SSS/SSSD LDAP pain RHEL6

-
So I'm trying out RHEL6 to install on my new NFS server.

All is going well, until it comes to getting LDAP user information. The new setup on RHEL6 is to use the SSS daemon. It is configured using authconfig.

My LDAP database requires TLS, and simple binding to get any user information, including just NSS related stuff.

So, I thought that would mean just running this command:

authconfig --enableshadow --enablesssd --disablesssdauth --enablecache --enablelocauthorize --update

This results in:


[domain/LDAP]
id_provider = ldap
#auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://*****
ldap_search_base = *****
ldap_default_bind_dn = *****
ldap_default_authtok_type = password
ldap_default_authtok = ******
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

But, doing a /etc/init.d/sssd restart doesn't make user information work.

id username

yields an error.

I found that you have to include the line in sssd.conf

ldap_id_use_start_tls = True

Grrrrr!

Comments

Post a Comment

Popular posts from this blog

Renewing Puppet CA and puppet master certificates

-
My two Puppet deployments are just about to turn 5 years old, and as such, the CA and puppet master certificates are just about to expire. The documentation online seem to suggest the only way to renew these certs is by deleting the /var/lib/puppet/ssl directory and getting Puppet to renew them. This would mean renewing all the certificates of all the nodes at the same time. Even the official Puppet docs suggest this is the way too.( https://docs.puppet.com/puppet/3.7/ssl_regenerate_certificates.html ) The way I will describe renews the CA certificate and puppetmaster certificate in a way which is still trusted by every existing host. First, copy the important files to a new directory # mkdir /root/puppet_renewal # cd /root/puppet_renewal # mkdir /root/puppet_renewal/ca # mkdir /root/puppet_renewal/puppetmaster # mkdir /root/puppet_renewal/puppetmaster/private_keys # mkdir /root/puppet_renewal/puppetmaster/certs # cp /var/lib/puppet/ssl/ca/ca_key.pem /root/puppet_renewal/ca #
Read more

Compiling tun.ko for Android - OpenVPN

-
I have a Xoom, and a Galaxy S, and need to be able to compile my own tun.ko for the kernel version I have. As you all know, if the kernel version of the module you are trying to insert isn't the same, it won't insert, and will give you errors like: <3>[95175.874872] tun: version magic '2.6.36.4-athm1-OV-launchpad-1.2.2+ SMP preempt mod_unload ARMv7 ' should be '2.6.36.3-gc2bee64 SMP preempt mod_unload ARMv7 ' in dmesg. We need to compile the module for the right version of the kernel Download the Kernel source - normally from  http://android.git.kernel.org/ . The Xoom can be found at  http://android.git.kernel.org/kernel/tegra.git , and the Galaxy S can be found at  http://android.git.kernel.org/kernel/samsung.git . Use $ pwd    /scratch/xoom $ git clone  http://android.git.kernel.org/kernel/tegra.git  to clone the Xoom kernel source Copy your old kernel config from your device $ pwd    /scratch/xoom $ adb pull /proc/config.gz $ gunzip co
Read more

Preseeding Ubuntu Natty 11.04

-
I decided to start this blog because of the never ending battles I have with remembering what I have conquered before, and thinking that other people have the same problems. The specific problem I was working on when I came to this conclusion was preseeding a Natty netboot install. EVERY version of Ubuntu brings more preseeding problems - something always changes, causing you to get prompted for something new, when the previous release worked without a hitch. This time (going from Lucid to Natty) was the keyboard layout preseed. I got the dreaded keyboard layout screen. Turns out the preseed file is only looked at once the locale is set (makes sense), so you have to pass the keyboard config in the kernel line of your PXE boot: LABEL stuff_natty64 kernel linux.natty64 append vga=normal initrd=initrd.gz.natty64 locale=en_AU preseed/locale=en_AU keyboard-configuration/layoutcode=us console-setup/ask_detect=false netcfg/wireless_wep= netcfg/choose_interface=auto netcfg/get_hostname= n
Read more