
Re: OpenLDAP client configuration with CentOS 5.3



So there it is,

Import your server's certificate into your client. Check out some nice tutorials you can find on the net, like this useful blog:

http://networknerd.wordpress.com/2008/10/26/configuring-openldap-for-client-certificate-authentication/

KR

2010/3/1 Cool The Breezer <techcool.kumar@yahoo.com>
I got the error

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Cool The Breezer <techcool.kumar@yahoo.com>; Echedey Lorenzo <echedey@gmail.com>
Cc: Jonathan Clarke <jonathan@phillipoux.net>; "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Mon, March 1, 2010 3:35:14 PM

Subject: RE: OpenLDAP client configuration with CentOS 5.3

change ldap:// to ldaps:// in your command.


From: Cool The Breezer [mailto:techcool.kumar@yahoo.com]
Sent: Monday, March 01, 2010 6:02 PM
To: Xu, Qiang (FXSGSC); Echedey Lorenzo
Cc: Jonathan Clarke; openldap-technical@openldap.org
Subject: Re: OpenLDAP client configuration with CentOS 5.3

I think it does. We use the same for Windows login.


From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Cool The Breezer <techcool.kumar@yahoo.com>; Echedey Lorenzo <echedey@gmail.com>
Cc: Jonathan Clarke <jonathan@phillipoux.net>; "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Mon, March 1, 2010 3:16:28 PM
Subject: RE: OpenLDAP client configuration with CentOS 5.3

Is the server using SSL/TLS connection?


From: openldap-technical-bounces+qiang.xu=fujixerox.com@OpenLDAP.org [mailto:openldap-technical-bounces+qiang.xu=fujixerox.com@OpenLDAP.org] On Behalf Of Cool The Breezer
Sent: Monday, March 01, 2010 4:56 PM
To: Echedey Lorenzo
Cc: Jonathan Clarke; openldap-technical@openldap.org
Subject: Re: OpenLDAP client configuration with CentOS 5.3

Still no luck. It gave the following errors:

ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

All credentials were used correctly.
regards,
RB


From: Echedey Lorenzo <echedey@gmail.com>
To: Cool The Breezer <techcool.kumar@yahoo.com>
Cc: Jonathan Clarke <jonathan@phillipoux.net>; openldap-technical@openldap.org
Sent: Mon, March 1, 2010 2:14:36 PM
Subject: Re: OpenLDAP client configuration with CentOS 5.3

Try:

ldapsearch -x -H ldap://xxx.yyy.com -D "cn=Directory Manager" "(objectclass=*)" -W _e3user

KR

2010/3/1 Cool The Breezer <techcool.kumar@yahoo.com>
I tried as per the suggestions, using the man page, but I am still getting the error:

ldapsearch -H ldap://xxx.yyy.com -D "cn=Directory Manager" "(objectclass=*)" -W -X _e3user
Enter LDAP Password:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
       additional info: SASL(-4): no mechanism available:


It now generates a new error. I tried using authconfig with --enableldap, --enablewinbind and --disableldaptls.
Still, users are not able to log in to the Linux box using LDAP credentials.



----- Original Message ----
From: Jonathan Clarke <jonathan@phillipoux.net>
To: Cool The Breezer <techcool.kumar@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Mon, March 1, 2010 1:16:32 PM
Subject: Re: OpenLDAP client configuration with CentOS 5.3

On 01/03/2010 06:53, Cool The Breezer wrote:
> Thanks for your suggestion. But still there is some problem.
> ldapsearch -H ldap://ldap-sunnyvale.juniper.net -x -LL
> ou=people,dc=jnpr,dc=net "{mail=*norton*}" sn cn mail
>
> Output: version: 1
>
> Operations error (1)
> Additional information: 00000000: LdapErr: DSID-0C090627, comment: In
> order to perform this operation a successful bind must be completed on
> the connection., data 0, vece
>
> Not sure of the reason behind such errors. I think there is something
> wrong, because when I am trying to log in to the linux box using ldap
> credentials, it simply closes the connection.

As it says in this error message: "a successful bind must be completed on the connection". This means you must authenticate to the LDAP server in order to search in it.

Check the -D and -w/-W options in the ldapsearch(1) man page. You'll need a valid account in your LDAP server and its password.

Jonathan
-- --------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------

--
--------------------------------------------
| Echedey Lorenzo Arencibia  |
--------------------------------------------
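Editorial note, added after the thread and not part of any message in it: the four diagnostics quoted above (Operations error (1), Unknown authentication method (-6), Invalid credentials (49) with an AD "data 525" sub-code, and Can't contact LDAP server (-1) with "certificate verify failed") each point at a different client-side mistake, and it is easy to chase the wrong one. The script below is an added Python example that classifies such ldapsearch/ldap_bind stderr text and states the fix. The AD "data" sub-codes are the documented values Microsoft returns in the AcceptSecurityContext diagnostic; the four sample inputs are copied from the thread; the rule labels, the fix wording and the helper names (triage, triage_all, RULES) are this example's own.

```python
"""Triage helper for the OpenLDAP client failures seen in this thread.

Give it the stderr of ldapsearch/ldapwhoami and it classifies the failure
and states the client-side fix.  Added example, not code from the thread.
"""
import re

# Active Directory "data NNN" sub-codes from the AcceptSecurityContext
# diagnostic (hex, exactly as AD prints them).  Documented Microsoft values.
AD_DATA_CODES = {
    "525": "user not found: the -D bind DN/UPN does not resolve to an account",
    "52e": "invalid credentials: the account exists but the password is wrong",
    "530": "account not permitted to log on at this time",
    "531": "account not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# Result line as the OpenLDAP tools print it, e.g. "ldap_bind: Invalid
# credentials (49)"; the "ldap_<call>: " prefix is optional because mail
# clients sometimes strip it when quoting.
RESULT_RE = re.compile(r"^(?:ldap_\w+: )?(?P<msg>[^\n(]+?) \((?P<code>-?\d+)\)\s*$", re.M)
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# (pattern over the diagnostic text, label, client-side fix); first hit wins.
# Labels and fix wording are this example's own.
RULES = [
    (re.compile(r"certificate verify failed"), "tls-verify-failed",
     "The client does not trust the CA that issued the server certificate. "
     "Set TLS_CACERT in /etc/openldap/ldap.conf to that CA's PEM file and keep "
     "TLS_REQCERT demand; 'never' or 'allow' would silently skip verification."),
    (re.compile(r"successful bind must be completed"), "anonymous-search-refused",
     "The server rejects anonymous searches: bind first with -D <dn-or-upn> -W."),
    (re.compile(r"no mechanism available|Unknown authentication method"),
     "sasl-no-mechanism",
     "Without -x ldapsearch tries a SASL bind and this client has no usable "
     "mechanism. Use -x for a simple bind, and only over ldaps:// or with -ZZ "
     "so the password is not sent in clear."),
    (AD_DATA_RE, "ad-bind-rejected", None),  # fix text comes from AD_DATA_CODES
]


def triage(stderr_text):
    """Classify one failure; returns result code, label and a fix string."""
    m = RESULT_RE.search(stderr_text)
    report = {
        "result_code": int(m.group("code")) if m else None,
        "result_text": m.group("msg") if m else None,
        "label": "unclassified",
        "fix": "No known pattern matched; read the 'additional info' line.",
    }
    for pattern, label, fix in RULES:
        hit = pattern.search(stderr_text)
        if not hit:
            continue
        report["label"] = label
        if fix is None:  # the AD sub-code rule: look the hex value up
            sub = hit.group(1).lower()
            report["ad_data"] = sub
            report["fix"] = "AD data %s: %s." % (
                sub, AD_DATA_CODES.get(sub, "sub-code not in the known list"))
        else:
            report["fix"] = fix
        break
    return report


# The four diagnostics quoted in the thread, embedded here as sample input.
SAMPLES = {
    "ad_bind": "ldap_bind: Invalid credentials (49)\n"
               "\tadditional info: 80090308: LdapErr: DSID-0C090334, comment: "
               "AcceptSecurityContext error, data 525, vece\n",
    "tls": "ldap_bind: Can't contact LDAP server (-1)\n"
           "\tadditional info: error:14090086:SSL routines:"
           "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed\n",
    "sasl": "SASL/EXTERNAL authentication started\n"
            "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)\n"
            "\tadditional info: SASL(-4): no mechanism available:\n",
    "anon": "Operations error (1)\n"
            "Additional information: 00000000: LdapErr: DSID-0C090627, comment: "
            "In order to perform this operation a successful bind must be "
            "completed on the connection., data 0, vece\n",
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its label, for a quick overview."""
    return {name: triage(text)["label"] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = triage(text)
        print("%-8s rc=%-4s %-25s %s" % (name, r["result_code"], r["label"], r["fix"]))
```

Two caveats when acting on the output. First, on CentOS 5 the OpenLDAP command-line tools read /etc/openldap/ldap.conf (TLS_CACERT, TLS_REQCERT), while nss_ldap/pam_ldap, which authconfig configures, read /etc/ldap.conf (tls_cacertfile, tls_checkpeer); a CA file added for ldapsearch does not fix console logins until the second file points at it too. Second, the right response to "certificate verify failed" is to install the issuing CA, not TLS_REQCERT never: with verification off, simple binds over ldaps:// hand the password to whoever answers on port 636.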