[Novalug] LDAP auth, RHEL/CentOS8

Dan Lavu dan@redhat.com
Mon Jun 29 18:05:32 EDT 2020


Out of the gate, there are a few things that are helpful.

   - Do not use SSL and StartTLS together; one or the other, they're both
   fine.
   - Certs have to be hashed in /etc/openldap/cacerts (openssl x509 -hash
   -in $file -noout, IIRC); it should automatically do this and symlink your
   cert to $hash_id.0
   - You don't need a bind user if you can anonymously browse your
   directory; test by doing a search (ldapsearch -x -h $ldapserver uid)
   - Users must have POSIX attributes for them to be able to log in (uid,
   gid, gecos, shell); some directories do not have these objectClasses
   enabled by default
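Two of the checks above (pick SSL or StartTLS, not both; confirm the user entries carry POSIX attributes) can be scripted before touching PAM. The block below is an added example, not code from the thread or from the SSSD project: it lints a constructed sssd.conf for the ldaps://-plus-StartTLS mix-up and for missing provider keys, and it parses the LDIF that `ldapsearch -x` prints to report which POSIX attributes each entry lacks. The option names `ldap_uri`, `ldap_id_use_start_tls`, `id_provider` and `auth_provider` are real SSSD options; the sample config, the sample LDIF and the hostnames in them are constructed.

```python
"""Offline sanity checks for an LDAP-only SSSD setup (constructed example).

1. lint_sssd_conf(): flag a domain that sets both ldaps:// and StartTLS,
   or that lacks id_provider/auth_provider.
2. posix_report(): parse ldapsearch LDIF and list the POSIX attributes
   each user entry is missing.
"""
import base64
import configparser

# Attributes an entry needs before nss/sssd can resolve it as a POSIX user.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed sssd.conf that contains the SSL + StartTLS mistake.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_search_base = dc=example,dc=test
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /etc/openldap/cacerts
"""

# Constructed ldapsearch output: one POSIX-enabled user, one plain inetOrgPerson.
SAMPLE_LDIF = """\
# extended LDIF
# base <dc=example,dc=test> with scope subtree
# filter: (objectClass=inetOrgPerson)

# nick, People, example.test
dn: uid=nick,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: nick
cn: Nick Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/nick
loginShell: /bin/bash

# alice, People, example.test
dn: uid=alice,ou=People,dc=example,dc=test
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.test

# search result
search: 2
result: 0 Success

# numEntries: 2
"""


def lint_sssd_conf(text):
    """Return a list of problems found in an sssd.conf text (empty = ok)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        problems.append("no [domain/...] section")
    for sect in domains:
        d = cp[sect]
        for key in ("id_provider", "auth_provider"):
            if key not in d:
                problems.append(f"{sect}: missing {key}")
        uri = d.get("ldap_uri", "").lower()
        start_tls = d.getboolean("ldap_id_use_start_tls", fallback=False)
        if uri.startswith("ldaps://") and start_tls:
            problems.append(f"{sect}: ldaps:// and ldap_id_use_start_tls are both set; pick one")
        elif not uri.startswith("ldaps://") and not start_tls:
            problems.append(f"{sect}: no TLS configured (neither ldaps:// nor ldap_id_use_start_tls)")
    return problems


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts.

    Handles comments, folded continuation lines and base64 ('::') values;
    blocks without a dn (the trailing 'search:/result:' block) are dropped.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current is not None and "dn" in current:
                entries.append(current)
            current, last_attr = None, None
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current is not None and "dn" in current:
        entries.append(current)
    return entries


def missing_posix_attrs(entry):
    """List what an entry lacks to be a usable POSIX account."""
    missing = [a for a in POSIX_REQUIRED if a not in entry]
    if "posixAccount" not in entry.get("objectClass", []):
        missing.append("objectClass=posixAccount")
    return missing


def posix_report(ldif_text):
    """Map each dn in the LDIF to its list of missing POSIX attributes."""
    return {e["dn"][0]: missing_posix_attrs(e) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for p in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print("sssd.conf:", p)
    for dn, missing in posix_report(SAMPLE_LDIF).items():
        print(dn, "->", "ok" if not missing else "missing " + ", ".join(missing))
```

For a real host, feed `posix_report()` the output of `ldapsearch -x -h $ldapserver -b $base '(uid=*)'`; an entry that shows up in the "missing" list will not be able to log in no matter how PAM is wired. SSSD's own validator, `sssctl config-check`, is the authoritative check for option names it does not accept (the "not allowed in section" class of error).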



On Mon, Jun 29, 2020 at 5:23 PM Nick Danger <nick@hackermonkey.com> wrote:

> Thanks! It's still not working but I gave up early last week to work on a
> few other projects. Going to pick it up again tomorrow. I have a feeling
> it's an easy config I am mistaking (besides the spelling mistake, that I
> already fixed), but sometimes the errors are less than direct in "it's
> broken right here dummy!". Once I can formulate a good question and have my
> facts in line I will reach out. Really appreciate any advice.
>
> -Nick
> On 6/29/20 1:18 AM, Dan Lavu wrote:
>
> Are you still having issues with this? Is "Attribute
> 'ldap_default_authok'" verbatim? Because that syntax is invalid.
>
> Feel free to ping me with any LDAP issues, I work on the SSSD QE team and
> have tons of sample config files and I'm familiar with 389/ipa/AD.
>
>
>
> On Mon, Jun 8, 2020 at 5:59 PM Nick Danger via Novalug <
> novalug@firemountain.net> wrote:
>
>>
>> Odd question but is anyone doing LDAP authentication with CentOS or RHEL
>> 8 and authselect? Been trying to figure out sssd and running into some
>> troubles. Most of the documentation I find online is on how to do
>> authorization and authentication using AD (close) but I just want the
>> authentication piece. The account exists, I want people to use the same
>> password they do with AD so I am hitting an LDAP instance of AADDS on
>> Office365.
>>
>> sssd.conf is giving me errors, and I think that's where I am stuck even
>> before PAM gets involved. (Or should I say, PAM calls sssd and dies, so
>> PAM hasn't really done much yet.)
>>
>> There are tons of internet sites/posts that all do the same thing
>> (authentication AND authorization) and oddly all say put the same line
>> in sssd.conf, which is the one my sssd is dumping with the error
>> "Attribute 'ldap_default_authok' is not allowed in section". So finding
>> more people saying I should do it the way that isn't working is not so
>> helpful!
>>
>>
>> Thanks,
>>
>> Nick
>>
>>
>>
>>
>> **********************************************************************
>> The Novalug mailing list is hosted by firemountain.net.
>>
>> To unsubscribe or change delivery options:
>> http://www.firemountain.net/mailman/listinfo/novalug
>>
>
