Re: different hdbs for ou

2013-11-01 Thread Michael Ströder
Denny Fuchs wrote: hi, I have one main HDB Database for: dc=example,dc=net - /var/lib/ldap/ with one subtree: ou=department,dc=example,dc=net. Now I want to let other departments use our N-Way LDAP server too. My idea was to put the new departments into different hdb databases:

Re: different hdbs for ou

2013-11-01 Thread Denny Fuchs
hi, On 01.11.2013 at 12:02, Michael Ströder mich...@stroeder.com wrote: Why do you want to have separate databases? What does use mean in this context? for an easier file and database management. They may need different DB options or indexes as we need, so I want to split every departure

Re: different hdbs for ou

2013-11-01 Thread Michael Ströder
Denny Fuchs wrote: On 01.11.2013 at 12:02, Michael Ströder mich...@stroeder.com wrote: Why do you want to have separate databases? What does use mean in this context? for an easier file and database management. They may need different DB options or indexes as we need, so I want to split

ldap users shows up in user list, but unable to login

2013-11-01 Thread slacker lnx
Hi, I am using LDAP for authenticating users. I have some Fedora 8 servers which are set up as ldap clients. When I create users in LDAP they show up on all clients. I can do an 'ldapsearch' or 'getent passwd' and all the clients show the ldap users. But on one of the clients, I am unable to

Re: ldap users shows up in user list, but unable to login

2013-11-01 Thread Todd Lyons
Look for selinux differences between the machines. Make sure that something about your query isn't limiting logins to specific IP addresses (and your non-working client is outside of that IP address list). Any errors in /var/log/secure or wherever complaints would be getting logged? ...Todd On

OpenLDAP with ssl client certs

2013-11-01 Thread Brent Bice
I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? Just to see if I could make any form of client cert authentication

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? Regarding client certs you have two options: 1. Let the

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Howard Chu
Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? You can make the server require a client cert, but it

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Howard Chu wrote: Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? You can make the server require a

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Howard Chu
Michael Ströder wrote: Howard Chu wrote: Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? You can

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Howard Chu wrote: Michael Ströder wrote: BTW: In case of client certs the cert's subject-DN is the authc-DN which can be directly used in authz-regexp which very much ties the mapping to subject-DN conventions of the PKI. But in some cases it would be very handy to map a distinct client
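The authz-regexp mapping discussed in the message above, as an added example that is not part of the thread and not OpenLDAP's own code: an offline Python model of how slapd turns a client certificate's subject DN (the authc DN of a SASL EXTERNAL bind over TLS) into an authz DN by walking authz-regexp rules in order, so a set of rules can be checked against expected and unexpected subjects before deployment. The rules, the subject DNs, the directory entries and the DN normalization are all constructed for the example; the model assumes slapd has already normalized the subject DN (lowercased, no whitespace around unescaped commas) and that the match is case-insensitive.

```python
import re
from typing import List, Optional, Tuple

# Constructed authz-regexp rules in slapd.conf form: (match, replace).
# They encode an assumed PKI naming convention: every person cert carries
# the subject cn=<name>,ou=people,dc=example,dc=net and every service
# cert cn=<name>,ou=services,dc=example,dc=net.  Nothing else maps.
AUTHZ_REGEXP_RULES: List[Tuple[str, str]] = [
    (r"^cn=([^,]+),ou=people,dc=example,dc=net$",
     r"cn=$1,ou=people,dc=example,dc=net"),
    (r"^cn=([^,]+),ou=services,dc=example,dc=net$",
     r"cn=$1,ou=services,dc=example,dc=net"),
]

# Constructed directory contents: the normalized DNs slapd would find.
DIRECTORY_DNS = {
    "cn=brent bice,ou=people,dc=example,dc=net",
    "cn=backup-agent,ou=services,dc=example,dc=net",
}


def normalize_dn(dn: str) -> str:
    """Rough model of slapd DN normalization for case-insensitive
    attribute types (cn, ou, dc, o, c): trim whitespace around unescaped
    commas and lowercase.  Real slapd normalizes per attribute syntax;
    this is a modelling assumption, not slapd's code."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip() for rdn in rdns).lower()


def find_rule(authc_dn: str, rules=AUTHZ_REGEXP_RULES) -> Optional[int]:
    """Index of the first rule whose match expression accepts the
    normalized authc DN, or None.  slapd evaluates rules in config
    order and stops at the first hit; case-insensitive matching is
    assumed here."""
    for i, (match, _replace) in enumerate(rules):
        if re.search(match, authc_dn, re.IGNORECASE):
            return i
    return None


def authz_map(subject_dn: str, rules=AUTHZ_REGEXP_RULES) -> str:
    """Map a client certificate subject DN to the authz DN slapd would
    use.  $1..$9 in the replacement are the capture groups; with no
    matching rule the authc DN is kept unchanged, which is why a subject
    that does not follow the PKI convention ends up naming no entry."""
    authc = normalize_dn(subject_dn)
    idx = find_rule(authc, rules)
    if idx is None:
        return authc
    match, replace = rules[idx]
    m = re.search(match, authc, re.IGNORECASE)
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replace)


def resolves_to_entry(subject_dn: str) -> bool:
    """True when the mapped authz DN names an entry in the constructed
    directory, i.e. the cert holder gets an identity the ACLs can use."""
    return authz_map(subject_dn) in DIRECTORY_DNS


if __name__ == "__main__":
    # Constructed subjects: two that follow the convention, one issued
    # under a different naming scheme, and one with an escaped comma that
    # the simple [^,]+ pattern does not handle.
    for subj in [
        "CN=Brent Bice, OU=People, DC=example, DC=net",
        "cn=backup-agent,ou=services,dc=example,dc=net",
        "CN=Brent Bice, O=Other Org, C=US",
        r"cn=Bice\, Brent,ou=people,dc=example,dc=net",
    ]:
        print(f"{subj!r:50} -> {authz_map(subj)!r} "
              f"entry={resolves_to_entry(subj)}")
```

slapd only performs this mapping when the client actually binds with SASL EXTERNAL (for ldapsearch: -ZZ -Y EXTERNAL, with TLS_CERT and TLS_KEY set in ~/.ldaprc); with a simple bind the presented certificate is verified by TLS but the bind identity comes from -D alone. Run the script to see that the foreign-CA subject and the escaped-comma subject both fall through the rules and name no entry, which is the PKI-convention coupling the message above points out.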

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Brent Bice
On 11/01/2013 12:12 PM, Howard Chu wrote: I would reject such an ITS. Cert-pinning is an issue for clients that have a very large collection of trusted CAs. The Admin Guide clearly states that servers should only trust a single CA - the CA that signed its own certs and the certs of its clients.

Re: ldap users shows up in user list, but unable to login

2013-11-01 Thread slacker lnx
I have not added any IP rules or firewalls for the clients. There is nothing in my system that would restrict an IP. I am sure that the ldap query is not blocked, because in that case 'ldapsearch' or 'getent passwd' would not have shown me the ldap users. What is the selinux difference that I need

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Brent Bice wrote: So, was I right in trying to use ~/.ldaprc to try to force ldapsearch (for instance) to use a cert for authentication? Running a sniffer and looking at the traffic, it doesn't look like ldapsearch is ever doing anything beyond an anonymous bind unless I specify -D and -W

Re: ldap users shows up in user list, but unable to login

2013-11-01 Thread Arthur de Jong
On Fri, 2013-11-01 at 19:30 +0530, slacker lnx wrote: But on one of the client, I am unable to login (through ssh) using the ldap userids. When I login as root and try to switch user I get a message 'user does not exist' (getent passwd and ldapsearch shows the user). One thing that could