[BBLISA] Single sign-on help requested

Scott Ehrlich scott at MIT.EDU
Thu Aug 23 08:54:37 EDT 2007


I have a RHEL5 Server and some dual-boot XP/CentOS 5 systems (Linux systems all 
64-bit).   All Linux is out-of-box, with all packages, minus international 
languages, installed.  No patching has been done.

On the server, I selected system-config-authentication and enabled LDAP for 
User Information, Kerberos, LDAP, and SMB for Authentication, and Shadow and 
MD5 Passwords, along with Authenticate system accounts by network services for 
Options.

All machines are on an isolated LAN, with no DNS server (I could always enable 
and configure DNS on the server if it helps the cause).

I also don't know if it matters, but the server is running the virtualization 
kernel (xen), but the clients are not.

I only have LDAP service enabled on the server.   Kerberos services are enabled 
on both client and server.

I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and have the 
clients looking to the RH box for authentication.

I also have the firewall enabled, but am letting kerberos and ldap ports 
through as tcp.

During a login test, /var/log/messages on the client showed:

lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server ldap://192.168.1.100: 
Can't contact LDAP server

lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...

lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://192.168.1.100: 
Can't contact LDAP server

lin1 dbus-daemon: dss_ldap: failed to bind to LDAP server...

lin1 xfs: ...


During boot time, Starting system message bus: [long pause] then error messages 
about DB_CONFIG and /var/lib/ldap, the usual cannot find DB_CONFIG in 
/var/lib/ldap, showing the example.com instead of my customized ldap settings, 
etc.

I've checked openldap.org, but I figured if the configuration appears to be 
simplified via an included GUI, I shouldn't have much trouble getting things 
going.

Anyway, what am I missing?   Anything special RH 5 is doing compared to the 
openldap docs?

Both servers have been rebooted since adding the respective ports in the 
firewall.

The goal is to permit my test user, created on the server, to sit at a 
workstation, boot into either Linux or XP, and get their home directory.

Ideally, the server only needs to consist of one account for them, which they 
get upon login on the workstation.

I want to highly restrict _any_ third-party tools/apps/etc.   I will be happy 
to take suggestions and leads, but I want to try and rely on what RH has 
provided.

Thanks for any insight/help.

Scott

