Ya-Fang,
Wow, I sympathize with your questions.
If you're new to Linux, don't try to configure LDAP on RHEL (or SLES for
that matter). I've been doing it quite a while and it continues to "kick my
butt" to this day. :)) But I would guess this is not one of your choices.
You said you're configuring to authenticate to your organization's LDAP
server - does it do "TLS" (encryption)?. Check with your organization's
LDAP administrator. If the answer is no, stop here. As I understand it,
when RHEL moved to v6, it will not authenticate unless TLS is active.
The next question is whether or not you are using the "authconfig-tui"
command for setting up client authentication. I would recommend that you
do, but you're not sure exactly what has changed. If so, an important part
is that, I believe, you need to copy the LDAP server's certificate to each
of the clients. Have you done that?
Hope this helps.
-Mike MacIsaac
On Wed, Nov 5, 2014 at 5:24 PM, Chen, Ya-Fang <yafang-c...@ti.com> wrote:
> Hi,
>
> I'm new to Linux system and just installed a Red Hat 6.6 on system z by
> following the cookbook. I tried to configure the Linux system to be a LDAP
> client to connect to company's LDAP server for user authentication but am
> still having issue when logon on saying "access denied".
>
> I've configured the below 3 files.
> 1). /etc/ldap.conf (point to ldap hosts and base, and have below statement)
>
> tls_cacertfile /var/ldap/VeriSignRsaSecureServerCA.pem
>
> 2)./etc/nsswitch.conf
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> 3). /etc/pam.d/system-auth (contains below statement)
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
>
> Do I need to configure /etc/openldap/ldap.conf and/or any other file?
>
>
> Here are the packages I've installed. Not sure if I missed anything?
>
> [root@slevmdb /]# rpm -qa | grep openldap
> openldap-clients-2.4.39-8.el6.s390x
> openldap-2.4.39-8.el6.s390x
> [root@slevmdb /]# rpm -qa | grep sssd
> sssd-client-1.11.6-30.el6.s390x
> sssd-common-1.11.6-30.el6.s390x
> sssd-proxy-1.11.6-30.el6.s390x
> sssd-krb5-common-1.11.6-30.el6.s390x
> sssd-common-pac-1.11.6-30.el6.s390x
> sssd-ad-1.11.6-30.el6.s390x
> sssd-ldap-1.11.6-30.el6.s390x
> sssd-1.11.6-30.el6.s390x
> python-sssdconfig-1.11.6-30.el6.noarch
> sssd-ipa-1.11.6-30.el6.s390x
> sssd-krb5-1.11.6-30.el6.s390x
> [root@slevmdb /]# rpm -qa | grep pam
> pam-1.1.1-20.el6.s390x
> pam_passwdqc-1.0.5-6.el6.s390x
> pam_krb5-2.3.11-9.el6.s390x
> nss-pam-ldapd-0.7.5-18.2.el6_4.s390x
> pam_ldap-185-11.el6.s390x
>
>
> thanks for help.
>
>
> Thanks and Regards,
> Ya-Fang
>
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
