topic Re: LDAP Single sign on server RH 4 update 2 or 3 in Operating System - Linux

LDAP Single sign on server RH 4 update 2 or 3

Steven E. Protter — Tue, 21 Mar 2006 07:15:29 GMT

Following guides like this:
http://www.faqs.org/docs/Linux-HOWTO/LDAP-Implementation-HOWTO.html

I get errors like this.

ldapsearch
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database

The daemon is running fine.

I would like to create a single sign on server to serve three or four other Linux servers. It would be nice to be able to sign on Windows users as well to share the enormous amount of storage I have in the Linux cluster.

I think LDAP is the ticket. I've installed all the open LDAP software but can't get past the error.

Questions:
1) Has anybody done this, if so, which doc did you use?
2) Has anybody encountered the error above and if so, defeated the error above?
3) Do I need a directory server like Netscape's LDAP product?
4) Does by any chance RH 4 update 3 solve this issue?
4) Do I need to to a more complete domain controller style setup including Samba integration.

My goal for the Linux cluster is for one machine to the the LDAP master and handle authentication. If the LDAP master is down, I want one other machine to be a slave that will handle authentication.

SEP

Re: LDAP Single sign on server RH 4 update 2 or 3

Ivan Ferreira — Tue, 21 Mar 2006 08:09:51 GMT

I implemented LDAP but there is no one document that describes the full procedure, documentation is dispersed and outdated. You must use several documents and create one that matchs your needs. Instead of using openldap, you can use Red Hat / Fedora Directory server, installation and configuration is easy. Directory server can be multi-master, or you can configure it as master/slave for fault tolerance.

Single sing-on for windows can be achieved if you create a SAMBA+LDAP domain controller.

To test and openldap server I use:

ldapsearch -x -H ldaps://dns.name.on.certificate 'dc=data,dc=net,dc=py' \
-D 'cn=root,dc=domain,dc=com' '(objectclass=*)'

Specify the username that you want to use for the connection.

Re: LDAP Single sign on server RH 4 update 2 or 3

Steven E. Protter — Tue, 21 Mar 2006 08:46:54 GMT

Red Hat/Fedora open directory server?

What's that? Where do I get it?

If you provide me your doc, I'll 10 point your prior post and the post that includes the doc.

Bribery is a wonderful thing.

SEP

Re: LDAP Single sign on server RH 4 update 2 or 3

Ivan Ferreira — Tue, 21 Mar 2006 08:59:26 GMT

The web site is:

http://directory.fedora.redhat.com/wiki/Main_Page

For documentation, use http://www.redhat.com/docs/manuals/dir-server/

Re: LDAP Single sign on server RH 4 update 2 or 3

Steven E. Protter — Tue, 21 Mar 2006 09:24:07 GMT

Not totally resolved.

I don't understand why I need a directory server, but I guess I do.

SEP

Re: LDAP Single sign on server RH 4 update 2 or 3

Ivan Ferreira — Tue, 21 Mar 2006 09:31:05 GMT

A directory server is just an LDAP server, in this case, the red hat/fedora directory servers are ldap server, but with a GUI for administration. This is a replacement for openldap. You will do with the directory server the same things that you would do with openldap, store user accounts, machine accounts for samba, etc.

Re: LDAP Single sign on server RH 4 update 2 or 3

Stuart Browne — Tue, 21 Mar 2006 17:35:05 GMT

You don't *need* Open Directory Server, but it makes life a hell-of-alot easier (and as Ivan said, it has multi-master, which OpenLDAP does NOT).

Re: LDAP Single sign on server RH 4 update 2 or 3

Steven E. Protter — Tue, 21 Mar 2006 22:45:49 GMT

My extensive research seems to show to openldap as are many other features are broken in redhat's openldap implementation.

Guess I will have to try the installation.

I don't hate gui's but wonder why I have to use them so often.

SEP

Re: LDAP Single sign on server RH 4 update 2 or 3

Steven E. Protter — Mon, 03 Apr 2006 12:51:56 GMT

Shalom all,

More questions:
What have you worked with the Fedora DS that says it works with RH ES 4 or the RedHat product they want money for?

How hard is the integration with sendmail work?

Hard or easy?

SEP

Re: LDAP Single sign on server RH 4 update 2 or 3

Steven E. Protter — Mon, 03 Apr 2006 12:52:21 GMT

Re: LDAP Single sign on server RH 4 update 2 or 3

Ivan Ferreira — Mon, 03 Apr 2006 13:42:08 GMT

Your first question I didn't understand.

Sendmail integration is not hard, just ensure that sendmail has been compiled with ldap support (sendmail -d 0.1 -v) search for LDAPMAP in compiled with, it should be and use FEATURE(ldap_routing). But this is only needed if you will have multiple servers and you want to use a single repository for map configuration.

If this is not the case, then you don't have to worry about, because sendmail doesn't handle the actual delivery into the mailbox part.

That's left to the MDA (procmail or whatever). You won't have to tell
the MDA to do LDAP lookups either, nss_ldap makes LDAP accounts available to low-level system functions the same way that the other nss modules.

And thanks for the bunnies!