Displaying 20 results from an estimated 21 matches for "ldap_tls_cacertdir".
2018 Jun 14
0
CentOS7: Setting up ldap over TLS in kickstart file
...ood as far as I know. Hashes
only work on a single cert, right?
2. Unless told otherwise, openssl looks in only one place for a cert
bundle: ${OPENSSLDIR}/cert.pem (where the value of OPENSSLDIR can
be discovered by running "openssl version -d").
You might take a peek at the ldap_tls_cacertdir discussion in the
sssd-ldap(5) man page, which specifies that certificates should be in
individual files.
My suggestion would be to isolate the CA certificate used to sign your
LDAP server certs, install that as a separate file in
ldap_tls_cacertdir, and run cacertdir_rehash to get the hash co...
2013 Apr 14
1
sssd getent problem with Samba 4.0
..._provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number =...
2015 May 06
2
ldap host attribute is ignored
...filter_groups = root
filter_users = root
[pam]
[domain/default]
ldap_uri = ldap://ldap.mydomain.tld
ldap_search_base = o=XXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
krb5_realm = #
[autofs]
When I...
2019 Oct 16
3
Can't setup kerberos auth for samba4 server?
...ttp://ada.de/>]
enumerate = true
cache_credentials = True
krb5_realm = ADA.DE
ldap_search_base = dc=ada,dc=de
krb5_server = ad01.ada.de, ad02.ada.de
id_provider = ad
auth_provider = ad
ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0270
[nss]
homedir_substring = /home
debug_level = 0x0270
[pam]
debug_level = 0x0270
[sudo]
debug_level = 0x0270
[autofs]
debug_level = 0x0270
[ssh]
debug_level = 0x0270
[pac]
debug_level = 0x0270
[ifp]
debug_level = 0x0270
[secrets]
debug_level = 0x0...
2018 Jun 14
3
CentOS7: Setting up ldap over TLS in kickstart file
Hi,
I'm facing a problem with setting up LDAP+TLS client authentication in a
kickstart script on CentOS7 for several days.
Setting up the config manually with system-config-authentication works, but I need
to automate this in kickstart for deploying cluster nodes.
This shows that the server side is running fine.
At this time the message is
#systemctl status sssd
|....
2015 May 11
2
ldap host attribute is ignored
.../default]
> ldap_uri = ldap://myldapserver.com/
> ldap_search_base = ou=YYY,o=XXX
> ldap_schema = rfc2307bis
> id_provider = ldap
> ldap_user_uuid = entryuuid
> ldap_group_uuid = entryuuid
> ldap_id_use_start_tls = True
> enumerate = False
> cache_credentials = False
> ldap_tls_cacertdir = /etc/openldap/cacerts/
> chpass_provider = ldap
> auth_provider = ldap
> ldap_tls_reqcert = never
> ldap_user_search_base = ou=YYY,o=XXX
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> autofs_provider = ldap
>
> [sssd]
> s...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote:
> Is it normal to have pam_unix and pam_sss twice for each section?
No. See my previous message. I think it's the result of copying
portions of SuSE configurations.
2015 May 06
0
ldap host attribute is ignored
...n. Mostly
just the openldap tools (ldapsearch, ldapadd, ldapmodify).
> The sssd.conf is this:
...
> [nss]
> filter_groups = root
> filter_users = root
nitpick: those are the defaults. Probably don't need to set them.
> [domain/default]
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/ssl/certs
> ldap_tls_reqcert = never
Not sure about that setting. "allow" is probably what you want if
you're using starttls.
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
...
> When I stop the sssd daemon, no login at...
2012 Oct 26
2
CentOS6 LDAP Authentication.
Hi!
I can make ldap authentication work using LDAPS in CentOS 6. On
CentOS 5, I just set tls_checkpeer no in /etc/ldap.conf and it
works!
I tried all
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/openldap/ldap.conf
It's really confusing on CentOS 6. Why so many files????
CentOS 5
LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://xxxx
(works!)
CentOS 6
LDAPTLS_REQCERT=never ldapsearch -x
2014 Aug 29
1
C7: need authconfig against LDAP
Hi all,
On a C6 box, when I want to enable LDAP authentication, I issue:
# yum -y install nss-pam-ldapd pam_ldap nscd
# authconfig --enableldap --enableldapauth --enablemkhomedir \
--ldapserver=ldap://ldap-blabla/ \
--ldapbasedn="blabla" \
--enablecache --disablefingerprint \
--kickstart --update
All is working fine, the directory structure is fine and compliant.
2015 May 05
4
ldap host attribute is ignored
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> ------------------------------------------
>> pam_check_host_attr yes
>
> /etc/openldap/ldap.conf is the configuration file for openldap clients.
> It is not used for system authentication or name service.
>
>>
2019 Oct 16
0
Can't setup kerberos auth for samba4 server?
...e_credentials = True
> krb5_realm = ADA.DE
> ldap_search_base = dc=ada,dc=de
> krb5_server = ad01.ada.de, ad02.ada.de
> id_provider = ad
> auth_provider = ad
> ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> debug_level = 0x0270
>
> [nss]
> homedir_substring = /home
> debug_level = 0x0270
>
> [pam]
> debug_level = 0x0270
>
> [sudo]
> debug_level = 0x0270
>
> [autofs]
> debug_level = 0x0270
>
> [ssh]
> debug_level = 0x0270...
2013 Feb 21
2
looking for sssd basics and simple config with existing ldap centos 6.3
Hi,
I'm planning to set up a new samba fileserver as a member of an existing
samba 3.x SMB.
The old server is still nss-pam-ldapd configured (historic leftovers).
As I don't have any pressure to have the new server up and running within
the next few hours, I'd like to set up sssd with our existing openldap.
After googling and reading some documentation from redhat/fedora I
think I do have a
2015 May 11
0
ldap host attribute is ignored
...ASL_NOCANON on
My /etc/sssd/sssd.conf:
[domain/default]
ldap_uri = ldap://myldapserver.com/
ldap_search_base = ou=YYY,o=XXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
[sssd]
services = nss, pam, autofs
config_file_version = 2
doma...
2015 May 11
0
ldap host attribute is ignored
.../default]
> ldap_uri = ldap://myldapserver.com/
> ldap_search_base = ou=YYY,o=XXX
> ldap_schema = rfc2307bis
> id_provider = ldap
> ldap_user_uuid = entryuuid
> ldap_group_uuid = entryuuid
> ldap_id_use_start_tls = True
> enumerate = False
> cache_credentials = False
> ldap_tls_cacertdir = /etc/openldap/cacerts/
> chpass_provider = ldap
> auth_provider = ldap
> ldap_tls_reqcert = never
> ldap_user_search_base = ou=YYY,o=XXX
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> autofs_provider = ldap
>
> [sssd]
> services = nss, pam, au...
2015 Feb 23
2
sssd - ldap host attribute ignored
...er_groups = root
filter_users = root
[pam]
[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
/etc/ldap.conf:
------------...
2016 Apr 11
5
Slow authentication on C7
...dentials = True
krb5_realm = #
ldap_search_base = ou=Main,o=company
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.our.domain/
ldap_group_search_base = ou=Group,ou=Main,o=company
ldap_user_search_base = ou=People,ou=Main,o=company
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
#debug_level = 4
refresh_expired_interval = 120
enumerate = True
ldap_referrals = False
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
entry_cache_timeout = 5400
[pam]
pam_id_timeout=20...
2019 Oct 16
2
Can't setup kerberos auth for samba4 server?
...m = ADA.DE
> > ldap_search_base = dc=ada,dc=de
> > krb5_server = ad01.ada.de, ad02.ada.de
> > id_provider = ad
> > auth_provider = ad
> > ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> > ldap_id_use_start_tls = True
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > debug_level = 0x0270
> >
> > [nss]
> > homedir_substring = /home
> > debug_level = 0x0270
> >
> > [pam]
> > debug_level = 0x0270
> >
> > [sudo]
> > debug_level = 0x0270
> >
> > [autofs]
> &g...
2015 May 07
2
ldap host attribute is ignored
...add, ldapmodify).
>
>> The sssd.conf is this:
> ...
>> [nss]
>> filter_groups = root
>> filter_users = root
>
> nitpick: those are the defaults. Probably don't need to set them.
>
>> [domain/default]
>> ldap_id_use_start_tls = True
>> ldap_tls_cacertdir = /etc/ssl/certs
>> ldap_tls_reqcert = never
>
> Not sure about that setting. "allow" is probably what you want if
> you're using starttls.
>
>> access_provider = ldap
>> ldap_access_order = host
>> ldap_user_authorized_host = host
> ...
>&...
2015 May 08
4
ldap host attribute is ignored
>> But instead i get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>> <username>
>
> "pam_unix" should be an indication that <username> appears in the local
> unix password files. Make sure that it doesn't.
Nope. None of the usernames I tried is in /etc/passwd or /etc/shadow
>
> What do /etc/pam.d/sshd and