https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html
LDAP configuration guide for CentOS 6.10
Does anyone have a guide on how to configure LDAP?
There is quite a bit on the internet about this, but it is mostly incomplete; I have been sitting in front of this task for quite a while.
Thanks
Mike
Printed on: April 19, 2024 at 17:04 o'clock
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1457943
A little more detail on what exactly you want to achieve would certainly be helpful.
Regards
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1457957
You simply don't say where you're stuck, what errors there are, ... Well, from that I'd guess you're missing a "yum install" with the right packages...
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1457988
https://www.linux-magazin.de/ausgaben/2001/05/straffe-verwaltung/
https://dokuwiki.nausch.org/doku.php/centos:open_ldap_server
https://www.riecken.de/2016/01/openldap-ab-2-4-installieren-und-einricht ...
and so on, and so on.
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1457982
I have already tried a number of things.
Now for the installation.
Server side
yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
service slapd start
chkconfig slapd on
ran slappasswd
cat chdomain.ldif
# monitor database: readable only by local root (via ldapi) and the directory manager
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=test,dc=local" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=local

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=test,dc=local

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

# passwords: manager writes, users change their own, anonymous may only bind with them
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=test,dc=local" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=test,dc=local" write by * read

ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
cat basedomain.ldif
dn: dc=test,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: Test local
dc: Test

dn: cn=root,dc=test,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=test,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=local
objectClass: organizationalUnit
ou: Group

ldapadd -x -D cn=root,dc=test,dc=local -W -f basedomain.ldif
Created a new user:
slappasswd
cat ldapuser.ldif
dn: uid=cent,ou=People,dc=test,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: mike
sn: Linux
userPassword: {SSHA}xxxxxxxxxxxxxxxxx
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/mike

dn: cn=mike,ou=Group,dc=test,dc=local
objectClass: posixGroup
cn: Mike
gidNumber: 1000
memberUid: mike
Done on the server / client side
yum -y install openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=laptop.test.local --ldapbasedn="dc=test,dc=local" --enablemkhomedir --update
Logged root out and tried to log in as mike.
In the secure log I see:
laptop pam: gdm-password: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mike
Jun 15 00:27:14 laptop pam: gdm-password: pam_sss(gdm-password:auth): received for user mike: 6 (Permission denied)
laptop pam: gdm-password: pam_unix(gdm-password:session): session opened for user root by (uid=0)
cat ldap.conf
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/certs
URI ldap://laptop.test.local/
BASE dc=test,dc=local
cat sssd.conf
[domain/default]
debug_level = 10
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=test,dc=local
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://laptop.test.local/
ldap_tls_cacertdir = /etc/openldap/certs
ldap_id_use_start_tls = True
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
ldapsearch -x -d 1 -ZZ
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP laptop.test.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.20.30:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
Nothing was changed in /etc/nsswitch.conf
cat /etc/pam_ldap.conf
base dc=test,dc=local
ssl start_tls
uri ldap://laptop.test.local/
tls_cacertdir /etc/openldap/certs
pam_password md5
tls_reqcert allow
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458018
Honestly - before you write the next post, sit down for a moment and think: YOU have a problem, you want people here to sit down and spend their time solving YOUR problem for free... Don't you think that YOU should then at least provide as much information as possible?!?
Alternatively: call a system house near you and have them come over. THERE you can of course say "I don't care why it doesn't work - just fix it" and they will gladly take a look at it for you in exchange for a few coins. THERE you don't need to provide anything either - it just gets more expensive, but fine...
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458030
I had posted the error message
laptop pam: gdm-password: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mike
Jun 15 00:27:14 laptop pam: gdm-password: pam_sss(gdm-password:auth): received for user mike: 6 (Permission denied)
laptop pam: gdm-password: pam_unix(gdm-password:session): session opened for user root by (uid=0)
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458033
> Created a new user:
> dn: uid=cent,ou=People,dc=test,dc=local
What is the name of the user you are creating here? Mike? Or perhaps "cent" after all?
> dn: cn=mike,ou=Group,dc=test,dc=local
Is that a user? Hardly.
> objectClass: posixGroup
> cn: Mike
> gidNumber: 1000
> memberUid: mike
Does the UID "Mike" exist?
> Jun 15 00:27:14 laptop pam: gdm-password: pam_sss(gdm-password:auth): received for user mike: 6 (Permission denied)
That can't work, because Mike doesn't exist.
hth
Erik
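The mismatch Erik points out can be caught before ldapadd runs. As an added example (not from the thread), the script below lints an LDIF for exactly that: OpenLDAP refuses an entry whose RDN attribute and value are not also present as an attribute of the entry (a naming violation), and the posted ldapuser.ldif names the entry uid=cent while the entry carries no uid line at all; basedomain.ldif likewise names cn=root but carries cn: Manager. The sample LDIF inside the script is a constructed copy of those entries. The linter handles single-valued RDNs and plain "attr: value" lines only; "::" base64 values and folded continuation lines are ignored.

```sh
#!/bin/sh
# Added example, not from the thread: check that every entry in an LDIF carries
# its own RDN attribute/value (what slapd enforces as a naming violation).
# Only "changetype: add" entries (or entries without a changetype) are checked;
# cn=config modify entries such as "olcDatabase={2}bdb,cn=config" are skipped.

# lint_ldif_naming FILE -- prints one line per bad entry, exit status 1 if any
lint_ldif_naming() {
  awk '
    function flush(   rdn, kv) {
      if (dn != "" && (ct == "" || ct == "add")) {
        rdn = dn; sub(/,.*/, "", rdn)                 # first RDN, e.g. uid=cent
        split(rdn, kv, "=")                           # kv[1]=attr, kv[2]=value
        if (!((tolower(kv[1]) SUBSEP tolower(kv[2])) in seen)) {
          printf "%s: RDN attribute %s=%s not present in entry\n", dn, kv[1], kv[2]
          bad++
        }
      }
      dn = ""; ct = ""; split("", seen)               # reset for the next entry
    }
    /^[ \t]*$/           { flush(); next }            # blank line ends an entry
    /^#/                 { next }
    /^dn:[ \t]*/         { dn = $0; sub(/^dn:[ \t]*/, "", dn); next }
    /^changetype:[ \t]*/ { ct = tolower($0); sub(/^changetype:[ \t]*/, "", ct); next }
    /^[A-Za-z][A-Za-z0-9-]*:[^:]/ {                   # "attr: value" (not "attr:: b64")
      name = $0; sub(/:.*/, "", name)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      seen[tolower(name) SUBSEP tolower(val)] = 1     # LDAP matching is case-insensitive
    }
    END { flush(); exit (bad > 0) }
  ' "$1"
}

# thread_ldif -- constructed copy of the entries as posted in the thread
thread_ldif() {
  cat <<'EOF'
dn: cn=root,dc=test,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: uid=cent,ou=People,dc=test,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: mike
sn: Linux
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/mike

dn: cn=mike,ou=Group,dc=test,dc=local
objectClass: posixGroup
cn: Mike
gidNumber: 1000
memberUid: mike
EOF
}

# fixed_ldif -- the same entries with the RDN values present (cn: root, uid: mike)
fixed_ldif() {
  thread_ldif | awk '
    /^cn: Manager$/  { print "cn: root"; next }
    /^dn: uid=cent,/ { sub(/uid=cent/, "uid=mike"); print; print "uid: mike"; next }
    { print }'
}

# check_thread_ldif / check_fixed_ldif -- run the linter on each sample
check_thread_ldif() {
  f=$(mktemp); thread_ldif > "$f"; lint_ldif_naming "$f"; rc=$?; rm -f "$f"; return $rc
}
check_fixed_ldif() {
  f=$(mktemp); fixed_ldif > "$f"; lint_ldif_naming "$f"; rc=$?; rm -f "$f"; return $rc
}
```

Run it as `sh lint.sh` after appending `lint_ldif_naming ldapuser.ldif`; the posted entries produce two complaints (cn=root with cn: Manager, uid=cent with no uid), while the group entry passes because cn=mike and cn: Mike match case-insensitively, which is also why ldapsearch later shows the group with both spellings.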
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458091
the user mike exists.
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP laptop.test.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1bea2e0 msgid 1
wait4msg ld 0x1bea2e0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid 1 all 1
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1bea2e0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1bea2e0 0 new referrals
read1msg: mark request completed, ld 0x1bea2e0 msgid 1
request done: ld 0x1bea2e0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: certificate [E=email@addresse.com,CN=laptop,OU=Test,O=Default Company Ltd,L=Neu-Ulm,ST=BAVARIA,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: E=email@adresse.com,CN=laptop,OU=Test,O=Default Company Ltd,L=Neu-Ulm,ST=BAVARIA,C=DE, issuer: E=email@addresse.com,CN=laptop,OU=Test,O=Default Company Ltd,L=Neu-Ulm,ST=BAVARIA,C=DE, cipher: ChaCha20-Poly1305, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x1bea2e0 msgid 2
wait4msg ld 0x1bea2e0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid 2 all 1
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1bea2e0 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1bea2e0 0 new referrals
read1msg: mark request completed, ld 0x1bea2e0 msgid 2
request done: ld 0x1bea2e0 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 55 bytes to sd 3
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 104 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# test.local
dn: dc=test,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: dcObject
objectClass: organization
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
o: Test local
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
dc: Test
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 120 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# root, test.local
dn: cn=root,dc=test,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: organizationalRole
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: root
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
description: Directory Manager
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 88 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# People, test.local
dn: ou=People,dc=test,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: organizationalUnit
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ou: People
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 86 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# Group, test.local
dn: ou=Group,dc=test,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: organizationalUnit
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ou: Group
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 251 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# mike, People, test.local
dn: uid=mike,ou=People,dc=test,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: Mike
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
sn: Linux
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
loginShell: /bin/bash
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uidNumber: 1000
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
gidNumber: 1000
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
homeDirectory: /home/mike
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uid: mike
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 134 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
# mike, Group, test.local
dn: cn=mike,ou=Group,dc=test,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: posixGroup
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: Mike
cn: mike
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
gidNumber: 1000
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
memberUid: mike
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1bea2e0 msgid -1
wait4msg ld 0x1bea2e0 msgid -1 (infinite timeout)
wait4msg continue ld 0x1bea2e0 msgid -1 all 0
** ld 0x1bea2e0 Connections:
* host: laptop.test.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 15 14:56:04 2020
** ld 0x1bea2e0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1bea2e0 request count 1 (abandoned 0)
** ld 0x1bea2e0 Response Queue:
Empty
ld 0x1bea2e0 response count 0
ldap_chkResponseList ld 0x1bea2e0 msgid -1 all 0
ldap_chkResponseList returns ld 0x1bea2e0 NULL
ldap_int_select
read1msg: ld 0x1bea2e0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1bea2e0 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1bea2e0 0 new referrals
read1msg: mark request completed, ld 0x1bea2e0 msgid 3
request done: ld 0x1bea2e0 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
# search result
search: 3
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success
ldap_msgfree
# numResponses: 7
# numEntries: 6
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
This seems to me to be the error.
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: certificate [E=email@addresse.com,CN=laptop,OU=Test,O=Default Company Ltd,L=Neu-Ulm,ST=BAVARIA,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: E=email@adresse.com,CN=laptop,OU=Test,O=Default Company Ltd,L=Neu-Ulm,ST=BAVARIA,C=DE, issuer: E=email@addresse.com,CN=laptop,OU=Test,O=Default Company Ltd,L=Neu-Ulm,ST=BAVARIA,C=DE, cipher: ChaCha20-Poly1305, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
When creating the certificate I followed this guide.
https://www.server-world.info/en/note?os=CentOS_6&p=ssl
However, I did not specify the FQDN, only the hostname.
Error message in /var/log/messages
14:53:52 laptop sssd[be[default]]: Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458101
ldapsearch -x -LLL -b dc=test,dc=local
dn: dc=test,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test local
dc: Test

dn: cn=root,dc=test,dc=local
objectClass: organizationalRole
cn: root
description: Directory Manager

dn: ou=People,dc=test,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=local
objectClass: organizationalUnit
ou: Group

dn: uid=mike,ou=People,dc=test,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Mike
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/mike
uid: mike

dn: cn=mike,ou=Group,dc=test,dc=local
objectClass: posixGroup
cn: Mike
gidNumber: 1000
memberUid: mike
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458241
But you did not create him with the LDIF posted above, since in that LDIF the UID is "cent" and not "Mike". Whatever.
> https://www.server-world.info/en/note?os=CentOS_6&p=ssl
> However, I did not specify the FQDN, only the hostname.
Then I would do that properly first. Then distribute the CA's root certificate and it should work.
hth
Erik
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458346
Thanks for your reply. I have now generated the certificate again, as follows
cd /etc/pki/tls/certs
make server.key
openssl rsa -in server.key -out server.key
-- typed in the passphrase --
make server.csr
-- Filled in the information accordingly, with FQDN "laptop.test.local"
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
chmod 400 server.*
cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
chown ldap. /etc/openldap/certs/server.key /etc/openldap/certs/server.crt /etc/openldap/certs/ca-bundle.crt
cat mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
-- Response from the system -- The first time there was no message of this form here
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCACertificateFile: no equality matching rule
vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes <--- changed to yes
service slapd restart
echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
echo "tls_reqcert allow" >> /etc/nslcd.conf
echo "tls_reqcert allow" >> /etc/pam_ldap.conf
authconfig --enableldaptls --update
root <-- logged out
mike <-- login fails
Message from the system --> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
The situation is the same. What is the deal with the CA certificate? Can you point me to a different approach?
Regards Mike
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458358
Well, that is the certificate for the certificate. A certificate that is presented is checked against the root certificate of the issuing authority (CA, Certificate Authority). Only then is it really valid. If the root certificate is missing, the presented certificate cannot be validated. The error message you posted indicates that there is a problem with exactly that.
https://de.wikipedia.org/wiki/Public-Key-Infrastruktur
hth
Erik
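Erik's point in working form, as an added example that is not from the thread: a private CA issues the slapd certificate for the FQDN, the CA certificate (not the system ca-bundle.crt, which never contained a locally self-signed certificate) is the file that gets copied to every client, and the client can then verify instead of being told to ignore errors. That last part is the security-relevant one: TLS_REQCERT allow in ldap.conf and tls_reqcert allow in nslcd.conf/pam_ldap.conf make the client accept any certificate, so whoever answers on port 389 gets the user's password. It is also why ldapsearch carries on after the -8172 error while sssd, whose ldap_tls_reqcert defaults to hard, aborts with "Could not start TLS encryption". Assumed names: "Test Local Root CA", ext.cnf, ca.key/ca.crt, server.key/server.crt; laptop.test.local is the server FQDN from the thread. The script needs an OpenSSL with -verify_hostname, so run it on a current machine and copy the three files to the CentOS 6 box.

```sh
#!/bin/sh
# Added example, not from the thread: issue the slapd certificate from a private
# CA so that clients can validate it, instead of self-signing it with -signkey.
# Assumed names: "Test Local Root CA", ext.cnf, ca.key/ca.crt, server.key/server.crt.
# laptop.test.local is the server FQDN from the thread.

# write_ext_cnf DIR FQDN -- extension profiles for the CA and the server certificate
write_ext_cnf() {
  cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue_ldap_cert DIR FQDN -- writes ca.key/ca.crt and server.key/server.crt into DIR
issue_ldap_cert() {
  dir=$1; fqdn=$2
  write_ext_cnf "$dir" "$fqdn"
  # 1. the private CA; ca.crt is the "root certificate" every client must get a copy of
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Test Local Root CA" \
    -config "$dir/ext.cnf" -extensions v3_ca -days 3650 -out "$dir/ca.crt"
  # 2. server key and CSR; the subject is the FQDN, not the bare hostname
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$fqdn" \
    -config "$dir/ext.cnf" -out "$dir/server.csr"
  # 3. the CA signs the CSR and adds the SAN, which is what clients match the name against
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_ldap_cert DIR FQDN -- what a client with TLS_REQCERT demand does: chain + name
verify_ldap_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# selfsigned_is_rejected DIR -- repeat the thread's self-signed step; a client that
# trusts only ca.crt must refuse it (the "issuer ... not trusted" case from the logs)
selfsigned_is_rejected() {
  openssl req -new -x509 -key "$1/server.key" -subj "/CN=laptop" \
    -config "$1/ext.cnf" -days 3650 -out "$1/selfsigned.crt"
  if openssl verify -CAfile "$1/ca.crt" "$1/selfsigned.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# tls_ldif DIR -- cn=config change for slapd; "replace:" on all three attributes,
# because olcTLSCACertificateFile has no equality matching rule and "add:" fails on it
tls_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $1/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $1/server.key
EOF
}

# stand-alone run: "sh thisfile run" -> ./ldap-pki/* and the LDIF to feed to ldapmodify
if [ "${1:-}" = "run" ]; then
  mkdir -p ldap-pki && issue_ldap_cert ldap-pki laptop.test.local
  verify_ldap_cert ldap-pki laptop.test.local && echo "server.crt verifies against ca.crt" >&2
  tls_ldif /etc/openldap/certs
fi
```

On the server, copy ca.crt, server.crt and server.key to /etc/openldap/certs, chown them to ldap, and load the LDIF with `ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif` (the "no equality matching rule" error in the post comes from using add: on olcTLSCACertificateFile; replace: works whether or not the attribute is already set). On each client, copy only ca.crt and replace the "allow" lines with verification: in /etc/openldap/ldap.conf `TLS_CACERT /etc/openldap/certs/ca.crt` and `TLS_REQCERT demand`, in /etc/sssd/sssd.conf `ldap_tls_cacert = /etc/openldap/certs/ca.crt` and `ldap_tls_reqcert = demand`, and in /etc/nslcd.conf `tls_cacertfile /etc/openldap/certs/ca.crt` with `tls_reqcert demand`. A client configured with a bare hostname, as in the first attempt, fails the name check in exactly the way `verify_ldap_cert DIR laptop` does.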
https://administrator.de/forum/anleitung-zu-ldap-konfiguration-fuer-centos-6-10-579380.html#comment-1458362
Is something wrong with my approach? Am I missing a certificate?
Regards
Mike