Ya-Fang,
> I'm not sure what to put in BASE DN
Looking at your e-mail address I would guess "dc=ti,dc=com", but I see
"ou=le" in an above example, so maybe your organization uses this older
approach in the DIT architecture.
> Instead, I ran a script provided by our LDAP server support
Hmm, is there anyone who supports that script whom you can work with?
If not, you can get hints by turning up debug levels. For example, you can
try ssh'ing to a Linux system pointing to LDAP with the -d3 ssh flag. This
might give you some hints, but if you think about it from a security point
of view, the LDAP server doesn't want to give a lot of information about a
failed login attempt. So I have started the LDAP server with a debug level
(again -d3 works). Then a lot of info comes out on the LDAP server console
which might be useful.
Hope this helps.
-Mike
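An added check, not from this thread or from the poster's support script: a POSIX sh function that inspects a pam_ldap/nss-pam-ldapd style ldap.conf for the things a TLS-protected client needs (a host or uri, a base DN, TLS switched on, a CA file that actually exists on the client, and server verification not disabled). The host names, base and file paths in the sample configs are constructed.

```shell
#!/bin/sh
# Read the first value of a keyword (case-insensitive) from an ldap.conf file.
ldap_conf_get() {
    awk -v k="$2" 'tolower($1)==k {print $2; exit}' "$1"
}

# Report missing or unsafe settings; returns 0 when the file looks usable, 1 otherwise.
check_ldap_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    host=$(ldap_conf_get "$conf" host); uri=$(ldap_conf_get "$conf" uri)
    base=$(ldap_conf_get "$conf" base);  ssl=$(ldap_conf_get "$conf" ssl)
    ca=$(ldap_conf_get "$conf" tls_cacertfile)
    reqcert=$(ldap_conf_get "$conf" tls_reqcert)
    checkpeer=$(ldap_conf_get "$conf" tls_checkpeer)
    # No server named is the "Can't contact LDAP server" case.
    [ -n "$host$uri" ] || { echo "no host or uri set"; rc=1; }
    [ -n "$base" ] || { echo "no base DN set"; rc=1; }
    # RHEL 6 will not authenticate without TLS: start_tls or an ldaps:// uri.
    case "$ssl:$uri" in
        start_tls:*|*:ldaps://*) ;;
        *) echo "TLS not enabled (need 'ssl start_tls' or an ldaps:// uri)"; rc=1 ;;
    esac
    # The server's CA certificate must be copied to every client.
    if [ -z "$ca" ]; then echo "tls_cacertfile not set"; rc=1
    elif [ ! -r "$ca" ]; then echo "tls_cacertfile $ca is missing on this client"; rc=1
    fi
    # Settings that turn off server certificate verification defeat TLS.
    case "$reqcert" in never|allow) echo "tls_reqcert $reqcert skips verification"; rc=1 ;; esac
    [ "$checkpeer" = "no" ] && { echo "tls_checkpeer no skips verification"; rc=1; }
    return $rc
}

# Constructed sample configs in a temp dir: one weak (no TLS), one acceptable.
make_samples() {
    d=$(mktemp -d); echo "constructed placeholder, not a real CA" > "$d/ca.pem"
    printf 'host ldap.example.com\nbase ou=le\ntls_cacertfile %s/ca.pem\n' "$d" > "$d/weak.conf"
    printf 'uri ldap://ldap.example.com\nbase ou=le\nssl start_tls\ntls_checkpeer yes\ntls_cacertfile %s/ca.pem\n' "$d" > "$d/good.conf"
    echo "$d"
}
```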
On Thu, Nov 6, 2014 at 5:10 PM, Chen, Ya-Fang <[email protected]> wrote:
> Mike,
>
> Thank you for your information.
> Yes, our LDAP server does TLS encryption, and I've copied the certificate
> to the /var/ldap directory and specified it in /etc/ldap.conf, as I mentioned
> in the email below.
>
> No, I didn't use authconfig-tui as I'm not sure what to put in BASE DN.
> (Cookbook example: Base DN: dc=itso,dc=ibm,dc=com)
> Instead, I ran a script provided by our LDAP server support. The script
> copied /etc/ldap.conf, /etc/pam.d/system-auth, /etc/pam.d/system-auth, and
> then copied the certificate to /var/ldap/VeriSignRsaSecureServerCA.pem. He
> said the script used to work for the old Redhat (probably 5 or earlier).
>
> I also tried to use the ldapsearch command by specifying the LDAP host name. I
> got a SASL error without the -x option. With the -x option, it can display my LDAP
> account information. If I didn't specify the host name, it said "Can't contact
> LDAP server".
>
> [root@slevmdb ~]# ldapsearch -h dledirnvip -b ou=le uid=a0867719
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> [root@slevmdb ~]# ldapsearch -x -h dledirnvip -b ou=le uid=a0867719
> # extended LDIF
> #
> # LDAPv3
> # base <ou=le> with scope subtree
> # filter: uid=a0867719
> # requesting: ALL
> #
>
> # a0867719, people, le
> dn: uid=a0867719,ou=people,ou=le
> uid: a0867719
> ....
>
> [root@slevmdb ~]# ldapsearch -x -b ou=le uid=a0867719
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Regards,
> Ya-Fang
>
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
> Michael MacIsaac
> Sent: Wednesday, November 05, 2014 6:17 PM
> To: [email protected]
> Subject: Re: Configure LDAP client on Red Hat 6.6
>
> Ya-Fang,
>
> Wow, I sympathize with your questions.
>
> If you're new to Linux, don't try to configure LDAP on RHEL (or SLES for
> that matter). I've been doing it quite a while and it continues to "kick my
> butt" to this day. :)) But I would guess this is not one of your choices.
>
> You said you're configuring to authenticate to your organization's LDAP
> server - does it do "TLS" (encryption)? Check with your organization's
> LDAP administrator. If the answer is no, stop here. As I understand it,
> when RHEL moved to v6, it will not authenticate unless TLS is active.
>
> The next question is whether or not you are using the "authconfig-tui"
> command for setting up client authentication. I would recommend that you
> do, but you're not sure exactly what has changed. If so, an important part
> is that, I believe, you need to copy the LDAP server's certificate to each
> of the clients. Have you done that?
>
> Hope this helps.
>
> -Mike MacIsaac
>
> On Wed, Nov 5, 2014 at 5:24 PM, Chen, Ya-Fang <[email protected]> wrote:
>
> > Hi,
> >
> > I'm new to Linux and just installed Red Hat 6.6 on System z
> > by following the cookbook. I tried to configure the Linux system to be
> > an LDAP client connecting to the company's LDAP server for user
> > authentication, but I'm still having an issue when logging on, saying "access
> > denied".
> >
> > I've configured the below 3 files.
> > 1). /etc/ldap.conf (point to ldap hosts and base, and have below
> > statement)
> >
> > tls_cacertfile /var/ldap/VeriSignRsaSecureServerCA.pem
> >
> > 2). /etc/nsswitch.conf
> > passwd: files ldap
> > shadow: files ldap
> > group: files ldap
> >
> > 3). /etc/pam.d/system-auth (contains below statement)
> > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> >
> > Do I need to configure /etc/openldap/ldap.conf and/or any other file?
> >
> >
> > Here are the packages I've installed. Not sure if I missed anything?
> >
> > [root@slevmdb /]# rpm -qa | grep openldap
> > openldap-clients-2.4.39-8.el6.s390x
> > openldap-2.4.39-8.el6.s390x
> > [root@slevmdb /]# rpm -qa | grep sssd
> > sssd-client-1.11.6-30.el6.s390x
> > sssd-common-1.11.6-30.el6.s390x
> > sssd-proxy-1.11.6-30.el6.s390x
> > sssd-krb5-common-1.11.6-30.el6.s390x
> > sssd-common-pac-1.11.6-30.el6.s390x
> > sssd-ad-1.11.6-30.el6.s390x
> > sssd-ldap-1.11.6-30.el6.s390x
> > sssd-1.11.6-30.el6.s390x
> > python-sssdconfig-1.11.6-30.el6.noarch
> > sssd-ipa-1.11.6-30.el6.s390x
> > sssd-krb5-1.11.6-30.el6.s390x
> > [root@slevmdb /]# rpm -qa | grep pam
> > pam-1.1.1-20.el6.s390x
> > pam_passwdqc-1.0.5-6.el6.s390x
> > pam_krb5-2.3.11-9.el6.s390x
> > nss-pam-ldapd-0.7.5-18.2.el6_4.s390x
> > pam_ldap-185-11.el6.s390x
> >
> >
> > Thanks for the help.
> >
> >
> > Thanks and Regards,
> > Ya-Fang
> >
> >
> > ----------------------------------------------------------------------
> > For LINUX-390 subscribe / signoff / archive access instructions, send
> > email to [email protected] with the message: INFO LINUX-390 or
> > visit
> > http://www.marist.edu/htbin/wlvindex?LINUX-390
> > ----------------------------------------------------------------------
> > For more information on Linux on System z, visit
> > http://wiki.linuxvm.org/
> >
>