I've managed to get my Fedora box authenticate to AD with NSS_LDAP module with SSL working. I would like to bring this authentication to the next step by using SASL /GSSAPI, however I find very little / no documentation exist on this topic? I was wondering does anyone know where I can get the documentation on how to setup NSS_LDAP talking to AD with SASL/GSSAPI?
I took to yast to install ldap. I creating the CA cert, server key and server cert and specified them during the yast ldap server dialogs.
The firewall is open for ldap.
I also went through yast's ldap client ... though I didn't exactly see to anything (presuably it wrote up a configuration file somewhere).
However when trying use the basic ldap tools, like ldapwhoami. Well it doesn't connect and gives me the above error. Of coure the ldap db is unpopulated as yet, so it probably is not able to say who am at all. But ldapadd doesn't work either.
It seems to point to my SSL usage not being correct .. so I'm trying to double check that now.
I am trying to get kerberos ticket forwarding via SSH to work between RHEL and Ubuntu. It is working, when connecting from Ubuntu to RHEL, but not the other way round. (It also works between RHEL machines.) I have enabled the GSSAPI features in both SSH client and server, checked keytabs and verified, that my ticket is forwardable.
Any idea, how to get more information? Could it have s. th. to do with using allow_weak_crypto=yes in our krb5.conf? I have to use that, because our kerberos server only supports DES encryption.
Slackware 13 64 - full installation Postfix from slackbuilds dot org Dovecot from same
has anyone recompiled Postfix using the Slackbuild script, modifying the script to include support for Cyrus-SASL, OpenLDAP, and MySQL in the build, while retaining Dovecot SASL and TLS? If so I would appreciate it if they could post the CCARGS and AUXLIBS commands. I am having some difficulty getting this working.
we have a weird problem with our opensuse 11.2 server installation.
We want to set up a LDAP Server using the Yast-LDAP Server configuriation tool.
This indeed already worked weeks ago until....this week. Maybe some updates??!
I do not know what happend exactly. The server just does not want to start again and throws following error:
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed
This happend after a little check of the configuration, but without a change, with Yast. Google delivered only "reinstall your box"-answers.
So.. i did that. And now the "mystical" part: The SAME ERROR occurs with a fresh vanilla system with a brand new and simple configuration (certificats, database, pw...the first Yast config dialog...). I did not change the way i set it up.
I remember, when i did this the first time with 11.2 on that machine, when no problems occured...everything was running out of the box (except the "use commen server certificate" option...).
I would like to ask:How do I setup LDAP auth of users/groups on Debian 5.0?Is it using LDAP Migration tools? Can be done differently? Using different tool? Some nice tootorial?Some up to date book for LDAP or I need to dig in openldap.org?I'm learning by book which is a lil bit older so Im bit confused.
I'm having a remote server running SSH, I use the scp from my local computer like this:scp filename.txt username@IP:Port:home/usernameit asks for the password, I supply it, he doesn't accept it for 3 times and then I get "Permission denied (publickey,gssapi-with-mic,password)"
I've been working though [URL] tutorial trying to get openldap working.
When I get to the point where i'm setting up the client. More specifically when I do ldapaddgroup testgroup I am sent this error
"You must have OpenLDAP client commands installed before running these scripts"
I have installed the ldapscripts package along with all the required ones. Has anyone been through this, I imagine it's some little nuance that I am missing.
I've compiled openssh-5.4p1 on RHEL 4.8 with Openssl 0.9.8m + pam It works perfect without pam (pam-0.77-66), both with password and public key auth. Whith pam enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key LDAP users: public key works for remote users, still I cannot do ssh with just password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP ) blocks ssh even with system users.
I am trying to setup LDAP and NFS for our school computer lab (authenticating student logins, file storage, etc.) but I am in over my head. I can't seem to find a good guide for 10.04 anywhere.
I am using thunderbird and evolution on my computer at work using IMAP and have been trying to configure both of the clients to access the global address book from the companies exchange 5.5 mail server.
I read this but cannot get any results when I search for a name.
[url]
How can I obtain the information that I need from the Exchange 5.5 server to setup my GAL on thunderbird or evolution.
I would like to setup LDAP (openldap) with Samba. I would like to know what should I setup first? Should I setup LDAP before Samba or Samba before LDAP?
I'm trying to set up a centralized log-on scheme in a research lab with about 10 computers. It's looking like we're going with LDAP - this decision may be out of my control (but if there's an alternative that would be REALLY better, do let me know). My question is we don't really have a domain name, so when all the tutorials say cn=example,cn=com, I can't mimic this exactly. I've been trying to get away with just one, like cn=researchlab. Will LDAP work with just one, or do I need to invent a second also? On the flipside, will it work with more? Our server can be reached by lab.department.school.edu, could I do cn=lab,cn=department,cn=school,cn=edu?
I have looked around a while for the answer, but nothing really fits. Here is the scenario. I have one server and a few openvz VE's running. I want to be able to auth whatever possible with LDAP. I have an LDAP server setup on the host and auth works for the server users. The tricky part for me is that every VE has their own domain. and if I can do that, they will also have the same login for their VE on said domain. I can setup users and the required software on the hosts and guest, but I guess I am confused at how to manage the multiple domain part of things.
not sure if proftp can do 'name based' stuff like apache, but if it can, we can point ftp.clientdomain.foo to the main server and handle it that way.
I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:
batrick@menzoberranzan:~$ dpkg -l | grep krb ii krb5-config 2.2 Configuration files for Kerberos Version 5
I have been trying to set up an LDAP server for a development environment as part of an internship for a week now, and I cannot get past this point. I have been following the 10.04 server guide to set up LDAP here: URL...Once I get to the following point in the guide, it just hangs:"As an example of modifying the cn=config tree, add another attribute to the index list using ldapmodify:"I've been working on this for a week and can't understand why this won't work. I am fairly certain that I've followed the guide to a 'T.'Any idea why am I receiving a permission denied error? Is this a permissions issue with one of the config files?
I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.
My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.
The setup is working fine as long as I connect to the primary server using its hostname:
peter@client01:~$ ssh nana <connection goes through seamlessly without prompting> peter@nana:~$
If I try to connect via a DNS alias (actually a second CNAME record), I get:
I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.
I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).
If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.
So:
1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.
2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.
i have configured ldapserver on rhel4 for creating address book
following are configuration files on ldap server /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema
i am able to import this ldif file into database.also when i perform the ldapsearch on this server with command"ldapsearch �x �W �D �cn=manager, dc=example, dc =com� �b �dc=example, dc=com�" i get correct output.
but when i am trying to search from another client machine, i am getting "error ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
also when i configured address book on mozilla on server., it is working fine.but not working on another machine.is any configuration is missing on client machine.both ldap server and client are configured on rhel4es without any firewall or selinux.
I installed CentOS 5.2 and then run yum update. I configured this server as LDAP/Samba primary domain controller. LDAP seems to be OK and for testing I am able to create users with:smbldap-tools useradd -am usernameI can ssh into the server as root and also as a Linux user which was locally created in the server. But ssh into the server as LDAP user fails (from a Fedora 11 machine) with "Permission denied, please try again", prompting again for password.Some data:
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic AuthBasicProvider ldap anon Order allow,deny Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest Anonymous_VerifyEmail Off Anonymous_MustGiveEmail Off Anonymous_LogEmail on Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
I'm trying to set up a Linux server and I am new to this. I have gone through most of the configuration using SAMBA 3.0 and when I populate the ldap directory all I get this error before the password request:
Then when I perform an ldapsearch to see if the directory is populated I get this message:
I'm checking with a sniffer and there's activity going on between the client and the LDAP server... as a matter of fact, the sniffer shows that the search is producing one ldap item, however, php says it can't contact the ldap server (after it has bound and everything):
The script is working beautifully on another host with debian.
I am currently involved in setting up an openldap server on a CentOS platform. I am having some issues with getting it set up to the point that I can remotely manage the server via phpldapadmin in a web browser. I am running into an issue when starting the slapd daemon.
why i can't login on the ldap-client via ldap, so here is a short description of my machines (i use openvz virtualising)I have on the HN (Debian Lenny) 2 VE's, which are in the same subnet (192.168.1.0/24)The first VE (Hostname: ldap1, IP: 192.168.1.91) is the ldap-server, which is so configured, that i can manage the server via phpldapadmin.The second VE (Hostname: ftp1, IP: 192.168.1.31) is the ldap-client, there should run a sftp-server in the future and the sftp-server(ssh-server) should use ldap-usernames to login. on the ftp1, i get with this command getent passwd the users configured on the ldap-server, but with the command id USERNAME the result is, that the user doesn't exist. (USERNAME is this name, i get returned by getent) and if i try to login via ssh, i get permission denied. and because the machines are openvz-virtual-machines, so i can't login on them like on a normal system, but a su USERNAME doesn't work too, because the user is not known on the system.
my installation:
i don't think, that the ldap-server is the problem, because the phpldapadmin and getent on ftp1 are working perfectly, but if you want, i can post the config here too. the VE ftp1 was configured with the following how-to: [URL] and pam is configured like in the chapter "PAM setup with pam_ldap" on [URL]
I've setup an Ubuntu 10.10 LDAP Client to authenticate off my LDAP server. I've install the following: sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds Here's my /etc/nsswitch.conf: passwd: files ldap [NOTFOUND=return] db group: files ldap [NOTFOUND=return] db
I have LDAP authentication working via SSSD using authconfig-tui and a few minor modifications to sssd.conf (ie: max_id etc). The problem I am having is it would appear /etc/ldap.conf is being ignored and/or setups that work perfectly on RHEL5, F11 and F12 no longer work on F13. Specifically Im referring to "pam_check_host_attr" and "nss_map_attribute". It refuses to honor either of these options and I can only assume a number of the other options in our ldap.conf. For instance, "nss_map_attribute" is defaulting to the standard "homeDirectory" rather than "homeDirectoryLinux". This is related to a bunch of OSX clients we have and its not optional to use another setup. The host restriction is also a major issue.