Mike,
Thank you for your information.
Yes, our LDAP server does TLS encryption, and I've copied the certificate to
/var/ldap directory and specified in /etc/ldap.conf as I mention in the below
email.
No, I didn't use authconfig-tui as I'm not sure what to put in BASE DN.
(Cookbook example: Base DN: dc=itso,dc=ibm,dc=com)
Instead, I ran a script provided by our LDAP server support. The script copied
/etc/ldap.conf, /etc/pam.d/system-auth, /etc/pam.d/system-auth, and then copied
the certificate to /var/ldap/VeriSignRsaSecureServerCA.pem. He said the script
used to work for the old Redhat (probably 5 or earlier).
I also tried to use the ldapsearch command, specifying the LDAP host name. I got
a SASL error without the -x option. With the -x option, it displays my LDAP account
information. If I didn't specify the host name, it said "Can't contact LDAP server".
[root@slevmdb ~]# ldapsearch -h dledirnvip -b ou=le uid=a0867719
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
[root@slevmdb ~]# ldapsearch -x -h dledirnvip -b ou=le uid=a0867719
# extended LDIF
#
# LDAPv3
# base <ou=le> with scope subtree
# filter: uid=a0867719
# requesting: ALL
#
# a0867719, people, le
dn: uid=a0867719,ou=people,ou=le
uid: a0867719
....
[root@slevmdb ~]# ldapsearch -x -b ou=le uid=a0867719
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Regards,
Ya-Fang
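The thread turns on whether the three client files agree with each other: the server and base DN in /etc/ldap.conf, TLS actually switched on with a readable CA file, "ldap" listed in nsswitch.conf, and pam_ldap.so on an auth line in system-auth. The checker below is an added example, not the script from the LDAP support team and not part of the original thread; it parses constructed copies of those files in the pam_ldap key/value style and reports the gaps that produce the symptoms described above (no host line gives "Can't contact LDAP server", a missing or unreadable tls_cacertfile means the server certificate cannot be verified). The host name ldap.example.com, the "ssl start_tls" directive and the placeholder PEM file are assumptions for the sample input.

```python
# Added example, not from the LINUX-390 thread: an offline consistency check for a
# pam_ldap-style /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth.
# All sample content below is constructed.
import os
import tempfile

PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "placeholder, not a real certificate\n"
    "-----END CERTIFICATE-----\n"
)


def parse_ldap_conf(text):
    """Parse 'key value' lines (pam_ldap/nss_ldap style) into {key: [values]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def parse_nsswitch(text):
    """Map each nsswitch database (passwd, shadow, group, ...) to its source list."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = sources.split()
    return dbs


def pam_auth_uses_ldap(text):
    """True if an 'auth' line in the PAM service file loads pam_ldap.so."""
    for raw in text.splitlines():
        fields = raw.split()
        if fields and fields[0] == "auth" and any(f.endswith("pam_ldap.so") for f in fields):
            return True
    return False


def check_ldap_client(ldap_conf_text, nsswitch_text, system_auth_text):
    """Return a list of findings; an empty list means the three files are consistent."""
    findings = []
    conf = parse_ldap_conf(ldap_conf_text)

    if "uri" not in conf and "host" not in conf:
        findings.append("ldap.conf: no 'uri' or 'host' directive, so the client cannot locate the server")
    if "base" not in conf:
        findings.append("ldap.conf: no 'base' DN, so searches have no default search root")

    # TLS is on if 'ssl on' / 'ssl start_tls' is set or the URI uses ldaps://
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    ldaps_uri = any(u.lower().startswith("ldaps://") for u in conf.get("uri", []))
    tls_enabled = ssl_mode in ("on", "start_tls") or ldaps_uri
    cacert = conf.get("tls_cacertfile", [None])[-1]

    if not tls_enabled:
        findings.append("ldap.conf: TLS not enabled ('ssl start_tls' or 'ssl on'); passwords would cross the wire in clear text")
    if cacert is None:
        if tls_enabled:
            findings.append("ldap.conf: TLS enabled but no 'tls_cacertfile'; the server certificate cannot be verified")
    else:
        if not tls_enabled:
            findings.append(f"ldap.conf: tls_cacertfile {cacert} is set but TLS is off, so it is never used")
        if not os.path.isfile(cacert):
            findings.append(f"ldap.conf: tls_cacertfile {cacert} does not exist")
        elif not os.access(cacert, os.R_OK):
            findings.append(f"ldap.conf: tls_cacertfile {cacert} is not readable")
        else:
            with open(cacert) as fh:
                if "-----BEGIN CERTIFICATE-----" not in fh.read():
                    findings.append(f"ldap.conf: tls_cacertfile {cacert} is not a PEM certificate")
    if conf.get("tls_checkpeer", ["yes"])[-1].lower() in ("no", "off", "false"):
        findings.append("ldap.conf: tls_checkpeer is off, so a forged server certificate would be accepted")

    dbs = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "shadow", "group"):
        if "ldap" not in dbs.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list ldap, so LDAP users are invisible to NSS")

    if not pam_auth_uses_ldap(system_auth_text):
        findings.append("system-auth: no 'auth' line loads pam_ldap.so, so LDAP passwords are never checked")
    return findings


def write_placeholder_ca():
    """Write a stand-in PEM file to a temp path (constructed, not a real CA certificate)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(PLACEHOLDER_PEM)
    return path


def sample_configs(cacert_path, tls=True):
    """Constructed copies of the three files; host name and TLS mode are assumptions."""
    ldap_conf = (
        "# constructed sample, pam_ldap style\n"
        "host ldap.example.com\n"
        "base ou=le\n"
        + ("ssl start_tls\n" if tls else "")
        + f"tls_cacertfile {cacert_path}\n"
        "tls_checkpeer yes\n"
    )
    nsswitch = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"
    system_auth = (
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass\n"
        "auth required pam_deny.so\n"
    )
    return ldap_conf, nsswitch, system_auth


if __name__ == "__main__":
    ca = write_placeholder_ca()
    try:
        for tls in (True, False):
            print(f"tls={tls}:", check_ldap_client(*sample_configs(ca, tls=tls)) or "OK")
    finally:
        os.unlink(ca)
```

Run it against real files by reading /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth into the three arguments; it only reads the files and never contacts the server, so a clean result still has to be confirmed with an ldapsearch that uses TLS.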
-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Michael MacIsaac
Sent: Wednesday, November 05, 2014 6:17 PM
To: [email protected]
Subject: Re: Configure LDAP client on Red Hat 6.6
Ya-Fang,
Wow, I sympathize with your questions.
If you're new to Linux, don't try to configure LDAP on RHEL (or SLES for that
matter). I've been doing it quite a while and it continues to "kick my butt" to
this day. :)) But I would guess this is not one of your choices.
You said you're configuring to authenticate to your organization's LDAP server
- does it do "TLS" (encryption)? Check with your organization's LDAP
administrator. If the answer is no, stop here. As I understand it, when RHEL
moved to v6, it will not authenticate unless TLS is active.
The next question is whether or not you are using the "authconfig-tui"
command for setting up client authentication. I would recommend that you do,
but you're not sure exactly what has changed. If so, an important part is that,
I believe, you need to copy the LDAP server's certificate to each of the
clients. Have you done that?
Hope this helps.
-Mike MacIsaac
On Wed, Nov 5, 2014 at 5:24 PM, Chen, Ya-Fang <[email protected]> wrote:
> Hi,
>
> I'm new to Linux system and just installed a Red Hat 6.6 on system z
> by following the cookbook. I tried to configure the Linux system to be
> a LDAP client to connect to company's LDAP server for user
> authentication but am still having an issue when logging on, saying "access denied".
>
> I've configured the below 3 files.
> 1). /etc/ldap.conf (point to ldap hosts and base, and have below
> statement)
>
> tls_cacertfile /var/ldap/VeriSignRsaSecureServerCA.pem
>
> 2). /etc/nsswitch.conf
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> 3). /etc/pam.d/system-auth (contains below statement)
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
>
> Do I need to configure /etc/openldap/ldap.conf and/or any other file?
>
>
> Here are the packages I've installed. Not sure if I missed anything?
>
> [root@slevmdb /]# rpm -qa | grep openldap
> openldap-clients-2.4.39-8.el6.s390x
> openldap-2.4.39-8.el6.s390x
> [root@slevmdb /]# rpm -qa | grep sssd
> sssd-client-1.11.6-30.el6.s390x
> sssd-common-1.11.6-30.el6.s390x
> sssd-proxy-1.11.6-30.el6.s390x
> sssd-krb5-common-1.11.6-30.el6.s390x
> sssd-common-pac-1.11.6-30.el6.s390x
> sssd-ad-1.11.6-30.el6.s390x
> sssd-ldap-1.11.6-30.el6.s390x
> sssd-1.11.6-30.el6.s390x
> python-sssdconfig-1.11.6-30.el6.noarch
> sssd-ipa-1.11.6-30.el6.s390x
> sssd-krb5-1.11.6-30.el6.s390x
> [root@slevmdb /]# rpm -qa | grep pam
> pam-1.1.1-20.el6.s390x
> pam_passwdqc-1.0.5-6.el6.s390x
> pam_krb5-2.3.11-9.el6.s390x
> nss-pam-ldapd-0.7.5-18.2.el6_4.s390x
> pam_ldap-185-11.el6.s390x
>
>
> Thanks for the help.
>
>
> Thanks and Regards,
> Ya-Fang
>
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>