[KLUG Members] making a linux machine auth against an ldap server.

Tyler Haske dvorak.typist at gmail.com
Wed Nov 9 23:01:02 EST 2005


Adam Tauno Williams wrote:
>>it's a Sun ONE directory SASL GSSAPI. :)
> 
> 
> Ok. Is your machine/workstation part of the Kerberos domain?

I have no idea. I'm told Kerberos is _bad_. I was also told that the 
whole point of doing LDAP was because it was easier than doing Kerberos.

> 
> 
>>I can't get anonymous queries working. I've been using a DN to do queries.
>>ldapsearch -H ldap://dir.wmich.edu -D
>>uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu -W -x -b
>>ou=people,o=wmich.edu,dc=wmich,dc=edu -s sub 'uid=*******'
> 
> 
> Well, simple binds seem to be working.  I assume the oitlabs is a
> quasi-generic context used for searching the DSA to locate the uid (or
> wmuuid)? 

oitlabs is part of the DN used to bind.
The context used to search is ou=people,o=wmich.edu,dc=wmich,dc=edu 
uid=UNIFIED_LOGIN_NAME wmuuid

returning the user's DN to bind against the LDAP.
Mine is
DN: wmuUID=SOME_SUCH,ou=people,o=wmich.edu,dc=wmich,dc=edu
then they are supposed to bind with that and THEIR password :)

> Have you set the binddn/bindpw in /etc/ldap.conf to this DN
> and secret? 

Yes, it's hard to test with all the requisite files being incorrect/correct.

> Depending on what a user object looks like you probably
> need to adjust pam_filter, pam_login_attribute, and do some attribute
> mapping.  For example add "nss_map_attribute uid wmuuid" to make the uid
> value come from the wmuuid attribute.  I've never used a Sun ONE
> directory server so I don't know what the schema looks like; I'd assume
> it contains information at least equivalent to the schema provided by
> RFC2307.
> 
> Is the server providing a posixAccount for accounts?  Or are you going
> to use PAM for authentication but use the local files for NSS? (not
> using the LDAP DSA as an NSS source).

The posixAccount field is there, but I'm not sure if that's set up or 
not. I'm going to worry about that next. I'll do local files for users 
for now.
> 
> 
>>that query with the correct password returns the entry I want, inside
>>of the entry there is a wmuuid field that has the username you're
>>SUPPOSED to connect to the ldap server with, to authenticate.
>>when I try using TLS or SASL I get this.
>>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>verify failed
> 
> 
> You aren't even getting to SASL then.  Try setting "TLS_REQCERT never"
> in /etc/openldap/ldap.conf.
> 
> Can you acquire Kerberos tickets?

No idea what a Kerberos ticket is.

Did you know if you look hard enough for LDAP stuff, you stumble across a 
huge 500-slide presentation?

Thanks!
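Adam's "TLS_REQCERT never" is a debugging step: it makes the certificate error go away by skipping verification of the server's certificate. The script below, added here and not part of the thread, audits an /etc/ldap.conf or /etc/openldap/ldap.conf for that and the other settings that are convenient while getting the bind to work (no start_tls, bindpw in a world-readable file) so they can be reverted once the CA certificate is in place. The directive names are the real pam_ldap and OpenLDAP client ones; the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a pam_ldap/nss_ldap /etc/ldap.conf
# or OpenLDAP client /etc/openldap/ldap.conf for debugging settings that should
# not survive into production. Directive names are the real pam_ldap/OpenLDAP
# ones; the file written at the bottom is constructed for the demo.

# audit_ldap_conf FILE: print one finding per line, return the number of findings.
audit_ldap_conf() {
    file="$1"
    n=0
    # OpenLDAP side: TLS_REQCERT never/allow makes "certificate verify failed"
    # go away by not verifying, so any host can impersonate the DSA and
    # collect the simple-bind passwords sent to it.
    if grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)' "$file"; then
        echo "$file: TLS_REQCERT never/allow; use 'TLS_REQCERT demand' plus TLS_CACERT"
        n=$((n + 1))
    fi
    # pam_ldap side: tls_checkpeer no is the same downgrade.
    if grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$file"; then
        echo "$file: tls_checkpeer no; set 'tls_checkpeer yes' and 'tls_cacertfile <CA file>'"
        n=$((n + 1))
    fi
    # Plain ldap:// with no 'ssl start_tls': bindpw and user passwords go in clear.
    if grep -Eiq '^[[:space:]]*(uri[[:space:]]+ldap://|host[[:space:]])' "$file" \
       && ! grep -Eiq '^[[:space:]]*ssl[[:space:]]+(start_tls|yes|on)' "$file"; then
        echo "$file: no 'ssl start_tls'; simple binds cross the wire in plaintext"
        n=$((n + 1))
    fi
    # bindpw in a world-readable file hands the search account to every local user.
    if grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$file" && find "$file" -perm -004 | grep -q .; then
        echo "$file: bindpw readable by others; use rootbinddn with /etc/ldap.secret (mode 600)"
        n=$((n + 1))
    fi
    return "$n"
}

# Demo on a constructed file mirroring the debugging setup discussed in the thread.
demo=$(mktemp) && printf '%s\n' \
    'uri ldap://dir.wmich.edu' \
    'base ou=people,o=wmich.edu,dc=wmich,dc=edu' \
    'binddn uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu' \
    'bindpw CONSTRUCTED-PLACEHOLDER' \
    'pam_login_attribute wmuuid' \
    'nss_map_attribute uid wmuuid' \
    'TLS_REQCERT never' > "$demo" && chmod 644 "$demo"
audit_ldap_conf "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

The function's exit status is the finding count, so it can gate a config-management run and fail the host until the CA file is deployed and the debugging lines are removed.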
