LDAP on FC3 - buggy or is it me?!
From: Mark (msalists_at_gmx.net)
Date: 06/30/05
- Previous message: Rahul Sundaram: "Re: FC4 good new tech, bad legacy support"
- Next in thread: Uno Engborg: "Re: LDAP on FC3 - buggy or is it me?!"
- Reply: Uno Engborg: "Re: LDAP on FC3 - buggy or is it me?!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: <fedora-list@redhat.com> Date: Thu, 30 Jun 2005 14:06:59 -0700
Hi everybody,
I have been fighting with FC3 for a while now, trying to get authentication to work via LDAP.
The configuration that worked under FC1 (using TLS) did not work under FC3, apparently because FC1 would do TLS without verifying
the server certificate, whereas FC3 had this security whole closed. So I got to a point where my certificates where fine and FC3
would do LDAP via TLS for everything (finger, getent, ldapsearch, etc), except for the logon password authentication.
Finally, I found the solution by accident, and it has to do with using the "host" vs "URI" directive:
The only way I can login to the system is with /etc/ldap.conf using "host":
base dc=mydomain,dc=com
host ldap1.hq.mydomain.com:636
pam_password md5
ssl yes
TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem
"ldapsearch -x", however, only works with the "URI" directive in /etc/openldap/ldap.conf:
base dc=mydomain,dc=com
URI ldaps://ldap1.hq.mydomain.com
pam_password md5
ssl yes
TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem
Does anybody know what is going on with this? Is this just a bug in openLDAP?
What is really the difference between these two ways?
I saw a post somewhere saying that the openLDAP version shipped with FC3 is rather buggy and unstable. Unfortunately, there is no
update available. I tried installing the FC4 openLDAP RPMs, but had too many problems with missing libcrypto and other libraries,
and I dont want to mess up the rest of the system by trying to patch in FC4 RPMs...
BTW, in case this gives any more clues: the only way I got phpLDAPAdmin (0.9.6c) to work is this:
$servers[$i]['name'] = 'ldap1.hq';
$servers[$i]['host'] = 'ldaps://ldap1.hq.mydomain.com';
$servers[$i]['base'] = 'dc=mydomain,dc=com';
$servers[$i]['port'] = 636;
$servers[$i]['auth_type'] = 'session';
$servers[$i]['login_dn'] = 'cn=Administrator,dc=mydomain,dc=com';
$servers[$i]['login_pass'] = 'secret';
$servers[$i]['tls'] = false;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'ssha';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_string'] = 'uid=<username>,ou=People,dc=example,dc=com';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['disable_anon_bind'] = false;
$servers[$i]['custom_pages_prefix'] = 'custom_';
$servers[$i]['unique_attrs_dn'] = '';
$servers[$i]['unique_attrs_dn_pass'] = '';
Thanks,
MARK
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
- Previous message: Rahul Sundaram: "Re: FC4 good new tech, bad legacy support"
- Next in thread: Uno Engborg: "Re: LDAP on FC3 - buggy or is it me?!"
- Reply: Uno Engborg: "Re: LDAP on FC3 - buggy or is it me?!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
