LinuxQuestions.org
Old 06-28-2010, 11:02 PM   #1
rajeev_rattra
LQ Newbie
 
Registered: Jun 2010
Posts: 6

Rep: Reputation: 0
Please Help.!! 389 Directory server.


Hi Team,

I am setting up Fedora-13 with "389 directory server" for authentication. I had performed the following steps.

1. Install FD-13.
2. Yum install 389-ds.
3. Run script to configure.
4. Start 389-console and create a few groups and users for testing.

I can see these users with "ldapsearch" and with "phpldapadmin". It looks like my server is responding.

However, I am unable to see any user name with "getent passwd". Also "ssh server_user@server" is not able to login.

whereas "getent passwd" shows local user and "ssh local_user@server" is able to login.

Any advice will be helpful.

Also note that I am not using ssl, so want to avoid ssl. Do you think it can be an issue?

Thanks in advance.
 
Old 06-28-2010, 11:11 PM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
Quote:
Originally Posted by rajeev_rattra
Hi Team,

I am setting up Fedora-13 with "389 directory server" for authentication. I had performed the following steps.

1. Install FD-13.
2. Yum install 389-ds.
3. Run script to configure.
4. Start 389-console and create a few groups and users for testing.

I can see these users with "ldapsearch" and with "phpldapadmin". It looks like my server is responding.

However, I am unable to see any user name with "getent passwd". Also "ssh server_user@server" is not able to login.

whereas "getent passwd" shows local user and "ssh local_user@server" is able to login.

Any advice will be helpful.

Also note that I am not using ssl, so want to avoid ssl. Do you think it can be an issue?

Thanks in advance.
Did you use system-config-authentication tool on the client?
 
Old 06-28-2010, 11:38 PM   #3
rajeev_rattra
LQ Newbie
 
Registered: Jun 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by custangro
Did you use system-config-authentication tool on the client?
Thanks,

Yes I do use "system-config-authentication".

But before that, "getent passwd" should show me the server_user name. And "ssh server_user@server" should allow me to login.

Any advice?

Thanks again for help.
 
Old 06-29-2010, 11:32 AM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
does /etc/ldap.conf have a "host" or "uri" line referring to your localhost?

does /etc/nsswitch.conf refer to ldap for passwd, group, and shadow?

check /etc/pam.d/system-auth-ac (file name may have changed in f13) for a few lines calling ldap.so
 
Old 06-30-2010, 01:38 AM   #5
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Ensure /etc/nsswitch.conf in following format
passwd: files ldap
shadow: files ldap
group: files ldap
And /etc/ldap.conf in
BASE dc=test,dc=com (if your domain is test.com, otherwise change it accordingly)
URI ldap://localhost

Thanks

Last edited by vishesh; 06-30-2010 at 01:40 AM.
 
Old 07-03-2010, 06:04 AM   #6
rajeev_rattra
LQ Newbie
 
Registered: Jun 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for reply.
I had corrected my nsswitch.conf.

passwd: files ldap sss
shadow: files ldap sss
group: files ldap sss

I am not sure what these "sss" are.

Now I can get username with getent passwd. Still unable to do "ssh user@host" or login.

Also for information, "System-config-authenticate" is new in FC13. It is also forcing me to enable a TLS certificate.

Any advice?
 
Old 07-03-2010, 06:15 AM   #7
rajeev_rattra
LQ Newbie
 
Registered: Jun 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by frndrfoe
does /etc/ldap.conf have a "host" or "uri" line referring to your localhost?

does /etc/nsswitch.conf refer to ldap for passwd, group, and shadow?

check /etc/pam.d/system-auth-ac (file name may have changed in f13) for a few lines calling ldap.so
Unfortunately there is no line calling ldap.so. Do you think something is missing here?

Please advise.

Thanks again.
 
Old 07-06-2010, 10:08 AM   #8
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
Quote:
Originally Posted by rajeev_rattra
Thanks for reply.
I had corrected my nsswitch.conf.

passwd: files ldap sss
shadow: files ldap sss
group: files ldap sss

I am not sure what these "sss" are.

Now I can get username with getent passwd. Still unable to do "ssh user@host" or login.

Also for information, "System-config-authenticate" is new in FC13. It is also forcing me to enable a TLS certificate.

Any advice?
1) Are you using TLS? Remember you must provide the certificate if it's forcing TLS...

2) Did you install pam_ldap (or whatever it's called now)?
 
Old 07-07-2010, 04:45 AM   #9
rajeev_rattra
LQ Newbie
 
Registered: Jun 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by custangro
1) Are you using TLS? Remember you must provide the certificate if it's forcing TLS...

2) Did you install pam_ldap (or whatever it's called now)?
Thanks for reply. I don't want to use TLS. But system is forcing me to do so. So I am using "setup" command from command line.

How to disable TLS?

Earlier, pam_ldap was installed automatically by yum. I will check it.
 
Old 07-07-2010, 10:17 AM   #10
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
Quote:
Originally Posted by rajeev_rattra
Thanks for reply. I don't want to use TLS. But system is forcing me to do so. So I am using "setup" command from command line.

How to disable TLS?

Earlier, pam_ldap was installed automatically by yum. I will check it.
Have you tried running it from the command line? Something like...

Code:
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --update
Also have you verified that you added something like this....

Code:
auth		sufficient	pam_ldap.so
account		sufficient	pam_ldap.so
password	sufficient	pam_ldap.so
session		sufficient	pam_ldap.so
In the pam files (including but not limited to) /etc/pam.d/sshd and /etc/pam.d/login ?

NOTE: I'm just going off of what I did to my RHEL/CentOS servers...haven't really played with F13 yet...but the steps should be similar...

-C
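
The checks suggested in posts #4, #5 and #10, gathered into one script as an added example (not code from any poster). The function names, the constructed sample files and the extra check for unencrypted binds to a non-loopback server are assumptions of this example; `ssl start_tls` and `ssl on` are the nss_ldap/pam_ldap settings in /etc/ldap.conf.

```shell
# Added example (not from the thread): audit copies of the three client files.
# nss_has_ldap FILE DB: succeeds if DB's nsswitch.conf line lists "ldap".
nss_has_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break          # stop at a trailing comment
            if ($i == "ldap") found = 1 } }
        END { exit !found }' "$1"
}

# ldap_server FILE: prints the value of the first "uri" or "host" line.
ldap_server() {
    awk 'tolower($1) == "uri" || tolower($1) == "host" { print $2; exit }' "$1"
}

# ldap_cleartext FILE: succeeds if the server is not loopback (crude substring
# match) and neither an ldaps:// URI nor "ssl start_tls"/"ssl on" is set.
ldap_cleartext() {
    case "$(ldap_server "$1")" in
        ldaps://*|*localhost*|*127.0.0.1*|"") return 1 ;;
    esac
    ! awk 'tolower($1) == "ssl" && tolower($2) ~ /^(start_tls|on)$/ { f = 1 }
           END { exit !f }' "$1"
}

# pam_missing_ldap FILE: prints the PAM types that have no pam_ldap.so line.
pam_missing_ldap() {
    for t in auth account password session; do
        awk -v t="$t" '$1 == t && /pam_ldap\.so/ { f = 1 } END { exit !f }' "$1" \
            || printf '%s ' "$t"
    done
}

# audit NSSWITCH LDAPCONF PAMFILE: prints one line per finding.
audit() {
    for db in passwd shadow group; do
        nss_has_ldap "$1" "$db" || echo "nsswitch: $db does not list ldap"
    done
    [ -n "$(ldap_server "$2")" ] || echo "ldap.conf: no uri or host line"
    ldap_cleartext "$2" && echo "ldap.conf: LDAP passwords cross the network unencrypted"
    m=$(pam_missing_ldap "$3")
    [ -z "$m" ] || echo "pam: no pam_ldap.so line for: $m"
}

# Constructed files matching the state described in posts #6 and #7.
d=$(mktemp -d)
printf 'passwd: files ldap sss\nshadow: files ldap sss\ngroup: files ldap sss\n' > "$d/nss"
printf 'BASE dc=test,dc=com\nURI ldap://localhost\n' > "$d/ldap"
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$d/pam"
audit "$d/nss" "$d/ldap" "$d/pam"; rm -rf "$d"
```

On the constructed files the only finding is the missing pam_ldap.so lines, which matches the symptom in the thread: getent passwd resolves the LDAP users while ssh logins still fail.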
 
  

