search for: ldap_tls_reqcert

Displaying 18 results from an estimated 18 matches for "ldap_tls_reqcert".

2015 May 06
2
ldap host attribute is ignored
...ap://ldap.mydomain.tld ldap_search_base = o=XXX ldap_schema = rfc2307bis id_provider = ldap ldap_user_uuid = entryuuid ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/ssl/certs chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYY,o=XXX ldap_group_search_base = ou=YYY,o=XXX access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host autofs_provider = ldap krb5_realm = # [autofs] When i stop the sssd daemon, no login at all is possible. But when i start sssd, aga...
2018 Aug 06
5
SSSD and cache persistence
I have a large number of CentOS machines (both 6 & 7) getting account information from an LDAP database using SSSD. It all works fine and is fairly reliable. However, I'm having problems with persuading the caching system to forget about users when they are deleted from LDAP. I know about sss_cache with either -E or -U options, but that doesn't delete anything, just invalidates the
2015 May 11
2
ldap host attribute is ignored
...a = rfc2307bis > id_provider = ldap > ldap_user_uuid = entryuuid > ldap_group_uuid = entryuuid > ldap_id_use_start_tls = True > enumerate = False > cache_credentials = False > ldap_tls_cacertdir = /etc/openldap/cacerts/ > chpass_provider = ldap > auth_provider = ldap > ldap_tls_reqcert = never > ldap_user_search_base = ou=YYY,o=XXX > access_provider = ldap > ldap_access_order = host > ldap_user_authorized_host = host > autofs_provider = ldap > > [sssd] > services = nss, pam, autofs > config_file_version = 2 > domains = default > > [nss] >...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote: > Is it normal to have pam_unix and pam_sss twice for each section? No. See my previous message. I think it's the result of copying portions of SuSE configurations.
2015 May 06
0
ldap host attribute is ignored
...search, ldapadd, ldapmodify). > The sssd.conf is this: ... > [nss] > filter_groups = root > filter_users = root nitpick: those are the defaults. Probably don't need to set them. > [domain/default] > ldap_id_use_start_tls = True > ldap_tls_cacertdir = /etc/ssl/certs > ldap_tls_reqcert = never Not sure about that setting. "allow" is probably what you want if you're using starttls. > access_provider = ldap > ldap_access_order = host > ldap_user_authorized_host = host ... > When i stop the sssd daemon, no login at all is possible. OK. Remember that p...
2018 Aug 07
0
SSSD and cache persistence
...ieving self-signed certificates, even if the CA for those certificates is in place on the host. It used to work, but now doesn't. The consequence of this is that the connection to the LDAP server fails and it falls back to the cache contents, even if the cache is marked invalid. Setting "ldap_tls_reqcert = never" in sssd.conf fixed it - it still encrypts, but the certificate isn't checked. This is not a cue for a diatribe about how self signed certificates are bad and how easy it is to get a real SSL certificate. There are reasons. It's just annoying that something that used to work,...
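Several of the configs quoted in these threads carry `ldap_tls_reqcert = never` (and one reply suggests `allow` instead). Both values make SSSD negotiate TLS but accept any server certificate, so a client configured that way can be pointed at an impostor LDAP server without noticing. The audit script below is an added example for this page, not code from the posts or from the SSSD project: it parses an sssd.conf and flags every LDAP-backed domain that skips certificate verification or that talks plain `ldap://` without STARTTLS. Option names and the default of `hard` for `ldap_tls_reqcert` follow sssd-ldap(5); the sample configuration embedded in it is constructed, modelled on the configs quoted above.

```python
"""Audit an sssd.conf for LDAP TLS settings that weaken transport security.

Added example; not code from the mailing-list posts or from the SSSD
project. Per sssd-ldap(5), ldap_tls_reqcert defaults to "hard" when unset,
and "never"/"allow" both disable server-certificate verification.
"""
import configparser
from typing import Dict, List

# Constructed sample, modelled on the sssd.conf fragments quoted in the threads.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = weak, plain, ok

[domain/weak]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_reqcert = never

[domain/plain]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.0.2.10
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/ca.crt

[domain/ok]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
"""

# Values of ldap_tls_reqcert under which any server certificate is accepted.
UNVERIFIED = {"never", "allow"}


def audit_sssd_conf(text: str) -> Dict[str, List[str]]:
    """Return {domain section: [findings]} for every LDAP-backed domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if "ldap" not in (dom.get("id_provider"), dom.get("auth_provider")):
            continue  # this domain does not talk to LDAP; nothing to check
        issues: List[str] = []

        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in UNVERIFIED:
            issues.append(
                f"ldap_tls_reqcert = {reqcert}: TLS is negotiated but the server "
                "certificate is not verified, so the session can be intercepted"
            )

        # STARTTLS only matters for ldap:// URIs; ldaps:// is TLS from the start.
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        for uri in dom.get("ldap_uri", "").split(","):
            uri = uri.strip()
            if uri.startswith("ldap://") and not start_tls:
                issues.append(
                    f"{uri} without ldap_id_use_start_tls: binds and lookups "
                    "travel in the clear"
                )
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for domain, issues in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(domain, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The script only reads the file; it cannot tell whether the CA in `ldap_tls_cacert` actually signed the server's certificate. For that, run the same check the OpenLDAP client tools do, with verification turned on rather than off: `LDAPTLS_REQCERT=demand ldapsearch -x -ZZ -H ldap://your-server ...` fails when the chain does not validate, which is exactly the condition `ldap_tls_reqcert = never` papers over.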
2012 Oct 26
2
CentOS6 LDAP Authentication.
Hi! I can make ldap authentication work using LDAPS in CentOS 6. On CentOS 5, I just simply set tls_checkpeer no in /etc/ldap.conf and it works! I tried all /etc/nslcd.conf /etc/pam_ldap.conf /etc/openldap/ldap.conf It's really confusing on CentOS 6. Why so many files???? CentOS 5 LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://xxxx (works!) CentOS 6 LDAPTLS_REQCERT=never ldapsearch -x
2014 Jul 28
0
[sssd] Not seeing Secondary Groups
...er_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [autofs] ldap_autofs_search_base = CN=automount,dc=example,dc=com ## Domain Configurations [domain/example.com] debug_level = 9 id_provider = ldap access_provider = ldap auth_provider = krb5 ldap_uri = ldap://ad.example.com ldap_tls_reqcert = allow ldap_schema = rfc2307bis ldap_referrals = false ldap_disable_referrals = true ldap_force_upper_case_realm = true ldap_page_size = 4000 ldap_access_order = expire ldap_account_expire_policy = ad ldap_default_bind_dn = CN=LINUXAUTH,DC=EXAMPLE,DC=COM ldap_id_mapping = False ldap_search_base =...
2015 May 05
4
ldap host attribute is ignored
On 05/05/2015 06:47 PM, Gordon Messmer wrote: > On 05/05/2015 03:02 AM, Ulrich Hiller wrote: >> /etc/openldap/ldap.conf contains the line: >> ------------------------------------------ >> pam_check_host_attr yes > > /etc/openldap/ldap.conf is the configuration file for openldap clients. > It is not used for system authentication or name service. > >>
2013 Feb 21
2
looking for sssd basics and simple config with existing ldap centos 6.3
Hi, I'm planning to set up a new samba fileserver as a member to an existing samba 3.x SMB. The old server is still nss-pam-ldapd configured (historic leftovers). As I don't have any pressure to have the new server up and running within the next few hours, I'd like to set up sssd with our existing openldap. After googling and reading some documentation from redhat/fedora I think I do have a
2015 May 11
0
ldap host attribute is ignored
...er.com/ ldap_search_base = ou=YYY,o=XXX ldap_schema = rfc2307bis id_provider = ldap ldap_user_uuid = entryuuid ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYY,o=XXX access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host autofs_provider = ldap [sssd] services = nss, pam, autofs config_file_version = 2 domains = default [nss] [pam] [sudo] [autofs] [ssh] My /etc/pam.d/system-auth #%PA...
2015 May 11
0
ldap host attribute is ignored
...dap_schema = rfc2307bis > id_provider = ldap > ldap_user_uuid = entryuuid > ldap_group_uuid = entryuuid > ldap_id_use_start_tls = True > enumerate = False > cache_credentials = False > ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap > auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = > ou=YYY,o=XXX access_provider = ldap ldap_access_order = host > ldap_user_authorized_host = host autofs_provider = ldap > > [sssd] > services = nss, pam, autofs > config_file_version = 2 > domains = default > > [nss] > > [pam] &...
2015 Feb 23
2
sssd - ldap host attribute ignored
...rver.mydomain ldap_search_base = o=XXXX ldap_schema = rfc2307bis id_provider = ldap ldap_user_uuid = entryuuid ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYYY,o=XXXX ldap_group_search_base = ou=YYYY,o=XXXX access_provider = ldap ldap_access_filter = memberOf=ou=YYYY,o=XXXX ldap_access_order = host /etc/ldap.conf: ---------------------- # # LDAP Defaults # # See ldap.conf(5) for details # This file should be...
2016 Apr 11
5
Slow authentication on C7
...base = ou=Main,o=company id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://ldap.our.domain/ ldap_group_search_base = ou=Group,ou=Main,o=company ldap_user_search_base = ou=People,ou=Main,o=company ldap_id_use_start_tls = False ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_reqcert = allow #debug_level = 4 refresh_expired_interval = 120 enumerate = True ldap_referrals = False [sssd] services = nss, pam, autofs config_file_version = 2 domains = default [nss] homedir_substring = /home entry_cache_timeout = 5400 [pam] pam_id_timeout=20 apache: LDAPCacheTTL 30 <VirtualHost...
2015 May 07
2
ldap host attribute is ignored
...f is this: > ... >> [nss] >> filter_groups = root >> filter_users = root > > nitpick: those are the defaults. Probably don't need to set them. > >> [domain/default] >> ldap_id_use_start_tls = True >> ldap_tls_cacertdir = /etc/ssl/certs >> ldap_tls_reqcert = never > > Not sure about that setting. "allow" is probably what you want if > you're using starttls. > >> access_provider = ldap >> ldap_access_order = host >> ldap_user_authorized_host = host > ... >> When i stop the sssd daemon, no login a...
2013 Oct 01
1
Should I forget sssd ?
...; Using enumerate = true leads to high load and slow response > enumerate = false > cache_credentials = true > > id_provider = ldap > auth_provider = krb5 > chpass_provider = krb5 > > ldap_uri = ldap://serveur.radiodjiido.nc > ldap_search_base = DC=radiodjiido,DC=nc > ldap_tls_reqcert = demand > ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt > > krb5_kdcip = serveur.radiodjiido.nc > krb5_realm = RADIODJIIDO.NC > krb5_changepw_principle = kadmin/changepw > krb5_auth_timeout = 15 sudo service sssd stop tar -xzvf sssd-1.11.1.tar.gz cd sssd-1.11.1 ./configure...
2018 Jul 20
2
SSSD on CentOS 7 failing to start when connecting to 4.8.3 AD via LDAP
...ame = sAMAccountName ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_group_object_class = group ldap_force_upper_case_realm = True ldap_uri = ldap://192.168.192.50 ldap_search_base = dc=ad,dc=company,dc=com ldap_id_use_start_tls = false ldap_tls_reqcert = never ldap_tls_cacert = /etc/sssd/ca.company.com.crt access_provider = ldap ldap_access_filter = memberOf=cn=ServerAdmins,ou=Groups,dc=ad,dc=company,dc=com ldap_default_authtok_type = password ldap_default_bind_dn = sssd at ad.company.com ldap_default_authtok = Password1 [pam] I tried addi...
2015 May 05
6
ldap host attribute is ignored
...rver.mydomain ldap_search_base = o=XXXX ldap_schema = rfc2307bis id_provider = ldap ldap_user_uuid = entryuuid ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYYY,o=XXXX ldap_group_search_base = ou=YYYY,o=XXXX access_provider = ldap ldap_access_filter = memberOf=ou=YYYY,o=XXXX ldap_access_order = host /etc/pam.d/system-auth: ----------------------- #%PAM-1.0 # This file is auto-generated. # User changes will be dest...