Hi,
I'm planing to setup a new samba fileserver as a member to an existing samba 3.x SMB.
The old server is still nss-pam-ldapd configured (historic left overs).
As I dont have any pressure to have the new server up and running within the next few hours, I liked to set up sssd with our existing openldap.
After googling and reading some documentations from redhat/fedora I think I do have a basic clue on how it should work.
But at the end I'm not getting it up and running the way I expected.
My question:
"rpm -ql sssd" shows a config in /etc/sssd/sssd.conf, but this file dose not exist on my system. (May be some how a packagebug?)
Dose anybody has a working example file to share with me?
I tried to edit some examples from the web and put some config together, but without working success.
Thanks for any suggestion, hint etc. Regards Götz
On 21/02/2013 10:20 AM, Götz Reinicke - IT Koordinator wrote:
Hi,
I'm planing to setup a new samba fileserver as a member to an existing samba 3.x SMB.
The old server is still nss-pam-ldapd configured (historic left overs).
As I dont have any pressure to have the new server up and running within the next few hours, I liked to set up sssd with our existing openldap.
After googling and reading some documentations from redhat/fedora I think I do have a basic clue on how it should work.
But at the end I'm not getting it up and running the way I expected.
My question:
"rpm -ql sssd" shows a config in /etc/sssd/sssd.conf, but this file dose not exist on my system. (May be some how a packagebug?)
Dose anybody has a working example file to share with me?
I tried to edit some examples from the web and put some config together, but without working success.
Thanks for any suggestion, hint etc. Regards Götz
Try this http://www.couyon.net/1/post/2012/4/enabling-ldap-usergroup-support-and-auth...
I am using it with RHEL/Centos, LDAP is 389 DS and everything works. Only problem I have found is, that on RHEL/Centos prior to 5.7 (or 5.6, can't remember which version), I need to configure 'pure' LDAP authentication instead of SSSD.
On Thu, 21 Feb 2013, Götz Reinicke - IT Koordinator wrote:
Dose anybody has a working example file to share with me?
Sure.
----- %< ----- [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = blah.com
[nss] filter_groups = root filter_users = root reconnection_retries = 3
[pam] reconnection_retries = 3
[domain/blah.com] auth_provider = ldap cache_credentials = True chpass_provider = ldap debug_level = 3 entry_cache_timeout = 600 id_provider = ldap ldap_id_use_start_tls = True ldap_purge_cache_timeout = 0 ldap_search_base = dc=blah,dc=com ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_reqcert = demand ldap_uri = _srv_ ----- %< -----
A few notes:
Our DNS servers are configured with SRV records for our LDAP server, hence the _srv_ token in the ldap_uri directive, e.g.,
[bash]$ dig +nocmd _ldap._tcp.blah.com -t srv +noall +answer _ldap._tcp.blah.com. 3600 IN SRV 1 0 389 ldap-1.blah.com. _ldap._tcp.blah.com. 3600 IN SRV 0 0 389 ldap-2.blah.com.
Second, we use a local certificate authority to issue and sign internal-use certificates. The CA cert is installed in /etc/openldap/cacerts and cacertdir_rehash is run against it. In fact, we do that at kickstart time, e.g.,
%post # import CA certificate and rehash it for LDAP/TLS curl http://www.blah.com/ca/ca.blah.com.pem \ -s -o /etc/openldap/cacerts/ca.blah.com.pem /usr/sbin/cacertdir_rehash /etc/openldap/cacerts