?
When I did an "id <ldap-userid>" on the client side, it returned values for EXISTING user accounts on the client side, but nothing for users I hadn't already created on the client side. How do I get this to work? I have been banging my head on this for way too long!
Thanks,
Rohit
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Thursday, December 13, 2012 1:57 PM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
First of all, on the client side, what are you using, sssd or the ldap pam module?
To create the home dir, the enablemkhomedir option should be given to authconfig, which is already specified in the guide.
On Dec 20, 2012 12:43 PM, "Chaudhari, Rohit K." <Rohit.Chaudhari@jhuapl.edu> wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Okay, I will try checking those parameters. I am using sssd; I used ldap pam before in CentOS 6 and that had worked for me, but I will try using sssd. What confused me in your guide was when it said to set up /etc/pam.d/system-auth, replacing all instances of pam_sss.so with pam_ldap.so. If I want to use sssd, I need to leave this alone. I'll give you an update tomorrow to see how it is going. Thanks again for your insight.
Thanks
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Thursday, December 20, 2012 4:07 PM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Yes, you do need to replace it with SSSD. If you have a fresh CentOS install, by default it is sssd only.
The best way would be to use the authconfig tool, as it changes all related files and you don't have to change all of them manually. Moreover, you also need to change the nss.conf file and make sure groups/users have sssd instead of ldap.
From RHEL 6.4, sssd will be fully supported, and it gives better performance if you intend to integrate many applications with LDAP, as it does not open multiple connections with the directory server.
I will look that guide again and will try to improve it.
On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:
Okay I will try checking those parameters. I am doing sssd, I used ldap pan before in CentOS 6 and that had worked for me, but I will try using sssd. What confused me in your guide was when it said to set up /etc/pam.d/system-auth, replacing all instances of pam_sss.so with pam_ldap.so. If I want to use sssd I need to leave this alone. I'll give you an update tomorrow to see how it is going. Thanks again for your insight.
Thanks
From: Chandan Kumar <chandank.kumar@gmail.com <javascript:_e({}, 'cvml', 'chandank.kumar@gmail.com');>> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org <javascript:_e({}, 'cvml', '389-users@lists.fedoraproject.org');>> Date: Thursday, December 20, 2012 4:07 PM To: "General discussion list for the 389 Directory server project." < 389-users@lists.fedoraproject.org <javascript:_e({}, 'cvml', '389-users@lists.fedoraproject.org');>> Subject: Re: [389-users] How to set up 389 client
First of all on the client side what as you using sssd or ldap pan module?
To create Home dir enablemkhomedir option should be given to authconfig and which is already specified in the Guide. On Dec 20, 2012 12:43 PM, "Chaudhari, Rohit K." < Rohit.Chaudhari@jhuapl.edu> wrote:
Hey Chandan,
I tried your guide and am still getting the same issues with the CA not being trusted. How do I make the certificate trusted to the client?
Also, my main goal is to be able to create a new user on LDAP on the server side (with POSIX attributes) and then when I try to log in for the first time on the client machine, it should find the information in the LDAP server and let me login as a newly created user. Have you tried doing this before?
When I did a id <ldap-userid" on the client side, it was returning values for me for EXISTING user accounts on the client side, but nothing on users I didn't have already created on the client side. How do I get this to work? I have been banging my head on this for way too long!
Thanks,
Rohit
From: Chandan Kumar chandank.kumar@gmail.com Reply-To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org Date: Thursday, December 13, 2012 1:57 PM To: "General discussion list for the 389 Directory server project." < 389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Unknown CA means the certificate that you have copied to client machine is not trusted.
Please make sure there are no typos in the sssd.conf file for the certificate directory path or at the ldap.conf path.
No I have not tested it on Redhat. I only have Centos servers. The answer to your question is yes but with Centos not with Redhat.
Also, if you want to check whether your ldap auth is working, just do "id <ldap-userid>"; it should show the information. If it does not, then please check your nsswitch.conf and sssd parameters.
In my case, the ldapsearch was throwing an error with certificates; however, sssd user authentication was working perfectly.
On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:
I recall setting it up like the instructions stated and when I ran wireshark I got the following error:
TLSv1 Alert (Level: Fatal, Description: Unknown CA)
The procedure is as follows:
1. Create new user in LDAP server
2. Create POSIX attributes for that new user
3. Try to log into local box that authenticates against LDAP server with new user for first time
It prevents me from logging in successfully (I've had this work before in CentOS)
Have you been able to succ
Hey Chandan,
So I got the RHEL client working, but I have an outstanding issue. When I look at the users/groups setting on the client machine, the newly created user that I made on the RHEL LDAP server does not show up on the list. Is this how it is supposed to work? If not, how do I get a LDAP user to become a part of the users and groups list on the RHEL client?
Thanks,
Rohit
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Thursday, December 20, 2012 6:21 PM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Yes, you do need to replace it with SSSD. If you have a fresh CentOS install, by default it is sssd only.
The best way would be to use the authconfig tool, as it changes all related files and you don't have to manually change all of them. Moreover, you also need to change the nss.conf file and make sure groups/users have sssd instead of ldap.
From RHEL 6.4 sssd will be fully supported and it gives better performance if you intend to integrate many applications with LDAP as it does not open multiple connections with the directory server.
I will look that guide again and will try to improve it.
On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:
Hello Rohit,
While creating users you also need to specify POSIX properties for the user.
In the admin console you need to fill out the POSIX properties while creating the user. Also make sure you create POSIX groups and associate these new users with the group ID; otherwise at login time you may get a warning message like "id: Group does not exist".
On Mon, Jan 7, 2013 at 7:27 AM, Chaudhari, Rohit K. <Rohit.Chaudhari@jhuapl.edu> wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
I do specify the POSIX properties on the LDAP side. But when I login with that created user on the client side and check the Users and Groups list on the client machine, it is not listed there. I did avoid the warning message by adding the LDAP user to a group that already exists. I want the user I create in LDAP to become listed in the Users and Groups list on the client (for ACL purposes, if you know anything regarding meeting DIACAP guidelines). Did I miss something?
Thanks
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Monday, January 7, 2013 11:39 AM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Are you using SSSD on the client side or PADL/NSS?
On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:
I configured everything with SSSD as you suggested. I'm able to do successful logins authenticating against the LDAP server, but when I check the Users and Groups list on the client machine, that newly created user isn't added. Thoughts?
Thanks.
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Monday, January 7, 2013 1:36 PM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Sounds a bit strange. What is the output of "id <ldap-user-name>"? If sssd is configured properly this command has to work. Moreover, while you execute this command, watch /var/log/secure.log for any error messages.
Also disable selinux/Firewall and test.
On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:
The id <ldap-user-name> command works just fine. That is not where I am having the issue. The issue lies in the local Users and Groups list in the RHEL client.
When I click through System->Administration->Users and Groups, the ldap-user-name is not showing up on that list. How do I get it to show up on that list? This is a concern to me because my bosses are questioning whether the ldap-user-name I created has proper ACL privileges and would meet DIACAP requirements.
Thanks,
Rohit
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Monday, January 7, 2013 1:43 PM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Sounds bit strange. what is out put of "id <ldap-user-name>". If sssd is configured properly this command has to work. Moreover, while you execute this command watch /var/log/secure.log for any error messages.
Also disable selinux/Firewall and test.
On Monday, January 7, 2013, Chaudhari, Rohit K. wrote: I configured everything with SSSD as you suggested. I'm able to do successful logins authenticating against the LDAP server, but when I check the Users and Groups list on the client machine, that newly created user isn't added. Thoughts?
Thanks.
From: Chandan Kumar <chandank.kumar@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Monday, January 7, 2013 1:36 PM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
Are you using SSSD on the client side or PADL/NSS?
On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:
I do specify the POSIX properties on the LDAP side. But when I login with that created user on the client side and check the Users and Groups list on the client machine, it is not listed there. I did avoid the warning message by adding the LDAP user to a group that already exists. I want the user I create in LDAP to become listed in the Users and Groups list on the client (for ACL purposes, if you know anything regarding meeting DIACAP guidelines). Did I miss something?
Thanks
From: Chandan Kumar chandank.kumar@gmail.com Reply-To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org Date: Monday, January 7, 2013 11:39 AM To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org Subject: Re: [389-users] How to set up 389 client
Hello Rohit,
While creating users you also need to specify POSIX properties for the user.
In the admin console you need to fill out the POSIX property details while creating the user. Also make sure you create POSIX groups and associate these new users with the group ID; otherwise at login time you may get a warning message like "id: Group does not exist".
On Mon, Jan 7, 2013 at 7:27 AM, Chaudhari, Rohit K. <Rohit.Chaudhari@jhuapl.edu> wrote:
Hey Chandan,
So I got the RHEL client working, but I have an outstanding issue. When I look at the users/groups setting on the client machine, the newly created user that I made on the RHEL LDAP server does not show up on the list. Is this how it is supposed to work? If not, how do I get an LDAP user to become a part of the users and groups list on the RHEL client?
Thanks,
Rohit
From: Chandan Kumar chandank.kumar@gmail.com Reply-To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org Date: Thursday, December 20, 2012 6:21 PM
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org Subject: Re: [389-users] How to set up 389 client
Yes, you do need to replace it with SSSD. If you have a fresh CentOS install, by default it is sssd only.
The best way would be to use the authconfig tool, as it changes all related files and you don't have to change all of them manually. Moreover, you also need to change the nss.conf file and make sure groups/users have sssd instead of ldap.
From RHEL 6.4 sssd will be fully supported, and it gives better performance if you intend to integrate many applications with LDAP, as it does not open multiple connections to the directory server.
I will look that guide again and will try to improve it.
On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:
Okay, I will try checking those parameters. I am doing sssd, I used ldap pan before in CentOS 6 and that ha
--
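Chandan's point above about POSIX properties and the "id: Group does not exist" warning, as an added shell example that is not part of the thread and not 389 DS or SSSD code: it builds the LDIF for a posixAccount user and for the posixGroup that owns its gidNumber, checks the attributes RFC 2307 requires, and checks that the primary group actually exists before anything is loaded. The base DN dc=example,dc=com, the ou=People and ou=Groups containers, the server name ldap.example.com and the sample accounts are all assumptions.

```sh
# Added example, not from the thread: LDIF for a user with the POSIX
# attributes an SSSD client needs, the posixGroup that owns its gidNumber,
# and checks that catch the two ways `id` breaks: missing posixAccount
# attributes, and a gidNumber that no group carries. BASE_DN, the ou
# containers, the server name and the sample accounts are assumptions.

BASE_DN="dc=example,dc=com"

# posixAccount entry. $1 = uid, $2 = uidNumber, $3 = gidNumber, $4 = full name
posix_user_ldif() {
    printf 'dn: uid=%s,ou=People,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: top\nobjectClass: person\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$4" "${4##* }"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$3"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$1"
}

# posixGroup entry. $1 = cn, $2 = gidNumber, remaining args = memberUid values
posix_group_ldif() {
    printf 'dn: cn=%s,ou=Groups,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$1" "$2"
    shift 2
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
}

# RFC 2307 posixAccount MUST attributes plus the objectClass itself; without
# them nss_sss cannot map the entry to a UNIX account and `id` fails even
# though the LDAP bind succeeds. $1 = one LDIF entry as a string.
validate_posix_user() {
    for attr in cn uid uidNumber gidNumber homeDirectory; do
        printf '%s\n' "$1" | grep -q "^$attr: " || { echo "missing $attr"; return 1; }
    done
    printf '%s\n' "$1" | grep -q '^objectClass: posixAccount$' \
        || { echo "missing objectClass posixAccount"; return 1; }
    echo ok
}

# Succeeds only if some group entry carries the user's gidNumber: this is the
# primary-group lookup behind the "Group does not exist" complaint.
# $1 = user entry, $2 = concatenated group entries
primary_group_exists() {
    gid=$(printf '%s\n' "$1" | awk '/^gidNumber: / { print $2; exit }')
    printf '%s\n' "$2" | grep -q "^gidNumber: $gid\$"
}

# Constructed samples: jdoe in group devs (gid 5000); gid 6000 has no group.
USER_LDIF=$(posix_user_ldif jdoe 5001 5000 "Jane Doe")
GROUP_LDIF=$(posix_group_ldif devs 5000 jdoe)
ORPHAN_LDIF=$(posix_user_ldif orphan 5002 6000 "Orphan Account")

# Loading the group first, then the user, over the TLS port, with the
# self-signed CA already trusted by the client's LDAP library:
#   printf '%s\n\n%s\n' "$GROUP_LDIF" "$USER_LDIF" \
#     | ldapadd -x -H ldaps://ldap.example.com -D "cn=Directory Manager" -W
```

Run validate_posix_user and primary_group_exists over each entry before ldapadd; a user that passes both resolves with `id` on any client whose nsswitch passwd and group lines reach the directory, and the group warning at login disappears because the gidNumber now has an owner.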
I am not sure, but in my opinion this applet reads only local files. You can use other tools to modify LDAP users. Maybe if you tell us what modifications you wish to do someone might help you :). I don't wish to make you chase ghosts, so I am not giving any LDAP client name without knowing what you intend to do.
Greg.
14 Jan 2013 16:18, "Chaudhari, Rohit K." <Rohit.Chaudhari@jhuapl.edu> wrote:
The id <ldap-user-name> command works just fine. That is not where I am having the issue. The issue lies in the local Users and Groups list in the RHEL client.
When I click through System->Administration->Users and Groups, the ldap-user-name is not showing up on that list. How do I get it to show up on that list? This is a concern to me because my bosses are questioning whether the ldap-user-name I created has proper ACL privileges and would meet DIACAP requirements.
Thanks,
Rohit
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
This is what I am trying to do.
Create new-user on LDAP server
Associate LDAP client with LDAP server
On LDAP client, login with new-user, authenticating against LDAP server
RHEL environment for new-user comes up
When I go to System->Administration->Users and Groups, that new-user should be listed
It is not.
When I do id new-user, it shows all the sssd information correctly and the POSIX attributes that I set in LDAP server.
What do I need to do in order for the id new-user command information to show up in the Users and Groups list on the LDAP client?
Thanks,
Rohit
From: Grzegorz Dwornicki <gd1100@gmail.com> Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Date: Monday, January 14, 2013 10:28 AM To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org> Subject: Re: [389-users] How to set up 389 client
I am not sure, but in my opinion this applet reads only local files. You can use other tools to modify LDAP users. Maybe if you tell us what modifications you wish to do someone might help you :). I don't wish to make you chase ghosts, so I am not giving any LDAP client name without knowing what you intend to do.
Greg.
When I go to System->Administration->Users and Groups, that new-user should be listed
No, it shouldn't.
It is not.
When I do id new-user, it shows all the sssd information correctly and the POSIX attributes that I set in LDAP server.
What do I need to do in order for the id new-user command information to show up in the Users and Groups list on the LDAP client?
I know of no way to make this happen. The tools you are referring to simply read the static /etc/passwd and /etc/group files. The ldap client tools make the connection and request to the ldap server, which upon request hands them the credentials.
The id tool is completely different, as it runs through the PAM setup for user information, which then directs the request to the ldap server.
Thanks,
Rohit
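Doug's distinction above (the applet reads the static /etc/passwd and /etc/group, while id resolves the name through the system lookup path, which on an SSSD client ends at the directory) and Chandan's earlier advice to make sure the passwd/group lines name sssd rather than ldap, as an added shell example; this is not code from the thread or from 389 DS or SSSD. The nsswitch.conf and passwd contents are constructed samples; /etc/nsswitch.conf, /etc/passwd, getent and the authconfig flags are the real ones.

```sh
# Added example, not from the thread: how the client routes user lookups,
# and why the Users and Groups applet (which reads /etc/passwd directly)
# never lists an LDAP user that `id` resolves. Sample file contents below
# are constructed; the paths, getent and the authconfig flags are real.

# Source list for one nsswitch database, e.g. "files sss".
# $1 = nsswitch.conf path, $2 = database name (passwd, shadow, group)
nss_sources() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Remote backend for a database: sss (SSSD), ldap (legacy PADL nss_ldap),
# files-only, or none when the line is missing.
nss_backend() {
    srcs=$(nss_sources "$1" "$2")
    case " $srcs " in
        *" sss "*)   echo sss ;;
        *" ldap "*)  echo ldap ;;
        *" files "*) echo files-only ;;
        *)           echo none ;;
    esac
}

# "ok" only if passwd, shadow and group all go through sss; otherwise the
# first database that does not (what authconfig --enablesssd should fix).
check_sssd_nss() {
    for db in passwd shadow group; do
        b=$(nss_backend "$1" "$db")
        if [ "$b" != sss ]; then
            echo "$db uses $b"
            return 1
        fi
    done
    echo ok
}

# The applet's view: is the user present in the static file?
# $1 = user name, $2 = passwd file
in_local_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { if (found) exit 0; exit 1 }' "$2"
}

# The id(1) view on a real client: getent walks every nsswitch source
# (files, then sss), so an LDAP user with POSIX attributes resolves here
# even though in_local_passwd fails for it. Needs a live client; the
# constructed samples below do not exercise it.
compare_views() {
    if in_local_passwd "$1" /etc/passwd; then
        echo "$1: local account (applet will list it)"
    else
        echo "$1: not in /etc/passwd (applet will not list it)"
    fi
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "$1: resolvable via NSS (id works)"
    fi
}

# Constructed samples: nsswitch.conf as left by the legacy ldap setup and
# as rewritten by `authconfig --enablesssd --enablesssdauth --update`, plus
# a passwd file that only knows the local root account.
NSS_LDAP=$(mktemp); NSS_SSS=$(mktemp); PASSWD=$(mktemp)
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' > "$NSS_LDAP"
printf 'passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n' > "$NSS_SSS"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$PASSWD"

check_sssd_nss "$NSS_LDAP" || true   # passwd uses ldap
check_sssd_nss "$NSS_SSS"            # ok
```

On a real client, `check_sssd_nss /etc/nsswitch.conf` tells you whether the lookup path is the one authconfig should have written, and `compare_views <ldap-user>` shows the two answers side by side: the user is absent from /etc/passwd, so the applet cannot list it, and present through getent, which is all that login, id and file ownership need.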
It's not going to show you the LDAP users, only the local ones.
Sincerely,
Doug Tucker
On 01/14/2013 09:17 AM, Chaudhari, Rohit K. wrote:
The id <ldap-user-name> command works just fine. That is not where I am having the issue. The issue lies in the local Users and Groups list in the RHEL client.
When I click through System->Administration->Users and Groups, the ldap-user-name is not showing up on that list. How do I get it to show up on that list? This is a concern to me because my bosses are questioning whether the ldap-user-name I created has proper ACL privileges and would meet DIACAP requirements.
Thanks,
Rohit
Is this something that will cause an issue with ACL/DIACAP restrictions? I'm not sure if you know what those are, but correct me if I'm wrong.
Thanks.
On 1/14/13 10:44 AM, "Doug Tucker" tuckerd@lyle.smu.edu wrote:
It's not going to show you the LDAP users, only the local ones.
Sincerely,
Doug Tucker
I do not know what you mean by DIACAP... ACL: I assume that you mean local permissions on the system. I used LDAP accounts with local permissions and I did not experience any problems AFAICT.
Greg.
14 Jan 2013 16:48, "Chaudhari, Rohit K." <Rohit.Chaudhari@jhuapl.edu> wrote:
Is this something that will cause an issue with ACL/DIACAP restrictions? I'm not sure if you know what those are, but correct me if I'm wrong.
Thanks.