Re: SUSE 10 LDAP QUESTIONS

2008-12-03 Thread Chase, John
 -Original Message-
 From: Linux on 390 Port On Behalf Of Rich Smrcina
 
 There's a redpaper that talks about this.  See:
 
 Securing Linux for zSeries with a Central z/OS LDAP Server
 
 You might also want to check out the ABC's redbooks (whichever one
 deals with RACF and security).

That would be Volume 6.

-jc-

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390


SUSE 10 LDAP QUESTIONS

2008-12-02 Thread Jones, Russell
I have a couple questions about connecting to ldap from Suse linux.

- Does anyone have experience using the MVS ldap server for Z/linux
authentication? Suse seems to ship with that functionality included, but
I have been unable to get it to work. Are there additional schema
objects that must be installed to support linux authentication?

- I am also trying to do ldap authentication in a php page. I have
installed the PHP5-ldap package, but my php page is failing to make the
ldap connection. I don't see any ldap related error in the apache log,
so I am not sure what exactly is happening. Is it possible that the ldap
errors are going to a different log file? Are there additional php
packages that must be installed to make it work?

Thanks a lot for your help, 

Russell Jones 



Re: SUSE 10 LDAP QUESTIONS

2008-12-02 Thread Rich Smrcina

There's a redpaper that talks about this.  See:

Securing Linux for zSeries with a Central z/OS LDAP Server

You might also want to check out the ABC's redbooks (whichever one deals with
RACF and security).

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service:  360-715-2467
http://www.linkedin.com/in/richsmrcina

Catch the WAVV!  http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009



Re: SUSE 10 LDAP QUESTIONS

2008-12-02 Thread Patrick Spinler

Jones, Russell wrote:
 I have a couple questions about connecting to ldap from Suse linux.

Before we get really into this, I should refer you to your local LDAP
administrator, if you are not that person.

If you are your own local LDAP admin, well, read on, but also apply
heavy doses of google fu.  LDAP is a, uh, non-intuitive world.

 - Does anyone have experience using the MVS ldap server for Z/linux
 authentication.

I don't use the MVS LDAP server, but another product.  However, from a
linux client perspective, LDAP is LDAP, for the most bits.

There's a few assumptions in this which you'll need to know, btw

  *) do you allow anonymous binds
  *) do you force, allow, or not support SSL and/or TLS
  *) What bind method do you use Simple, SASL-???

Here's a few sets of tests I use, in roughly ascending order of
functionality.  This is assuming non-anonymous binds, simple binding,
and no SSL/TLS

1) Can you do a manual ldapsearch at all, with fully specified
parameters?  E.g. something like this:

  ldapsearch -x -h your_ldap_host -D bindname -W -b ldap_base \
-s one '(objectclass=*)'

If this fails, examine your assumptions.  This can always be made to
work, if your assumptions are correct.

2) Do an ldapsearch leaving default some of the search parameters, to
ensure you have them configured correctly on your client host.  E.g:

  ldapsearch -x -s one '(objectclass=*)'

If this fails, use a process of elimination to find and correct the
saved search parameters (LDAP server hostnames, ldap base, ldap bind
names and passwords, etc).  Most of this data is in the file
/etc/ldap.conf and the directory /etc/openldap.

3) Does the client OS see account / group information?

  getent passwd ; getent group ; id some_ldap_account

There's lots of possible failures here.  First check /etc/nsswitch.conf,
and ensure it's set up for either "files ldap" or "compat" for everything
you care to get from the LDAP server.  If it's compat there also needs
to be a compat_passwd ... and other compat_* entries.

Next, look for SSL / TLS connection failures, if you're using them.  In
particular, check the client's certdb is correct.  If your server
supports non-SSL connections, try testing this non-SSL to positively
confirm whether this is an SSL problem or not.

Next, check for extra search filters in /etc/ldap.conf specified as part
of the nss_base_* statements.  Try commenting these out as a test.

Also look in /etc/ldap.conf for attribute mapping statements -- make
sure these match what the server actually provides, as seen in the
output of a manual ldapsearch.

Finally, check the server's schema, and ensure it's compatible.  The
server needs some form of RFC2307 schema, and of course, each account
and group used with linux LDAP needs the proper objectclasses and
attributes.  (E.g. objectclass: posixaccount, uidNumber: 123456,
loginShell: /bin/ksh, etc etc)

4) Can you su - to an LDAP served account?

Check PAM settings, and the existence of the shell and home directory.

5) Last, can you ssh / telnet to an LDAP served account?

If not, check your pam settings and sshd config.


 - I am also trying to do ldap authentication in a php page. I have
 installed the PHP5-ldap package, but my php page is failing to make the
 ldap connection. I don't see any ldap related error in the apache log,
 so I am not sure what exactly is happening. Is it possible that the ldap
 errors are going to a different log file? Are there additional php
 packages that must be installed to make it work?

Recall here that you can have apache (via mod_auth_ldap) do session
authentication, or you can do manual authentication in php via trying to
do an ldap_bind in your php code.

Which are you trying to do, here?

-- Pat
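As an added offline companion to Pat's step 3 above (not code from the thread or from SUSE): two small shell checks that can be run on saved output before touching a live server. The nsswitch.conf text and the LDIF entry below are constructed samples, and the live commands appear only in comments.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: an nsswitch.conf-style text
# and a single LDIF entry are passed in as strings, e.g. from saved output.

# nsswitch_ok DB CONF: succeed if DB (passwd, group, shadow) is served by
# "ldap" or "compat" in CONF, the two settings the thread says must be there.
nsswitch_ok() {
    db=$1
    conf=$2
    line=$(printf '%s\n' "$conf" | sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" | head -n 1)
    case " $line " in
        *" ldap "*|*" compat "*) return 0 ;;
        *) return 1 ;;
    esac
}

# rfc2307_missing LDIF: print the RFC 2307 pieces a posixAccount entry lacks
# (empty output means the entry has everything a Linux login needs).
rfc2307_missing() {
    ldif=$1
    missing=""
    printf '%s\n' "$ldif" | grep -qi '^objectClass: posixAccount' \
        || missing="$missing objectClass=posixAccount"
    for attr in uid uidNumber gidNumber homeDirectory loginShell; do
        printf '%s\n' "$ldif" | grep -qi "^$attr:" || missing="$missing $attr"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample inputs (not real systems).
SAMPLE_NSS='passwd: compat
group:  files ldap
shadow: files'

SAMPLE_ENTRY='dn: uid=rjones,ou=people,o=example
objectClass: top
objectClass: posixAccount
uid: rjones
uidNumber: 123456
gidNumber: 100
homeDirectory: /home/rjones
loginShell: /bin/ksh'

# Live use on a client host (not run here; BASE is your ldap_base):
#   nsswitch_ok passwd "$(cat /etc/nsswitch.conf)" || echo "passwd: not ldap/compat"
#   rfc2307_missing "$(ldapsearch -x -LLL -b "$BASE" "(uid=rjones)")"
```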



Re: SUSE 10 LDAP QUESTIONS

2008-12-02 Thread Mark Post
 On 12/2/2008 at  4:03 PM, Rich Smrcina [EMAIL PROTECTED] wrote: 
 Securing Linux for zSeries with a Central z/OS LDAP Server

Just for the sake of completeness, the URL for the abstract is 
http://www.redbooks.ibm.com/abstracts/redp0221.html  The document itself is at 
http://www.redbooks.ibm.com/redpapers/pdfs/redp0221.pdf


Mark Post



Re: SUSE 10 LDAP QUESTIONS

2008-12-02 Thread Jones, Russell
Thanks to everyone for the responses. I will go through your tests and
the suggested documentation and see where that gets me.

As for the second part, I am attempting to bind to ldap using php. The
same php page works on my Slackware system, but something is not
configured correctly on the Suse system.  



Russell Jones 
ANPAC
System Programmer
[EMAIL PROTECTED]

