Hi all,
On a C6 box, when I want to enable LDAP authentication, I issue:
# yum -y install nss-pam-ldapd pam_ldap nscd
# authconfig --enableldap --enableldapauth --enablemkhomedir \
    --ldapserver=ldap://ldap-blabla/ \
    --ldapbasedn="blabla" \
    --enablecache --disablefingerprint \
    --kickstart --update
All is working fine, the directory structure is fine and compliant.
What about C7?
As far as I read,
- there is a switch to "sssd"
- I found 1 link:
http://www.certdepot.net/ldap-client-configuration-authconfig/
Is there something in particular I should pay attention for? Note that I have only GUI-less servers.
Thank you.
On 2014-08-29 08:37, Mihamina Rakotomandimby wrote:
Hi all,
On a C6 box, when I want to enable LDAP authentication, I issue:
# yum -y install nss-pam-ldapd pam_ldap nscd
# authconfig --enableldap --enableldapauth --enablemkhomedir \
    --ldapserver=ldap://ldap-blabla/ \
    --ldapbasedn="blabla" \
    --enablecache --disablefingerprint \
    --kickstart --update
All is working fine, the directory structure is fine and compliant.
What about C7?
As far as I read,
- there is a switch to "sssd"
- I found 1 link:
http://www.certdepot.net/ldap-client-configuration-authconfig/
Is there something in particular I should pay attention for? Note that I have only GUI-less servers.
Thank you.
sssd is a hard piece to configure. In C7 it absolutely wants to have an encrypted connection to the LDAP server. Therefore, it must at least have a valid CAcert at its disposal. Also, the LDAP server itself must have a valid CAcert (eventually the same as the sssd client) and a valid server certificate with the Common Name of the host it runs on.
Our /etc/sssd/sssd.conf follows:
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ********
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
-------------------------------
In the /etc/nsswitch.conf you must have:
.....
passwd: files sss
shadow: files sss
group:  files sss
.....
-------------------------------
sssd, in our config, logs into the /var/log/daemonlog
-------------------------------
You must have authconfig set up as you said in your message.
-------------------------------
In case you see just "Unable to establish TLS connection" with the LDAP server from sssd, then you may be better off starting sssd in debug mode:
sssd -d0x777 -i
In this debug output, search for "Starting TLS".
Wishing you good luck
suomi
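As an added illustration (not part of the thread, and not sssd's own code), the following Python checker parses an sssd.conf-style text and an nsswitch.conf fragment and reports whether the LDAP transport in the posted configuration is actually encrypted and verified, and whether passwd/shadow/group are routed through sss. The sample texts are constructed to mirror the configuration above; the option names and the default of ldap_tls_reqcert = hard are real sssd settings.

```python
import configparser

# Constructed sample modelled on the sssd.conf posted above (not a real file).
SAMPLE_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
cache_credentials = true
[sssd]
services = nss, pam
config_file_version = 2
domains = default
"""

# Constructed nsswitch.conf fragment matching the lines recommended above.
SAMPLE_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup:  files sss\n"


def parse_sssd_conf(text):
    # strict=False: sssd tolerates a repeated key (last value wins), as with the
    # doubled cache_credentials above; ConfigParser would otherwise raise.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def ldap_transport_encrypted(cp, domain="default"):
    """True only if every ldap_uri is ldaps:// or STARTTLS is enabled, a CA
    source is configured, and the server certificate is verified (sssd's
    ldap_tls_reqcert defaults to 'hard'; 'never'/'allow'/'try' relax it)."""
    sec = cp[f"domain/{domain}"]
    uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
    start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
    reqcert = sec.get("ldap_tls_reqcert", "hard").lower()
    has_ca = bool(sec.get("ldap_tls_cacert") or sec.get("ldap_tls_cacertdir"))
    if not uris:
        return False
    encrypted = all(u.startswith("ldaps://") or start_tls for u in uris)
    return encrypted and has_ca and reqcert in ("demand", "hard")


def nsswitch_uses_sss(text):
    """True if the passwd, shadow and group databases all list the sss source."""
    wanted, seen = {"passwd", "shadow", "group"}, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in wanted and "sss" in sources.split():
            seen.add(db.strip())
    return seen == wanted
```

Note that sssd requires TLS for authentication binds regardless of ldap_id_use_start_tls, which only governs identity lookups; a clear-text LDAP server therefore fails at the authentication step, as the thread observes.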
On 08/29/2014 11:06 AM, anax wrote:
As far as I read,
- there is a switch to "sssd"
- I found 1 link:
http://www.certdepot.net/ldap-client-configuration-authconfig/
sssd is a hard piece to configure. In C7 it absolutely wants to have an encrypted connection to the LDAP server. Therefore, it must at least have a valid CAcert at its disposal. Also, the LDAP server itself must have a valid CAcert (eventually the same as the sssd client) and a valid server certificate with the Common Name of the host it runs on.
Our LDAP servers are all clear text for the moment and there is no short- or mid-term plan to bring in encryption.
It's then a no go for the moment :-(. Thanks.