Hi, I don't know how to reply on the same thread,
but thanks for the quick reply.
It's case sensitive. So I created the cert file and I put that one into the client, and I configured it as documented:
/etc/openldap/ldap.conf
URI ldap://ldap-2.fosiul.lan/
BASE dc=fosiul,dc=lan
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
and in /etc/ldap.conf
base dc=fosiul,dc=lan
uri ldap://ldap-2.fosiul.lan/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/
#TLS_CACERT /etc/openldap/cacerts/cacert.asc
pam_password md5
and I can see it created another file in the /etc/openldap/cacerts/ directory, like this:
5be5959f.0  ds-ca.crt
and when I do this:
id usrname
it does not find the user, and I don't see any error in /var/log/message.
So it's like it's connecting to LDAP, but it does not get any information.
Do I have to say Cn="Directory Manager" somewhere in the ldap.conf file??
Thanks for your help.
Fosiul
but in clients, log file
On Sat, Jul 28, 2012 at 4:25 PM, fosiul alam expertalert@gmail.com wrote:
> Hi, I don't know how to reply on the same thread.

Just click on reply and leave the subject of the mail untouched.

> but thanks for the quick reply.
> It's case sensitive. So I created the cert file and I put that one into the client, and I configured it as documented:
> /etc/openldap/ldap.conf
> URI ldap://ldap-2.fosiul.lan/
> BASE dc=fosiul,dc=lan
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> and in /etc/ldap.conf
> base dc=fosiul,dc=lan
> uri ldap://ldap-2.fosiul.lan/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts/
> #TLS_CACERT /etc/openldap/cacerts/cacert.asc
> pam_password md5

You should use pam_password clear, because your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed since the server would have no way to enforce its password policy against a pre-hashed password. You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit (which you already have).

> and I can see it created another file in the /etc/openldap/cacerts/ directory, like this:
> 5be5959f.0  ds-ca.crt
> and when I do this:
> id usrname
> it does not find the user, and I don't see any error in /var/log/message.
> So it's like it's connecting to LDAP, but it does not get any information.
> Do I have to say Cn="Directory Manager" somewhere in the ldap.conf file??
> Thanks for your help.
> Fosiul
> but in clients, log file
Copy the my-public-ca.asc file into /etc/openldap/cacerts:
# cp my-public-ca.asc /etc/openldap/cacerts
# cacertdir_rehash /etc/openldap/cacerts
This will create a file like below (check for the soft link file ending with .0):
[root@atolani cacerts]# ll
total 4
lrwxrwxrwx. 1 root root  16 Apr 24 11:16 2c47a1a7.0 -> my-public-ca.asc
-rw-r--r--. 1 root root 851 Apr  9 01:13 my-public-ca.asc
Now try to run ldapsearch using -ZZ (for start_tls). Make sure you give the exact hostname which you used while creating the cert in this step: certutil -S -n "server-cert" -s "cn=directory.example.com"
Something like this:
ldapsearch -x -ZZ -D "cn=Directory manager" -w password -h directory.example.com -b "dc=example,dc=com"
If this works, then your TLS is working. Now try to configure pam_ldap with TLS.
Regards,
Arpit Tolani
To make the system aware of users in 389 you need to configure other files: /etc/ldap.conf (el5 systems) or /etc/nss_ldap.conf (el6 systems) + /etc/nsswitch.conf + PAM modules (/etc/pam.d/system-auth + install the pam_ldap module). On RHEL/Fedora/CentOS/SL you can do this the easy way using authconfig, authconfig-tui or system-config-authentication. I don't recommend messing manually with PAM without reading some docs about them, because you can break login on your system.
Consider using one of the three tools I have told you about. They can modify all required files. You may be required to install the nss-pam-ldapd package on el6 systems for PAM to work; this will install the nslcd daemon too as a dependency. I usually set FORCELEGACY to yes in /etc/sysconfig/authconfig on el6 systems.
2012/7/28 fosiul alam expertalert@gmail.com
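The two replies above boil down to a short checklist for the client side: the password must go to the server in clear over a verified TLS session (pam_password clear, ssl start_tls, a CA in tls_cacertdir, and certificate verification left on rather than TLS_REQCERT allow / tls_checkpeer no), and nsswitch.conf must actually list ldap as a source for passwd, shadow and group, or "id username" will never consult the directory. The following is an added example, not code from this thread or from the 389 project: a small audit script that parses constructed copies of /etc/ldap.conf, /etc/openldap/ldap.conf and /etc/nsswitch.conf and reports the settings that would cause exactly the symptoms discussed. The sample file contents and the finding strings are my own; the keywords checked (uri, ssl, tls_cacertdir, tls_checkpeer, tls_reqcert, TLS_REQCERT, pam_password) are the real configuration keys used by nss_ldap/pam_ldap and the OpenLDAP client library.

```python
"""Audit LDAP client TLS/password settings and nsswitch.conf sources.

Added example for the 389-users thread; not the project's own tooling.
It reads the pam_ldap/nss_ldap style /etc/ldap.conf, the OpenLDAP client
/etc/openldap/ldap.conf, and /etc/nsswitch.conf, and flags the settings the
thread discusses: unverified server certificates, pre-hashed passwords,
missing TLS, and NSS databases that never consult ldap.
"""

# Constructed sample inputs (not copied from the poster's system).
SAMPLE_PAM_LDAP_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts/
#tls_cacert /etc/openldap/cacerts/cacert.asc
tls_checkpeer no
pam_password md5
"""

SAMPLE_OPENLDAP_CONF = """\
URI ldap://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
"""

SAMPLE_NSSWITCH = """\
passwd:     files
shadow:     files
group:      files ldap
hosts:      files dns
"""


def parse_kv(text):
    """Parse 'key value' lines into a dict; keys lowercased, comments skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text, pam_ldap=True):
    """Return a list of findings for a pam_ldap/nss_ldap ldap.conf.

    With pam_ldap=False the file is treated as the OpenLDAP client
    /etc/openldap/ldap.conf, which has no 'ssl' or 'pam_password' keys
    (TLS is requested per command, e.g. ldapsearch -ZZ), so only the
    certificate-verification and CA checks apply.
    """
    findings = []
    s = parse_kv(text)
    uri = s.get("uri", "").lower()

    if pam_ldap and s.get("ssl", "").lower() != "start_tls" and not uri.startswith("ldaps://"):
        findings.append("no TLS: set 'ssl start_tls' or use an ldaps:// uri")

    # nss_ldap's tls_checkpeer and OpenLDAP's TLS_REQCERT: anything other than
    # yes/demand lets the client accept an unverifiable (or absent) server cert.
    checkpeer_off = s.get("tls_checkpeer", "yes").lower() in ("no", "false", "off")
    reqcert_weak = s.get("tls_reqcert", "demand").lower() in ("never", "allow", "try")
    if checkpeer_off or reqcert_weak:
        findings.append("server certificate not verified: use 'tls_checkpeer yes' / 'TLS_REQCERT demand'")

    if not any(k in s for k in ("tls_cacertdir", "tls_cacert", "tls_cacertfile")):
        findings.append("no CA configured: set tls_cacertdir (run cacertdir_rehash) or tls_cacertfile")

    if pam_ldap and s.get("pam_password", "clear").lower() != "clear":
        findings.append("pam_password %s pre-hashes the password; use 'pam_password clear' over TLS "
                        "so the server can apply its own password policy" % s["pam_password"])
    return findings


def audit_nsswitch(text, ldap_sources=("ldap", "sss")):
    """Return the NSS databases among passwd/shadow/group with no LDAP-backed source.

    'ldap' is the source used by nss_ldap and nslcd (the thread's setups);
    'sss' is accepted as well for sssd-based clients.
    """
    missing = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in ("passwd", "shadow", "group") and not set(sources.split()) & set(ldap_sources):
            missing.append(db.strip())
    return missing


if __name__ == "__main__":
    for name, text, flag in (("/etc/ldap.conf", SAMPLE_PAM_LDAP_CONF, True),
                             ("/etc/openldap/ldap.conf", SAMPLE_OPENLDAP_CONF, False)):
        for finding in audit_ldap_conf(text, pam_ldap=flag):
            print("%s: %s" % (name, finding))
    for db in audit_nsswitch(SAMPLE_NSSWITCH):
        print("/etc/nsswitch.conf: '%s' does not list ldap, so 'id user' will not query the directory" % db)
```

On a real host, read the three files instead of the constructed strings; a client that produces no findings and still cannot resolve users is then worth checking with the ldapsearch -ZZ test from the earlier reply, since that isolates TLS from the NSS/PAM layer.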
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users