Re: zLinux authentication on windows AD LDAP
Hello, FYI. To make the Linux LDAP client work with AD, I had to add POSIX attributes (uid, gid, uidNumber, etc.) to my AD user. I configured the LDAP client using "sssd" on SLES12 and I'm happily authenticating against AD.

Thanks for help,
Mariusz

Mon, 1 Apr 2019 at 16:19 Alan Altmark wrote:

> On Monday, 04/01/2019 at 08:21 GMT, "Harder, Pieter" wrote:
> > Until 2 years ago our AD was 2003. And that was a really big headache. And I
> > think they dropped the last win2003 servers quite recently.
> > Since moving to a more recent AD the win guys have been debating moving off
> > NTLM. But it seems there are some oldish applications that don't talk Kerberos
> > and require NTLM.
> > Anyway, it's not my problem. But I thought I would just mention it when I saw
> > your statement, in case anybody else does have NTLM still active.
>
> To your original question, though, many clients have integrated LDAP-based
> clients with AD. As David said, AD is just a variation of LDAP. If all
> you need is authentication, then it's supposedly pretty straightforward
> (I've never personally done it).
>
> Ignoring the specific application (ITM), I found this to be helpful in
> understanding how LDAP fits into AD:
> https://www.ibm.com/support/knowledgecenter/en/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/msad_ldap_beforeyoubegin.htm#msad_ldap_beforeyoubegin__tepuser
> Mostly I was happy because it had screen shots. :-) It may be that AD
> administration for LDAP clients is more integrated into the AD admin tools
> than is shown.
>
> Alan Altmark
> Senior Managing z/VM and Linux Consultant
> IBM Systems Lab Services
> IBM Z Delivery Practice
> ibm.com/systems/services/labservices
> office: 607.429.3323
> mobile: 607.321.7556
> alan_altm...@us.ibm.com
> IBM Endicott

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: zLinux authentication on windows AD LDAP
On Monday, 04/01/2019 at 08:21 GMT, "Harder, Pieter" wrote:
> Until 2 years ago our AD was 2003. And that was a really big headache. And I
> think they dropped the last win2003 servers quite recently.
> Since moving to a more recent AD the win guys have been debating moving off
> NTLM. But it seems there are some oldish applications that don't talk Kerberos
> and require NTLM.
> Anyway, it's not my problem. But I thought I would just mention it when I saw
> your statement, in case anybody else does have NTLM still active.

To your original question, though, many clients have integrated LDAP-based clients with AD. As David said, AD is just a variation of LDAP. If all you need is authentication, then it's supposedly pretty straightforward (I've never personally done it).

Ignoring the specific application (ITM), I found this to be helpful in understanding how LDAP fits into AD:
https://www.ibm.com/support/knowledgecenter/en/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/msad_ldap_beforeyoubegin.htm#msad_ldap_beforeyoubegin__tepuser
Mostly I was happy because it had screen shots. :-) It may be that AD administration for LDAP clients is more integrated into the AD admin tools than is shown.

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM Systems Lab Services
IBM Z Delivery Practice
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
Re: zLinux authentication on windows AD LDAP
Until 2 years ago our AD was 2003. And that was a really big headache. And I think they dropped the last win2003 servers quite recently.

Since moving to a more recent AD the win guys have been debating moving off NTLM. But it seems there are some oldish applications that don't talk Kerberos and require NTLM.

Anyway, it's not my problem. But I thought I would just mention it when I saw your statement, in case anybody else does have NTLM still active.

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of David Boyes
Sent: Monday, 1 April 2019 07:23
To: LINUX-390@VM.MARIST.EDU
Subject: Re: zLinux authentication on windows AD LDAP

If you’ve been running in NTLM compatibility mode for nigh on 20 years (1999 was a long time ago), you’ve got much, much bigger headaches to worry about. There is a chapter in the document I referenced on what to do with NTLM-based authentication sources.

Linux is actually a pretty decent AD client and server these days now that AD is relatively free of the weird wire protocols - even works with some GPO operations, which keeps the Windows folks happy.

Just out of curiosity, how many pure NetBIOS/LAN Manager systems do you still have? They’re about the only thing I can think of that would still care about the old way. Anything post-Win9x with service packs should be able to do the Kerberos stuff.

> On Mar 31, 2019, at 6:15 PM, Harder, Pieter wrote:
>
> Not if your AD is still running in NTLM...
Re: zLinux authentication on windows AD LDAP
If you’ve been running in NTLM compatibility mode for nigh on 20 years (1999 was a long time ago), you’ve got much, much bigger headaches to worry about. There is a chapter in the document I referenced on what to do with NTLM-based authentication sources.

Linux is actually a pretty decent AD client and server these days now that AD is relatively free of the weird wire protocols - even works with some GPO operations, which keeps the Windows folks happy.

Just out of curiosity, how many pure NetBIOS/LAN Manager systems do you still have? They’re about the only thing I can think of that would still care about the old way. Anything post-Win9x with service packs should be able to do the Kerberos stuff.

> On Mar 31, 2019, at 6:15 PM, Harder, Pieter wrote:
>
> Not if your AD is still running in NTLM...
Re: zLinux authentication on windows AD LDAP
Not if your AD is still running in NTLM mode.

From: Linux on 390 Port on behalf of David Boyes
Sent: Sunday, 31 March 2019 20:43
To: LINUX-390@VM.MARIST.EDU
Subject: Re: zLinux authentication on windows AD LDAP

> Is it technically possible to authenticate logon with Active Directory LDAP

AD is just LDAP + Kerberos. Cookbook for doing this at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/introduction.
Re: zLinux authentication on windows AD LDAP
> Is it technically possible to authenticate logon with Active Directory LDAP

AD is just LDAP + Kerberos. Cookbook for doing this at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/introduction.
zLinux authentication on windows AD LDAP
Hello Group,

We are running zLinux SLES 12-3 on zVM. I'm looking for a way to authenticate user logon to a zLinux server over Windows AD LDAP. I configured the LDAP client to point to the Windows LDAP. Then I used ldapsearch to make a query for id user01 - I got results. I used the yast "auth" module to "test connection" - bind was successful. Then I tried to log on user01, which is not defined locally on Linux - only in AD. SSH returns the error "sshd: input_userauth_request: invalid user [preauth]".

Is it technically possible to authenticate logon with Active Directory LDAP? I've heard rumors this might be a problem, because AD users are not POSIX. Anyone tried to authenticate over AD?

Thanks in advance,
Mariusz
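An added example, not code from this thread, from SLES or from sssd, covering the question above and Mariusz's later answer (adding POSIX attributes to the AD users). The "invalid user" message comes from sshd's NSS lookup of the account failing before any password is checked; with AD that usually means the entry lacks the POSIX attributes the NSS backend needs. The script below checks both halves: `nss_resolves` asks NSS (via `getent`) whether a name resolves at all, and `ldif_posix_report` takes LDIF text as `ldapsearch -LLL` would print it and reports, per entry, which of uid/uidNumber/gidNumber/unixHomeDirectory/loginShell are missing. The sample LDIF, the DNs and the user names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the LINUX-390 thread or from sssd/SLES.
# Two checks for the "sshd: invalid user" symptom against AD:
#   nss_resolves USER        - does NSS (files/sss/ldap) know the account?
#   ldif_posix_report LDIF   - which entries lack the POSIX attributes?

# Constructed sample, shaped like 'ldapsearch -LLL' output for two AD users.
# user01 carries POSIX attributes, user02 does not (hypothetical DNs).
SAMPLE_LDIF='dn: CN=user01,OU=People,DC=example,DC=com
sAMAccountName: user01
uid: user01
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/user01
loginShell: /bin/bash

dn: CN=user02,OU=People,DC=example,DC=com
sAMAccountName: user02
'

# nss_resolves USER: succeed only if the name service switch resolves the
# account. sshd does the same lookup before authenticating, so a failure
# here is exactly what produces "invalid user [preauth]".
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# ldif_posix_report LDIF_TEXT: one line per entry, "<dn> ok" or
# "<dn> missing: <attrs>". Attribute names match case-insensitively, as
# LDAP does. Only the five POSIX attributes are examined.
ldif_posix_report() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            RS = ""; FS = "\n"   # blank-line separated LDIF entries, one line per field
            n = split("uid uidNumber gidNumber unixHomeDirectory loginShell", req, " ")
        }
        {
            dn = ""; split("", seen)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dn: /) { dn = substr($i, 5); continue }
                k = $i; sub(/:.*$/, "", k); seen[tolower(k)] = 1
            }
            missing = ""
            for (j = 1; j <= n; j++)
                if (!(tolower(req[j]) in seen)) missing = missing " " req[j]
            if (missing == "") print dn " ok"
            else print dn " missing:" missing
        }'
}

# Stand-alone run: report on the constructed sample, then probe NSS for an
# account that exists on every Linux box (root) and for the sample user.
ldif_posix_report "$SAMPLE_LDIF"
for u in root user01; do
    if nss_resolves "$u"; then echo "$u: resolves via NSS"
    else echo "$u: NOT resolvable via NSS (sshd would report invalid user)"; fi
done
```

On a real client, feed `ldif_posix_report` the output of `ldapsearch -LLL -b <base> '(sAMAccountName=user01)'` against the AD server; an entry that reports `missing:` will not appear in `getent passwd` unless sssd is configured to synthesize IDs (its ID-mapping mode) rather than read them from these attributes.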
Re: ldap question
Thx - I'll try that

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mark Post
Sent: Tuesday, February 26, 2019 9:17 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: ldap question

On 2/26/19 9:05 AM, Levy, Alan wrote:
> I changed the ldap server name and certificate yesterday and rebooted the
> sles 12sp3 server. I logged into the application and was successful. How can
> I tell if I am binding to the right ldap server (was my change really
> successful or not) ?

The way I would do that is to run tcpdump, then log in to the application, and see if the traffic was going to the IP address I expected.

Mark Post
Re: ldap question
On 2/26/19 9:05 AM, Levy, Alan wrote:
> I changed the ldap server name and certificate yesterday and rebooted the
> sles 12sp3 server. I logged into the application and was successful. How can
> I tell if I am binding to the right ldap server (was my change really
> successful or not) ?

The way I would do that is to run tcpdump, then log in to the application, and see if the traffic was going to the IP address I expected.

Mark Post
ldap question
I changed the ldap server name and certificate yesterday and rebooted the sles 12sp3 server. I logged into the application and was successful. How can I tell if I am binding to the right ldap server (was my change really successful or not)?
Re: LDAP on z/Linux: Anyone hosting a LDAP server on z/Linux?
For those of you with z/VM, you already have the IBM Directory Server, a full LDAP server included with base z/VM. The z/VM LDAP server is derived from the LDAP server included in the base z/OS operating system. Here's the technical introduction for z/VM 6.4's LDAP server:

https://www.ibm.com/support/knowledgecenter/en/SSB27U_6.4.0/com.ibm.zvm.v640.kldl0/tivdint1001262.htm

It's fully IBM supported, so you can open PMRs and whatnot. If you have z/VM RACF then z/VM LDAP is fully integrated with that, if you wish. (You don't have to. You can use it as a "generic" LDAP server, too.) Alan Altmark explains how some of the LDAP-RACF integration works in this older presentation here:

http://www.vm.ibm.com/devpages/altmarka/ldaplinx.pdf

That information was published around the time of z/VM 5.4, but it's still mostly relevant to the current release.

And it's all free if you already have z/VM. There's no additional licensing required for LDAP clients, whether or not they are z/VM guests. As an example, z/VSE includes LDAP sign-on support, and you can turn on that feature and use it with your licensed z/VM (with z/VM LDAP server) installation, no additional charge. Got some cloud servers halfway across the country that need a LDAP server? Sure, fine, no problem -- hook 'em up to z/VM LDAP. It's just part of the base z/VM package, with unlimited clients of any/every type that understand standard LDAPv3 protocol.

There are also quite a large number of IBM software products for Linux on Z/LinuxONE that include the IBM Security Directory Server (formerly IBM Tivoli Directory Server) for Linux on Z/LinuxONE, so you might already have LDAP servers that way. Just check the license, though, since they vary.
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE, Multi-Geography
E-Mail: sipp...@sg.ibm.com

--
For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: LDAP on z/Linux: Anyone hosting a LDAP server on z/Linux?
On Jul 24, 2018, at 6:32 AM, Brimacomb, Brent (TPF) wrote:
> Anyone hosting a LDAP server on z/Linux? Assume you're running OpenLDAP?
> What, if any, GUI are you using for admin?

I did, almost ten years ago, when I was last involved with Linux on z. Straight OpenLDAP, ppolicy overlay, no GUI.

> Other gotcha's we should be aware of?

Getting a linux client with NSS and PAM configured so "it works" is (relatively) easy. Getting it configured so it works without surprising edge cases in the event of, for example, LDAP being unavailable, or if you want password policy implemented, is extremely challenging---and keeps changing from release to release (sometimes in not-so-subtle ways). The documentation for this has always sucked, lacking many important details and glossing over fine points which turn out to be extremely relevant. I had to go to the source on more than one occasion to discover things like two options which are documented as equivalent actually have different code paths.

But this isn't z-specific, or even OpenLDAP specific.

Also, the opposite of a gotcha: our particular use case at that time (centralized auth for a lot of penguins all virtualized on one machine) meant that the usual drawbacks of a multi-master replication setup were immaterial (i.e. no realistic chance of a network split on a shared VSWITCH), which greatly simplified things.

ok
bear.

-- until further notice
Re: LDAP on z/Linux: Anyone hosting a LDAP server on z/Linux?
On 7/24/18, 9:33 AM, "Linux on 390 Port on behalf of Brimacomb, Brent (TPF)" wrote:
> Anyone hosting a LDAP server on z/Linux? Assume you're running OpenLDAP?

Yes and yes. Same as all our other Linux platforms in order to not confuse the mundanes. Everything's in the same places and it just works.

> What, if any, GUI are you using for admin?

Depends on the use. If you're using it to back up a Samba 4 implementation, the ones supplied with Windows domain management services work fine, as do the Apple OpenDirectory tools. Applications running their own interfaces work just as they do elsewhere. We mostly use the line mode commands, but we're cavemen like that.

> Other gotcha's we should be aware of?

Other than defusing their instinctive whining about no hardware for them to touch, it's exactly like any other OpenLDAP implementation. It's the same code and you plan and engineer for it in the exact same way.
Re: LDAP on z/Linux: Anyone hosting a LDAP server on z/Linux?
We use it, but for a fairly static application layer authentication. No GUI, no gotchas.

From: Linux on 390 Port on behalf of Brimacomb, Brent (TPF)
Sent: Tuesday, July 24, 2018 9:32:38 AM
To: LINUX-390@VM.MARIST.EDU
Subject: LDAP on z/Linux: Anyone hosting a LDAP server on z/Linux?

Anyone hosting a LDAP server on z/Linux? Assume you're running OpenLDAP?
What, if any, GUI are you using for admin?
Other gotcha's we should be aware of?

Regards,
Brent Brimacomb CISSP, CISM
DXC Technology
TPF Technology Consultant, TPF Infrastructure / Development Tools
cell phone: +01-918-906-1499
mailto:brent.brimac...@hpe.com
A dream is just a dream; but a goal is a dream with a plan.
LDAP on z/Linux: Anyone hosting a LDAP server on z/Linux?
Anyone hosting a LDAP server on z/Linux? Assume you're running OpenLDAP?
What, if any, GUI are you using for admin?
Other gotcha's we should be aware of?

Regards,
Brent Brimacomb CISSP, CISM
DXC Technology
TPF Technology Consultant, TPF Infrastructure / Development Tools
cell phone: +01-918-906-1499
mailto:brent.brimac...@hpe.com
A dream is just a dream; but a goal is a dream with a plan.
Re: openssh ssh-ldap-wrapper missing for SLES 11 SP4
Mark,

openssh-helpers is what I am looking for. But as I wrote, I can't find it.

I do see:
openssh
openssh-fips

And from another package:
openssh-askpass
openssh-askpass-gnome
openssh-fips

But I can not find the following two subpackages:
openssh-cavs
openssh-helpers

I do not care about openssh-cavs, but I need openssh-helpers. So can you tell me which binary repository I need to use?

On Monday, 27 July 2015, Mark Post mp...@suse.com wrote:

> On 7/27/2015 at 01:55 PM, Ronald van der Laan nl50...@gmail.com wrote:
> > With SLES11 SP3, we used the /usr/lib64/ssh/ssh-ldap-wrapper that was part of the openssh package, but with SP4, the LDAP integration part seems to have been split off into openssh-helpers. I only cannot find the package among the base packages, nor among the sdk ones. Has it somehow dropped off the packaging list or am I looking in the wrong repositories?
>
> Look for the openssh-helpers package.
>
> Mark Post

--
Ronald van der Laan
Re: openssh ssh-ldap-wrapper missing for SLES 11 SP4
On 7/28/2015 at 10:48 AM, Ronald van der Laan nl50...@gmail.com wrote:
> But I can not find the following two subpackages:
> openssh-cavs
> openssh-helpers
> I do not care about openssh-cavs, but I need openssh-helpers. So can you tell me which binary repository I need to use?

It's possible that they were not added to the list of packages that wind up on the media. I recommend you open up a bug with your service provider to get that fixed. The packages do exist in the build service, so they should be able to get you a copy of the current package while they work on the underlying problem.

Mark Post
Re: openssh ssh-ldap-wrapper missing for SLES 11 SP4
Mark,

Thanks, I'll open a ticket...

On Tuesday, 28 July 2015, Mark Post mp...@suse.com wrote:

> On 7/28/2015 at 10:48 AM, Ronald van der Laan nl50...@gmail.com wrote:
> > But I can not find the following two subpackages:
> > openssh-cavs
> > openssh-helpers
> > I do not care about openssh-cavs, but I need openssh-helpers. So can you tell me which binary repository I need to use?
>
> It's possible that they were not added to the list of packages that wind up on the media. I recommend you open up a bug with your service provider to get that fixed. The packages do exist in the build service, so they should be able to get you a copy of the current package while they work on the underlying problem.
>
> Mark Post

--
Ronald van der Laan
openssh ssh-ldap-wrapper missing for SLES 11 SP4
With SLES11 SP3, we used the /usr/lib64/ssh/ssh-ldap-wrapper that was part of the openssh package, but with SP4, the LDAP integration part seems to have been split off into openssh-helpers. I only cannot find the package among the base packages, nor among the sdk ones. Has it somehow dropped off the packaging list or am I looking in the wrong repositories?

--
Ronald van der Laan
Re: openssh ssh-ldap-wrapper missing for SLES 11 SP4
On 7/27/2015 at 01:55 PM, Ronald van der Laan nl50...@gmail.com wrote:
> With SLES11 SP3, we used the /usr/lib64/ssh/ssh-ldap-wrapper that was part of the openssh package, but with SP4, the LDAP integration part seems to have been split off into openssh-helpers. I only cannot find the package among the base packages, nor among the sdk ones. Has it somehow dropped off the packaging list or am I looking in the wrong repositories?

Look for the openssh-helpers package.

Mark Post
Re: Configure LDAP client on Red Hat 6.6
Ya-Fang,

> I'm not sure what to put in BASE DN

Looking at your e-mail address I would guess dc=ti,dc=com, but I see ou=le in an above example, so maybe your organization uses this older approach in the DIT architecture.

> Instead, I ran a script provided by our LDAP server support

Hmm, is there anyone who supports that script whom you can work with? If not, you can get hints by turning up debug levels. For example, you can try ssh'ing to a Linux system pointing to LDAP with the -d3 ssh flag. This might give you some hints, but if you think about it from a security point of view, the LDAP server doesn't want to give a lot of information about a failed login attempt. So I have started the LDAP server with a debug level (again -d3 works). Then a lot of info comes out on the LDAP server console which might be useful.

Hope this helps.

-Mike

On Thu, Nov 6, 2014 at 5:10 PM, Chen, Ya-Fang yafang-c...@ti.com wrote:

> Mike,
>
> Thank you for your information. Yes, our LDAP server does TLS encryption, and I've copied the certificate to /var/ldap directory and specified in /etc/ldap.conf as I mention in the below email.
>
> No, I didn't use authconfig-tui as I'm not sure what to put in BASE DN. (Cookbook example: Base DN: dc=itso,dc=ibm,dc=com) Instead, I ran a script provided by our LDAP server support. The script copied /etc/ldap.conf, /etc/pam.d/system-auth, /etc/pam.d/system-auth, and then copied the certificate to /var/ldap/VeriSignRsaSecureServerCA.pem. He said the script used to work for the old Redhat (probably 5 or earlier).
>
> I also tried to use ldapsearch command by specified the LDAP host name. I got SASL error if without -x option. With -x option, it can display my LDAP account information. If I didn't specify host name, it said Can't contact LDAP server.
>
> [root@slevmdb ~]# ldapsearch -h dledirnvip -b ou=le uid=a0867719
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
>
> [root@slevmdb ~]# ldapsearch -x -h dledirnvip -b ou=le uid=a0867719
> # extended LDIF
> #
> # LDAPv3
> # base <ou=le> with scope subtree
> # filter: uid=a0867719
> # requesting: ALL
> #
>
> # a0867719, people, le
> dn: uid=a0867719,ou=people,ou=le
> uid: a0867719
>
> [root@slevmdb ~]# ldapsearch -x -b ou=le uid=a0867719
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Regards,
> Ya-Fang
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Michael MacIsaac
> Sent: Wednesday, November 05, 2014 6:17 PM
> To: LINUX-390@vm.marist.edu
> Subject: Re: Configure LDAP client on Red Hat 6.6
>
> Ya-Fang,
>
> Wow, I sympathize with your questions. If you're new to Linux, don't try to configure LDAP on RHEL (or SLES for that matter). I've been doing it quite a while and it continues to kick my butt to this day. :)) But I would guess this is not one of your choices.
>
> You said you're configuring to authenticate to your organization's LDAP server - does it do TLS (encryption)? Check with your organization's LDAP administrator. If the answer is no, stop here. As I understand it, when RHEL moved to v6, it will not authenticate unless TLS is active.
>
> The next question is whether or not you are using the authconfig-tui command for setting up client authentication. I would recommend that you do, but you're not sure exactly what has changed. If so, an important part is that, I believe, you need to copy the LDAP server's certificate to each of the clients. Have you done that?
>
> Hope this helps.
>
> -Mike MacIsaac
>
> On Wed, Nov 5, 2014 at 5:24 PM, Chen, Ya-Fang yafang-c...@ti.com wrote:
> > Hi,
> >
> > I'm new to Linux system and just installed a Red Hat 6.6 on system z by following the cookbook.
> > I tried to configure the Linux system to be a LDAP client to connect to company's LDAP server for user authentication but am still having issue when logon on saying access denied.
> >
> > I've configured the below 3 files.
> > 1). /etc/ldap.conf (point to ldap hosts and base, and have below statement)
> >     tls_cacertfile /var/ldap/VeriSignRsaSecureServerCA.pem
> > 2). /etc/nsswitch.conf
> >     passwd: files ldap
> >     shadow: files ldap
> >     group: files ldap
> > 3). /etc/pam.d/system-auth (contains below statement)
> >     auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> >
> > Do I need to configure /etc/openldap/ldap.conf and/or any other file?
> >
> > Here are the packages I've installed. Not sure if I missed anything?
> > [root@slevmdb /]# rpm -qa | grep openldap
> > openldap-clients-2.4.39-8.el6.s390x
> > openldap-2.4.39-8.el6.s390x
> > [root@slevmdb /]# rpm -qa | grep sssd
> > sssd-client-1.11.6-30.el6.s390x
> > sssd-common-1.11.6-30.el6.s390x
> > sssd-proxy-1.11.6-30.el6.s390x
> > sssd-krb5-common-1.11.6-30.el6.s390x
> > sssd-common-pac-1.11.6-30.el6.s390x
> > sssd-ad-1.11.6-30.el6.s390x
> > sssd-ldap-1.11.6-30.el6.s390x
> > sssd-1.11.6-30.el6.s390x
> > python-sssdconfig-1.11.6-30
Re: Configure LDAP client on Red Hat 6.6
Mike,

Thank you for your information. Yes, our LDAP server does TLS encryption, and I've copied the certificate to the /var/ldap directory and specified it in /etc/ldap.conf as I mentioned in the email below. No, I didn't use authconfig-tui as I'm not sure what to put in the BASE DN. (Cookbook example: Base DN: dc=itso,dc=ibm,dc=com)

Instead, I ran a script provided by our LDAP server support. The script copied /etc/ldap.conf, /etc/pam.d/system-auth, /etc/pam.d/system-auth, and then copied the certificate to /var/ldap/VeriSignRsaSecureServerCA.pem. He said the script used to work for the old Redhat (probably 5 or earlier).

I also tried to use the ldapsearch command by specifying the LDAP host name. I got a SASL error without the -x option. With the -x option, it can display my LDAP account information. If I didn't specify the host name, it said "Can't contact LDAP server".

    [root@slevmdb ~]# ldapsearch -h dledirnvip -b ou=le uid=a0867719
    SASL/EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
            additional info: SASL(-4): no mechanism available:

    [root@slevmdb ~]# ldapsearch -x -h dledirnvip -b ou=le uid=a0867719
    # extended LDIF
    #
    # LDAPv3
    # base <ou=le> with scope subtree
    # filter: uid=a0867719
    # requesting: ALL
    #

    # a0867719, people, le
    dn: uid=a0867719,ou=people,ou=le
    uid: a0867719

    [root@slevmdb ~]# ldapsearch -x -b ou=le uid=a0867719
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Regards,
Ya-Fang

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Michael MacIsaac
Sent: Wednesday, November 05, 2014 6:17 PM
To: LINUX-390@vm.marist.edu
Subject: Re: Configure LDAP client on Red Hat 6.6

> Ya-Fang,
> [Mike's reply, quoted in full here, appears as its own message below.]

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
Configure LDAP client on Red Hat 6.6
Hi,

I'm new to Linux systems and just installed Red Hat 6.6 on System z by following the cookbook. I tried to configure the Linux system to be an LDAP client that connects to the company's LDAP server for user authentication, but am still having an issue when logging on: it says access denied. I've configured the 3 files below.

1) /etc/ldap.conf (points to the LDAP hosts and base, and has the statement below)

    tls_cacertfile /var/ldap/VeriSignRsaSecureServerCA.pem

2) /etc/nsswitch.conf

    passwd: files ldap
    shadow: files ldap
    group:  files ldap

3) /etc/pam.d/system-auth (contains the statement below)

    auth    sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass

Do I need to configure /etc/openldap/ldap.conf and/or any other file?

Here are the packages I've installed. Not sure if I missed anything?

    [root@slevmdb /]# rpm -qa | grep openldap
    openldap-clients-2.4.39-8.el6.s390x
    openldap-2.4.39-8.el6.s390x
    [root@slevmdb /]# rpm -qa | grep sssd
    sssd-client-1.11.6-30.el6.s390x
    sssd-common-1.11.6-30.el6.s390x
    sssd-proxy-1.11.6-30.el6.s390x
    sssd-krb5-common-1.11.6-30.el6.s390x
    sssd-common-pac-1.11.6-30.el6.s390x
    sssd-ad-1.11.6-30.el6.s390x
    sssd-ldap-1.11.6-30.el6.s390x
    sssd-1.11.6-30.el6.s390x
    python-sssdconfig-1.11.6-30.el6.noarch
    sssd-ipa-1.11.6-30.el6.s390x
    sssd-krb5-1.11.6-30.el6.s390x
    [root@slevmdb /]# rpm -qa | grep pam
    pam-1.1.1-20.el6.s390x
    pam_passwdqc-1.0.5-6.el6.s390x
    pam_krb5-2.3.11-9.el6.s390x
    nss-pam-ldapd-0.7.5-18.2.el6_4.s390x
    pam_ldap-185-11.el6.s390x

Thanks for help.

Thanks and Regards,
Ya-Fang
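The two ldap.conf files in play here are easy to confuse: /etc/ldap.conf (lowercase keys) is read by pam_ldap and nss_ldap, while /etc/openldap/ldap.conf (uppercase keys) is what ldapsearch reads, which is why a search works with -h but reports "Can't contact LDAP server" without it. The following Python checker is an added example, not code from the thread or from any of the packages listed above. It parses either file and flags the settings a client needs (server, base, CA certificate) plus two weak-verification settings. The host name, base and certificate path in the samples are taken from the thread; the file contents themselves are constructed.

```python
"""Sanity-check LDAP client configuration files before debugging logon failures.

Added example (not from the LINUX-390 thread). Two files matter on a RHEL 6
pam_ldap/nss_ldap client: /etc/ldap.conf (lowercase keys, read by pam_ldap and
nss_ldap) and /etc/openldap/ldap.conf (uppercase keys, read by ldapsearch and
the other OpenLDAP tools). The file contents below are constructed samples.
"""
from typing import Dict, List


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines. Keys are case-insensitive in both files, so
    they are lowercased; a repeated key keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_client_conf(conf: Dict[str, str]) -> List[str]:
    """Return findings as 'CODE: explanation' strings; an empty list is good."""
    findings: List[str] = []
    uri = conf.get("uri", "")
    if not (uri or conf.get("host")):
        findings.append("NO_SERVER: no URI/HOST; the tools fall back to ldap://localhost, "
                        "which shows up as \"Can't contact LDAP server\" unless -h is given")
    if not conf.get("base"):
        findings.append("NO_BASE: no BASE; every search needs an explicit -b")
    wants_tls = uri.lower().startswith("ldaps://") or \
        conf.get("ssl", "").lower() in ("start_tls", "on", "yes")
    has_ca = any(conf.get(k) for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir"))
    if wants_tls and not has_ca:
        findings.append("NO_CA: TLS requested but no CA certificate configured; "
                        "the server certificate cannot be verified")
    if conf.get("tls_reqcert", "").lower() in ("never", "allow") or \
            conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("WEAK_VERIFY: certificate verification is disabled or optional; "
                        "a spoofed server could collect passwords")
    return findings


# Constructed samples. Host, base and CA path follow the thread's values.
PAM_LDAP_CONF = """\
host dledirnvip
base ou=le
ssl start_tls
tls_cacertfile /var/ldap/VeriSignRsaSecureServerCA.pem
"""

# /etc/openldap/ldap.conf left at its packaged default: nothing configured.
EMPTY_OPENLDAP_CONF = "# See ldap.conf(5) for details\n"

# The same settings in the syntax ldapsearch reads.
FIXED_OPENLDAP_CONF = """\
URI ldap://dledirnvip
BASE ou=le
TLS_CACERT /var/ldap/VeriSignRsaSecureServerCA.pem
TLS_REQCERT demand
"""


def audit_all() -> Dict[str, List[str]]:
    """Check the three samples; used by the demo below."""
    return {
        "/etc/ldap.conf": check_client_conf(parse_ldap_conf(PAM_LDAP_CONF)),
        "/etc/openldap/ldap.conf (default)":
            check_client_conf(parse_ldap_conf(EMPTY_OPENLDAP_CONF)),
        "/etc/openldap/ldap.conf (fixed)":
            check_client_conf(parse_ldap_conf(FIXED_OPENLDAP_CONF)),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "OK")
```

Run against the samples, the pam_ldap file and the fixed OpenLDAP file pass, while the default /etc/openldap/ldap.conf produces NO_SERVER and NO_BASE, the two findings that correspond to the ldapsearch behaviour shown in the thread. The SASL error without -x is a separate matter: ldapsearch attempts a SASL bind by default, and -x selects a simple bind.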
Re: Configure LDAP client on Red Hat 6.6
Ya-Fang,

Wow, I sympathize with your questions. If you're new to Linux, don't try to configure LDAP on RHEL (or SLES for that matter). I've been doing it quite a while and it continues to kick my butt to this day. :)) But I would guess this is not one of your choices.

You said you're configuring to authenticate to your organization's LDAP server - does it do TLS (encryption)? Check with your organization's LDAP administrator. If the answer is no, stop here. As I understand it, when RHEL moved to v6, it will not authenticate unless TLS is active.

The next question is whether or not you are using the authconfig-tui command for setting up client authentication. I would recommend that you do, but you're not sure exactly what has changed. If so, an important part is that, I believe, you need to copy the LDAP server's certificate to each of the clients. Have you done that?

Hope this helps.

-Mike MacIsaac

On Wed, Nov 5, 2014 at 5:24 PM, Chen, Ya-Fang yafang-c...@ti.com wrote:
> Hi,
> [Ya-Fang's original question, quoted in full here, appears as its own message above.]
Re: LDAP on SLES 11 SP3 and the PADL migration tools
Mark,

Thanks for the reply. I dug on this some more and found that the rfc2307bis.schema file is now used instead of the old nis.schema, and posixGroup is no longer a structural object. Why this changed is beyond me. So I'll answer my own append - to change it back was tricky, but this seemed to work:

    # cd /etc/sysconfig
    # diff openldap openldap.orig
    148c148
    < OPENLDAP_CONFIG_BACKEND=files
    ---
    > OPENLDAP_CONFIG_BACKEND=ldap
    // Note: now the /etc/openldap/slapd.conf file will be read...
    # cd /etc/openldap
    # diff slapd.conf slapd.conf.default
    8,10c8
    < # replace rfc2307bis.schema with nis.schema
    < #include /etc/openldap/schema/rfc2307bis.schema
    < include /etc/openldap/schema/nis.schema
    ---
    > include /etc/openldap/schema/rfc2307bis.schema
    ...
    # service ldap restart
    ...

I'm not sure these changes are a Good Thing, but at least I can now ldapadd the LDIF file created by the PADL migration tools. If you have any LDAP guys in house you might want to bounce this off of them. (http://www.padl.com/~lukeh/rfc2307bis.txt is related and goes back to 2002)

Thanks.

-Mike

On Wed, Apr 23, 2014 at 2:18 PM, Mark Post mp...@suse.com wrote:
> [Mark's reply, quoted in full here, appears as its own message below.]
LDAP on SLES 11 SP3 and the PADL migration tools
Hello list,

I'm far from an expert with LDAP, but am trying to set up a sample environment to demonstrate centralized authentication. For a long time, the Migration Tools from padl.com worked, but this no longer seems to be the case on SLES 11 SP3. I set up LDAP using yast as described in section 18.3 of the latest Virtualization Cookbook. I download Migration-Tools-47, create an initial.ldif file from /etc/passwd and /etc/group, but cannot add it to create an initial LDAP database. The error is below. It seems to be because posixGroup is no longer a structural object in the schema. Has anyone seen this? Is there a way to load a different (classic :)) schema?

Thanks.

-Mike MacIsaac

    # ldapadd -x -h localhost -D cn=Administrator,dc=example,dc=com -w secret -f initial.ldif
    adding new entry "dc=example,dc=com"
    adding new entry "ou=Hosts,dc=example,dc=com"
    adding new entry "ou=Rpc,dc=example,dc=com"
    adding new entry "ou=Services,dc=example,dc=com"
    adding new entry "nisMapName=netgroup.byuser,dc=example,dc=com"
    adding new entry "ou=Mounts,dc=example,dc=com"
    adding new entry "ou=Networks,dc=example,dc=com"
    adding new entry "ou=People,dc=example,dc=com"
    adding new entry "ou=Group,dc=example,dc=com"
    adding new entry "ou=Netgroup,dc=example,dc=com"
    adding new entry "ou=Protocols,dc=example,dc=com"
    adding new entry "ou=Aliases,dc=example,dc=com"
    adding new entry "nisMapName=netgroup.byhost,dc=example,dc=com"
    adding new entry "cn=at,ou=Group,dc=example,dc=com"
    ldap_add: Object class violation (65)
            additional info: no structural object class provided
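The failure above, and the schema swap described in the reply earlier in this thread, both come down to one rule: every LDAP entry must carry exactly one STRUCTURAL object class, and posixGroup is STRUCTURAL in nis.schema but AUXILIARY in rfc2307bis.schema. The following Python script is an added example, not part of the thread or of the PADL tools. It reads an LDIF file and reports the entries that would fail with "no structural object class provided" under a given schema, so the problem can be found before ldapadd stops halfway through an import. The schema table is a constructed, minimal subset of the real schema files, and the LDIF sample is constructed in the style of the migration tools' output.

```python
"""Find LDIF entries that lack a structural object class before running ldapadd.

Added example (not from the thread). The schema table is a constructed,
minimal subset of the OpenLDAP schema files: nis.schema defines posixGroup as
STRUCTURAL, rfc2307bis.schema defines it as AUXILIARY, which is why an entry
with only posixGroup and top is rejected on a server that loads rfc2307bis.
"""
import base64
from typing import Dict, List

# objectClass name -> kind, for the classes a migration LDIF typically uses.
NIS_SCHEMA = {
    "top": "abstract",
    "dcObject": "auxiliary",
    "organization": "structural",
    "organizationalUnit": "structural",
    "nisMap": "structural",
    "account": "structural",
    "posixAccount": "auxiliary",
    "shadowAccount": "auxiliary",
    "posixGroup": "structural",
    "groupOfNames": "structural",
}
RFC2307BIS_SCHEMA = dict(NIS_SCHEMA, posixGroup="auxiliary")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, '#' comments,
    '::' base64 values and leading-space continuation lines."""
    entries: List[Dict[str, List[str]]] = []
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                     # trailing "" flushes the last entry
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def missing_structural(entries: List[Dict[str, List[str]]],
                       schema: Dict[str, str]) -> List[str]:
    """DNs of entries whose objectClass values contain no STRUCTURAL class."""
    bad: List[str] = []
    for entry in entries:
        kinds = {schema.get(oc, "unknown") for oc in entry.get("objectClass", [])}
        if "structural" not in kinds:
            bad.append(entry.get("dn", ["<no dn>"])[0])
    return bad


# Constructed sample in the style of the PADL migration tools' output.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
dc: example
o: example
objectClass: top
objectClass: dcObject
objectClass: organization

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=at,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: at
gidNumber: 25
"""

if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("nis.schema       :", missing_structural(parsed, NIS_SCHEMA) or "all entries OK")
    print("rfc2307bis.schema:", missing_structural(parsed, RFC2307BIS_SCHEMA) or "all entries OK")
```

Under the nis table every entry passes; under the rfc2307bis table the group entry is reported, matching the point at which the import in the thread stopped. The alternative to swapping the schema back, as the reply describes, is to give each group an additional structural class that the server's schema accepts; which class that is depends on the schema the server loads, so the script only reports and does not rewrite the LDIF.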
Re: LDAP on SLES 11 SP3 and the PADL migration tools
On 4/23/2014 at 11:28 AM, Michael MacIsaac mike99...@gmail.com wrote:
> ldap_add: Object class violation (65)
>         additional info: no structural object class provided

A search on this turned up a number of interesting hits, but nothing specific to your case. It might be worthwhile to see if the schema generated by the tool looks right. The hit that gave a little bit of illustration was this:
http://www.openldap.org/lists/openldap-software/200309/msg00459.html

Mark Post
stop ldap
Help, in production problem. I cannot ssh to the zLinux 11.2 server because ldap is running. How do I turn it off? I am logged in at a terminal screen. It is openldap. Need more info?

David M. Dean
Re: stop ldap
pkill slapd?

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Dean, David (I/S)
Sent: Tuesday, June 18, 2013 8:28 AM
To: LINUX-390@VM.MARIST.EDU
Subject: stop ldap

> Help, in production problem. I cannot ssh to the zLinux 11.2 server because ldap is running. How do I turn it off? I am logged in at a terminal screen. It is openldap. Need more info?
Re: stop ldap
Yes THANK YOU!!!

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Veencamp, Jonathon D.
Sent: Tuesday, June 18, 2013 9:32 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: stop ldap

> pkill slapd?
Re: stop ldap
On 6/18/2013 at 09:28 AM, Dean, David (I/S) david_d...@bcbst.com wrote:
> Help, in production problem. I cannot ssh to the zLinux 11.2 server because ldap is running. How do I turn it off? I am logged in at a terminal screen. It is openldap. Need more info?

rcldap stop

Mark Post
Re: stop ldap
Pkill slapd worked, now how do I turn it off permanently before reboot? THANKS ALL

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mark Post
Sent: Tuesday, June 18, 2013 9:37 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: stop ldap

> rcldap stop
>
> Mark Post
Re: stop ldap
Ok, all, help again. I was able to kill the service, but I can't figure out where to turn it off permanently? Xinet.d, inet.d?? I know I should RT$@%M but I have buzzards flying over my cubicle.

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Mark Post
Sent: Tuesday, June 18, 2013 9:37 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: stop ldap

> rcldap stop
>
> Mark Post
Re: stop ldap
On 6/18/2013 at 09:45 AM, Dean, David (I/S) david_d...@bcbst.com wrote:
> Pkill slapd worked, now how do I turn it off permanently before reboot?

I would say that uninstalling the package should work. Otherwise chkconfig ldap off.

Mark Post
Re: stop ldap
Well, because there are 80 ways to do everything, I can't say for sure which method you used to turn it on. If this is SLES, I'd start with 'yast2 runlevel' and see if it was enabled to auto start there...

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Dean, David (I/S)
Sent: Tuesday, June 18, 2013 9:32 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: stop ldap

> Ok, all, help again. I was able to kill the service, but I can't figure out where to turn it off permanently? Xinet.d, inet.d?? I know I should RT$@%M but I have buzzards flying over my cubicle.
Re: stop ldap
I think that on RHEL and SuSE, it is still chkconfig.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-services-chkconfig.html

If not, then it is systemctl.
http://sys-log.tumblr.com/post/16117093002/cheat-sheet-chkconfig-vs-systemctl

On Tue, Jun 18, 2013 at 9:31 AM, Dean, David (I/S) david_d...@bcbst.com wrote:
> Ok, all, help again. I was able to kill the service, but I can't figure out where to turn it off permanently? Xinet.d, inet.d?? I know I should RT$@%M but I have buzzards flying over my cubicle.

--
This is a test of the Emergency Broadcast System. If this had been an actual emergency, do you really think we'd stick around to tell you?

Maranatha!
John McKown
Re: SSH and LDAP/RACF
On Mon, Jul 23, 2012 at 10:25:34AM +0100, Malcolm Beattie wrote:
> There's a section of the sshd(8) man page beginning:
>
>     Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups. The definition of a locked account is system dependant. Some platforms...
>
> and which then (as I try to ignore the misspelling of dependent) gives O/S-specific ways that it checks for locked accounts, usually by special contents of a directly-accessed shadow password field such as *LK, Nologin, !. From that, I'd guess that sshd may not invoke PAM in a way that would let you use pam_ldap to do the appropriate lookup via LDAP.

It should be sufficient to setup NSS to list the locked password in getent shadow (as root). Normally you have libnss-ldap(d) in addition to libpam-ldap(d).

Kind regards
Philipp Kern
Re: SSH and LDAP/RACF
Dear Philipp,

I tried to look into that deeper but I could not find any information about how to configure that:

nsswitch.conf states:

    shadow: ldap files

A getent delivers:

    $ getent shadow bilek1
    bilek1:*:::0

There is no difference if the user is locked or not. In case I state a userid which does not exist, getent delivers nothing.

Kind regards,
Florian

On Tue, Jul 24, 2012 at 8:52 AM, Philipp Kern pk...@debian.org wrote:
> It should be sufficient to setup NSS to list the locked password in getent shadow (as root). Normally you have libnss-ldap(d) in addition to libpam-ldap(d).
>
> Kind regards
> Philipp Kern

--
Best regards
Florian Bilek
Re: SSH and LDAP/RACF
Hi Malcolm,

I will give this workaround a try. But the idea was that a simple CMS 'rac alu userid' revoke would deny access of a user to all systems. With the workaround I need again a sort of exec that connects/disconnects the user to a NOLOG group. Or I need to disable the whole feature with the RSA keys which is also quite painful when you have to maintain a lot of LINUX guests. Maybe I find another way to configure the PAM properly.

BTW: I find it a pity that there is no easy way to use the OVM segment of the RACF user profile to save the default shell, uid and gid etc. It is required to mess around with the posixAccount objectclass which is not even part of the official delivery of the IBM/Tivoli LDAP server and requires schema modifications etc. It works but it requires a lot of work to make that work. Seems there is a lot of room for improvements. ;-)

BR
Florian

On Mon, Jul 23, 2012 at 11:25 AM, Malcolm Beattie beatt...@uk.ibm.com wrote:
> What about, as a workaround, creating a RACF group named NOLOGIN, connecting revoked users to that group (an extra step, but that's why I called it a workaround not a proper solution) and then putting DenyGroups nologin in your sshd_config? If z/VM LDAP doesn't special case group membership lookups for revoked users then I think that may work.
>
> --Malcolm
Re: SSH and LDAP/RACF
Florian Bilek writes:
> 2.) In principle the login via SSH is working very well. I encountered recently a kind of weakness in the configuration: A RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still login. What can be done about that?

There's a section of the sshd(8) man page beginning:

    Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups. The definition of a locked account is system dependant. Some platforms...

and which then (as I try to ignore the misspelling of dependent) gives O/S-specific ways that it checks for locked accounts, usually by special contents of a directly-accessed shadow password field such as *LK, Nologin, !. From that, I'd guess that sshd may not invoke PAM in a way that would let you use pam_ldap to do the appropriate lookup via LDAP.

What about, as a workaround, creating a RACF group named NOLOGIN, connecting revoked users to that group (an extra step, but that's why I called it a workaround not a proper solution) and then putting DenyGroups nologin in your sshd_config? If z/VM LDAP doesn't special case group membership lookups for revoked users then I think that may work.

--Malcolm
--
Malcolm Beattie
Mainframe Systems and Software Business, Europe
IBM UK
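The thread's three observations fit together once the sshd(8) check is written out: a public-key login never reaches PAM's auth step, the LDAP-backed shadow entry shows a bare '*' whether or not RACF has revoked the user (Florian's getent output earlier in the thread), and the man page's locked-account test looks for specific markers in that field, so the revoked user is still "accessible". The following Python model is an added example, not code from the thread and not OpenSSH code. It applies the three accessibility checks the quoted man page text names (locked shadow entry, DenyUsers, DenyGroups) and shows why the NOLOGIN-group workaround closes the gap. The locked-password markers are taken from the quoted text and treated as password-field prefixes, which is a simplification; the shadow lines, group lists and sshd_config snippets are constructed.

```python
"""Model the account-accessibility check that sshd(8) performs after a
successful authentication: locked shadow entry, DenyUsers, DenyGroups.

Added example (not from the thread and not OpenSSH code). The locked-password
markers follow the man page text quoted in the thread; on Linux builds of
OpenSSH the decisive marker is a leading '!'. All shadow lines, group lists
and sshd_config snippets below are constructed.
"""
import fnmatch
from typing import Dict, List, Tuple

# Markers named in the quoted sshd(8) text, modelled here as prefixes of the
# password field. A bare '*' is not among them, which is the thread's problem.
LOCKED_PREFIXES = ("!", "*LK", "Nologin")


def shadow_is_locked(shadow_line: str) -> bool:
    """True if the password field of a shadow(5) / getent shadow line marks
    the account as locked."""
    fields = shadow_line.split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow line: %r" % shadow_line)
    return fields[1].startswith(LOCKED_PREFIXES)


def parse_deny_lists(sshd_config: str) -> Dict[str, List[str]]:
    """Collect DenyUsers / DenyGroups patterns: keywords are case-insensitive,
    values are space-separated, and repeated lines accumulate."""
    lists: Dict[str, List[str]] = {"denyusers": [], "denygroups": []}
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key in lists:
            lists[key].extend(parts[1:])
    return lists


def account_accessible(user: str, shadow_line: str, groups: List[str],
                       sshd_config: str) -> Tuple[bool, str]:
    """Apply the three checks in the order the man page lists them.
    Simplification: the user@host form of DenyUsers patterns is not modelled."""
    if shadow_is_locked(shadow_line):
        return False, "locked shadow entry"
    deny = parse_deny_lists(sshd_config)
    for pattern in deny["denyusers"]:
        if fnmatch.fnmatchcase(user, pattern):
            return False, "DenyUsers %s" % pattern
    for pattern in deny["denygroups"]:
        for group in groups:
            if fnmatch.fnmatchcase(group, pattern):
                return False, "DenyGroups %s (member of %s)" % (pattern, group)
    return True, "accessible"


# Constructed inputs. The first shadow line mirrors the getent output in the
# thread: the LDAP-backed entry shows '*' whether or not RACF has revoked the
# user, so sshd does not see it as locked.
LDAP_SHADOW_REVOKED = "bilek1:*:::0"
LOCAL_SHADOW_LOCKED = "bob:!$6$saltsalt$hashhash:16000:0:99999:7:::"
SSHD_CONFIG_WORKAROUND = "PubkeyAuthentication yes\nDenyGroups nologin\n"


def demo() -> Dict[str, Tuple[bool, str]]:
    """The situations discussed in the thread."""
    return {
        "revoked in RACF, key login, no workaround":
            account_accessible("bilek1", LDAP_SHADOW_REVOKED, ["users"], ""),
        "revoked in RACF, key login, NOLOGIN group + DenyGroups":
            account_accessible("bilek1", LDAP_SHADOW_REVOKED, ["users", "nologin"],
                               SSHD_CONFIG_WORKAROUND),
        "local account locked with '!'":
            account_accessible("bob", LOCAL_SHADOW_LOCKED, ["users"], ""),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print("%-58s %s (%s)" % (case, "ALLOWED" if ok else "DENIED", why))
```

The first case is the weakness Florian reports: nothing in the shadow line or the sshd_config denies the user, so the key login goes through. The second case is Malcolm's workaround: the group name that NSS returns for the RACF NOLOGIN group must match the DenyGroups pattern exactly (the match is case-sensitive here, as sshd's pattern matching is), so check what getent group shows for that group before relying on it. The third case shows what a locally locked account looks like to the same check, which is what the NSS shadow map would need to return for the revoke to take effect without any group bookkeeping.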
Re: SSH and LDAP/RACF
On 7/21/12 3:39 PM, Florian Bilek wrote:

> 2.) In principle the login via SSH is working very well. I encountered recently a kind of weakness in the configuration: A RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still log in. What can be done about that?

Ssh apparently bypasses the PAM auth step if it has an ssh key match. Perhaps experiment by adding a PAM account or PAM session step which refers to pam_ldap? I'm unclear if the pam_ldap module supports these steps, though; the documentation is unclear.

One other useful PAM module which may apply here is pam_access. pam_access does explicitly support the account and session module types, and it's quite flexible. You might be able to craft e.g. a denied_users group which would deny access to any member of that group.

One final thought: I seem to recall there are patches flying around which allow ssh public keys to be stored in LDAP. Perhaps investigate this idea. If pubkeys could only be in a user's LDAP entry, then as part of a revoke process, these keys could be removed. Google "ssh public key ldap".

Hope that helps,
-- Pat
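The pam_access suggestion, worked through as an added example that is not from the thread or from Linux-PAM: a small evaluator for access.conf rules of the kind `- : (denied_users) : ALL`, showing the first-matching-rule semantics and why the group deny line has to precede any permit line. The rules, the group table and the origins are constructed; only the syntax subset used here is implemented (ALL, LOCAL, (group), EXCEPT, exact user and host names, a leading-dot domain suffix), and bare group names without parentheses, netgroups and CIDR origins are left out. On the real system this logic runs at the account stage only if the sshd PAM stack contains a line such as `account required pam_access.so` and sshd_config has `UsePAM yes`.

```python
"""Small evaluator for pam_access(8) access.conf rules, to show how a
"denied_users" group rule behaves at the PAM account stage.  Added example
for this thread, not code from Linux-PAM or from the list.  Rules, groups
and origins are constructed; only the syntax subset used below is handled
(ALL, LOCAL, (group), EXCEPT, exact user/host names, leading-dot suffix)."""

# Constructed group membership, as NSS (files + ldap) would resolve it.
GROUPS = {
    "denied_users": ["dave"],            # revoked accounts get connected here
    "sysadm": ["alice"],
    "usrys": ["alice", "bob", "carol", "dave"],
}

# Constructed /etc/security/access.conf: the first matching rule wins.
ACCESS_CONF = """
# permission : users/groups : origins
- : (denied_users) : ALL
+ : (sysadm) : ALL
+ : ALL EXCEPT bob : LOCAL .example.com
- : ALL : ALL
"""


def _in_group(user, group):
    return user in GROUPS.get(group, [])


def _match_users(user, tokens):
    """Users field: ALL, (group), user names, with an optional EXCEPT clause."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_users(user, tokens[:i]) and not _match_users(user, tokens[i + 1:])
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            if _in_group(user, tok[1:-1]):
                return True
        elif tok == user:
            return True
    return False


def _match_origins(origin, tokens):
    """Origins field: ALL, LOCAL (origin without a dot), .domain suffix, exact."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_origins(origin, tokens[:i]) and not _match_origins(origin, tokens[i + 1:])
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok == "LOCAL" and "." not in origin:
            return True
        if tok.startswith(".") and origin.endswith(tok):
            return True
        if tok == origin:
            return True
    return False


def parse_access_conf(text):
    """Return (permit, user_tokens, origin_tokens) per non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def pam_access(user, origin, conf=ACCESS_CONF):
    """Account-stage decision: True = PAM_SUCCESS, False = PAM_PERM_DENIED.
    No matching rule means access is granted, as in pam_access."""
    for permit, users, origins in parse_access_conf(conf):
        if _match_users(user, users) and _match_origins(origin, origins):
            return permit
    return True


if __name__ == "__main__":
    for who, where in (("dave", "10.1.2.3"), ("alice", "10.1.2.3"),
                       ("bob", "ws01"), ("carol", "ws01"),
                       ("carol", "ws01.example.com"), ("carol", "10.1.2.3")):
        print(who, where, "permit" if pam_access(who, where) else "deny")
```

Because evaluation stops at the first match, a `+ : ALL : ALL` line placed above the `(denied_users)` rule silently neutralises it; the last assertion in the test shows that ordering mistake.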
Re: SSH and LDAP/RACF
Hi Mauro,

Thank you for this hint. I hope it can be possible to check both ways and not disable the certificate logins.

Kind regards,
Florian

On Sun, Jul 22, 2012 at 3:30 AM, Mauro Souza thoriu...@gmail.com wrote:

> I don't have a SLES handy to take a look and see about the password length, but solving the key issue is simple: Edit /etc/ssh/sshd_config and change PubkeyAuthentication to no. This way nobody can log in using a key and RACF takes care of auth for you.

--
Best regards
Florian Bilek
SSH and LDAP/RACF
Dear all,

I have quite some difficult problems in the configuration of SLES 11 SP2 and SSH when using LDAP (on z/VM with RACF) for user authentication. That configuration works in principle quite well. Nevertheless I have the following issues which I don't know how to solve:

1.) In this configuration I have now three components (RACF, LDAP and SLES) who can enforce password checking rules. In LDAP and RACF there are NO rules set yet. I have tried several combinations in the PAM configs but I do not succeed in having one common policy. I want to have a minimum length of 5 characters but I cannot convince SLES to allow this. It always asks for a minimum of 6 characters.

2.) In principle the login via SSH is working very well. I encountered recently a kind of weakness in the configuration: A RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still log in. What can be done about that?

Do you have any hints how those problems can be solved? Of course it has to do with PAM configuration but for the moment it looks like voodoo to me. Any help would be appreciated.

Thank you very much in advance.

--
Best regards
Florian
Re: SSH and LDAP/RACF
I don't have a SLES handy to take a look and see about the password length, but solving the key issue is simple: Edit /etc/ssh/sshd_config and change PubkeyAuthentication to no. This way nobody can log in using a key and RACF takes care of auth for you.

On 21/07/2012 16:43, Florian Bilek florian.bi...@gmail.com wrote:

> Dear all,
>
> I have quite some difficult problems in the configuration of SLES 11 SP2 and SSH when using LDAP (on z/VM with RACF) for user authentication. That configuration works in principle quite well. Nevertheless I have the following issues which I don't know how to solve:
>
> 1.) In this configuration I have now three components (RACF, LDAP and SLES) who can enforce password checking rules. In LDAP and RACF there are NO rules set yet. I have tried several combinations in the PAM configs but I do not succeed in having one common policy. I want to have a minimum length of 5 characters but I cannot convince SLES to allow this. It always asks for a minimum of 6 characters.
>
> 2.) In principle the login via SSH is working very well. I encountered recently a kind of weakness in the configuration: A RACF user that uses its own RSA keys to log into the system. When I do a RACF revoke on that user, it seems that the LDAP check does not take place and the user can still log in. What can be done about that?
>
> Do you have any hints how those problems can be solved? Of course it has to do with PAM configuration but for the moment it looks like voodoo to me. Any help would be appreciated.
>
> Thank you very much in advance.
>
> --
> Best regards
> Florian
Re: Question to LDAP/RACF
Dear Robert,

In the case the nsswitch.conf is correctly set, id delivers also the membership in posixGroups from LDAP. You have to add ldap next to files in the config. I did several tests and the posixGroups work well, while the dynamic groups are not supported by pam_ldap.

There is also something which I would like to see: RACF supports in either the OMVS or OVM profile all the relevant posixAttributes such as uid, gid, shell, home directory. This is also not supported by pam_ldap. If this were supported you could manage the users/groups simply from RACF, while in the current situation you must maintain the LDAP part as well. For our system administrators it would be much more convenient to manage users from RACF than to handle any LDAP tools.

Kind regards,
Florian

On Thu, Jun 7, 2012 at 2:12 AM, Robert Hart pbch...@au1.ibm.com wrote:

> Florian,
>
> Not too familiar with dynamic groups but I'm wondering if your expectations are correct. You seem to be expecting that a dynamic group set up in LDAP will reflect in the output of the Linux id and getent commands. I don't see why that should be the case - id and getent display information from the file system and databases on the Linux machine, not from the LDAP server backend.
>
> Regards,
> Robert Hart
> Australia Development Laboratory (ADL), West Perth, Western Australia
> Internet: pbch...@au1.ibm.com
> Telephone: 61-8-9261-8560  Tie-line: 701-18560  Fax: 61-8-9261-8453

--
Best regards
Florian Bilek
Re: Question to LDAP/RACF
Florian,

Not too familiar with dynamic groups but I'm wondering if your expectations are correct. You seem to be expecting that a dynamic group set up in LDAP will reflect in the output of the Linux id and getent commands. I don't see why that should be the case - id and getent display information from the file system and databases on the Linux machine, not from the LDAP server backend.

Regards,
Robert Hart
Australia Development Laboratory (ADL), West Perth, Western Australia
Internet: pbch...@au1.ibm.com
Telephone: 61-8-9261-8560  Tie-line: 701-18560  Fax: 61-8-9261-8453

- Message from Florian Bilek florian.bi...@gmail.com on Mon, 21 May 2012 22:57:21 +0200 -
Subject: Question to LDAP/RACF

> Dear all,
>
> I am trying to enable the z/VM LDAP/RACF configuration to consolidate the user administration into one directory. In principle the thing works fine, however I have a question regarding the right configuration:
>
> LDAP allows for dynamic groups. Those groups are based on LDAP queries and avoid the need of adding/deleting users to such groups manually. I defined a dynamic group called users that would qualify all accounts that have the attribute uid. The memberURL is as follows:
>
>   dn: cn=users,dc=xxx
>   objectclass: posixGroup
>   objectclass: top
>   objectclass: ibm-dynamicGroup
>   cn: users
>   gidnumber: 100
>   memberurl: ldap:///dc=xxx??one?((objectClass=person)(uid=*))
>
> When I log in now with a user I see the following:
>
>   $ id
>   uid=11002(xbilek) gid=9(usrys) groups=9(usrys)
>
> but it should look like
>
>   uid=11002(xbilek) gid=9(usrys) groups=100(users),9(usrys)
>
> The getent group command shows only the name of the groups but no members:
>
>   getent group users
>
> shows only:
>
>   users:x:100:
>
>   getent group usrys
>
> shows only:
>
>   users:x:9:
>
> Maybe the posixGroup is not the best. Is there a howto describing the parameters that need to be checked in ldap.conf?
>
> Thank you very much in advance.
>
> --
> Best regards
> Florian Bilek
Re: Question to LDAP/RACF
I'm not familiar with the dynamic groups feature of LDAP but have other LDAP experience. If I had to guess, the one? portion of your memberurl attribute looks like the scope of the query. Assuming your group members are down the tree in another OU, I'd try changing that to sub?, making your memberurl:

  memberurl: ldap:///dc=xxx??sub?((objectClass=person)(uid=*))

I typically work out my queries via the ldapsearch command. Notice the -s scope option for more on what I'm talking about. (LESS=Ipsub man ldapsearch)

-- Jon Miller

On Wed, Jun 6, 2012 at 8:12 PM, Robert Hart pbch...@au1.ibm.com wrote:

> Florian,
>
> Not too familiar with dynamic groups but I'm wondering if your expectations are correct. You seem to be expecting that a dynamic group set up in LDAP will reflect in the output of the Linux id and getent commands. I don't see why that should be the case - id and getent display information from the file system and databases on the Linux machine, not from the LDAP server backend.
>
> Regards,
> Robert Hart
> Australia Development Laboratory (ADL), West Perth, Western Australia
> Internet: pbch...@au1.ibm.com
> Telephone: 61-8-9261-8560  Tie-line: 701-18560  Fax: 61-8-9261-8453
Question to LDAP/RACF
Dear all,

I am trying to enable the z/VM LDAP/RACF configuration to consolidate the user administration into one directory. In principle the thing works fine, however I have a question regarding the right configuration:

LDAP allows for dynamic groups. Those groups are based on LDAP queries and avoid the need of adding/deleting users to such groups manually. I defined a dynamic group called users that would qualify all accounts that have the attribute uid. The memberURL is as follows:

  dn: cn=users,dc=xxx
  objectclass: posixGroup
  objectclass: top
  objectclass: ibm-dynamicGroup
  cn: users
  gidnumber: 100
  memberurl: ldap:///dc=xxx??one?((objectClass=person)(uid=*))

When I log in now with a user I see the following:

  $ id
  uid=11002(xbilek) gid=9(usrys) groups=9(usrys)

but it should look like

  uid=11002(xbilek) gid=9(usrys) groups=100(users),9(usrys)

The getent group command shows only the name of the groups but no members:

  getent group users

shows only:

  users:x:100:

  getent group usrys

shows only:

  users:x:9:

Maybe the posixGroup is not the best. Is there a howto describing the parameters that need to be checked in ldap.conf?

Thank you very much in advance.

--
Best regards
Florian Bilek
Re: z/VM 6.2 LDAP Question
Dear Dave,

Yes indeed, that is correct, and when I read your answer I thought I had forgotten to load the BFS. However I checked with the original BFS (VMSYS). This specific file is also not there. So I will add that file to the LDAP-BFS load exec. Hope that this will solve the problem, otherwise I will open a PMR.

Kind regards,
Florian

On Mon, May 7, 2012 at 11:39 AM, Florian Bilek florian.bi...@gmail.com wrote:

> Dear all,
>
> I tried to enable advanced replication on the z/VM 6.2 LDAP server. Unfortunately I face an unknown error. When I look at the console of the LDAP server it states
>
>   LDAP: Unable to open message catalog gldrmsgs.cat
>
> Does somebody know what this means? gldrmsgs.cat is a file that exists on TCPIP 591 and the LDAP server machine has access to this minidisk. I could not find any hint regarding this message. Maybe LDAPSRV would give more information regarding my replication problem if it could open that message file.
>
> Thanks for your advice.
Re: z/VM 6.2 LDAP Question
Dear all,

After investigating this problem, it turned out that this is indeed an error. In the file LDAPSRV LOADBFS the message catalogs for US English and Kanji for this new component, Advanced replication, are missing. Those catalogs are the files gldrmsgs.cat and gldrmsga.cat. Loading them manually into the BFS (via the LOADBFS utility) is working. I will open a corresponding PMR at IBM.

Kind regards,
Florian

On Tue, May 8, 2012 at 8:23 AM, Florian Bilek florian.bi...@gmail.com wrote:

> Dear Dave,
>
> Yes indeed, that is correct, and when I read your answer I thought I had forgotten to load the BFS. However I checked with the original BFS (VMSYS). This specific file is also not there. So I will add that file to the LDAP-BFS load exec. Hope that this will solve the problem, otherwise I will open a PMR.
>
> Kind regards,
> Florian
z/VM 6.2 LDAP Question
Dear all,

I tried to enable advanced replication on the z/VM 6.2 LDAP server. Unfortunately I face an unknown error. When I look at the console of the LDAP server it states

  LDAP: Unable to open message catalog gldrmsgs.cat

Does somebody know what this means? gldrmsgs.cat is a file that exists on TCPIP 591 and the LDAP server machine has access to this minidisk. I could not find any hint regarding this message. Maybe LDAPSRV would give more information regarding my replication problem if it could open that message file.

Thanks for your advice.

--
Best regards
Florian Bilek
Re: z/VM 6.2 LDAP Question
Hi, Florian.

The LDAP server provided by z/VM requires that its message catalog file be stored in the BFS and not just on TCPMAINT's 591 mdisk. Here's what the manual has to say:

  The LDAP server requires use of the OpenExtensions Byte File System to access the LDAP server message catalog files and to store the schema backend and other database files associated with the LDBM or GDBM backends. The message catalog files are installed by default in /../VMBFS:VMSYS:ROOT. The working directory in which the LDAP server creates its schema and other database files defaults to /../VMBFS:VMSYS:userid/, where userid is the user ID of the LDAP server.

I think this is because the LDAP code in z/VM is a port from z/OS, where it uses the USS-HFS to store its files in.

Good luck.
DJ

On 05/07/2012 04:39 AM, Florian Bilek wrote:

> Dear all,
>
> I tried to enable advanced replication on the z/VM 6.2 LDAP server. Unfortunately I face an unknown error. When I look at the console of the LDAP server it states
>
>   LDAP: Unable to open message catalog gldrmsgs.cat
>
> Does somebody know what this means? gldrmsgs.cat is a file that exists on TCPIP 591 and the LDAP server machine has access to this minidisk. I could not find any hint regarding this message. Maybe LDAPSRV would give more information regarding my replication problem if it could open that message file.
>
> Thanks for your advice.
>
> --
> Best regards
> Florian Bilek

--
Dave Jones
V/Soft Software
www.vsoft-software.com
Houston, TX
281.578.7544
Re: LDAP
Brad Hinson wrote:

> Hi Erik,
>
> I'm not an LDAP expert, but I know it's changed a lot since RHEL 5. Check these links:
>
> https://access.redhat.com/kb/docs/DOC-66593
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-pam

Quote:

  16.1.5.1. Migrating Old Authentication Information to LDAP Format

  The migrationtools package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt:

    ~]# yum install migrationtools

  This will install the scripts to the /usr/share/migrationtools/ directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph file and change the following lines to reflect the correct domain, for example:

http://proton.pathname.com/fhs/

Quote:

  Chapter 4. The /usr Hierarchy

  Purpose

  /usr is the second major section of the filesystem. /usr is shareable, read-only data. That means that /usr should be shareable between various FHS-compliant hosts and must not be written to. Any information that is host-specific or varies with time is stored elsewhere.

That is the current version; there is a draft of a new version, but this does not change. What happened to FHS compliance?

> If that doesn't have what you need, I recommend opening a support call. There are LDAP specialists who can probably answer that one very quickly.
>
> -Brad
>
> --
> Brad Hinson bhin...@redhat.com
> Worldwide System z Sales, Strategy, Marketing
> Red Hat, Inc.
> +1 (919) 360-0443
> http://www.redhat.com/z

--
Cheers
John

--
spambait
1...@coco.merseine.nu
z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list :-)
Re: LDAP
Thank you for the reply. These are the docs that I have been reading and re-reading. I do have a call in to our support. They are researching.

Thank you again.
eric

On 02/06/2012 11:20 AM, Brad Hinson wrote:

> Hi Erik,
>
> I'm not an LDAP expert, but I know it's changed a lot since RHEL 5. Check these links:
>
> https://access.redhat.com/kb/docs/DOC-66593
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-pam
>
> If that doesn't have what you need, I recommend opening a support call. There are LDAP specialists who can probably answer that one very quickly.
>
> -Brad
>
> --
> Brad Hinson bhin...@redhat.com
> Worldwide System z Sales, Strategy, Marketing
> Red Hat, Inc.
> +1 (919) 360-0443
> http://www.redhat.com/z
Re: LDAP
Hi Erik, I'm not an LDAP expert, but I know it's changed a lot since RHEL 5. Check these links: https://access.redhat.com/kb/docs/DOC-66593 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-pam If that doesn't have what you need, I recommend opening a support call. There are LDAP specialists who can probably answer that one very quickly. -Brad -- Brad Hinson bhin...@redhat.com Worldwide System z Sales, Strategy, Marketing Red Hat, Inc. +1 (919) 360-0443 http://www.redhat.com/z On Feb 3, 2012, at 9:32 AM, Eric K. Dickinson wrote: I reworded and resent it so it makes more sense. On 02/03/2012 09:23 AM, Bauer, Bobby (NIH/CIT) [E] wrote: Greek to me but hopefully somebody who is LDAP/AD knowledgeable will respond. Bobby Bauer Center for Information Technology National Institutes of Health Bethesda, MD 20892-5628 301-594-7474 -Original Message- From: Dickinson, Eric (CIT) Sent: Friday, February 03, 2012 9:18 AM To: LINUX-390@VM.MARIST.EDU Subject: LDAP Re worded so it makes sense{8^) I have been trying to configure REHL6 on a z114 to authenticate to an Active Directory Domain Controller with LDAP. What I was hoping was to be directed to a document or procedure to help me along. I think I have it all working but the TLS. The manuals are very terse. I was also emailed the certificate and the books are all about downloading the certificate. I am not clear exactly where to put it or name it. Thank you! 
> > eric

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
LDAP
I have been trying to configure RHEL6 on a z114 to authenticate to an Active Directory Domain Controller with LDAP. What I was hoping was to be directed to a document or procedure to help me along. The manuals are very terse. I was also emailed the certificate and the books are all about downloading it. I think I have it all working but the TLS.

Thank you!

eric

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
LDAP
Re worded so it makes sense{8^)

I have been trying to configure RHEL6 on a z114 to authenticate to an Active Directory Domain Controller with LDAP. What I was hoping was to be directed to a document or procedure to help me along. I think I have it all working but the TLS. The manuals are very terse. I was also emailed the certificate and the books are all about downloading the certificate. I am not clear exactly where to put it or name it.

Thank you!

eric

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: LDAP
Greek to me but hopefully somebody who is LDAP/AD knowledgeable will respond.

Bobby Bauer
Center for Information Technology
National Institutes of Health
Bethesda, MD 20892-5628
301-594-7474

-Original Message-
From: Dickinson, Eric (CIT)
Sent: Friday, February 03, 2012 9:18 AM
To: LINUX-390@VM.MARIST.EDU
Subject: LDAP

Re worded so it makes sense{8^)

I have been trying to configure RHEL6 on a z114 to authenticate to an Active Directory Domain Controller with LDAP. What I was hoping was to be directed to a document or procedure to help me along. I think I have it all working but the TLS. The manuals are very terse. I was also emailed the certificate and the books are all about downloading the certificate. I am not clear exactly where to put it or name it.

Thank you!

eric

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: LDAP
I reworded and resent it so it makes more sense.

On 02/03/2012 09:23 AM, Bauer, Bobby (NIH/CIT) [E] wrote:
> Greek to me but hopefully somebody who is LDAP/AD knowledgeable will respond.
>
> Bobby Bauer
> Center for Information Technology
> National Institutes of Health
> Bethesda, MD 20892-5628
> 301-594-7474
>
> -Original Message-
> From: Dickinson, Eric (CIT)
> Sent: Friday, February 03, 2012 9:18 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: LDAP
>
> Re worded so it makes sense{8^)
>
> I have been trying to configure RHEL6 on a z114 to authenticate to an Active Directory Domain Controller with LDAP. What I was hoping was to be directed to a document or procedure to help me along. I think I have it all working but the TLS. The manuals are very terse. I was also emailed the certificate and the books are all about downloading the certificate. I am not clear exactly where to put it or name it.
>
> Thank you!
>
> eric

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: When LDAP Fails
We use YaST to configure everything and it made no difference. We also eliminated PAM as the problem as well. Additional testing results are as follows:

If we shut down the remote LDAP server everything is fine, nss will get 'not available' and will continue with the local files. This allows us to logon to the Linux Console as root since root is a local Linux account. However, if we lose the network connection (simulated by shutting down the network interface), nss will hang and the logon will time out, no matter how high the timeout value is increased. In other words, neither root nor any local account can authenticate when specifying the following in nsswitch.conf and the network is down.

passwd: ldap files
shadow: ldap files
group: ldap files

We believe the problem lies with nss_ldap. We are running nss_ldap-262-11.32.31.1. The problem seems to be that nss is not recognizing the timeout parameter in /etc/ldap.conf. If the network connection is not there, then it just keeps trying instead of timing out and looking at the local files. If the network is there, it immediately recognizes that LDAP is not running and moves on.

Googling this issue reveals many hits identical to this. Bug 176209 (https://bugzilla.redhat.com/show_bug.cgi?id=176209) seems to address it. There are others that describe various symptoms of this same problem. How can I tell if this is a known issue with SuSE, Novell, or Attachmate? Is anyone else using LDAP and experiencing this problem?

Peter

From: Mark Post mp...@novell.com
To: LINUX-390@vm.marist.edu
Date: 01/26/2012 04:52 PM
Subject: Re: When LDAP Fails
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

> On 1/26/2012 at 04:35 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> > I configured /etc/ldap.conf manually following the recommendations outlined in an IBM Redbook about the RACF LDAP server. I took the defaults with the following exceptions:
> >
> > host conprod
> > base o=PHI
> > timelimit 30
> > bind_timelimit 30
> > bind_policy soft
> > pam_lookup_policy yes
> > pam_check_host_attr yes
> > pam_password racf
> > nss_initgroups_ignoreusers root,postfix
> > nss_schema rfc2307bis
> > nss_map_attribute uniqueMember member
> >
> > Any ideas?
>
> I would be tempted to use YaST to configure all this, and compare the results with what has already been done. Perhaps the Redbook missed something subtle, or things changed somewhat between when it was published and SLES11 SP1, etc.
>
> Mark Post

This Email message and any attachment may contain information that is proprietary, legally privileged, confidential and/or subject to copyright belonging to Pepco Holdings, Inc. or its affiliates (PHI). This Email is intended solely for the use of the person(s) to which it is addressed. If you are not an intended recipient, or the employee or agent responsible for delivery of this Email to the intended recipient(s), you are hereby notified that any dissemination, distribution or copying of this Email is strictly prohibited. If you have received this message in error, please immediately notify the sender and permanently delete this Email and any copies. PHI policies expressly prohibit employees from making defamatory or offensive statements and infringing any copyright or any other legal right by Email communication. PHI will not accept any liability in respect of such communications.

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: When LDAP Fails
On 2/2/2012 at 04:34 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote: How can I tell if this is a known issue with SuSE, Novell, or Attachmate? Is anyone else using LDAP and experiencing this problem? By opening a service request with your support provider. Share your research with them and see what they can find out. Mark Post -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: When LDAP Fails
We faced something similar with Redhat, albeit 3+ years ago, and I ended up implementing the following as part of our build procedure. It might be worthwhile to at least read the kbase article and see if this sounds similar:

===
# Add a stanza to /etc/pam.d/system-auth
# to fix bug about logging in when networking is
# down and the ldap servers can't be contacted.
#
# This should be inserted as the second account ...
# stanza
#
# See the following document for details:
# http://kbase.redhat.com/faq/docs/DOC-8322
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
perl -n -e 'print; if (!$didit && m/^account/) { $didit=1; print "account sufficient /lib/security/\$ISA/pam_localuser.so\n" }' /etc/pam.d/system-auth.orig > /etc/pam.d/system-auth

Sorry for the line wrap, and good luck!

-- Pat

On 02/02/2012 03:34 PM, Peter E. Abresch Jr. - at Pepco wrote:
> We use YaST to configure everything and it made no difference. We also eliminated PAM as the problem as well. Additional testing results are as follows:
>
> If we shut down the remote LDAP server everything is fine, nss will get 'not available' and will continue with the local files. This allows us to logon to the Linux Console as root since root is a local Linux account. However, if we lose the network connection (simulated by shutting down the network interface), nss will hang and the logon will time out, no matter how high the timeout value is increased. In other words, neither root nor any local account can authenticate when specifying the following in nsswitch.conf and the network is down.
>
> passwd: ldap files
> shadow: ldap files
> group: ldap files
>
> We believe the problem lies with nss_ldap. We are running nss_ldap-262-11.32.31.1. The problem seems to be that nss is not recognizing the timeout parameter in /etc/ldap.conf. If the network connection is not there, then it just keeps trying instead of timing out and looking at the local files. If the network is there, it immediately recognizes that LDAP is not running and moves on.
>
> Googling this issue reveals many hits identical to this. Bug 176209 (https://bugzilla.redhat.com/show_bug.cgi?id=176209) seems to address it. There are others that describe various symptoms of this same problem. How can I tell if this is a known issue with SuSE, Novell, or Attachmate? Is anyone else using LDAP and experiencing this problem?
>
> Peter
>
> From: Mark Post mp...@novell.com
> To: LINUX-390@vm.marist.edu
> Date: 01/26/2012 04:52 PM
> Subject: Re: When LDAP Fails
> Sent by: Linux on 390 Port LINUX-390@vm.marist.edu
>
> > On 1/26/2012 at 04:35 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> > > I configured /etc/ldap.conf manually following the recommendations outlined in an IBM Redbook about the RACF LDAP server. I took the defaults with the following exceptions:
> > >
> > > host conprod
> > > base o=PHI
> > > timelimit 30
> > > bind_timelimit 30
> > > bind_policy soft
> > > pam_lookup_policy yes
> > > pam_check_host_attr yes
> > > pam_password racf
> > > nss_initgroups_ignoreusers root,postfix
> > > nss_schema rfc2307bis
> > > nss_map_attribute uniqueMember member
> > >
> > > Any ideas?
> >
> > I would be tempted to use YaST to configure all this, and compare the results with what has already been done. Perhaps the Redbook missed something subtle, or things changed somewhat between when it was published and SLES11 SP1, etc.
> >
> > Mark Post
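The PAM-side workaround Pat describes above (a pam_localuser.so stanza so that accounts present in /etc/passwd never wait on pam_ldap) can be applied and checked without the perl one-liner. The script below is an added example and is not code from the thread, from Red Hat, or from Pat; it keys the insertion on the first account line that calls pam_ldap.so instead of Pat's "second account stanza" rule (on a stock RHEL system-auth both land in the same place), and it refuses to add a second copy if pam_localuser.so is already in the account stack. The sample system-auth is constructed for the example, the module is referenced by bare name rather than /lib/security/$ISA/, and the check covers the PAM account phase only: it does nothing for the nss_ldap lookup hang Peter reports when nsswitch.conf lists ldap before files.

```shell
#!/bin/sh
# Added example (not from the original thread): give local accounts a PAM
# account check that succeeds before pam_ldap.so is ever consulted, so root
# can still log in when the LDAP server or the network is unreachable.
# Assumes a RHEL/SLES style stack with one "account ... pam_ldap.so" line.

# add_localuser_before_ldap SRC
#   Print SRC with
#       account     sufficient    pam_localuser.so
#   inserted immediately before the first "account" line that calls
#   pam_ldap.so. If pam_localuser.so is already an account module the file
#   is printed unchanged, so the function is safe to run more than once.
add_localuser_before_ldap() {
    if grep -qE '^[[:space:]]*account[[:space:]].*pam_localuser\.so' "$1"; then
        cat "$1"
        return 0
    fi
    awk '
        !done && /^[ \t]*account[ \t]/ && /pam_ldap\.so/ {
            print "account     sufficient    pam_localuser.so"
            done = 1
        }
        { print }
    ' "$1"
}

# account_stack_ok FILE
#   Exit 0 when pam_localuser.so appears in the account stack before the
#   first account line that calls pam_ldap.so, 1 otherwise.
account_stack_ok() {
    awk '
        /^[ \t]*account[ \t]/ && /pam_localuser\.so/ && !ldap { ok = 1 }
        /^[ \t]*account[ \t]/ && /pam_ldap\.so/ { ldap = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample resembling a RHEL 6 /etc/pam.d/system-auth with LDAP
# enabled; not copied from any real host.
SAMPLE=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF

if account_stack_ok "$SAMPLE"; then
    echo "before: local accounts already bypass pam_ldap.so"
else
    echo "before: root's account check waits on pam_ldap.so when LDAP is unreachable"
fi

add_localuser_before_ldap "$SAMPLE" > "$FIXED"

# A second run must not add another stanza.
add_localuser_before_ldap "$FIXED" > "$FIXED.again"
cmp -s "$FIXED" "$FIXED.again" && echo "idempotent: second run changed nothing"
rm -f "$FIXED.again"

if account_stack_ok "$FIXED"; then
    echo "after: pam_localuser.so precedes pam_ldap.so in the account stack"
fi
```

On a real host, run add_localuser_before_ldap against a copy of /etc/pam.d/system-auth (or the SLES common-account file), inspect the diff, and only then move it into place; keep a root shell open while you test a fresh login with the LDAP server blocked, since a broken account stack locks everyone out.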
When LDAP Fails
We are running SLES11-SP1 at latest maintenance levels. We use RACF LDAP and authenticate our Linux users to z/OS RACF. Everything works fine with no problems. Our root user is not defined in LDAP but to the local Linux. We have the following /etc/pam.d/login:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth requisite pam_unix2.so
auth required pam_env.so
auth required pam_mail.so
account sufficient pam_ldap.so
account required pam_unix2.so
password sufficient pam_ldap.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_loginuid.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
session optional pam_ck_connector.so

It all works, for the most part. When we login with root, or any other ID not defined to LDAP, it will authenticate to the local Linux. However, here is the crux: When the RACF LDAP server on z/OS is down or if there is a network issue, the process hangs. Instead of failing at:

auth sufficient pam_ldap.so

and moving on to

auth requisite pam_unix2.so
auth required pam_env.so
auth required pam_mail.so

it just hangs and the login times out and fails. In other words we have no access to the system to do anything. I do not know if this is a pam issue, an LDAP issue or an nss issue. I have been unsuccessful in resolving this and am open to suggestions. Thanks in advance.

Peter

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: When LDAP Fails
On 1/26/2012 at 01:36 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote: In other words we have no access to the system to do anything. I do not know if this a pam issue, an LDAP issue or an nss issue. I have been unsuccessful in resolving this and am open to suggestions. Thanks in advance. Did you use YaST to set up the authenticate via LDAP configuration, or did you do it manually? Mark Post -- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: When LDAP Fails
I configured /etc/ldap.conf manually following the recommendations outlined in an IBM Redbook about the RACF LDAP server. I took the defaults with the following exceptions:

host conprod
base o=PHI
timelimit 30
bind_timelimit 30
bind_policy soft
pam_lookup_policy yes
pam_check_host_attr yes
pam_password racf
nss_initgroups_ignoreusers root,postfix
nss_schema rfc2307bis
nss_map_attribute uniqueMember member

Any ideas?

Peter

From: Mark Post mp...@novell.com
To: LINUX-390@vm.marist.edu
Date: 01/26/2012 02:35 PM
Subject: Re: When LDAP Fails
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

> On 1/26/2012 at 01:36 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> > In other words we have no access to the system to do anything. I do not know if this is a pam issue, an LDAP issue or an nss issue. I have been unsuccessful in resolving this and am open to suggestions. Thanks in advance.
>
> Did you use YaST to set up the authenticate via LDAP configuration, or did you do it manually?
>
> Mark Post

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: When LDAP Fails
On 1/26/2012 at 04:35 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> I configured /etc/ldap.conf manually following the recommendations outlined in an IBM Redbook about the RACF LDAP server. I took the defaults with the following exceptions:
>
> host conprod
> base o=PHI
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> pam_lookup_policy yes
> pam_check_host_attr yes
> pam_password racf
> nss_initgroups_ignoreusers root,postfix
> nss_schema rfc2307bis
> nss_map_attribute uniqueMember member
>
> Any ideas?

I would be tempted to use YaST to configure all this, and compare the results with what has already been done. Perhaps the Redbook missed something subtle, or things changed somewhat between when it was published and SLES11 SP1, etc.

Mark Post

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
z/VM LDAP RACF change password
Dear all,

I have set up a configuration where I use the LDAP server from z/VM 540 to store the password in RACF. Following all the presentations and hints on the Internet on how to set up the configuration, it works fine. In principle. However I encountered that a user cannot change his own password with the passwd command:

$ passwd
Changing password for xrun.
Enter login(LDAP) password:
New Password:
Reenter New Password:
LDAP password information update failed: Insufficient access
R003070 Access denied because user does not have 'write' permission for all modified attributes (ldbm_modify_entry)
passwd: Permission denied

Change of password with oldpw/newpw during login is working. Any ideas? I use SLES 11 on z/VM 540.

Thank you very much in advance.

--
Best regards
Florian Bilek

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
Thanks for responding. I agree that changing the order to 'files ldap' for passwd, shadow, and group will eliminate the overly burdensome messages; I question if this is the correct approach. All our external information is stored in LDAP and is intended to be shared with multiple Linux systems. Some IDs are defined locally and to LDAP as these IDs would be used when there are LDAP issues that cause authentication issues. I made the change as suggested and, with some slight PAM config changes, confirmed that these messages are eliminated. However, I am thinking that we would still rather go to LDAP first and files second.

I understand that these messages are produced because the network is not available and communication to the ldap server is lost. This occurs during shutdown and IPL. I believe this is why the LDAP parameter nss_initgroups_ignoreusers was developed. By specifying a list of known local users that will be running between network availability and network unavailability in nss_initgroups_ignoreusers, NSS will simply return a notfound condition. Of course this parameter can also be used to prevent a wasted LDAP lookup for local users we know are not defined to ldap. The default nss action is to continue, so when we have 'ldap files', the call to ldap is bypassed and we move on to files. It is my understanding that the notfound condition is immediately passed, thus eliminating any ldap interaction for those users specified in nss_initgroups_ignoreusers. I have the following specified:

nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101

I know I probably only need a few of these but I wanted to eliminate the messages. This does not appear to be working as expected. Of course my expectations could be off. What are everyone's thoughts on this? Is this an issue that I need to push to support? What are others doing with Linux RACF LDAP authorizations? All comments are welcome.

Thanks

Peter

From: Patrick Spinler spinler.patr...@mayo.edu
To: LINUX-390@vm.marist.edu
Date: 08/18/2011 03:37 PM
Subject: Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

> Your nsswitch says to search ldap before anything local. I use passwd: files ldap (same for shadow, group). Thus, it never even tries ldap if it finds a local entry. This has also come in handy for a few weird exceptions where the application absolutely had to do something weird and exceptional: I could override it on the local box. For example, two apps which absolutely had to use the same group name, with different memberships. Here, we have an enterprise oracle group with dozens of hosts for which their dba's are all members of a common group. We also have a couple of one off oracle hosts for non-enterprise groups who want the same names but different memberships. It's a bit of a pain to manage those specific host exceptions, but at least it's possible using 'files ldap'.
>
> -- Pat
>
> On 8/18/11 12:47 PM, Peter E. Abresch Jr. - at Pepco wrote:
> > I have the following set in /etc/ldap.conf
> >
> > bind_policy soft
> > nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101
> >
> > However, these messages are overwhelming. I get them for udevd and vol_id. These might be a startup timing issue; as soon as the network is available, they go away. However, the nss_initgroups_ignoreusers should ignore this. Am I still missing something?
> >
> > /etc/nsswitch.conf contains:
> >
> > passwd: ldap compat
> > shadow: ldap compat
> > group: ldap compat
> > hosts: files dns
> > networks: files dns
> > services: files
> > protocols: files
> > rpc: files
> > ethers: files
> > netmasks: files
> > netgroup: files nis
> > publickey: files
> > bootparams: files
> > automount: files nis
> > aliases: files
> >
> > From: Peter E Abresch/EP/PEP
> > To: LINUX-390@vm.marist.edu
> > Date: 08/18/2011 09:00 AM
> > Subject: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
> >
> > > We finally have RACF LDAP server running on z/OS with the TDBM backend and native authentication. We thought we were done as all our testing completed successfully. However, when the operator booted Linux, the console is flooded with the following messages on the shutdown and startup. It is very difficult to catch a real error with this flood of messages. Also, these messages are somewhat misleading as the LDAP server is up and running and available. I am thinking that these messages are produced as some service is shut down and before some service starts. Here is the challenge: How can we eliminate these messages during shutdowns and boots? They are all coming from udevd. Thanks in advance.
> > >
> > > Peter
> > >
> > > udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
> > > udevd-349
Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
On 8/19/2011 at 10:53 AM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> I have the following specified:
>
> nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101
>
> I know I probably only need a few of these but I wanted to eliminate the messages. This does not appear to be working as expected. Of course my expectations could be off. What are everyone's thoughts on this? Is this an issue that I need to push to support? What are others doing with Linux RACF LDAP authorizations? All comments are welcome.
>
> Thanks

A Google search found something that indicates perhaps having too many users listed can be a problem. They were able to get the ignore list to work with 2 entries, but having 13 didn't. This was on RHEL5 from June of this year, so fairly recent. Give that a try and see what happens. Then regardless of the result, open up a support request.

Mark Post

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
Thanks, I saw that; the default is root,ldap but that did not make a difference. I also tried other combinations and a couple of times with only root, with the same results. There are many hits on a google search for this condition but no resolutions. I am seeing this condition for udevd, securetty, and some other services. I assume these all run under root as there are no ids or groups specifically for udevd and the rest. I am kind of stumped. I am leaning towards a possible bug at this point. Maybe something will come to me over a couple (or six) beers this weekend.

Peter

From: Mark Post mp...@novell.com
To: LINUX-390@vm.marist.edu
Date: 08/19/2011 02:45 PM
Subject: Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

> On 8/19/2011 at 10:53 AM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> > I have the following specified:
> >
> > nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101
> >
> > I know I probably only need a few of these but I wanted to eliminate the messages. This does not appear to be working as expected. Of course my expectations could be off. What are everyone's thoughts on this? Is this an issue that I need to push to support? What are others doing with Linux RACF LDAP authorizations? All comments are welcome.
> >
> > Thanks
>
> A Google search found something that indicates perhaps having too many users listed can be a problem. They were able to get the ignore list to work with 2 entries, but having 13 didn't. This was on RHEL5 from June of this year, so fairly recent. Give that a try and see what happens. Then regardless of the result, open up a support request.
>
> Mark Post

-- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 -- For more information on Linux on System z, visit http://wiki.linuxvm.org/
udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
We finally have the RACF LDAP server running on z/OS with the TDBM backend and native authentication. We thought we were done as all our testing completed successfully. However, when the operator booted Linux, the console is flooded with the following messages on shutdown and startup. It is very difficult to catch a real error in this flood of messages. Also, these messages are somewhat misleading as the LDAP server is up and running and available. I am thinking that these messages are produced as some service is shut down and before some service starts.

Here is the challenge: How can we eliminate these messages during shutdowns and boots? They are all coming from udevd. Thanks in advance.

Peter

    udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
    udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
    udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
    udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
    udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
    udevd-349-: nss_ldap: could not search LDAP server - Server is unavailable
    udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
    udevd-349-: nss_ldap: failed to bind to LDAP server ldap://contest: Can't contact LDAP server
Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
I have the following set in /etc/ldap.conf:

    bind_policy soft
    nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101

However, these messages are overwhelming. I get them for udevd and vol_id. These might be a startup timing issue: as soon as the network is available, they go away. However, the nss_initgroups_ignoreusers should ignore this. Am I still missing something?

/etc/nsswitch.conf contains:

    passwd:     ldap compat
    shadow:     ldap compat
    group:      ldap compat
    hosts:      files dns
    networks:   files dns
    services:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    netgroup:   files nis
    publickey:  files
    bootparams: files
    automount:  files nis
    aliases:    files

From: Peter E Abresch/EP/PEP
To: LINUX-390@vm.marist.edu
Date: 08/18/2011 09:00 AM
Subject: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
Re: udevd-349-: nss_ldap: failed to bind to LDAP server ldap:// . . .
Your nsswitch says to search ldap before anything local. I use

    passwd: files ldap

(same for shadow and group). Thus, it never even tries ldap if it finds a local entry. This has also come in handy for a few weird exceptions where the application absolutely had to do something weird and exceptional: I could override it on the local box. For example, two apps which absolutely had to use the same group name, with different memberships. Here, we have an enterprise oracle group with dozens of hosts for which their dba's are all members of a common group. We also have a couple of one-off oracle hosts for non-enterprise groups who want the same names but different memberships. It's a bit of a pain to manage those specific host exceptions, but at least it's possible using 'files ldap'.

-- Pat

On 8/18/11 12:47 PM, Peter E. Abresch Jr. - at Pepco wrote:
> I have the following set in /etc/ldap.conf:
>
>     bind_policy soft
>     nss_initgroups_ignoreusers root,ldap,haldaemon,messagebus,dbus,bin,daemon,postfix,sshd,polkituser,uuidd,100,101
>
> However, these messages are overwhelming. I get them for udevd and vol_id. These might be a startup timing issue: as soon as the network is available, they go away. However, the nss_initgroups_ignoreusers should ignore this. Am I still missing something?
>
> /etc/nsswitch.conf contains:
>
>     passwd:     ldap compat
>     shadow:     ldap compat
>     group:      ldap compat
>     hosts:      files dns
>     networks:   files dns
>     services:   files
>     protocols:  files
>     rpc:        files
>     ethers:     files
>     netmasks:   files
>     netgroup:   files nis
>     publickey:  files
>     bootparams: files
>     automount:  files nis
>     aliases:    files
Re: RACF LDAP and Linux passwd command
After a good night's sleep, I delved into this problem further. I do not think this is an ACL issue as I can change the password using the ldapmodify command. On the z/OS LDAP Server, we are using TDBM and RACF for native authentication. We have the following:

Server Configuration
    adminDN: cn=ldapadm, o=PHI
    adminPW: *not configured*
    allowAnonymousBinds: on
    armName: GLDSRVR
    audit 1: off
    commThreads: 10
    db2StartUpRetryInterval: 45
    db2StartUpRetryLimit: 0
    db2Terminate: recover
    dnCacheSize: 1000
    idleConnectionTimeout: 0
    listen 1: ldap://:389
    logfile: /tmp/gldlog.output
    maxConnections: 65535
    operationsMonitor: IPANY
    operationsMonitorSize: 1000
    pcIdleConnectionTimeout: 0
    pcThreads: 10
    pwSearchOutput: binary
    schemaPath: /var/ldap/schema
    schemaReplaceByValue: on
    securityLabel: off
    sendV3StringsOverV2As: UTF-8
    serverCompatLevel: 5
    serverEtherAddr: 4020980269E6
    serverSysplexGroup: undefined
    sizeLimit: 500
    srvStartUpError: ignore
    sslAuth: serverAuth
    sslCertificate: none
    sslCipherSpecs: 050435363738392F303132330A1613100D0915120F0C0306
    sslMapCertificate: off fail
    supportKrb5: off
    tcpTerminate: recover
    timeLimit: 3600
    validateIncomingV2Strings: on

database TDBM GLDBTD31 TDBM-0001
    aclSourceCacheSize: 100
    attrOverflowCount: 512
    attrOverflowSize: 255
    changeLoggingParticipant: on
    dbUserid: LDAPSRV
    dnToEidCacheSize: 1000
    entryCacheSize: 5000
    entryOwnerCacheSize: 100
    extendedGroupSearching: off
    filterCacheBypassLimit: 100
    filterCacheSize: 5000
    krbIdentityMap: off
    multiServer: off
    nativeAuthSubtree: all
    nativeUpdateAllowed: on
    persistentSearch: off
    pwCryptCompat: on
    pwEncryption: none
    readOnly: off
    secretEncryption: none
    serverName: USPHIDSNC
    sizeLimit: 500
    suffix 1: o=PHI
    timeLimit: 3600
    useNativeAuth: all

I have the following specified in SLES11-SP1's /etc/ldap.conf:

    pam_password racf

/etc/pam.d/passwd looks like the following:

    auth     required   pam_env.so
    auth     sufficient pam_ldap.so
    auth     required   pam_unix2.so
    account  sufficient pam_ldap.so
    account  required   pam_unix2.so
    password sufficient pam_ldap.so
    session  sufficient pam_ldap.so
    session  required   pam_limits.so
    session  required   pam_unix2.so
    session  optional   pam_umask.so

The Red Paper titled "Securing Linux for zSeries with Central z/OS LDAP Server (RACF)", available at http://www.redbooks.ibm.com/redpapers/pdfs/redp0221.pdf, on page 21 suggests that the pam_password racf in the Linux ldap.conf allows the Linux passwd command to work with RACF. Am I missing something or have something misconfigured? Any experiences out there? Thanks as always.

Peter

From: Peter E Abresch/EP/PEP
To: Linux on 390 Port LINUX-390@vm.marist.edu
Date: 08/15/2011 05:51 PM
Subject: RACF LDAP and Linux passwd command
Re: RACF LDAP and Linux passwd command
On Tuesday, 08/16/2011 at 07:35 EDT, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> After a good night sleep, I delved into this problem further. I do not think this is an ACL issue as I can change the password using the ldapmodify command.

That's a bit confusing since "R006010 Unsupported extended operation '1.3.6.1.4.1.4203.1.11.1'" is a reference to Modify password. Consider looking, too, at Rich Smrcina's presentation, http://linuxvm.org/present/SHARE112/S9156rs.pdf. The z/VM LDAP server is at the z/OS R10 level.

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
Re: RACF LDAP and Linux passwd command
Thanks, I saw Rich's presentation. This really had me stumped so I figure this had to be something on my side. I went back to the drawing board and reviewed everything and then by mistake, I found the issue. In /etc/ldap.conf, I had pam_password racf configured correctly but later on in the ldap.conf there was a pam_password exop configured. I commented out pam_password exop and now everything is working correctly. So far, RACF LDAP with TDBM is working great now. Thanks to all that viewed this issue.

Peter

From: Alan Altmark alan_altm...@us.ibm.com
To: LINUX-390@vm.marist.edu
Date: 08/16/2011 11:38 AM
Subject: Re: RACF LDAP and Linux passwd command
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

> That's a bit confusing since "R006010 Unsupported extended operation '1.3.6.1.4.1.4203.1.11.1'" is a reference to Modify password. Consider looking, too, at Rich Smrcina's presentation, http://linuxvm.org/present/SHARE112/S9156rs.pdf. The z/VM LDAP server is at the z/OS R10 level.
>
> Alan Altmark
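The trap Peter describes, a second pam_password line further down the file quietly overriding the one he set on purpose, is easy to lint for. The following Python is an added example, not code from the thread or from the nss_ldap/pam_ldap projects. It assumes PADL-style ldap.conf syntax and that the last occurrence of a directive takes effect, which is the behaviour the thread's fix is consistent with; the sample configuration (hostname, base DN, directive values) is constructed.

```python
"""Lint a PADL-style /etc/ldap.conf for directives that are set more than once.

Added example for the thread above; not code from any post or from the
nss_ldap/pam_ldap projects. It assumes the parsing behaviour the thread's fix
is consistent with: the file is read top to bottom and a later occurrence of
a directive replaces an earlier one, so a stray second 'pam_password' line
silently decides how passwd(1) talks to the directory.
"""
import re

# Constructed sample, not a real host's file: 'pam_password racf' is set early and
# a template's 'pam_password exop' is still present further down, as in the thread.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf (constructed sample)
host contest
base o=PHI
ldap_version 3
bind_policy soft
pam_password racf
nss_initgroups_ignoreusers root,ldap

# ... many lines later, left over from a vendor template ...
pam_password exop
"""

# What pam_ldap sends for each pam_password value that matters here. 'exop' is the
# RFC 3062 Password Modify extended operation, OID 1.3.6.1.4.1.4203.1.11.1, which is
# exactly the operation the R006010 error in the thread reports as unsupported.
PAM_PASSWORD_METHODS = {
    "exop": "RFC 3062 Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1)",
    "racf": "pam_ldap's RACF password change for the z/OS LDAP server (native authentication)",
    "clear": "plain LDAP modify of userPassword",
    "crypt": "LDAP modify of userPassword with a locally crypt()ed value",
}


def parse_ldap_conf(text):
    """Every occurrence of each directive, in file order: {key: [(lineno, value), ...]}.

    Directive names are treated case-insensitively; '#' comments and blank lines are
    skipped. Only the first whitespace run separates key from value, so values that
    contain spaces (a base DN, a URI list) survive intact.
    """
    found = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append((lineno, value))
    return found


def effective_settings(conf):
    """The value each directive ends up with: the last occurrence wins (see module docstring)."""
    return {key: occ[-1][1] for key, occ in conf.items()}


def duplicate_directives(conf):
    """Directives that appear more than once; these are the ones that surprise you."""
    return {key: occ for key, occ in conf.items() if len(occ) > 1}


def lint(text):
    """Human-readable findings for one ldap.conf: one line per duplicated directive,
    then the password-change method passwd(1) will actually use."""
    conf = parse_ldap_conf(text)
    findings = []
    for key, occ in duplicate_directives(conf).items():
        where = ", ".join(f"line {ln}={val!r}" for ln, val in occ)
        findings.append(f"{key} set {len(occ)} times ({where}); effective value is {occ[-1][1]!r}")
    method = effective_settings(conf).get("pam_password")
    if method is not None:
        findings.append(f"passwd(1) will use: {PAM_PASSWORD_METHODS.get(method, method + ' (unknown method)')}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_LDAP_CONF):
        print(finding)
```

On the sample it reports pam_password set twice with the effective value exop, and that passwd(1) will therefore send the Password Modify extended operation, the very OID the z/OS server rejected with R006010. Commenting out the later line leaves a single finding, the racf method, which is what the Red Paper setup expects. The same check catches any other directive that a template left behind (a second host or base line is just as silent).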
Re: RACF LDAP and Linux passwd command
On 8/16/2011 at 12:17 PM, Peter E. Abresch Jr. - at Pepco peabre...@pepco.com wrote:
> Thanks, I saw Rich's presentation. This really had me stumped so I figure this had to be something on my side. I went back to the drawing board and reviewed everything and then by mistake, I found the issue.

That's not finding something by mistake/accident, that's just solid systems programming work.

Mark Post
Re: RACF LDAP and Linux passwd command
I looked at trying to do password changes from Linux, thinking that would be the icing on the cake for the presentation. But never had time to get that far. I'm glad you got it working... I'll be revisiting the process again fairly soon. Thanks for the update.

On 08/16/2011 11:17 AM, Peter E. Abresch Jr. - at Pepco wrote:
> In /etc/ldap.conf, I had pam_password racf configured correctly but later on in the ldap.conf there was a pam_password exop configured. I commented out pam_password exop and now everything is working correctly. So far, RACF LDAP with TDBM is working great now. Thanks to all that viewed this issue.
>
> Peter

--
Rich Smrcina
Velocity Software, Inc.
http://www.velocitysoftware.com
Catch the WAVV! http://www.wavv.org
WAVV 2012 - April 13-17, 2012 Covington, KY
RACF LDAP and Linux passwd command
We have the RACF LDAP server set up under z/OS Version 1.11. We are using SLES11-SP1 Linux. We are using LDAP to authenticate with RACF passwords and DB2 for the TDBM backend. We populated the TDBM and everything is working great with one exception. We cannot change the RACF password from Linux using the passwd command. This should work. Here is what we are seeing:

    x062tst@linuxm02:~ passwd
    Changing password for x062tst.
    Enter login(LDAP) password:
    New password:
    Re-enter new password:
    LDAP password information update failed: Protocol error
    R006010 Unsupported extended operation '1.3.6.1.4.1.4203.1.11.1' (srv_process_extended_request)
    passwd: Permission denied

I am thinking this is an ACL issue but am clueless how to set up the ldif file for the ACL permission for the ldapmodify command. This is how it looks now:

    # ESE Testing ID, ESE, IT, PHI
    dn: cn=ESE Testing ID,ou=ESE,ou=IT,o=PHI
    cn: ESE Testing ID
    aclentry: cn=this:critical:w
    aclentry: cn=anybody:NORMAL:RSC:SYSTEM:RSC
    aclpropagate: TRUE
    aclsource: ou=ESE, ou=IT, o=PHI
    entryowner: access-id:cn=ldapadm,o=PHI
    ownerpropagate: TRUE
    ownersource: ou=ESE, ou=IT, o=PHI

Does anyone have experience with this or can point me in the right direction? Thanks in advance.

Peter
Re: A Mix of LDAP and non-LDAP Users
On Monday, January 10, 2011 06:50:22 pm you wrote:
> Is it possible to have a mix of both LDAP-authenticated and locally-authenticated users on the same Linux system? The LDAP Server that would be accessed is either a Windows Active Directory or a Novell Meta-Directory Server. I'm not sure which is actually being used today.

Others have answered this, but there's a couple of points I'd like to add:

1) You should *always* make your root user a local user (defined in /etc/passwd). If you don't and there's a network problem, you won't be able to log in. This implies that /etc/nsswitch should always list files as a service for the passwd, shadow and group databases.

2) Lookups from Active Directory can require several searches to wade through Microsoft's forest of directory entries. If your link to the AD server is slow (as on some of my remote systems), lookups can take several seconds. This isn't bad on logins, but you're also doing lookups every time you have to translate a UID to a user name, which means every ls -l or ps command does these lookups. If performance is bad, run the Name Service Cache Daemon (nscd) by doing

    service nscd start
    insmod nscd

This will speed things up again for you.

- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street - Newton, MA 02466-2272 - USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com
Re: A Mix of LDAP and non-LDAP Users
On 1/10/2011 at 06:50 PM, David Stuart david.stu...@ventura.org wrote:
> LDAP has been mentioned for authenticating users. I can't seem to find anything in the manuals, but may very well be looking in the wrong places. Is it possible to have a mix of both LDAP-authenticated and locally-authenticated users on the same Linux system?

As others have answered, it should be possible. Look at YaST - Security and Users - User and Group Management - Authentication Settings. The Authentication Settings is one of the choices along the top of the panel.

Mark Post
A Mix of LDAP and non-LDAP Users
Afternoon,

New admin here. I am configuring a SLES 11 SP 1 system. LDAP has been mentioned for authenticating users. I can't seem to find anything in the manuals, but may very well be looking in the wrong places. Is it possible to have a mix of both LDAP-authenticated and locally-authenticated users on the same Linux system? The LDAP Server that would be accessed is either a Windows Active Directory or a Novell Meta-Directory Server. I'm not sure which is actually being used today.

Thanks,
Dave

Dave Stuart
Prin. Info. Systems Support Analyst
County of Ventura, CA
805-662-6731
david.stu...@ventura.org
Re: A Mix of LDAP and non-LDAP Users
On 11 January 2011 12:50, David Stuart david.stu...@ventura.org wrote:
> Is it possible to have a mix of both LDAP-authenticated and locally-authenticated users on the same Linux system?

That should be pretty much default; check /etc/nsswitch.conf. Look for passwd, shadow, groups; if they say "XXX files ldap" you're already there in regards to the mix. The system will first check for users locally, then in LDAP.

> The LDAP Server that would be accessed is either a Windows Active Directory or a Novell Meta-Directory Server. I'm not sure which is actually being used today.

Not sure how SuSE handles LDAP, but there might be a /etc/ldap.conf file?

> Thanks, Dave

Cheers,
Andrej
Re: A Mix of LDAP and non-LDAP Users
Thanks Andrej,

That gives me hope. I haven't gotten so far as to actually configure the LDAP client yet. I didn't want to 'break' what was currently working.

Dave

Dave Stuart
Prin. Info. Systems Support Analyst
County of Ventura, CA
805-662-6731
david.stu...@ventura.org

> Andrej andrej.gro...@gmail.com 1/10/2011 4:25 PM
Re: A Mix of LDAP and non-LDAP Users
On 1/10/11 5:50 PM, David Stuart wrote:
> Is it possible to have a mix of both LDAP-authenticated and locally-authenticated users on the same Linux system? The LDAP Server that would be accessed is either a Windows Active Directory or a Novell Meta-Directory Server. I'm not sure which is actually being used today.

Should be no problem at all. Both our SLES and RHEL boxes use LDAP, and have a few local accounts. The split we make is to have application accounts (e.g. oracle, apache, etc) and other accounts that have no password local, and real people's accounts on LDAP. There's a very few exceptions, but this works pretty well for us overall.

Make sure that whatever LDAP service you are using has the Posix attributes added to your accounts (objectclass posixAccount mostly) and pre-populated. Also make sure that you have no uid/gid conflicts in LDAP or between LDAP and local accounts. I recommend allocating uid's in LDAP by a program for consistency, and starting somewhere up high enough that there's no worries of conflict (2 million or so works well).

You may also want some mechanism to provision specific users from LDAP to specific servers, depending on the size of your shop. At least in our environment we don't want to automatically allow every single employee access to all servers. We use the optional filters on service search descriptors for this (the 5th field of nss_base_passwd and nss_base_user attributes).

Good luck! Feel free to contact me offlist if you'd like more specific advice.

-- Pat
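Pat's "files ldap" ordering in the udevd thread above, MacK's rule that root must stay in /etc/passwd, and Pat's warning here about uid/gid conflicts between the directory and local accounts are all things you can check before switching a host over. The following Python is an added example, not code from any post or vendor; the nsswitch.conf, /etc/passwd, /etc/group and LDIF inputs are constructed, and "compat" is counted as a local source because glibc's compat backend reads /etc/passwd too (that is why the "ldap compat" lines in the original post still resolve local users once the network is up; they just ask the directory first).

```python
"""Pre-flight checks before mixing local and LDAP accounts on one host.

Added example for the thread above, not code from any post or vendor. It checks
the points the replies make: nsswitch.conf consults a local source before 'ldap'
for passwd/shadow/group, root is defined in /etc/passwd, and no login name, uid
or gid in the directory collides with a local account. The directory side is a
constructed LDIF dump shaped like 'ldapsearch -x -LLL "(objectClass=posixAccount)"'
output, so the whole thing runs offline.
"""

# Constructed samples, not from any real system. NSSWITCH_BAD is the ordering from
# the original post; 'orasvc' deliberately reuses the local 'oracle' uid 1001.
NSSWITCH_BAD = "passwd: ldap compat\nshadow: ldap compat\ngroup: ldap compat\nhosts: files dns\n"
NSSWITCH_GOOD = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\noracle:x:1001:1001:Oracle owner:/opt/oracle:/bin/bash\n"
LOCAL_GROUP = "root:x:0:\ndba:x:1001:\n"
LDIF_POSIX = """\
dn: uid=jdoe,ou=People,o=example
objectClass: posixAccount
uid: jdoe
uidNumber: 2000001
gidNumber: 2000001

dn: uid=root,ou=People,o=example
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0

dn: uid=orasvc,ou=People,o=example
objectClass: posixAccount
uid: orasvc
uidNumber: 1001
gidNumber: 2000001
"""
LOCAL_SOURCES = ("files", "compat")  # both read /etc/passwd; compat adds NIS +/- handling


def parse_nsswitch(text):
    """Map each database to its ordered source list, comments stripped."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def parse_colon_file(text):
    """/etc/passwd or /etc/group -> [(name, numeric id)], skipping malformed lines."""
    rows = [raw.strip().split(":") for raw in text.splitlines()]
    return [(f[0], int(f[2])) for f in rows if len(f) >= 3 and f[2].isdigit()]


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry; single-valued attrs, no base64 or folded lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries


def check_nsswitch(nss):
    """Findings for passwd/shadow/group lines that consult ldap before a local source."""
    findings = []
    for db in ("passwd", "shadow", "group"):
        sources = nss.get(db, [])
        local = [i for i, s in enumerate(sources) if s in LOCAL_SOURCES]
        if not local:
            findings.append(f"{db}: no local source listed; root cannot log in if LDAP is unreachable")
        elif "ldap" in sources and sources.index("ldap") < local[0]:
            findings.append(f"{db}: 'ldap' before '{sources[local[0]]}'; local lookups hit the directory first")
    return findings


def root_is_local(passwd_text):
    """MacK's rule: uid 0 must come from /etc/passwd, never only from the directory."""
    return any(name == "root" and uid == 0 for name, uid in parse_colon_file(passwd_text))


def check_id_conflicts(passwd_text, group_text, entries):
    """Login names, uidNumbers and gidNumbers present both locally and in the directory."""
    local_uid = {uid: name for name, uid in parse_colon_file(passwd_text)}
    local_gid = {gid: name for name, gid in parse_colon_file(group_text)}
    findings = []
    for e in entries:
        uid, gid = int(e["uidNumber"]), int(e["gidNumber"])
        if e["uid"] in local_uid.values():
            findings.append(f"{e['dn']}: login name {e['uid']!r} is also a local user")
        if uid in local_uid:
            findings.append(f"{e['dn']}: uidNumber {uid} collides with local user {local_uid[uid]!r}")
        if gid in local_gid:
            findings.append(f"{e['dn']}: gidNumber {gid} collides with local group {local_gid[gid]!r}")
    return findings


def preflight(nsswitch_text, passwd_text, group_text, ldif_text):
    """All findings for one host; an empty list means the mix is safe to switch on."""
    findings = check_nsswitch(parse_nsswitch(nsswitch_text))
    if not root_is_local(passwd_text):
        findings.append("root is not defined in /etc/passwd")
    return findings + check_id_conflicts(passwd_text, group_text, parse_ldif(ldif_text))
```

On a real host you would feed preflight() the actual three files plus the ldapsearch output. With the constructed inputs it flags all three nsswitch lines for the "ldap compat" ordering, the directory's root entry (name, uid 0 and gid 0 all shadowed by local definitions, which is the intended state but worth knowing about), and orasvc's reuse of uid 1001; jdoe, allocated up in the 2-million range Pat suggests, produces nothing.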
using ldappasswd with zLinux and LDAP
We are trying to allow users to change their mainframe password through LDAP via the ldappasswd command:

    home/user1)#ldappasswd -A -S -H ldap://hostname:port# user1
    Old password:
    Re-enter old password:
    New password:
    Re-enter new password:
    SASL/EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
            additional info: SASL(-4): no mechanism available:

We are using Top Secret on the mainframe; we have IBM LDAP on the mainframe with NATIVEAUTH active (so it is getting the password directly from Top Secret). However this command is failing to change the Top Secret stored password. Any suggestions where to look or make changes to resolve this?

James Chaplin
Systems Programmer, MVS, zVM zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team
Re: using ldappasswd with zLinux and LDAP
Unless you've explicitly set up a SASL authentication method, you're probably using simple authentication. Indicate this to linux via the -x command line option to most ldap utils. Test it via ldapsearch, first. E.g.:

    ldapsearch -H ldap://hostname uid=some_known_uid

should fail with a similar error, whereas:

    ldapsearch -x -H ldap://hostname uid=some_known_uid

should work.

Another note. You should be able to put most of the necessary default host, search base and similar information into /etc/ldap.conf and /etc/openldap/ldap.conf (you can cheat and make them symlinks to each other) so that you don't have to enter -H options, and suchlike.

-- Pat

CHAPLIN, JAMES (CTR) wrote:
> We are trying to allow users to change their mainframe password through LDAP via the ldappasswd command:
> [...]
Re: using ldappasswd with zLinux and LDAP
One more thing before I forget: if you have a

    password sufficient pam_ldap.so ...

statement in the appropriate /etc/pam.d/... file, with the appropriate defaults in /etc/ldap.conf, then users should be able to use the standard unix 'passwd' command.

Warnings:

- pam_ldap didn't used to set the shadow_last_changed ldap attribute. So expired passwords stayed expired no matter how many times they were changed. This was two years ago+ though, so test it and it might be fixed.
- Ensure that if you're working from a master - slave ldap replication environment that your slaves properly give referrals to your masters, and that your clients follow referrals.

Luck,

-- Pat

CHAPLIN, JAMES (CTR) wrote:
> We are trying to allow users to change their mainframe password through LDAP via the ldappasswd command:
> [...]
Re: using ldappasswd with zLinux and LDAP
What you are looking for can be done. It will require a connector between the LDAP server and Top Secret. I've set this up to run between eDirectory and RACF using a DirXML RACF connector that we bought from Novell. You would need to find a similar tool that would run between your LDAP server and Top Secret.

Jerry Ekegren
IT - Infrastructure Architecture
jerry.ekeg...@thrivent.com
Office: 612-844-3320
Mobile: 612-791-5223

CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov
Sent by: Linux on 390 Port LINUX-390@VM.MARIST.EDU
03/26/2009 08:44 AM
Please respond to Linux on 390 Port LINUX-390@VM.MARIST.EDU
To: LINUX-390@VM.MARIST.EDU
cc:
Subject: using ldappasswd with zLinux and LDAP

> We are trying to allow users to change their mainframe password through LDAP via the ldappasswd command:
> [...]
Re: using ldappasswd with zLinux and LDAP
I like your thinking and tested your idea; however, I got a different error:

    ldappasswd -A -S -x -H ldap://hostname:port# user1
    Old password:
    Re-enter old password:
    New password:
    Re-enter new password:
    Result: Protocol error (2)
    Additional info: No backend for OID=1.3.6.1.4.1.4203.1.11.1

James Chaplin
Systems Programmer, MVS, zVM zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Patrick Spinler
Sent: Thursday, March 26, 2009 11:27 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: using ldappasswd with zLinux and LDAP

> Unless you've explicitly set up a SASL authentication method, you're probably using simple authentication. Indicate this to linux via the -x command line option to most ldap utils.
> [...]
Re: using ldappasswd with zLinux and LDAP
CHAPLIN, JAMES (CTR) wrote:
> I like your thinking and tested your idea; however, I got a different error:
>
>     ldappasswd -A -S -x -H ldap://hostname:port# user1
>     Old password:
>     Re-enter old password:
>     New password:
>     Re-enter new password:
>     Result: Protocol error (2)
>     Additional info: No backend for OID=1.3.6.1.4.1.4203.1.11.1

My apologies. I misunderstood the implications of the involvement of the Top Secret product, since I know literally nothing about it. Pretty much disregard what I said, since my notes were all with regard to keeping the password in an LDAP server.

-- Pat
Re: Enterprise LDAP authentication
John Summerfield wrote:
> Bauer, Bobby (NIH/CIT) [E] wrote:
>> We have a new client requesting to use the enterprise ldap server (running on a windows box I think). First reading indicates I can run an ldap server on a zlinux machine and point it to the enterprise ldap server for authentication. I found the Redhat rpms. Anybody know any gotchas or recommendations.
>
> I don't, but to add to the confusion :-) there's also Red Hat Directory Server.

If all you're doing is connecting into a remote LDAP server, you don't need to run a local one. You should be able to use openldap-clients, then run authconfig-tui to tie into it. You'll need your baseDN info.

Authenticating Linux against Windows AD is spelt out at http://kbase.redhat.com/faq/docs/DOC-3639.pdf;jsessionid=E0D00EA7230FC2DA119FDD73BFBE42CE.066ef7ba
Enterprise LDAP authentication
We have a new client requesting to use the enterprise ldap server (running on a windows box I think). First reading indicates I can run an ldap server on a zlinux machine and point it to the enterprise ldap server for authentication. I found the Redhat rpms. Anybody know any gotchas or recommendations.

Bobby Bauer
Center for Information Technology
National Institutes of Health
Bethesda, MD 20892-5628
301-594-7474
Re: Enterprise LDAP authentication
Bauer, Bobby (NIH/CIT) [E] wrote:
> We have a new client requesting to use the enterprise ldap server (running on a windows box I think). First reading indicates I can run an ldap server on a zlinux machine and point it to the enterprise ldap server for authentication. I found the Redhat rpms. Anybody know any gotchas or recommendations.

I don't, but to add to the confusion :-) there's also Red Hat Directory Server.

--
Cheers
John

-- spambait
1...@coco.merseine.nu
z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
PAM - LDAP - RACF
I am trying to get SLES 10 to authenticate users through RACF. I have read and tried the instructions in Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server, but without success. I am able to interactively use ldapsearch and get user information from RACF, but something is going on with the bind function and PAM. When attempting to bind using the information in /etc/ldap.conf, it's passing the credentials for the user logging in, instead of the user defined in the ldap.conf file. I am only attempting to use /etc/pam.d/sshd and nothing else at this point.

Here's what I can offer up for config files so far:

/etc/ldap.conf:

    host ip address
    port 9270
    base c=odot
    binddn racfid=BNDUSR,profiletype=USER,c=DOT
    bindpw clear text password
    ldap_version 3
    pam_login_attribute racfid

/etc/pam.d/sshd:

    #%PAM-1.0
    auth     include    common-auth
    auth     required   pam_nologin.so
    auth     sufficient pam_ldap.so
    account  include    common-account
    account  sufficient pam_ldap.so
    password include    common-password
    password sufficient pam_ldap.so
    session  include    common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README)
    #session optional   pam_resmgr.so fake_ttyname

When attempting to log in using SSH password authentication, the following error appears in the /var/log/messages file:

    sshd[28103]: pam_ldap: error trying to bind as user racfid=userid,profiletype=USER,c=DOT (Invalid credentials)

The UserID following the racfid= is NOT the account authorized to bind to RACF, but the UserID logging in through SSH. Seems to me this is where the process is breaking - it should be the binddn that would bind as user.

Thanks in advance,
Dave
Re: PAM - LDAP - RACF
I gave a SHARE presentation about this very same topic. See 'Configuring LDAP on z/VM and Linux' at http://www.linuxvm.org/Present/index.html

I see a pam_login_attribute tag in the ldap.conf file that I used.

Dave Keeton wrote:
> I am trying to get SLES 10 to authenticate users through RACF. I have read and tried the instructions in Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server, but without success.
> [...]

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
Re: PAM - LDAP - RACF
Ugh! I meant I don't see a pam_login_attribute tag... :(

Rich Smrcina wrote:
> I see a pam_login_attribute tag in the ldap.conf file that I used.

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
Re: PAM - LDAP - RACF
Rich,

It's in the ldap.conf file I posted. It's at the bottom. The value is 'racfid'.

Dave

On Thu, 2009-02-05 at 12:07 -0600, Rich Smrcina wrote:
> Ugh! I meant I don't see a pam_login_attribute tag... :(
>
> Rich Smrcina wrote:
>> I see a pam_login_attribute tag in the ldap.conf file that I used.
Re: PAM - LDAP - RACF
On 2/5/2009 at 12:25 PM, Dave Keeton dave.kee...@state.or.us wrote:
> I am trying to get SLES 10 to authenticate users through RACF. I have
-snip-
> /etc/pam.d/sshd:
>
>     #%PAM-1.0
>     auth     include    common-auth
>     auth     required   pam_nologin.so
>     auth     sufficient pam_ldap.so
>     account  include    common-account
>     account  sufficient pam_ldap.so
>     password include    common-password
>     password sufficient pam_ldap.so

I've never played with this before, but I believe you would need to have the pam_ldap.so line _before_ the include common-password line.

Mark Post
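Pat's earlier note that a `password sufficient pam_ldap.so` line lets users run the standard passwd command, and Mark's point that the line has to sit before the include, are the same mechanism, so here is one added example (not from the thread, and not SLES or Linux-PAM code) that simulates Linux-PAM control-flag semantics over the poster's password stack. The common-password contents and the per-module outcomes are constructed assumptions, not taken from the page.

```python
# Assumed contents of /etc/pam.d/common-password on SLES 10 (an assumption,
# not taken from the thread): a quality check, then the local shadow update.
COMMON_PASSWORD = [
    ("required", "pam_pwcheck.so"),
    ("required", "pam_unix2.so"),
]
INCLUDES = {"common-password": COMMON_PASSWORD}

# The password stack as posted: the include first, pam_ldap after it.
SSHD_PASSWORD_AS_POSTED = [
    ("include", "common-password"),
    ("sufficient", "pam_ldap.so"),
]
# The reordering Mark suggests: pam_ldap before the include.
SSHD_PASSWORD_REORDERED = [
    ("sufficient", "pam_ldap.so"),
    ("include", "common-password"),
]

# Constructed per-module outcomes. An LDAP-only user has no local shadow
# entry, so pam_unix2 fails for them; a local user is the mirror image.
LDAP_ONLY_USER = {"pam_pwcheck.so": True, "pam_unix2.so": False, "pam_ldap.so": True}
LOCAL_USER = {"pam_pwcheck.so": True, "pam_unix2.so": True, "pam_ldap.so": False}

def expand(stack):
    """Splice 'include' lines into a flat list, as libpam does when reading the file."""
    flat = []
    for control, module in stack:
        flat.extend(expand(INCLUDES[module]) if control == "include" else [(control, module)])
    return flat

def run_stack(stack, outcomes):
    """Walk a PAM stack under Linux-PAM control-flag rules and return
    (success, modules actually consulted):
      required   failure is remembered, but later modules still run
      requisite  failure returns immediately
      sufficient success returns immediately unless a required module already
                 failed; failure is ignored
      optional   only counts when it is the sole module in the stack"""
    flat = expand(stack)
    failed_required, saw_required, consulted = False, False, []
    for control, module in flat:
        ok = outcomes[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            saw_required = True
            if not ok:
                failed_required = True
                if control == "requisite":
                    return False, consulted
        elif control == "sufficient" and ok and not failed_required:
            return True, consulted
        elif control == "optional" and len(flat) == 1:
            return ok, consulted
    return saw_required and not failed_required, consulted
```

For the LDAP-only user the stack as posted runs the required pam_unix2 first, its failure is remembered, and the later sufficient pam_ldap success cannot override it; with pam_ldap first the stack returns success on the first module, which also means the pam_pwcheck quality check is never consulted for that user.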
Re: PAM - LDAP - RACF
I meant in my ldap.conf.

Dave Keeton wrote:
> Rich,
>
> It's in the ldap.conf file I posted. It's at the bottom. The value is 'racfid'.
>
> Dave

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009