[KLUG Members] making a linux machine auth against an ldap server.
Adam Tauno Williams
adam at morrison-ind.com
Wed Nov 9 23:36:52 EST 2005
> >>it's a Sun ONE directory, SASL GSSAPI. :)
> > Ok. Is your machine/workstation part of the Kerberos domain?
> I have no idea.
Then we will assume not.
> I'm told kerberos is _bad_.
Rubbish, Kerberos V is amazing technology and has been adopted by EVERY
modern platform including M$-Windows.
> I was also told that the
> whole point of doing ldap was cause it was easier than doing kerberos.
The two things are not really the same thing at all (apples & oranges),
although they can both be used to perform authentication. Kerberos and
LDAP fit *VERY* nicely together.
> >>I can't get anonymous queries working. I've been using a DN to do queries.
> >>ldapsearch -H ldap://dir.wmich.edu -D
> >>uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu -W -x -b
> >>ou=people,o=wmich.edu,dc=wmich,dc=edu -s sub 'uid=*******'
> > Well, simple binds seem to be working. I assume the oitlabs is a
> > quasi-generic context used for searching the DSA to locate the uid (or
> > wmuuid)?
> oitlabs is part of the DN used to bind,
> the context used to search is ou=people,o=wmich.edu,dc=wmich,dc=edu
> uid=UNIFIED_LOGIN_NAME wmuuid
> returning the users DN to bind against the ldap.
> mine is
> DN: wmuUID=SOME_SUCH,ou=people,o=wmich.edu,dc=wmich,dc=edu
> then they are supposed to bind with that and THEIR password :)
Right, this all sounds normal and very RFC2307ish.
> > Have you set the binddn/bindpw in /etc/ldap.conf to this DN
> > and secret?
> Yes, it's hard to test with all the requisite files being incorrect/correct.
This looks like it should pretty much work out of the box. What
specific error messages are you seeing when trying to authenticate?
> > Depending on what a user object looks like you probably
> > need to adjust pam_filter, pam_login_attribute, and do some attribute
> > mapping. For example add "nss_map_attribute uid wmuuid" to make the uid
> > value come from the wmuuid attribute. I've never used a Sun ONE
> > directory server so I don't know what the schema looks like, I'd assume
> > it contains information at least equivalent to the schema provided by
> > RFC2307.
> > Is the server providing a posixAccount for accounts? Or are you going
> > to use PAM for authentication but use the local files for NSS? (not
> > using the LDAP DSA as an NSS source).
> the posixAccount field is there, but I'm not sure if that's set up or
> not, I'm going to worry about that next. I'll do local files for users
> for now.
setup? Either the object returned by the search is a posixAccount or it
isn't. Does the object returned contain a "uid" attribute in addition
to the wmuuid attribute?
> >>that query with the correct password returns the entry I want, inside
> >>of the entry there is a wmuuid field that has the username you're
> >>SUPPOSED to connect to the ldap server with, to authenticate.
> >>when I try using TLS or SASL I get this.
> >>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> >>verify failed
> > You aren't even getting to SASL then. Try setting "TLS_REQCERT never"
> > in /etc/openldap/ldap.conf.
> > Can you acquire Kerberos tickets?
> No idea what a kerberos ticket is.
That's ok, it doesn't look like you need one.
> did you know if you look hard enough for ldap stuff, you stumble across a
> huge 500 slide presentation?
Yep, that is because LDAP is a generic tool used to solve an enormous
array of problems.
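An /etc/ldap.conf (pam_ldap/nss_ldap) skeleton that ties the pieces of this thread together, added here as an example and not taken from the list message: the server name, search base, search-account DN and the wmuuid attribute come from the quoted ldapsearch, while the password placeholder, the posixAccount filter and the CA certificate path are assumptions.

```conf
# /etc/ldap.conf for pam_ldap / nss_ldap (not /etc/openldap/ldap.conf,
# which only configures the OpenLDAP command-line tools).
uri ldap://dir.wmich.edu
ldap_version 3

# Search context and the low-privilege account used only to locate the
# user's DN. bindpw is stored in clear text, so keep this file readable
# by root only (or move it to /etc/ldap.secret via rootbinddn).
base ou=people,o=wmich.edu,dc=wmich,dc=edu
scope sub
binddn uid=oitlabs,ou=special,ou=people,o=wmich.edu,dc=wmich,dc=edu
bindpw SEARCH_ACCOUNT_PASSWORD_PLACEHOLDER

# Users log in with the value of wmuuid, not uid: pam_ldap searches on
# that attribute, then rebinds as the returned DN with the user's own
# password. The posixAccount filter assumes the entries carry that class.
pam_login_attribute wmuuid
pam_filter objectClass=posixAccount

# Only needed once the DSA is also an NSS source: make the POSIX "uid"
# seen by getpwnam() come from the wmuuid attribute.
nss_map_attribute uid wmuuid
nss_base_passwd ou=people,o=wmich.edu,dc=wmich,dc=edu?sub

# Cure "certificate verify failed" by trusting the directory's issuing CA
# instead of disabling verification: TLS_REQCERT never / tls_checkpeer no
# accept any certificate, so the bind password travels to whoever answers.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/wmich-ca.pem   # assumed path; install the real CA here
```

With NSS still pointed at local files, only the pam_* and bind directives matter; the nss_* lines become relevant when passwd/group lookups are switched to the directory.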