Hi, I would like to configure my LDAP-Server with the option "TLSVerifyClient demand" so that the authentication is only possible with certificates. I created the certificate for the user that should log in to the LAM. On the commandline everything is working fine. Now I would like to do the authentication over certificats with LAM too. Is this possible? Best regards Stefan
Hi Stefan, Am 01.03.2011 16:42, schrieb Stefan Kania: > I would like to configure my LDAP-Server with the option > "TLSVerifyClient demand" so that the authentication is only possible > with certificates. I created the certificate for the user that should > log in to the LAM. On the commandline everything is working fine. Now I > would like to do the authentication over certificats with LAM too. > Is this possible? I never tried but probably this can be done by changing /etc/ldap.conf or /etc/ldap/ldap.conf. This file is also used to setup the trusted CAs for LDAP+SSL/TLS. -- -- Best regards Roland Gruber LDAP Account Manager http://www.ldap-account-manager.org/ Want more? Get LDAP Account Manager Pro! http://www.ldap-account-manager.org/lamcms/lamPro
Hi, I've got the newest LAM 3.3.0 running on a Ubuntu 10.04. LDAP-authentication is working properly and I can login/ssh with testusers on the machine. I can also ssh with the "manager", which is the administrator for the LAM. However, the lamdaemon test fails: Lamdaemon Server und Pfad: Es wird localhost als Lamdaemon-Server verwendet. Unix-Account: Für die Verbindung zum Remote-Server wird manager verwendet. SSH-Verbindung: Kann keine Verbindung zum Server herstellen! (In English, everything works well until the SSH-connecttion could no be established) What might be the problem? Which other information do you need? Thanks a lot and with kind regards Simon ------------------------------------------------------------------------------ Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev
Hello All, I'm running lamPRO 3.3.0 with OpenDJ 2.4 for my LDAP server and I'm running into some problems when creating groups. When I run the schema test I get a message that the attribute 'cn' is not supported by the objectClass posixGroup and when creating a group I get a message that the server is unwilling to perform that action. In OpenDJ when creating a posixGroup, that entry must also have a structural objectClass, either groupOfUniqueNames or groupOfNames, associated with it. I'm assuming this is the reason for the error and not being able to create a group, except via the tree view. Can anyone confirm this? And is there a way I can enable or set this so one of the structural objectClasses is being, I'd prefer groupOfUniqueNames, and if so how? If not how can I hack the code so it is? I've started looking at the source but was hoping some could provide an answer to this more quickly. Thanks! Valid posixGroup entry: dn: cn=users,ou=group,dc=domain,dc=com cn: users gidNumber: 100 objectClass: groupOfUniqueNames objectClass: posixGroup objectClass: top --(Continue reading)
A Dimecres, 2 de març de 2011, Simon Zihlmann va escriure: > Hi, > I've got the newest LAM 3.3.0 running on a Ubuntu 10.04. > LDAP-authentication is working properly and I can login/ssh with > testusers on the machine. I can also ssh with the "manager", which is > the administrator for the LAM. However, the lamdaemon test fails: > > Lamdaemon Server und Pfad: Es wird localhost als Lamdaemon-Server > verwendet. > Unix-Account: Für die Verbindung zum Remote-Server wird manager verwendet. > SSH-Verbindung: Kann keine Verbindung zum Server herstellen! > (In English, everything works well until the SSH-connecttion could no be > established) > > What might be the problem? > Which other information do you need? > Thanks a lot and with kind regards > Simon > I got similar problems in the past. If it's what I think, be sure that ssh manager <at> localhost or ssh manager <at> where_is_running_lam works. In my case was something so stupid as to say yes to accept the key the first time.(Continue reading)
Hi, > I got similar problems in the past. If it's what I think, be sure that > > ssh manager <at> localhost or > ssh manager <at> where_is_running_lam > > works. > > In my case was something so stupid as to say yes to accept the key the first > time. Yes, this works without problem. Even from the manager account (manager <at> host: ssh manager <at> localhost works without any problem). I also accepted the hos-key (as I was running ssh manager <at> localhost from the manager account the first time, so the /home/manager/.ss/known_host includes the host-key from localhost (where lam runs and the homedirs should be created). Simon ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. ------------------------------------------------------------------------------ Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev(Continue reading)
Hi Darin, Am 02.03.2011 22:19, schrieb Darin Perusich: > Can anyone confirm this? And is there a way I can enable or set this so > one of the structural objectClasses is being, I'd prefer > groupOfUniqueNames, and if so how? If not how can I hack the code so it > is? I've started looking at the source but was hoping some could provide > an answer to this more quickly. please edit your LAM server profile. In the modules selection for groups please remove the posixGroup module and add groupOfUniqueNames+rfc2307bisPosixGroup. I guess you are using Suse Linux which uses a special posixGroup object class. -- -- Best regards Roland Gruber LDAP Account Manager http://www.ldap-account-manager.org/ Want more? Get LDAP Account Manager Pro! http://www.ldap-account-manager.org/lamcms/lamPro
Hi Simon, Am 03.03.2011 13:29, schrieb S.Zihlmann@...: > I also accepted the hos-key (as I was running ssh manager <at> localhost > from the manager account the first time, so the > /home/manager/.ss/known_host includes the host-key from localhost > (where lam runs and the homedirs should be created). please try the SSH connection when you are your Apache user (e.g. www-data/www-run). Please also check your logs (/var/log/syslog) if the SSH daemon reports anything if and why the connection is not accepted. If this does not help please check with wireshark/tcpdump if there is really a connection attempt to SSH. -- -- Best regards Roland Gruber LDAP Account Manager http://www.ldap-account-manager.org/ Want more? Get LDAP Account Manager Pro! http://www.ldap-account-manager.org/lamcms/lamPro
Hi Roland, > > please edit your LAM server profile. In the modules selection for > groups > please remove the posixGroup module and add > groupOfUniqueNames+rfc2307bisPosixGroup. > I guess you are using Suse Linux which uses a special posixGroup object > class. While my clients are OpenSUSE I am using the OpenDJ LDAP server, http://www.forgerock.com/opendj.html. It's the continuation of OpenDS after Oracle affectively killed the project by abandoning it. I've set "types: modules_group: groupOfUniqueNames,rfc2307bisPosixGroup" in my server profile but when I attempt to create a posixGroup I'm getting a message that I need to add at least one member to the group. Technically this is not required by the schema, see the objectClass definition below. The OpenLDAP schema is based on RFC2256 where a uniqueMember is required. Is this hardcoded into LAM or is it determining referencing the schema from the server? objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL MUST cn MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) X-ORIGIN 'RFC 4519' ) The information transmitted is intended only for the person or entity to which(Continue reading)
Hi, > please try the SSH connection when you are your Apache user (e.g. > www-data/www-run). I've tried this and I had to accept the host-key, but it worked. > Please also check your logs (/var/log/syslog) if the > SSH daemon reports anything if and why the connection is not accepted. Here are the messages (first ssh from apache-user (www-data), second LAM test): 1) syslog: Mar 3 21:22:14 ARGLOS nslcd[863]: [2dba31] connected to LDAP server ldap://127.0.0.1/ auth.log: Mar 3 21:22:14 ARGLOS sshd[2153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=manager Mar 3 21:22:14 ARGLOS sshd[2153]: Accepted password for manager from ::1 port 48108 ssh2 Mar 3 21:22:14 ARGLOS sshd[2153]: pam_unix(sshd:session): session opened for user manager by (uid=0) 2) syslog: Mar 3 21:24:55 ARGLOS nslcd[863]: [7130a3] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials: Success auth.log: Mar 3 21:24:55 ARGLOS sshd[2248]: pam_unix(sshd:auth): authentication(Continue reading)
RSS Feed9 | |
|---|---|
14 | |
11 | |
11 | |
31 | |
21 | |
8 | |
12 | |
10 | |
12 | |
16 | |
33 | |
44 | |
15 | |
18 | |
30 | |
30 | |
15 | |
24 | |
5 | |
26 | |
6 | |
27 | |
2 | |
36 | |
14 | |
20 | |
22 | |
31 | |
7 | |
8 | |
9 | |
29 | |
22 | |
22 | |
14 | |
18 | |
5 | |
20 | |
25 | |
10 | |
26 | |
22 | |
12 |
