Re: [SLE] SUSe 9.3 and LDAP Docu?
On 5/23/05, Jerry Westrick <jerry@westrick.com> wrote:
On Monday 23 May 2005 16:44, Markus Natter wrote:
On 5/23/05, Markus Natter <markus.natter@gmail.com> wrote:
On 5/23/05, Jerry Westrick <jerry@westrick.com> wrote:
On Monday 23 May 2005 09:29, Markus Natter wrote:
On 5/22/05, Jerry Westrick <jerry@westrick.com> wrote:
Is there a step by step docu on how to get SuSE 9.3 to use openldap for authorization....
I worked my way through the Admin Guide... but All I get is connection failures....
anybody seen a decent how to?
Jerry
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
Hi Jerry,
YaST could do this for you ( see chapter 29.5 SuSE Admin. Guide ).. but on the other hand you need a working LDAP - configuration and and a working database first.
Have you already tried to connect and made a successful request with any cmd-line ldap tools ( ldapsearch ... ) or any ldap client?
Markus
Thanks for the answer Markus...
Yes I got ldap running by following the instructions at /usr/share/doc/packages/openldap2/admin-guide/quickstart.html
There I issued:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts ldapadd -x -D "cn=Manager,dc=<MY-DOMAIN>,dc=<COM>" -W -f example.ldif ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
all of which worked.
I guess is that either the User (as setup by quick installation guide) is not yast compatible, or that the security method is not the one that yast expects?
Jerry
well, there could be some caveats..
could you post your /etc/openldap/slapd.conf & /etc/ldap.conf? (e.g. did you include the required .schema files, like yast.schema [as I remember, yast uses member entries instead of memberUID per default (you could change this behavior-> extended settings)..])
the idea behind this all is, that yast would help you setting up the other configs correctly.. (some hints: /etc/pam.d, nss_ldap / pam_ldap, /etc/security, /etc/nsswitch.conf )
another idea is to let yast create the standard objects etc.. [ extended settings ], if your setup does not fit into the yast expectations. And also try one thing after another.. [ e.g. do not start with TLS/SSL related stuff before you have fixed the other problems ]
Markus
well I just tried this by setting up a very simple base.. (only the root-dir, and configured a rootdn and rootpw using slapadd, for setting things up.. then I configured a basic /etc/ldap.conf to point to the new slapd running on the localhost) and yast configured the rest for me.. it was not that difficult..
here are the lines I used for this test:
/etc/slapd.conf: ============
# this should be the schema section as it was shipped.. include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/yast.schema
suffix "dc=test,dc=example,dc=com" rootdn "cn=Manager,dc=test,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret
base.ldif ( note: be careful with empty spaces at the end of a line, if you copy/paste! ) =======
## ## TEST.EXAMPLE.COM ## ## Basis of the LDAP-tree test.example.com ## dn: dc=test,dc=example,dc=com dc: test o: example objectClass: organization objectClass: dcObject structuralObjectClass: organization
=======
install this ldiff.. you should remove your old database before that.. please, keep your DB_CONFIG!!!
rcldap stop
cd /var/lib/ldap rm *.bdb log.* __db.*
cd /etc/openldap/ # or wherever your base.ldif is slapadd -p -w -l base.ldif
rcldap start
/etc/ldap.conf ========== # Your LDAP server. Must be resolvable without using LDAP. # if you want tls / ssl later on, you should replace localhost with your fq. hostname host localhost
# The distinguished name of the search base. base dc=test,dc=example,dc=com
# this could be your anonymous-bind substitute later.. #binddn cn=pam,dc=test,dc=example,dc=com #bindpw another_secret
# The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=Manager,dc=natter,dc=itellium,dc=net
nss_base_passwd dc=natter,dc=itellium,dc=net?sub nss_base_shadow dc=natter,dc=itellium,dc=net?sub nss_base_group dc=natter,dc=itellium,dc=net?sub
===================
then I called YaST -> Nw -> LDAP-Client
(x) use LDAP
Addresses of LDAP Servers localhost
LDAP base DN dc=test,dc=example,dc=com
[Advanced Configuration] <= choose this one!
---------------------------------------------------------------
check
[x] Create Default Configuration Objects
=> Continue (enter the rootdn password ) and you're done.
puh.. it's a lot to write..
I hope this helps..
Markus
A Millliion thx... WIll try tonight...
Jerry
good luck.. ;) Markus
participants (1)
-
Markus Natter