[NCLUG] Setting up RH8-9 as LDAP client?

Christopher J. Keist CJ.Keist at engr.colostate.edu
Fri May 23 10:21:40 MDT 2003


Thanks for the info.  I'll give these changes a try, and if they don't work
I will try the OpenLdap group next.

On Wednesday, May 21, 2003, at 11:48  AM, mbutcher at aleph-null.tv wrote:

>
> If what I say doesn't help, you might want to check the openldap
> mailing lists. They are really good about helping with this sort of thing.
>
> Anyway, here's what you'll need to do:
>
> your /etc/ldap.conf file should look like this (modifying yours):
>
> # Use this instead of host and port, which are deprecated:
> uri ldap://129.82.xxx.xxx:389
> # host 129.82.xxx.xxx
>> base dc=engr,dc=colostate,dc=edu
> # This will do StartTLS, which uses port 389. I'm not sure if IPlanet supports
> # this, but it is the standard. You can emulate StartTLS by doing a -Z with
> # ldapsearch
> ssl hard
>> pam_password md5
>> binddn cn=proxy,dc=engr,dc=colostate,dc=edu
>> bindpw password
>
> # I don't think you need this. I don't use it.
> # rootbinddn cn=directory manager,dc=engr,dc=colostate,dc=edu
> # port 389
>> pam_filter objectclass=posixAccount
>> pam_login_attribute uid
> # Now you need all of the SSL stuff
> # The most simple is something like this (but your SSL certs may be somewhere
> # else) I don't know what cert7.db is, but if it's a pem file, that might be
> # what goes here.
> CACERT_FILE /usr/share/ssl/cacert-bundle.pem
>
> # End
>
> Depending on how your SSL is configured on the Master, you may need more
> configuration. See the man page on ldap.conf (/etc/openldap/ldap.conf, that is)
> to get more info.
>
> padl.com (pam_ldap) and openldap.org (openldap and openldap-clients) will both
> be helpful resources, too.
>
> BTW -- it's always best to get things working with ldapsearch before you try and
> configure pam_ldap. That'll help you work the bugs out of the
> /etc/openldap/ldap.conf file first, and then help you troubleshoot pam_ldap.
>
> Matt
>
>
> Quoting "Christopher J. Keist" <CJ.Keist at engr.colostate.edu>:
>
>> Hello,
>>       Looking to see if anyone has set up RH Linux as an LDAP client to
>> authenticate users?  I have a test LDAP server (running iPlanet 5.1
>> from Sun) and have had only success configuring other Solaris 9
>> workstations.  I've been trying to get RH8 and RH9 to use LDAP but
>> without any luck so far.
>>      My LDAP server is set up for both simple and TLS authentication with
>> a proxy user.  Here is how I have set up the /etc/ldap.conf file:
>>
>> host 129.82.xxx.xxx
>> base dc=engr,dc=colostate,dc=edu
>> ssl no
>> pam_password md5
>> binddn cn=proxy,dc=engr,dc=colostate,dc=edu
>> bindpw password
>> rootbinddn cn=directory manager,dc=engr,dc=colostate,dc=edu (password
>> is in /etc/ldap.secret)
>> port 389
>> pam_filter objectclass=posixAccount
>> pam_login_attribute uid
>>
>> I run the /usr/bin/authconfig-gtk which takes care of modifying
>> /etc/nsswitch.conf and /etc/pam.d/system-auth for LDAP.  The above conf
>> doesn't look to be even trying to connect to my LDAP server.  But if I
>> change it to use TLS/SSL port 636, I do show connection attempts on the
>> LDAP server, but am not able to get user info.  One thing is that I'm
>> using my own signed certificate on the LDAP server, and have copied my
>> cert7.db (which I have set up to accept my certificate forever) to the
>> /etc/ssl/certs directory.
>>
>> Any ideas on this?
>>
------------------------------------------------------------------------

C. J. Keist                     Email: cj.keist at engr.colostate.edu
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
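An added example, not from anyone in this thread, that turns the two /etc/ldap.conf versions above into an offline check: it parses a pam_ldap/nss_ldap style file and reports when the proxy bindpw would cross the wire unencrypted, when the deprecated host/port form is used, and when TLS is on without a PEM CA file or with peer checking disabled. It assumes the pam_ldap directives `ssl start_tls`, `tls_cacertfile` and `tls_checkpeer` (OpenLDAP's OpenSSL-linked libldap reads PEM CA files, not a cert7.db); both sample configs are constructed from the posted one, with the IP left masked.

```python
# Constructed sample: the /etc/ldap.conf from the original post (IP left masked as posted)
POSTED_CONF = """\
host 129.82.xxx.xxx
base dc=engr,dc=colostate,dc=edu
ssl no
pam_password md5
binddn cn=proxy,dc=engr,dc=colostate,dc=edu
bindpw password
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
"""
# Constructed sample: the same client moved to StartTLS with a PEM CA bundle and peer checking
HARDENED_CONF = """\
uri ldap://129.82.xxx.xxx:389
base dc=engr,dc=colostate,dc=edu
ssl start_tls
tls_cacertfile /usr/share/ssl/cacert-bundle.pem
tls_checkpeer yes
pam_password md5
binddn cn=proxy,dc=engr,dc=colostate,dc=edu
bindpw password
pam_filter objectclass=posixAccount
pam_login_attribute uid
"""

def parse_ldap_conf(text):
    """Read 'key value' lines the way pam_ldap/nss_ldap do: '#' comments, case-insensitive keys."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf
def check_ldap_conf(conf):
    """Return findings about transport security and deprecated directives (empty list = clean)."""
    findings = []
    tls_on = conf.get("ssl", "off").lower() in ("on", "yes", "start_tls")
    if "bindpw" in conf and not tls_on:
        findings.append("plaintext-bind: the proxy bindpw is sent unencrypted because ssl is off")
    if "uri" not in conf and ("host" in conf or "port" in conf):
        findings.append("deprecated-host: replace host/port with 'uri ldap://host:389'")
    if tls_on and "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no-ca: TLS is on but no PEM CA is configured (cert7.db is not a PEM file)")
    if conf.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        findings.append("no-peer-check: the server certificate is never verified")
    return findings
def audit(text):
    return check_ldap_conf(parse_ldap_conf(text))
```

Running `audit(POSTED_CONF)` flags the cleartext proxy bind and the deprecated host/port form; `audit(HARDENED_CONF)` returns an empty list.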