[ale] RHEL 6 authenticate against LDAP?

Jim Kinney jim.kinney at gmail.com
Mon Jun 16 14:27:10 EDT 2014


Other than activating the correct AD -> LDAP binding, SSSD does just that
setup. It's supposed to make all of those links and connections with the
exception of uncommenting the AD bindings. It may do that now with the
latest updates. I installed sssd right as 6.5 came out and IdM (FreeIPA)
about 2 weeks later.

For unknown reasons, maybe I'm thinking of an older RHEL (5?), I can't find
the default ldap.conf file that had the multiple bindings listed.

Glad it's working.


On Mon, Jun 16, 2014 at 1:33 PM, James Sumners <james.sumners at gmail.com>
wrote:

> Okay, for the Internet at large, forget about that SSSD garbage. The
> following will get a fresh install of RHEL 6 (and I assume 7)
> authenticating against an Active Directory server (without caring about
> updating the AD password and such):
>
> $ yum install pam_ldap
> $ authconfig --enableldapauth --enablelocauthorize --update
> $ openssl s_client -connect ldap.example.com:636 2>&1 \
>     | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
>     > /etc/openldap/cacerts/ldap.example.com.crt  # press "return" again to terminate process
> $ cacertdir_rehash
>
> Finally, configure /etc/pam_ldap.conf appropriately:
>
> `````
> # Set to the base LDAP tree for the users you want to authorize
> base OU=Cool Guys,OU=Departments,dc=example,dc=com
>
> # URI of the LDAP server
> uri ldaps://ldap.example.com/
> # A user that can search the LDAP tree
> binddn CN=Searcher,cn=Users,DC=example,DC=com
> # The search user's password
> bindpw the_correct_directory_reader_password
>
> scope sub
>
> pam_filter objectClass=User
> pam_login_attribute sAMAccountName
> pam_password ad
>
> # RFC 2307 (AD) mappings
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_attribute uid sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_objectclass posixGroup group
> nss_map_attribute uniqueMember member
>
> ssl on
> sasl_secprops maxssf=0
> referrals no
> `````
>
>
> On Fri, Jun 13, 2014 at 9:21 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> You will need to check nsswitch file to have password by LDAP or sssd and
>> home by files. Then every user add will require multiple steps. Add in AD
>> then again on each machine.
>> On Jun 13, 2014 9:10 AM, "James Sumners" <james.sumners at gmail.com> wrote:
>>
>>> I'm sorry, I do not know what question you are answering. I never
>>> mentioned wanting password changes propagated to anything. In fact, these
>>> accounts are normally created with no valid password at all on the local
>>> machine. That's what I want: user attempts to login, system checks with AD
>>> to verify credentials, and then home dir shell etc is pulled from the
>>> local user account.
>>>
>>> On Sat, Jun 7, 2014 at 10:20 AM, Jim Kinney <jim.kinney at gmail.com>
>>> wrote:
>>>
>>>> Hmm. As much as it pains me to say this, sssd can use AD as the master
>>>> auth process. Unless AD admin provides an access id with write ability,
>>>> password changes will have to occur on AD and then propagate to IPA.
>>>>
>>>
>>>
>>>
>>> --
>>> James Sumners
>>> http://james.roomfullofmirrors.com/
>>>
>>> "All governments suffer a recurring problem: Power attracts pathological
>>> personalities. It is not that power corrupts but that it is magnetic to the
>>> corruptible. Such people have a tendency to become drunk on violence, a
>>> condition to which they are quickly addicted."
>>>
>>> Missionaria Protectiva, Text QIV (decto)
>>> CH:D 5
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>
>>
>
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
>
>


-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


http://heretothereideas.blogspot.com/
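A small lint for a pam_ldap.conf of the shape discussed in this thread, added here as an example (it is not code from the post or from pam_ldap). The attribute whitelists and the sample config are constructed assumptions; the sample deliberately carries a misspelled mapping, which is the kind of silent breakage the check is meant to catch.

```python
import stat

# Constructed sample pam_ldap.conf in the shape of the one in the post;
# the misspelled mapping on the last line is deliberate, to show the check.
SAMPLE_CONF = """\
base OU=Cool Guys,OU=Departments,dc=example,dc=com
uri ldaps://ldap.example.com/
binddn CN=Searcher,cn=Users,DC=example,DC=com
bindpw the_correct_directory_reader_password
ssl on
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uniquteMember member
"""

# Assumed whitelists (this lint's own idea, not a pam_ldap feature): the POSIX
# names the post remaps and the AD names it maps them to.
POSIX_NAMES = {"posixAccount", "shadowAccount", "posixGroup",
               "uid", "homeDirectory", "shadowLastChange", "uniqueMember"}
AD_NAMES = {"user", "group", "sAMAccountName", "unixHomeDirectory",
            "pwdLastSet", "member"}

def parse_conf(text):
    """pam_ldap.conf is 'key value' per line; values (DNs) may contain spaces."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        values.setdefault(key, []).append(value.strip())
    return values

def lint(text, file_mode=0o600):
    """Return findings for the config text; an empty list means it passed."""
    values = parse_conf(text)
    findings = []
    uri = values.get("uri", [""])[0]
    if not uri.startswith("ldaps://") and values.get("ssl", ["off"])[0] != "on":
        findings.append("bind password would cross the wire in clear text: use ldaps:// or 'ssl on'")
    for entry in values.get("nss_map_objectclass", []) + values.get("nss_map_attribute", []):
        posix_name, _, ad_name = entry.partition(" ")
        if posix_name not in POSIX_NAMES:
            findings.append(f"unknown POSIX name in mapping: {posix_name!r}")
        if ad_name not in AD_NAMES:
            findings.append(f"unknown AD name in mapping: {ad_name!r}")
    # The file carries a plaintext search-account password, so others must not read it.
    if "bindpw" in values and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw present but the file is group- or world-readable")
    return findings
```

Pass the real file's mode (from `os.stat(path).st_mode`) as `file_mode` to run the permission check against an installed config.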

