[KLUG Members] making a linux machine auth against an ldap server.

Adam Tauno Williams adam at morrison-ind.com
Wed Nov 9 23:36:52 EST 2005


> >>It's a Sun ONE directory, SASL GSSAPI. :)
> > Ok. Is your machine/workstation part of the Kerberos domain?
> I have no idea.

Then we will assume not.

> I'm told Kerberos is _bad_.

Rubbish, Kerberos V is amazing technology and has been adopted by EVERY
modern platform including M$-Windows.

> I was also told that the 
> whole point of doing ldap was because it was easier than doing kerberos.

The two things are not really the same thing at all (apples & oranges),
although they can both be used to perform authentication. Kerberos and
LDAP fit *VERY* nicely together.

> >>I can't get anonymous queries working. I've been using a DN to do queries.
> >>ldapsearch -H ldap://dir.wmich.edu -D
> >>uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu -W -x -b
> >>ou=people,o=wmich.edu,dc=wmich,dc=edu -s sub 'uid=*******'
> > Well, simple binds seem to be working.  I assume the oitlabs is a
> > quasi-generic context used for searching the DSA to locate the uid (or
> > wmuuid)? 
> oitlabs is part of the DN used to bind.
> The context used to search is ou=people,o=wmich.edu,dc=wmich,dc=edu
> uid=UNIFIED_LOGIN_NAME wmuuid
> returning the user's DN to bind against the ldap.
> mine is
> DN: wmuUID=SOME_SUCH,ou=people,o=wmich.edu,dc=wmich,dc=edu
> then they are supposed to bind with that and THEIR password :)

Right, this all sounds normal and very RFC2307ish.

> > Have you set the binddn/bindpw in /etc/ldap.conf to this DN
> > and secret? 
> Yes, it's hard to test with all the requisite files being incorrect/correct.

This looks like it should pretty much work out of the box.  What
specific error messages are you seeing when trying to authenticate?

> > Depending on what a user object looks like you probably
> > need to adjust pam_filter, pam_login_attribute, and do some attribute
> > mapping.  For example add "nss_map_attribute uid wmuuid" to make the uid
> > value come from the wmuuid attribute.  I've never used a Sun ONE
> > directory server so I don't know what the schema looks like.  I'd assume
> > it contains information at least equivalent to the schema provided by
> > RFC2307.
> > Is the server providing a posixAccount for accounts?  Or are you going
> > to use PAM for authentication but use the local files for NSS? (not
> > using the LDAP DSA as an NSS source).
> the posixAccount field is there, but I'm not sure if that's set up or 
> not, I'm going to worry about that next. I'll do local files for users 
> for now.

Set up?  Either the object returned by the search is a posixAccount or it
isn't.  Does the object returned contain a "uid" attribute in addition
to the wmuuid attribute?

> >>that query with the correct password returns the entry I want, inside
> >>of the entry there is a wmuuid field that has the username you're
> >>SUPPOSED to connect to the ldap server with, to authenticate.
> >>when I try using TLS or SASL I get this.
> >>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> >>verify failed
> > You aren't even getting to SASL then.  Try setting "TLS_REQCERT never"
> > in /etc/openldap/ldap.conf.
> > Can you acquire Kerberos tickets?
> No idea what a kerberos ticket is.

That's ok, it doesn't look like you need one.

> did you know if you look hard enough for ldap stuff, you stumble across a 
> huge 500 slide presentation?

Yep, that is because LDAP is a generic tool used to solve an enormous
array of problems.
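For anyone reading this in the archive, here is what the pieces discussed in the thread look like once they are assembled into a PADL pam_ldap/nss_ldap `/etc/ldap.conf`. This is an added example written for this page, not a file posted by either participant: the host, search base, bind DN and the wmuuid attribute are the ones quoted above, the bind password is a placeholder, and the CA certificate path is an assumption about where the site would install the directory's CA.

```ini
# /etc/ldap.conf for pam_ldap / nss_ldap (added example, not from the thread).
# Taken from the thread: dir.wmich.edu, the ou=people search base, the oitlabs
# bind DN and the wmuuid attribute. SECRET-PLACEHOLDER and the CA certificate
# path are placeholders/assumptions.

uri ldap://dir.wmich.edu
ldap_version 3
base ou=people,o=wmich.edu,dc=wmich,dc=edu

# Credentials used only to locate a user's entry; the user is then bound as
# their own DN with their own password. Keep this file root-readable (0600)
# when bindpw is set, otherwise every local user can read the search account.
binddn uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu
bindpw SECRET-PLACEHOLDER

# The login name typed at the prompt is matched against wmuuid, not uid.
pam_login_attribute wmuuid
# Only entries carrying the posixAccount objectclass may authenticate.
pam_filter objectclass=posixAccount

# Only needed once NSS is switched from local files to LDAP: present the
# wmuuid value as the POSIX "uid" attribute.
nss_map_attribute uid wmuuid

# Simple binds carry the user's password in the clear, so wrap them in TLS
# and verify the server certificate. "tls_checkpeer no" here (or
# "TLS_REQCERT never" in /etc/openldap/ldap.conf) silences the
# "certificate verify failed" error seen in the thread but leaves the
# password exposed to anything that can answer for dir.wmich.edu; use it
# only to confirm the diagnosis, then install the CA certificate instead.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/wmich-ca.pem
```

With local files still providing NSS, as the poster planned, only the pam_* and bind settings are exercised; the nss_map_attribute line becomes relevant when `passwd: files ldap` is added to `/etc/nsswitch.conf`. The `ldapsearch` command quoted above can be repeated with `-ZZ` after the CA certificate is installed to confirm that the verify error is gone before touching PAM.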