[opensuse] Introduction + system boot failure after LDAPS configuration
Hi,

Since this is my first message on this list, let me introduce myself. I'm a 52 year old Austrian living in Montpezat, a small village in South France. And I'm the manager of a small IT business with a focus on Linux and Open Source software. I'm running CentOS 7.6 on all my servers and OpenSUSE Leap 15.1 KDE on all my desktop clients.

I'm currently fiddling with 389 Directory Server, the Open Source variant of Red Hat Directory Server. I've installed and configured it on a sandbox server running CentOS. Now I'd like my OpenSUSE Leap clients to get their authentication information from this machine.

Here's what I do on a fresh install, vanilla OpenSUSE without any tweaks.

Import CA certificate:

# cp ca.crt /etc/pki/trust/anchors/
# update-ca-certificates

---------------------------------------------------------------------
YaST > Network Services > LDAP and Kerberos Client > Change Settings:

[X] Allow LDAP Users To Authenticate (pam_ldap)
[X] Cache LDAP Entries For Faster Response (nscd)
[X] Automatically Create Home Directory

Read the following items from LDAP data source:
[X] Users
[X] Groups
[ ] Super-User Commands (sudo)
[ ] Network Disk Locations (automount)

Enter LDAP server locations: ldaps://amandine.microlinux.lan:636
DN of Search Base: dc=microlinux,dc=lan
DN of Bind User : <empty>
Password of the Bind User : <empty>

[ ] Identify Group Members by Their DNs
[X] Leave LDAP Connections Open for Consecutive Requests

Secure LDAP communication:
[X] Secure Communication via TLS
---------------------------------------------------------------------

At this point, when I click on "Test Connection" in YaST's LDAP configuration module, I get this:

"Successfully contacted LDAP server on URI ldaps://amandine.microlinux.lan:636!"

I configure everything by clicking OK > OK and then proceed to a reboot.

And then the next reboot is a total failure with errors everywhere pretty early in the process. After D-Bus starts, pretty much every service fails to start. NSCD fails, Modem Manager fails, etc. and I never get to see a login.

And now I'm clueless. Any suggestions?

Cheers from the sunny South of France,

Niki Kovacs

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 25/08/2019 15.39, Nicolas Kovacs wrote:
Hi,
Since this is my first message on this list, let me introduce myself. I'm a 52 year old Austrian living in Montpezat, a small village in South France. And I'm the manager of a small IT business with a focus on Linux and Open Source software. I'm running CentOS 7.6 on all my servers and OpenSUSE Leap 15.1 KDE on all my desktop clients.
I'm currently fiddling with 389 Directory Server, the Open Source variant of Red Hat Directory Server. I've installed and configured it on a sandbox server running CentOS. Now I'd like my OpenSUSE Leap clients to get their authentication information from this machine.
Here's what I do on a fresh install, vanilla OpenSUSE without any tweaks.
Import CA certificate:
# cp ca.crt /etc/pki/trust/anchors/
# update-ca-certificates

---------------------------------------------------------------------
YaST > Network Services > LDAP and Kerberos Client > Change Settings:

[X] Allow LDAP Users To Authenticate (pam_ldap)
[X] Cache LDAP Entries For Faster Response (nscd)
[X] Automatically Create Home Directory

Read the following items from LDAP data source:
[X] Users
[X] Groups
Just a non-educated guess: this means the equivalent of /etc/group and /etc/passwd? Then, before the LDAP client is active, the machine has no group and user information to start any daemon during boot. ...
"Successfully contacted LDAP server on URI ldaps://amandine.microlinux.lan:636!"
I configure everything by clicking OK > OK and then proceed to a reboot.
And then the next reboot is a total failure with errors everywhere pretty early in the process. After D-Bus starts, pretty much every service fails to start. NSCD fails, Modem Manager fails, etc. and I never get to see a login.
And now I'm clueless. Any suggestions?
Cheers from the sunny South of France,
Niki Kovacs
-- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 25/08/2019 at 15:50, Carlos E. R. wrote:
I'm currently fiddling with 389 Directory Server, the Open Source variant of Red Hat Directory Server. I've installed and configured it on a sandbox server running CentOS. Now I'd like my OpenSUSE Leap clients to get their authentication information from this machine.
More generally: can anyone point me to relevant documentation on how to configure LDAP/LDAPS authentication on OpenSUSE Leap 15.1? After having spent the best part of a sunny Sunday wading through obscure tech blogs, I'm a bit wary of obsolete or downright false information on the subject.

Cheers,

Niki Kovacs
On 25/08/2019 19.49, Nicolas Kovacs wrote:
On 25/08/2019 at 15:50, Carlos E. R. wrote:
I'm currently fiddling with 389 Directory Server, the Open Source variant of Red Hat Directory Server. I've installed and configured it on a sandbox server running CentOS. Now I'd like my OpenSUSE Leap clients to get their authentication information from this machine.
More generally: can anyone point me to relevant documentation on how to configure LDAP/LDAPS authentication on OpenSUSE Leap 15.1? After having spent the best part of a sunny Sunday wading through obscure tech blogs, I'm a bit wary of obsolete or downright false information on the subject.
doc.opensuse.org somewhere.
On 25/08/2019 at 20:24, Carlos E.R. wrote:
doc.opensuse.org somewhere.
Just out of curiosity: do you actually use LDAP over TLS for client authentication?
On 25/08/2019 22.15, Nicolas Kovacs wrote:
On 25/08/2019 at 20:24, Carlos E.R. wrote:
doc.opensuse.org somewhere.
Just out of curiosity: do you actually use LDAP over TLS for client authentication?
Nope, I don't use LDAP at all. Which is why I said "non-educated guess". But the documentation is there in that site, I saw it once.

<https://doc.opensuse.org/documentation/leap/reference/single-html/book.opensuse.reference/index.html>

Multiple references, not the actual setup of LDAP.

<https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.ldap.html>

5 LDAP—A Directory Service

Abstract

The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for user and group management, system configuration management, address management, and more. This chapter provides a basic understanding of how OpenLDAP works.

5.1 LDAP versus NIS
5.2 Structure of an LDAP Directory Tree
5.3 Configuring an LDAP Client with YaST
5.4 Configuring LDAP Users and Groups in YaST
5.5 Manually Configuring an LDAP Server
5.6 Manually Administering LDAP Data
5.7 For More Information
On 25/08/2019 at 22:26, Carlos E. R. wrote:
The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for user and group management, system configuration management, address management, and more. This chapter provides a basic understanding of how OpenLDAP works.
Thanks, I already read that document. Which doesn't help.

So I'm looking for someone who actually *uses* LDAPS - eventually with RHDS or 389 DS, and who can point me in the right direction.
I have used this setup extensively in the past with older versions of openSUSE and SLES and have a ton of documentation, but will need to dig it up since I'm currently not supporting the environment. The docs are kinda specific to the OpenDJ directory service, but ldap is ldap so they should still apply. I'll see what I can find and share it when I have some free time.

--
Later,
Darin

On Sun, Aug 25, 2019 at 5:13 PM Nicolas Kovacs <info@microlinux.fr> wrote:
On 25/08/2019 at 22:26, Carlos E. R. wrote:
The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for user and group management, system configuration management, address management, and more. This chapter provides a basic understanding of how OpenLDAP works.
Thanks, I already read that document. Which doesn't help.
So I'm looking for someone who actually *uses* LDAPS - eventually with RHDS or 389 DS, and who can point me in the right direction.
On 8/25/19 11:13 PM, Nicolas Kovacs wrote:
On 25/08/2019 at 22:26, Carlos E. R. wrote:
The Lightweight Directory Access Protocol (LDAP) is a set of protocols designed to access and maintain information directories. LDAP can be used for user and group management, system configuration management, address management, and more. This chapter provides a basic understanding of how OpenLDAP works.
Thanks, I already read that document. Which doesn't help.
So I'm looking for someone who actually *uses* LDAPS - eventually with RHDS or 389 DS, and who can point me in the right direction.
I do. However, I don't use 389-ds but OpenLDAP instead. I have a server instance of OpenLDAP with TLS configured (with my own CA authenticated certs ;-) and serving my home network with all members and some more. The server runs on TW. The clients all authenticate against that server by using sssd with full TLS support through the openLDAP libraries.

I have the following clients in use: TW, Leap 15.0, Leap 42.3, Debian 9, Debian 8, and CentOS 6.x (no 15.1 yet). This works like a charm.

My sssd config file on my notebook looks like this (this even supports offline authentication, with some hiccups occasionally which I cannot reliably reproduce):

[sssd]
config_file_version = 2
services = pam,nss
domains = <name>.home

[pam]

[nss]

[domain/<name>.home]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
enumerate = false
cache_credentials = true
case_sensitive = true
ldap_use_tokengroups = true
ldap_uri = ldaps://ldap.<name>.home
ldap_search_base = dc=<name>,dc=home
ldap_tls_reqcert = hard
ldap_tls_cacertdir = /var/lib/ca-certificates/pem
chpass_provider = ldap
ldap_group_uuid = entryuuid
ldap_user_uuid = entryuuid
account_cache_expiration = 0

Follow the sssd and openLDAP documentation for the clients. Also, if you go down the TLS route, configure TLS with cert requirement "hard", as "allow" will sometimes not work and is insecure anyway. I'm not sure, but seem to recall that self-signed certs are not supported anymore (this is all for openLDAP and sssd).

It took me a while to have this working. I'm not using 389-ds as it is way beyond my needs, and openLDAP has done its job pretty well for ages.

HTH
Otrebor
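An added check, written for this thread and not code from Otrebor's post, that audits an sssd.conf for the two points made above: an ldaps:// URI (or forced STARTTLS) and ldap_tls_reqcert set to hard, plus an explicit CA pin. The two sample configs are constructed for the example, with the <name> placeholders kept as in the post.

```python
import configparser

# Constructed sample configs (not from the post): GOOD_CONF mirrors the shape of
# the posted sssd.conf, WEAK_CONF is a weakened variant of the same domain.
GOOD_CONF = """[sssd]
services = pam,nss
domains = <name>.home
[domain/<name>.home]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.<name>.home
ldap_search_base = dc=<name>,dc=home
ldap_tls_reqcert = hard
ldap_tls_cacertdir = /var/lib/ca-certificates/pem
"""
WEAK_CONF = """[sssd]
services = pam,nss
domains = <name>.home
[domain/<name>.home]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.<name>.home
ldap_tls_reqcert = allow
"""


def audit_sssd(text):
    """Return (section, finding) pairs for every LDAP-backed [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        dom = cp[section]
        if not section.startswith("domain/") or dom.get("id_provider") != "ldap":
            continue
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        # ldap:// is only acceptable when STARTTLS is forced for the id lookups
        start_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        for uri in uris:
            if not uri.startswith("ldaps://") and not start_tls:
                findings.append((section, "plaintext LDAP without TLS: " + uri))
        # sssd defaults to hard; anything else accepts an unverifiable server cert
        reqcert = dom.get("ldap_tls_reqcert", "hard").lower()
        if reqcert not in ("hard", "demand"):
            findings.append((section, "ldap_tls_reqcert = " + reqcert + " does not enforce certificate verification"))
        if not (dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append((section, "no CA pinned in sssd.conf; trust falls back to the system ldap.conf"))
    return findings
```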
participants (5)
- Carlos E. R.
- Carlos E.R.
- Darin Perusich
- Nicolas Kovacs
- otrebor@swissonline.ch