[NCLUG] Setting up RH8-9 as LDAP client?
mbutcher at aleph-null.tv
Wed May 21 11:48:23 MDT 2003
If what I say doesn't help, you might want to check the openldap mailing lists.
They are really good about helping with this sort of thing.
Anyway, here's what you'll need to do:
your /etc/ldap.conf file should look like this (modifying yours):
# Use this instead of host and port, which are deprecated:
uri ldap://129.82.xxx.xxx:389
# host 129.82.xxx.xxx
> base dc=engr,dc=colostate,dc=edu
# This will do StartTLS, which uses port 389. I'm not sure if IPlanet supports
# this, but it is the standard. You can emulate StartTLS by doing a -Z with
# ldapsearch
ssl hard
> pam_password md5
> binddn cn=proxy,dc=engr,dc=colostate,dc=edu
> bindpw password
# I don't think you need this. I don't use it.
# rootbinddn cn=directory manager,dc=engr,dc=colostate,dc=edu
# port 389
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
# Now you need all of the SSL stuff
# The most simple is something like this (but your SSL certs may be somewhere
# else) I don't know what cert7.db is, but if it's a pem file, that might be
# what goes here.
CACERT_FILE /usr/share/ssl/cacert-bundle.pem
# End
Depending on how your SSL is configured on the Master, you may need more
configuration. See the man page on ldap.conf (/etc/openldap/ldap.conf, that is)
to get more info.
padl.com (pam_ldap) and openldap.org (openldap and openldap-clients) will both
be helpful resources, too.
BTW -- it's always best to get things working with ldapsearch before you try and
configure pam_ldap. That'll help you work the bugs out of the
/etc/openldap/ldap.conf file first, and then help you troubleshoot pam_ldap.
Matt
Quoting "Christopher J. Keist" <CJ.Keist at engr.colostate.edu>:
> Hello,
> Looking to see if anyone has set up RH linux as an LDAP client to
> authenticate users? I have a test LDAP server (running iPlanet 5.1
> from Sun) and have had only success configuring other Solaris 9
> workstations. I've been trying to get RH8 and RH9 to use LDAP but
> without any luck so far.
> My LDAP server is set up for both simple and TLS authentication with
> a proxy user. Here is how I have set up the /etc/ldap.conf file:
>
> host 129.82.xxx.xxx
> base dc=engr,dc=colostate,dc=edu
> ssl no
> pam_password md5
> binddn cn=proxy,dc=engr,dc=colostate,dc=edu
> bindpw password
> rootbinddn cn=directory manager,dc=engr,dc=colostate,dc=edu (password
> is in /etc/ldap.secret)
> port 389
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
> I run the /usr/bin/authconfig-gtk which takes care of modifying
> /etc/nsswitch.conf and /etc/pam.d/system-auth for LDAP. The above conf
> doesn't look to be even trying to connect to my LDAP server. But if I
> change it to use TLS/SSL port 636, I do show connection attempts on the
> LDAP server, but not able to get user info. One thing is that I'm
> using my own signed certificate on the LDAP server, and have copied my
> cert7.db (which I have set up to accept my certificate for ever) to the
> /etc/ssl/certs directory.
>
> Any ideas on this?
>
> ------------------------------------------------------------------------
>
> C. J. Keist Email: cj.keist at engr.colostate.edu
> UNIX/Network Manager Phone: 970-491-0630
> Engineering Network Services Fax: 970-491-5569
> College of Engineering, CSU
> Ft. Collins, CO 80523-1301
>
> All I want is a chance to prove 'Money can't buy happiness'
>
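As an added example, not part of the thread or of pam_ldap/OpenLDAP themselves: a small POSIX shell helper that follows the advice above to get ldapsearch working before touching pam_ldap. It reads an /etc/ldap.conf-style file, prints the ldapsearch invocation that mirrors the proxy bind pam_ldap will make (simple bind, StartTLS when `ssl start_tls` is set, the pam_filter ANDed with the login attribute), and checks that the CA file is a PEM bundle rather than a Netscape cert7.db. The config path, the sample DNs, the `LDAP_CHECK_RUN` variable and the fallback `CACERT_FILE` key spelling (taken from the reply above) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check an ldap.conf with
# ldapsearch before enabling pam_ldap. Paths, DNs and variable names are
# placeholders/assumptions.

# Value of KEY ($1) in an ldap.conf-style FILE ($2): first token is the key,
# the rest of the line is the value; '#' starts a comment. Keys are
# case-insensitive. Prints nothing when the key is absent.
ldap_conf_get() {
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == k {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            print; exit
        }' "$2"
}

# OpenLDAP/pam_ldap read a PEM CA bundle; a Netscape cert7.db is a binary
# database and will never be accepted here, so flag it early.
cacert_is_pem() {
    [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The filter pam_ldap effectively uses to look up a login: pam_filter ANDed
# with pam_login_attribute=<user> (defaults mirror the thread's config).
pam_user_filter() {
    f=$(ldap_conf_get pam_filter "$1")
    a=$(ldap_conf_get pam_login_attribute "$1")
    printf '(&(%s)(%s=%s))' "${f:-objectclass=posixAccount}" "${a:-uid}" "$2"
}

# Assemble the ldapsearch command that reproduces the proxy bind pam_ldap does.
# -W prompts for bindpw instead of passing it with -w, which would expose the
# password in the process list (use -y <file> for non-interactive runs).
build_ldapsearch_cmd() {
    conf=$1; user=$2
    uri=$(ldap_conf_get uri "$conf")
    if [ -z "$uri" ]; then           # fall back to the deprecated host/port keys
        port=$(ldap_conf_get port "$conf")
        uri="ldap://$(ldap_conf_get host "$conf"):${port:-389}"
    fi
    tls=""
    case "$(ldap_conf_get ssl "$conf" | tr 'A-Z' 'a-z')" in
        start_tls) tls=" -ZZ" ;;     # StartTLS on port 389; -ZZ refuses to continue without TLS
        on|yes)    ;;                # LDAPS: the uri is expected to be ldaps://host:636
    esac
    printf "ldapsearch -x%s -H '%s' -D '%s' -W -b '%s' '%s' uid\n" \
        "$tls" "$uri" "$(ldap_conf_get binddn "$conf")" \
        "$(ldap_conf_get base "$conf")" "$(pam_user_filter "$conf" "$user")"
}

main() {
    conf=${1:-/etc/ldap.conf}; user=${2:-testuser}
    # tls_cacertfile is the pam_ldap key; CACERT_FILE is the spelling used in
    # the reply above, checked as a fallback.
    cafile=$(ldap_conf_get tls_cacertfile "$conf")
    [ -n "$cafile" ] || cafile=$(ldap_conf_get cacert_file "$conf")
    if [ -n "$cafile" ] && ! cacert_is_pem "$cafile"; then
        echo "warning: $cafile is not a PEM bundle (a cert7.db will not work)" >&2
    fi
    cmd=$(build_ldapsearch_cmd "$conf" "$user")
    echo "run: $cmd"
    if command -v ldapsearch >/dev/null 2>&1; then
        eval "$cmd"              # a returned uid: entry means bind, base and filter are right
    fi
}

# Run only when explicitly asked, e.g.: LDAP_CHECK_RUN=1 sh ldapcheck.sh /etc/ldap.conf jdoe
if [ "${LDAP_CHECK_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

If the printed ldapsearch returns the user's entry, the server, bind DN and filter are fine and any remaining login failure is in nsswitch.conf or the pam_ldap PAM stack; if it fails with a TLS error, fix the CA bundle path before looking anywhere else.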