
LDAP Single sign on server RH 4 update 2 or 3

 
SOLVED
Go to solution
Steven E. Protter
Exalted Contributor

Following guides like this:
http://www.faqs.org/docs/Linux-HOWTO/LDAP-Implementation-HOWTO.html

I get errors like this.

ldapsearch
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database

The daemon is running fine.

I would like to create a single sign on server to serve three or four other Linux servers. It would be nice to be able to sign on Windows users as well to share the enormous amount of storage I have in the Linux cluster.

I think LDAP is the ticket. I've installed all the open LDAP software but can't get past the error.

Questions:
1) Has anybody done this, if so, which doc did you use?
2) Has anybody encountered the error above and if so, defeated the error above?
3) Do I need a directory server like Netscape's LDAP product?
4) Does by any chance RH 4 update 3 solve this issue?
5) Do I need to do a more complete domain controller style setup including Samba integration?

My goal for the Linux cluster is for one machine to be the LDAP master and handle authentication. If the LDAP master is down, I want one other machine to be a slave that will handle authentication.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor
Solution

Re: LDAP Single sign on server RH 4 update 2 or 3

I implemented LDAP but there is no one document that describes the full procedure; documentation is dispersed and outdated. You must use several documents and create one that matches your needs. Instead of using openldap, you can use Red Hat / Fedora Directory Server; installation and configuration are easy. Directory Server can be multi-master, or you can configure it as master/slave for fault tolerance.

Single sign-on for Windows can be achieved if you create a SAMBA+LDAP domain controller.

To test an openldap server I use:

ldapsearch -x -H ldaps://dns.name.on.certificate -b 'dc=data,dc=net,dc=py' \
-D 'cn=root,dc=domain,dc=com' -W '(objectclass=*)'

Specify the username that you want to use for the connection.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Steven E. Protter
Exalted Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

Red Hat/Fedora open directory server?

What's that? Where do I get it?

If you provide me your doc, I'll 10 point your prior post and the post that includes the doc.

Bribery is a wonderful thing.

SEP
Ivan Ferreira
Honored Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

The web site is:

http://directory.fedora.redhat.com/wiki/Main_Page

For documentation, use http://www.redhat.com/docs/manuals/dir-server/
Steven E. Protter
Exalted Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

Not totally resolved.

I don't understand why I need a directory server, but I guess I do.

SEP
Ivan Ferreira
Honored Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

A directory server is just an LDAP server; in this case, the Red Hat/Fedora directory servers are LDAP servers, but with a GUI for administration. This is a replacement for openldap. You will do with the directory server the same things that you would do with openldap: store user accounts, machine accounts for samba, etc.
Stuart Browne
Honored Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

You don't *need* Open Directory Server, but it makes life a hell of a lot easier (and as Ivan said, it has multi-master, which OpenLDAP does NOT).
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

My extensive research seems to show that openldap, as are many other features, is broken in redhat's openldap implementation.

Guess I will have to try the installation.

I don't hate GUIs but wonder why I have to use them so often.

SEP
Steven E. Protter
Exalted Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

Shalom all,

More questions:
What have you worked with the Fedora DS that says it works with RH ES 4 or the RedHat product they want money for?

How hard is the integration with sendmail?

Hard or easy?

Notice the shiny new bunnies next to your last posts?

SEP
Ivan Ferreira
Honored Contributor

Re: LDAP Single sign on server RH 4 update 2 or 3

Your first question I didn't understand.

Sendmail integration is not hard; just ensure that sendmail has been compiled with LDAP support (run sendmail -d 0.1 -v and search for LDAPMAP in the "Compiled with" list; it should be there) and use FEATURE(ldap_routing). But this is only needed if you will have multiple servers and you want to use a single repository for map configuration.

If this is not the case, then you don't have to worry about it, because sendmail doesn't handle the actual delivery into the mailbox.

That's left to the MDA (procmail or whatever). You won't have to tell the MDA to do LDAP lookups either; nss_ldap makes LDAP accounts available to low-level system functions the same way that the other nss modules do.

And thanks for the bunnies!
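Added example, not from anyone in this thread: a small checker for the nss_ldap/pam_ldap client config (/etc/ldap.conf syntax) that ties together the original master/slave failover goal and Ivan's note that nss_ldap is what exposes LDAP accounts to the system. The sample config, hostnames and base DN are constructed for the example; the option names (uri, base, ssl, tls_checkpeer, bind_policy, bindpw, rootbinddn) are the standard nss_ldap ones.

```python
# Constructed sample /etc/ldap.conf (nss_ldap/pam_ldap syntax); hostnames made up.
SAMPLE_LDAP_CONF = """\
base dc=example,dc=com
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_checkpeer yes
bind_policy soft
bind_timelimit 5
timelimit 10
"""

def parse_ldap_conf(text):
    """Return {option: value}; comments skipped, last occurrence wins.
    nss_ldap matches option names case-insensitively, so keys are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_ldap_conf(text):
    """Return a list of findings; an empty list means the config passed every check."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", "").split()
    if "base" not in conf:
        findings.append("no 'base': lookups have no search base")
    if not uris:
        findings.append("no 'uri': nss_ldap falls back to localhost only")
    elif len(uris) < 2:
        findings.append("single 'uri': no slave to fail over to when the master is down")
    # TLS is in use if every URI is ldaps:// or 'ssl on'/'ssl start_tls' is set
    ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    tls_used = ldaps_only or conf.get("ssl") in ("on", "start_tls")
    if uris and not tls_used:
        findings.append("plaintext ldap:// without TLS: passwords cross the wire unencrypted")
    if tls_used and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("'tls_checkpeer' is not 'yes': the server certificate is never verified")
    if conf.get("bind_policy", "hard") != "soft":
        findings.append("'bind_policy hard' (default): logins hang on a dead server instead of failing over")
    if "bindpw" in conf:
        findings.append("'bindpw' in world-readable ldap.conf: use 'rootbinddn' with /etc/ldap.secret")
    return findings
```

Run check_ldap_conf() over the real /etc/ldap.conf on each client after the Directory Server is up; a second uri entry plus bind_policy soft is what keeps logins working when the master is down.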