Re: [389-users] Multi-Master Replication Issue
Okay, I will take a look and report back.

Thanks,
Rohit

On 3/6/14 12:58 PM, Morgan Jones mor...@morganjones.org wrote:
> For testing I know "TLS_REQCERT never" works. For production I use:
>
>     TLS_REQCERT demand
>     TLS_CACERT /path/to/ca_cert.pem
>
> If "TLS_REQCERT never" works then there's something wrong with your cert most likely. Though I'd expect a generic connection error if it were just having a problem verifying the certificate.
>
> Does ldapsearch/ldapmodify work for other operations? Otherwise maybe send us the exact command you're running?
>
> -morgan
>
> On Mar 6, 2014, at 12:29 PM, Justin Edmands shockwav...@gmail.com wrote:
>> On Thu, Mar 6, 2014 at 12:19 PM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:
>>> Hi All,
>>>
>>> I am trying to create multi-master replication in 389. But I am having trouble using ldapmodify to create a replication manager DN account. I get the following error:
>>>
>>>     Additional info: TLS error -8157: Certificate extension not found
>>>
>>> I went on the web and some people suggested I have a TLS_REQCERT=none line in /etc/openldap/ldap.conf, but this did not fix it either. My certificate in /etc/openldap/cacerts is called cacert.asc. Does anyone know how I can fix my problem?
>>>
>>> Thanks,
>>> R
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> Not totally sure, but don't use the "=". Here is mine:
>>
>>     URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
>>     BASE ou=People,dc=domain,dc=com
>>     TLS_CACERTDIR /etc/openldap/cacerts
>>     # TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>     TLS_REQCERT allow
>>
>> You can set it to "TLS_REQCERT never" as well. Also consider setting the TLS_CACERTDIR and TLS_CACERT.
Re: [389-users] Multi-Master Replication Issue
I had to put a -x after ldapmodify to make it use simple authentication versus SASL. My 389 DS is not SASL enabled, but it does have a self-signed CA certificate. When I tried to just set "TLS_REQCERT never", it did not work. I haven't tried testing the TLS_CACERT variable, where I set exactly what the cacert.asc is. Could there be a problem of creating the certificate with certutil versus OpenSSL (certutil results in a .asc file)?

Look forward to thoughts,
R

On 3/6/14 1:04 PM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:
> Okay, I will take a look and report back.
>
> Thanks,
> Rohit
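The thread above goes back and forth between "TLS_REQCERT never"/"allow" and "demand" with a configured CA, and over the "TLS_REQCERT=none" spelling. The checker below is an added example, not code from the thread: it parses the keyword/value layout of /etc/openldap/ldap.conf and reports the weak settings, and the three sample configs are constructed from the snippets posted above.

```python
"""Report weak TLS settings in an OpenLDAP client ldap.conf.

Added example, not from the list thread. The sample configs below are
constructed from the snippets posted in the thread.
"""
import re

# What each TLS_REQCERT level does, per ldap.conf(5). Anything other than
# demand/hard lets the bind proceed without a verified server certificate,
# so a host that intercepts the session can read the bind password.
REQCERT_LEVELS = {
    "never": "server certificate is not requested or checked",
    "allow": "a bad or missing server certificate is accepted",
    "try": "a missing server certificate is accepted",
    "demand": None,  # default: a verified certificate is required
    "hard": None,
}


def parse_ldap_conf(text):
    """Parse ldap.conf text into (settings, malformed_lines).

    Keywords are case-insensitive and separated from their value by
    whitespace; later lines override earlier ones; '#' starts a comment.
    A line such as 'TLS_REQCERT=none' has no whitespace separator and is
    therefore not read as a keyword/value pair.
    """
    settings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z_]+)\s+(.+)$", line)
        if not match:
            malformed.append(line)
            continue
        settings[match.group(1).upper()] = match.group(2).strip()
    return settings, malformed


def check_tls(text):
    """Return a list of findings; an empty list means the client verifies
    the server certificate against a configured CA."""
    settings, malformed = parse_ldap_conf(text)
    findings = [f"malformed line (separate keyword and value with whitespace, not '='): {line}"
                for line in malformed]
    level = settings.get("TLS_REQCERT", "demand").lower()
    if level not in REQCERT_LEVELS:
        findings.append(f"unknown TLS_REQCERT level '{level}'")
    elif REQCERT_LEVELS[level]:
        findings.append(f"TLS_REQCERT {level}: {REQCERT_LEVELS[level]}")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: a private CA cannot be verified, "
                        "so TLS_REQCERT demand will reject every connection")
    return findings


# Constructed samples. WEAK_CONF mirrors the config posted in the thread;
# BROKEN_CONF uses the '=' spelling the thread warns against;
# HARDENED_CONF is the production form recommended in the thread.
WEAK_CONF = """\
URI ldaps://baldirsrv ldaps://hqdirsrv ldaps://stldirsrv
BASE ou=People,dc=domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
# TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT allow
"""

BROKEN_CONF = """\
URI ldaps://ldap1.example.com
TLS_REQCERT=none
"""

HARDENED_CONF = """\
URI ldaps://ldap1.example.com ldaps://ldap2.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("broken", BROKEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_tls(conf) or ["ok"])
```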
[389-users] Local accounts vs 389 DS users
I have a user that I have set locally on a Red Hat machine. I store that user in LDAP with the same POSIX attributes, but their password differs. When I log in from the Red Hat machine, it uses the local cached credentials of that user (the LDAP password and credentials never seem to matter). How can I synchronize the local and LDAP version of the user so that I don't have to create it locally AND in LDAP on every single remote machine?

Thanks,
R
[389-users] Multimaster Replication with 389
Hello,

How do I do multi-master replication on 389DS with two TLS/SSL enabled servers?

Thanks,
R
Re: [389-users] Multimaster Replication with 389
I've set up MMR without certificates before. I'm just confused with different documentation telling me different things. My setup is 2 servers, both with their own CA certificates, talking to each other multi-master. A couple of questions I have:

1. Is each server allowed to have its own self-signed CA and still be able to do replication?
2. If they are supposed to have the same CA, I understand. Documents have told me to create a CA certificate and then pass that CA cert to the other server? I keep running into issues because the serial numbers of the two certs match.

Thanks for the documentation so far. I hope this will solve my issue :)

R

From: Justin Edmands shockwav...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, March 6, 2014 5:19 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] Multimaster Replication with 389

> I will second the motion of forwarding to documentation here. It appears you have a lot of the same questions that I had when setting up my environment. It will all come to fruition after stepping through it slowly. This is not something to piece together if being used for your production environment. You'll miss something important and have to deal with it eventually. If this is a project for your job that needs to be rushed along, explain that setting it up correctly in 1 day is not really going to happen. That being said, your Google searches will land you in fedoraproject and redhat docs. Both are usable and will get you where you want to be. After it is set up correctly, the replication is super simple in the DS interface.
>
> On Thu, Mar 6, 2014 at 4:38 PM, Vincent Gerris vger...@gmail.com wrote:
>> I did this based on a chef recipe which I do not have here. A start can be found here:
>> https://www.youtube.com/watch?v=M2dUHOfaqe4
>> and here:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html
>> and here:
>> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
>>
>> Just read the documentation and you should be able to figure it out. Some notes I remember:
>> - to connect to the replication host I used port 389 and TLS
>> - when register 1 to 2 initialise, do not do it vice versa
>>
>> You can use corosync/pacemaker if you want to add load balancing.
>>
>> Good luck!
[389-users] Point to multiple LDAP servers
Hello,

I want to configure authconfig-tui on Red Hat to point to multiple 389 servers (in case one went inaccessible, the clients would automatically point to the 2nd or 3rd or 4th, etc. server).

1. How do I do this?
2. How would my /etc/hosts file look as a result of pointing to multiple servers? Would I have to list each server as a separate line by IP address?

Thanks,
Rohit
Re: [389-users] Reset Password as Root if User Forgets Password
There is a tab under Data > Password Policy, and what I meant was the "Reset password" checkbox. I want the ability to programmatically toggle that checkbox. Is there an attribute associated with that?

Thanks

On 1/27/14 3:21 PM, Dan Lavu d...@lavu.net wrote:
> There is no tab for it.
>
> On 26/01/14 22:55, Chaudhari, Rohit K. wrote:
>> Hello 389DS users,
>>
>> I'm trying to figure out how to programmatically control the "Change password after reset" setting through Java code. What is the attribute associated with that checkbox in the 389DS password policy tab? Is there not a tab for it? I just need confirmation on that.
>>
>> Thanks
[389-users] Reset Password as Root if User Forgets Password
Hello,

I need to be able to reset a LDAP user's password, if they forget it, with the user root. But when I try the passwd command as root for a LDAP user, I get the following:

    (as root) passwd tuser
    Changing password for user tuser.
    Password reset by root is not supported.
    passwd: Authentication token manipulation error.

I am using sssd as the LDAP authentication mechanism tool, to be specific. Does anyone have a solution to dealing with this issue of resetting a LDAP user's password if they forgot it?

Thanks,
Rohit

From: Chaudhari, Rohit K. Chaudhari rohit.chaudh...@jhuapl.edu
Date: Tuesday, January 21, 2014 3:29 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: using passwd with 389

> Hello,
>
> I want to be able to use the Unix passwd command to reset a LDAP user's password from the command line. However, I keep getting an authentication token manipulation error whenever I try to reset the password using that command. What do I need to do in the 389 DS or on Unix in order to get this command to work?
>
> Thanks,
> Rohit
Re: [389-users] Reset Password as Root if User Forgets Password
I'm not using Kerberos. The other suggestion about using ldappasswd led to the error:

    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        Additional info: TLS: hostname does not match CN in peer certificate

Is there a way to create a JNDI equivalent command so that I could add a checkbox to a Java GUI that basically toggles the "force password change after reset" checkbox built into the password policy in 389?

On 1/22/14 10:49 AM, Paul Robert Marino prmari...@gmail.com wrote:
> Sorry, that's not possible. If you are using Kerberos then you can do it via the kadmin command. If not then you have to use one of several other tools like the admin console or ldapmodify, for example.
[389-users] Deleting home folders when deleting ldap users
Hello,

I'm using JNDI and Java to delete LDAP users, but when I delete them, their home folders stay on the Desktop. How do I get these to delete as well without creating a separate script? Is there a toggle in LDAP to make this happen?

Secondly, if a user has multiple home folders scattered across multiple systems, how do you clear away all those home folders when deleting a LDAP user on one central machine linked to all those multiple systems?

Thanks

On 1/22/14 3:26 PM, Paul Robert Marino prmari...@gmail.com wrote:
> Your SSL cert or your DNS is bad. TLS requires full forward and reverse lookup of the C name for the host to match one of the host names in the SSL cert.
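The "hostname does not match CN in peer certificate" error from the ldappasswd attempt above is a name check rather than a trust check: the client compares the host name it was given with the names inside the server certificate. The code below is an added example, not from the thread; it performs that comparison on constructed certificates laid out the way Python's ssl.getpeercert() returns them, including the wildcard and SAN-versus-CN rules, so a short host name such as the ones in "URI ldaps://hqdirsrv" can be tested against a certificate whose CN is the FQDN.

```python
"""Reproduce the TLS host-name check behind 'hostname does not match CN'.

Added example, not from the list thread. SERVER_CERT and the other
certificates below are constructed dictionaries in the layout that
Python's ssl.getpeercert() returns, not real certificates.
"""


def cert_names(cert):
    """Names a client may compare against the host name it connected to:
    the dNSName subjectAltName entries, or, only when the certificate has
    none, the subject commonName (RFC 6125 section 6.4.4; recent clients
    ignore the CN altogether, so new certificates should carry a SAN)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match of one certificate name against a host name.
    A wildcard is honoured only as the entire left-most label and never
    spans a dot, so *.example.com covers ldap1.example.com but neither
    ldap1.corp.example.com nor example.com itself."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]            # ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]     # the label(s) the wildcard would cover
    return left != "" and "." not in left


def hostname_matches(cert, host):
    """True if the host name from the client's URI matches the certificate."""
    return any(name_matches(name, host) for name in cert_names(cert))


def explain(cert, host):
    """None when the name checks out; otherwise the diagnostic an operator
    wants: which name was tried against which certificate names."""
    if hostname_matches(cert, host):
        return None
    return (f"TLS: hostname '{host}' does not match any of {cert_names(cert)}; "
            "use the exact name from the certificate in the URI (normally the FQDN) "
            "or reissue the certificate for the name clients actually use")


# Constructed: a server certificate like the one from the certutil steps in
# this thread, CN set to the FQDN, plus a SAN for a service alias.
SERVER_CERT = {
    "subject": ((("commonName", "ldap1.example.com"),),),
    "issuer": ((("commonName", "CA cert"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "ldap.example.com")),
}

# Constructed: an older certificate with no SAN at all; only the CN counts.
CN_ONLY_CERT = {"subject": ((("commonName", "ldap2.example.com"),),)}

# Constructed: a SAN is present, so the CN is ignored even though it matches.
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "ldap2.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}

if __name__ == "__main__":
    # Short host names, as in 'URI ldaps://hqdirsrv', fail against an FQDN CN.
    for host in ("ldap1.example.com", "ldap1", "10.0.0.5"):
        print(host, "->", explain(SERVER_CERT, host) or "ok")
```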
[389-users] using passwd with 389
Hello,

I want to be able to use the Unix passwd command to reset a LDAP user's password from the command line. However, I keep getting an authentication token manipulation error whenever I try to reset the password using that command. What do I need to do in the 389 DS or on Unix in order to get this command to work?

Thanks,
Rohit
[389-users] Using JNDI and 389DS
Hey everyone,

I need help implementing a client-server SSL connection. I've been researching on the web and I have no idea how to get my Java application to talk to the 389DS securely. I have been looking into keytool and JSSE, but there is no clear-cut explanation on how it should be done. I have a self-signed CA certificate that I created using certutil, and then a server certificate generated from that self-signed CA. Is there anyone who knows a path to a solution?

Thanks,
Rohit
Re: [389-users] Using JNDI and 389DS
Hey dc,

I did create a keystore, but every time I try to get it to work, I get stuck. I will post my Java code tomorrow to show you what my code looks like, and then I will mention the exact 389 DS configuration.

Thanks,
Rohit

From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] On Behalf Of Chun Tat David Chu [beyonddc.stor...@gmail.com]
Sent: Wednesday, March 20, 2013 9:15 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Using JNDI and 389DS

> I have written Java code that does what you described. I think you should break up your problem.
>
> 1) Install your server certificate on the 389 DS first. You should consult the following website:
>    https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html
>
> 2) Write your Java application to use JNDI to talk with 389 DS via SSL. You should follow the tutorial from the website:
>    http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
>
> An important thing to note is you need to create a Java keystore. The Java keystore needs to be accessible by your application. You can pass in a Java property that specifies the Java keystore. The JNDI tutorial above should give you some hint.
>
> Good luck,
> dc
>
> On Wed, Mar 20, 2013 at 5:48 PM, Chandan Kumar chandank.ku...@gmail.com wrote:
>> Hi Rohit,
>>
>> Months back Arpit responded to my similar query in this forum and it worked. I am just re-posting his steps here. The only difference is just ignore the slave certificate generation and all should be good.
>>
>> How about creating one CA cert signing all RHDS servers from the same CA? Then all you have to do is to import only one CA in clients.
>>
>> Create a CA certificate:
>>
>>     # certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
>>
>> Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.
>>
>> Next we create your server cert. Important: make sure your cn is the FQDN of this server.
>>
>> Create cert for ldap1.example.com on ldap1.example.com:
>>
>>     # certutil -S -n directory-Server-Cert-1 -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
>>
>> Create cert for ldap2.example.com on ldap1.example.com:
>>
>>     # certutil -S -n directory-Server-Cert-2 -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
>>
>> Then check to make sure it looks ok:
>>
>>     # certutil -L -n directory-Server-Cert-2 -d .
>>
>> Export keys and certs for ldap2.example.com:
>>
>>     # pk12util -d . -o server2.p12 -n directory-Server-Cert-2
>>     # certutil -L -d . -n "CA certificate" -a > cacert.asc
>>
>> Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red Hat Directory Server.
>>
>> Create your public CA for your clients:
>>
>>     # certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
>>
>> While logged in to the 2nd RHDS, i.e. ldap2.example.com, run the following:
>>
>>     # service dirsrv stop
>>     # cd /etc/dirsrv/slapd-INSTANCE2/
>>     # mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
>>     # mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
>>     # pk12util -d . -i server2.p12
>>     # certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
>>     # service dirsrv start
>>
>> Thanks
>> Chandan
>>
>> --
>> http://about.me/chandank
Re: [389-users] How to set up 389 client
The "id ldap-user-name" command works just fine. That is not where I am having the issue. The issue lies in the local Users and Groups list in the RHEL client. When I click through System > Administration > Users and Groups, the ldap-user-name is not showing up on that list. How do I get it to show up on that list? This is a concern to me because my bosses are questioning whether the ldap-user-name I created has proper ACL privileges and would meet DIACAP requirements.

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Monday, January 7, 2013 1:43 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

> Sounds a bit strange. What is the output of "id ldap-user-name"? If sssd is configured properly this command has to work. Moreover, while you execute this command watch /var/log/secure.log for any error messages. Also disable selinux/firewall and test.
>
> On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:
>> I configured everything with SSSD as you suggested. I'm able to do successful logins authenticating against the LDAP server, but when I check the Users and Groups list on the client machine, that newly created user isn't added. Thoughts?
>>
>> Thanks.
>>
>> From: Chandan Kumar chandank.ku...@gmail.com
>> Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
>> Date: Monday, January 7, 2013 1:36 PM
>> To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
>> Subject: Re: [389-users] How to set up 389 client
>>
>>> Are you using SSSD on the client side or PADL/NSS?
>>>
>>> On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:
>>>> I do specify the POSIX properties on the LDAP side. But when I log in with that created user on the client side and check the Users and Groups list on the client machine, it is not listed there. I did avoid the warning message by adding the LDAP user to a group that already exists. I want the user I create in LDAP to become listed in the Users and Groups list on the client (for ACL purposes, if you know anything regarding meeting DIACAP guidelines). Did I miss something?
>>>>
>>>> Thanks
>>>>
>>>> From: Chandan Kumar chandank.ku...@gmail.com
>>>> Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
>>>> Date: Monday, January 7, 2013 11:39 AM
>>>> To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
>>>> Subject: Re: [389-users] How to set up 389 client
>>>>
>>>>> Hello Rohit,
>>>>>
>>>>> While creating users you also need to specify POSIX properties for the user. In the admin console you need to fill out the POSIX properties details while creating the user. Also make sure you create POSIX groups and associate these new users with the group ID, otherwise at login time you may get some warning message like "id: Group does not exist".
>>>>>
>>>>> --
>>>>> http://about.me/chandank
>>>>>
>>>>> On Mon, Jan 7, 2013 at 7:27 AM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:
>>>>>> Hey Chandan,
>>>>>>
>>>>>> So I got the RHEL client working, but I have an outstanding issue. When I look at the users/groups setting on the client machine, the newly created user that I made on the RHEL LDAP server does not show up on the list. Is this how it is supposed to work? If not, how do I get a LDAP user to become a part of the users and groups list on the RHEL client?
>>>>>>
>>>>>> Thanks,
>>>>>> Rohit
>>>>>>
>>>>>> From: Chandan Kumar chandank.ku...@gmail.com
>>>>>> Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
>>>>>> Date: Thursday, December 20, 2012 6:21 PM
>>>>>> To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
>>>>>> Subject: Re: [389-users] How to set up 389 client
>>>>>>
>>>>>>> Yes, you do need to replace it with SSSD. If you are having a fresh CentOS install, by default it is sssd only. The best way would be to use the authconfig tool as it changes all related files and you don't have to manually change all of them. Moreover, you also need to change the nss.conf file and make sure groups/users do have sssd instead of ldap. From RHEL 6.4 sssd will be fully supported and it gives better performance if you intend to integrate many applications with LDAP as it does not open multiple connections with the directory server. I will look at that guide again and will try to improve it.
>>>>>>>
>>>>>>> On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:
>>>>>>>> Okay I will try checking those parameters. I am doing sssd, I used ldap pan before in CentOS 6 and that ha
Re: [389-users] How to set up 389 client
Is this something that will cause an issue with ACL/DIACAP restrictions? I'm not sure if you know what those are, but correct me if I'm wrong.

Thanks.

On 1/14/13 10:44 AM, Doug Tucker tuck...@lyle.smu.edu wrote:
> It's not going to show you the LDAP users, only the local ones.
>
> Sincerely,
> Doug Tucker
Re: [389-users] How to set up 389 client
I configured everything with SSSD as you suggested. I'm able to do successful logins authenticating against the LDAP server, but when I check the Users and Groups list on the client machine, that newly created user isn't added. Thoughts? Thanks.

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Monday, January 7, 2013 1:36 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Are you using SSSD on the client side or PADL/NSS?

On Monday, January 7, 2013, Chaudhari, Rohit K. wrote:

I do specify the POSIX properties on the LDAP side. But when I log in with that created user on the client side and check the Users and Groups list on the client machine, it is not listed there. I did avoid the warning message by adding the LDAP user to a group that already exists. I want the user I create in LDAP to become listed in the Users and Groups list on the client (for ACL purposes, if you know anything regarding meeting DIACAP guidelines). Did I miss something? Thanks

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Monday, January 7, 2013 11:39 AM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Hello Rohit,
While creating users you also need to specify POSIX properties for the user. In the admin console you need to fill out the posix properties details while creating the user. Also make sure you create posix groups and associate these new users with the group ID; otherwise at login time you may get a warning message like "id: Group does not exist".

-- 
http://about.me/chandank

On Mon, Jan 7, 2013 at 7:27 AM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:

Hey Chandan,
So I got the RHEL client working, but I have an outstanding issue. When I look at the users/groups setting on the client machine, the newly created user that I made on the RHEL LDAP server does not show up on the list. Is this how it is supposed to work? If not, how do I get an LDAP user to become a part of the users and groups list on the RHEL client?

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 20, 2012 6:21 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Yes, you do need to replace it with SSSD. If you are having a fresh Centos install, by default it is sssd only. The best way would be to use the authconfig tool as it changes all related files and you don't have to manually change all of them. Moreover, you also need to change the nss.conf file and make sure groups/users do have sssd instead of ldap. From RHEL 6.4 sssd will be fully supported, and it gives better performance if you intend to integrate many applications with LDAP as it does not open multiple connections with the directory server. I will look at that guide again and will try to improve it.

On Thursday, December 20, 2012, Chaudhari, Rohit K. wrote:

Okay, I will try checking those parameters. I am doing sssd; I used ldap pam before in CentOS 6 and that had worked for me, but I will try using sssd. What confused me in your guide was when it said to set up /etc/pam.d/system-auth, replacing all instances of pam_sss.so with pam_ldap.so. If I want to use sssd I need to leave this alone. I'll give you an update tomorrow to see how it is going. Thanks again for your insight.

Thanks

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 20, 2012 4:07 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

-- 
http://about.me/chandank

-- 
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
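The checks this thread keeps coming back to, whether NSS consults sss at all, whether the client actually trusts the server's CA rather than having verification turned off, and whether an account is local or only reachable through LDAP, as an added shell example that is not from the thread or the 389 project; the hostname, base DN, CA path, account names and the two config fragments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for an SSSD/389 client,
# run against constructed config fragments. Hostname, base DN, CA path and
# account names are made up.

# Constructed stand-in for /etc/nsswitch.conf: passwd/group/shadow must list
# sss, otherwise getent/id never ask SSSD and LDAP users look nonexistent.
NSSWITCH_CONF='passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns'

# Constructed stand-in for /etc/sssd/sssd.conf.
SSSD_CONF='[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem'

# Succeeds (exit 0) only when passwd, group and shadow all consult sss.
nss_uses_sss() {
    for db in passwd group shadow; do
        printf '%s\n' "$NSSWITCH_CONF" \
            | grep -Eq "^${db}:.*[[:space:]]sss([[:space:]]|$)" || return 1
    done
}

# Print the value of a "key = value" line from the sssd.conf text ($1 = key).
sssd_value() {
    printf '%s\n' "$SSSD_CONF" | awk -v k="$1" '
        index($0, "=") {
            key = $0; sub(/[[:space:]]*=.*$/, "", key)
            if (key == k) { val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); print val; exit }
        }'
}

# "Unknown CA" means the server cert does not chain to a CA the client trusts.
# The fix is to point ldap_tls_cacert at the (self-signed) CA, not to relax
# ldap_tls_reqcert. Succeeds when verification stays on and a CA file is named.
tls_verification_enforced() {
    reqcert=$(sssd_value ldap_tls_reqcert)
    cacert=$(sssd_value ldap_tls_cacert)
    { [ "$reqcert" = "demand" ] || [ "$reqcert" = "hard" ]; } && [ -n "$cacert" ]
}

# Tell a local account (in /etc/passwd, which the Users and Groups tool lists)
# from an LDAP account that is only visible through NSS (getent passwd).
# $1 = /etc/passwd text, $2 = "getent passwd" text (both constructed), $3 = user.
account_source() {
    if printf '%s\n' "$1" | grep -q "^$3:"; then echo local
    elif printf '%s\n' "$2" | grep -q "^$3:"; then echo ldap
    else echo unknown
    fi
}
```

On a real client, feed account_source the output of `cat /etc/passwd` and `getent passwd` to see why a user that `id` resolves still never appears in the local Users and Groups tool.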
Re: [389-users] How to set up 389 client
Okay, I will try checking those parameters. I am doing sssd; I used ldap pam before in CentOS 6 and that had worked for me, but I will try using sssd. What confused me in your guide was when it said to set up /etc/pam.d/system-auth, replacing all instances of pam_sss.so with pam_ldap.so. If I want to use sssd I need to leave this alone. I'll give you an update tomorrow to see how it is going. Thanks again for your insight.

Thanks

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 20, 2012 4:07 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

First of all, on the client side what are you using, the sssd or ldap pam module? To create the home dir, the enablemkhomedir option should be given to authconfig, which is already specified in the guide.

On Dec 20, 2012 12:43 PM, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu wrote:

Hey Chandan,
I tried your guide and am still getting the same issues with the CA not being trusted. How do I make the certificate trusted to the client? Also, my main goal is to be able to create a new user on LDAP on the server side (with POSIX attributes) and then, when I try to log in for the first time on the client machine, it should find the information in the LDAP server and let me log in as a newly created user. Have you tried doing this before? When I did an id ldap-userid on the client side, it was returning values for me for EXISTING user accounts on the client side, but nothing on users I didn't have already created on the client side. How do I get this to work? I have been banging my head on this for way too long!

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 13, 2012 1:57 PM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Unknown CA means the certificate that you have copied to the client machine is not trusted. Please make sure there are no typos in the sssd.conf file for the certificate directory path or at the ldap.conf path. No, I have not tested it on Redhat. I only have Centos servers. The answer to your question is yes, but with Centos, not with Redhat. Also, if you want to check whether your ldap auth is working, just do id ldap-userid; it should show the information. If it does not then please check your nsswitch.conf and sssd parameters. In my case, the ldapsearch was throwing an error with certificates; however, sssd user authentication was working perfectly.

On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:

I recall setting it up like the instructions stated, and when I ran wireshark I got the following error: TLSv1 Alert (Level: Fatal, Description: Unknown CA)

The procedure is as follows:
Create new user in LDAP server
Create POSIX attributes for that new user
Try to log into local box that authenticates against LDAP server with new user for first time
It prevents me from logging in successfully (I've had this work before in CentOS)

Have you been able to successfully log in to a local Red Hat box that authenticates against a 389 DS with a newly created user with POSIX attributes?

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 13, 2012 11:57 AM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Well, Centos is just a clone of RHEL. I did this setup on Centos 6.3 just a few weeks back. What error are you getting? The most annoying error that I know of is "the peer is not trusted". What are you using for the client side? SSSD or PADL NSS stuff? I would recommend using SSSD and following the link below for that. http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:

This is on CentOS however. We had success configuring it for CentOS in the past, but were unable to replicate this on Red Hat 6.3. Did you follow these steps for configuring Red Hat 6 as well?

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 13, 2012 11:50 AM
Re: [389-users] How to set up 389 client
This is on CentOS however. We had success configuring it for CentOS in the past, but were unable to replicate this on Red Hat 6.3. Did you follow these steps for configuring Red Hat 6 as well?

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 13, 2012 11:50 AM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

The best guide will be the redhat manual, or if you are looking for some how-to then you can follow the link below. http://blogatharva.blogspot.ca/2012/11/389-directory-server-installation-and.html These are the exact steps that I followed, and they worked with self-signed certificates.

On Thursday, December 13, 2012, Chaudhari, Rohit K. wrote:

Hello everyone,
How do I set up a 389 LDAP client to authenticate users against a 389 LDAP server? I don't have a trusted certificate authority (CA) but will create a self-signed CA that signs server certificates, and then put that self-signed CA as the trusted CA on the client side. Is there anything more specific or a guide on how to set this up out there? Thanks in advance.

Rohit

-- 
http://about.me/chandank
Re: [389-users] How to set up 389 client
I will try what you recommended and get back to you on the errors I face. Thank you for the information.

Thanks.

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 13, 2012 11:57 AM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Well, Centos is just a clone of RHEL. I did this setup on Centos 6.3 just a few weeks back. What error are you getting? The most annoying error that I know of is "the peer is not trusted". What are you using for the client side? SSSD or PADL NSS stuff? I would recommend using SSSD and following the link below for that. http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

-- 
http://about.me/chandank
Re: [389-users] How to set up 389 client
I recall setting it up like the instructions stated, and when I ran wireshark I got the following error: TLSv1 Alert (Level: Fatal, Description: Unknown CA)

The procedure is as follows:
Create new user in LDAP server
Create POSIX attributes for that new user
Try to log into local box that authenticates against LDAP server with new user for first time
It prevents me from logging in successfully (I've had this work before in CentOS)

Have you been able to successfully log in to a local Red Hat box that authenticates against a 389 DS with a newly created user with POSIX attributes?

Thanks,
Rohit

From: Chandan Kumar chandank.ku...@gmail.com
Reply-To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Date: Thursday, December 13, 2012 11:57 AM
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Subject: Re: [389-users] How to set up 389 client

Well, Centos is just a clone of RHEL. I did this setup on Centos 6.3 just a few weeks back. What error are you getting? The most annoying error that I know of is "the peer is not trusted". What are you using for the client side? SSSD or PADL NSS stuff? I would recommend using SSSD and following the link below for that. http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

-- 
http://about.me/chandank