Setting up LDAP on 13.2

I’ve just installed 13.2. I had my system running with various LDAP configurations under 13.1 before. Now, I seem completely unable to get anything to talk to the LDAP server or find anything. I had used the yast2-ldap-server package to allow me to set up the server and client configurations. But this seems to have been removed. Is there any guide to what to do?

Did you check in the repos? Many Yast modules are not shipped by default.

Yes, I’ve also searched software.opensuse.org without any luck. There’s a yast2-ldap-server for 13.1 but nothing that seems to fit for 13.2. The only yast2 ldap module for 13.2 is yast2-ldap, which appears to be used by other modules to integrate LDAP services.

You have to install yast2-auth-server and yast2-auth-client if they are not there already.

I’m having the same problem. I configured sssd, which I actually don’t want to use - this is a desktop machine, it will never not be able to communicate with the LDAP server.

This was a new install; although the machine was already running 12.3, it couldn’t upgrade as the /boot filesystem was too small. Cue re-partitioning the entire HD.

The old yast plugin for configuring the LDAP client was simple and intuitive. That is no longer the case.

Having messed around in yast2-authentication-client, I know this machine can communicate with the LDAP server as (user id pseudo-randomized to protect the semi-innocent) “id john” returns “uid=1001(john) gid=100(users) groups=100(users)”, however, the list of groups is far from complete and attempting to login as john fails. A “su john” as a local non-privileged user returns “su: Authentication service cannot retrieve authentication info”.

I should also mention that there seems to be no way to specify the location of the certificate, so it only works in the limited way it does if an ldap:// URI is entered. If there is only an ldaps:// URI, it doesn’t work at all.

Until this is resolved, this client machine is a rather expensive brick. Looking to revert to 13.1 at the weekend - that’ll be the end of openSUSE on the desktop for me and the end of SLES on the servers.

/jona.

Initially I was also surprised by this sudden change in openSUSE 13.2, but after a bit of experimenting I could do it without any problem.

You should use the YaST module “Authentication Client” and follow the steps given below.

Click on Authentication client

  1. Under Basic Settings click on sssd. A new dialogue box will appear; in it, enter LDAP in the domain field. Click OK and close the dialogue box.

  2. Under Configured Authentication Domains list, you can see domain/LDAP. Click Edit
    2.1 id_provider = ldap
    2.2 auth_provider = ldap
    2.3 chpass_provider = ldap
    2.4 ldap_uri = full name of the LDAP server, e.g. ldap://ldapserver.mycompany.in
    2.5 ldap_search_base = search base, e.g. dc=example,dc=com
    2.6 tls_reqcert = demand
    2.7 ldap_tls_cacert = the certificate in PEM format that you got from the LDAP server (I hope you know how to do this, as you already did it for the 13.1 client)

    If any of these fields are not in the dialogue box, just click the “New” button and select them from the list.
    Click OK.

Your client is now configured to authenticate against your LDAP server. :wink:

Thanks! I now have authentication working, however, group membership is still missing. All users are showing only their primary groups:

john@colin:~> id
uid=1001(john) gid=100(users) groups=100(users)

I checked nsswitch.conf and it seems to be correctly configured:

[…]
passwd: files nis
shadow: files nis
group: files nis

passwd: compat sss
group: compat sss

hosts: files mdns_minimal [NOTFOUND=return] dns
[…]

Sorted. The OpenSUSE LDAP server uses the RFC2307bis schema. (I hate reading RFCs). Changing ldap_schema from rfc2307 to rfc2307bis fixed the group membership issue.

Hi,

I tried to follow your steps, but cannot get a connection to the LDAP server.
Have you tried that with a fresh install?
Did you configure anything else?

thanks a bunch
Hecke

Finally got it. The YaST module for the authentication client seems buggy; somehow it did not include the start_tls directive.
When I entered it by hand into the sssd.conf file, it worked.

thanks anyway
Hecke

You should report this in bugzilla so it gets fixed

Hi all,

Any clues on how to set up hostname resolution via LDAP?

I have been unsuccessful so far… changing the hosts line in /etc/nsswitch.conf did not work.

I just got done fighting with getting openSUSE 13.2 to communicate with our LDAP server that ties our linux machines to our organization’s AD system.

This thread was super helpful in getting at least LDAP authentication working with our setup. The one last piece that took quite a bit of trouble-shooting was that the 13.2 LDAP / openldap stack does not seem to read the “port” setting from the LDAP configuration file. Previously, I had:
uri ldap://orgldap.org.domain
port 6389

This worked on 11.1, 11.2 and 12.3, but not on 13.2. On the latest OS, one needs to have
uri ldap://orgldap.org.domain:6389

The custom port does not seem to be honored from the configuration file, only from the “uri” value. The ldapsearch command-line options work fine both with the port integrated into the URI:
-h ldap://orgldap.org.domain:6389

or breaking it out separately:
-h ldap://orgldap.org.domain -p 6389

But trying to specify it separately in the config file does not seem to work.
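Pulling the thread’s findings together: the YaST “Authentication Client” steps above, the ldap_schema = rfc2307bis fix for missing secondary groups, the start_tls directive the YaST module left out, and the port-in-the-URI issue. The script below is an added example (not code from the original posts, and not part of sssd or YaST): it embeds two constructed sssd.conf samples, one as the YaST steps produce it before those fixes and one with them applied, and lints the LDAP domain for each pitfall. Host names, search base, port 6389 and the CA path are assumed values. Option names are sssd’s own (the dialog field written as “tls_reqcert” above is ldap_tls_reqcert in sssd.conf, and start_tls is ldap_id_use_start_tls); the check for a missing CA relies on sssd’s documented default of falling back to the system OpenLDAP ldap.conf when ldap_tls_cacert is unset.

```python
"""Lint the LDAP domain of an sssd.conf for the pitfalls this thread ran into.

Added example; not code from the original posts or from sssd/YaST.
The two sssd.conf samples are constructed: host name, search base, port and
CA path are assumed values, not taken from any real deployment.
"""
import configparser
from urllib.parse import urlsplit

# Constructed: the domain the YaST "Authentication Client" steps produce once
# the thread's fixes are applied (rfc2307bis, start_tls, port inside the URI).
GOOD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapserver.mycompany.in:6389
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ldap-ca.pem
"""

# Constructed: the same domain before the fixes, with certificate checking off.
BAD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapserver.mycompany.in
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
ldap_tls_reqcert = never
"""

TRUE_VALUES = ("true", "yes", "1")


def lint_sssd_conf(text):
    """Return (severity, code, message) findings for every ldap domain in text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider") != "ldap":
            continue
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        if not uris:
            findings.append(("error", "no_uri", f"{section}: ldap_uri is missing"))
            continue
        start_tls = dom.get("ldap_id_use_start_tls", "false").lower() in TRUE_VALUES
        # sssd's default for ldap_tls_reqcert is "hard"; only an explicit
        # "never"/"allow" switches server-certificate verification off.
        reqcert = dom.get("ldap_tls_reqcert", "hard").lower()
        has_ca = bool(dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir"))
        encrypted = start_tls
        for uri in uris:
            parts = urlsplit(uri)
            if parts.scheme == "ldaps":
                encrypted = True
            elif parts.scheme == "ldap" and not start_tls:
                findings.append(("error", "plaintext",
                                 f"{section}: {uri} without ldap_id_use_start_tls = true "
                                 "sends bind credentials in the clear"))
            if parts.port is None:
                # sssd has no separate port option: a non-default port must be
                # part of ldap_uri itself (defaults: 389 for ldap, 636 for ldaps).
                findings.append(("info", "no_port",
                                 f"{section}: {uri} carries no port; sssd only takes "
                                 "the port from ldap_uri"))
        if reqcert in ("never", "allow"):
            findings.append(("warning", "no_verify",
                             f"{section}: ldap_tls_reqcert = {reqcert} accepts any "
                             "server certificate"))
        elif encrypted and not has_ca:
            findings.append(("info", "no_ca",
                             f"{section}: no ldap_tls_cacert or ldap_tls_cacertdir; "
                             "verification falls back to the system OpenLDAP ldap.conf"))
        if dom.get("ldap_schema", "rfc2307").lower() == "rfc2307":
            findings.append(("info", "rfc2307",
                             f"{section}: ldap_schema is rfc2307; a YaST-built openSUSE "
                             "LDAP server uses rfc2307bis, and a mismatch shows up as "
                             "missing secondary groups"))
    return findings


def codes(text):
    """Sorted finding codes, convenient for comparing two configurations."""
    return sorted(code for _, code, _ in lint_sssd_conf(text))


if __name__ == "__main__":
    for severity, code, message in lint_sssd_conf(BAD_CONF):
        print(f"{severity:8} {code:10} {message}")
    print("fixed config findings:", lint_sssd_conf(GOOD_CONF))
```

Run it against a real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` (as root, since the file is mode 0600); the plaintext finding is the one to treat as blocking, because an ldap:// URI without start_tls is exactly the configuration in which a user’s password crosses the network unencrypted at every login.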

I just wanted to mention that all I really had to do was a basic default setup in YaST’s “Authentication Server”, and then, in YaST’s “Authentication Client”, change the schema from rfc2307 to rfc2307bis, because I saw that was the default setting in the “Authentication Server” setup, and it worked.

I only did this in the last few days however so it might be that they’ve fixed a few things since this thread started.

I haven’t tested outside my local machine yet, that’s today’s job.

Once those two are done, you just go to the user setup in YaST, change the filter to “LDAP users” and start adding your users and groups.

What I did for the ldap_uri field in the Authentication Client was ldap://ldap.mydomain.com, and then I pointed ldap.mydomain.com in /etc/hosts at the server’s outward-facing IP address (i.e. not localhost or 127.0.0.1, although that would probably work locally, just not across the network).

Not wanting to hijack your thread, but this didn’t work for me;
I checked the LDAP server: the schema there is rfc2307bis, so I changed the client on openSUSE 13.2 to rfc2307bis as well.
I can authenticate, but my secondary groups are not there, only the main group…
Any further ideas?

Joschka77:

Did you ever resolve your secondary group issues? I’m seeing the same problem and have already changed ldap_schema to rfc2307bis.

My one oddity is that the ldap server is opensuse 13.1 and my client is opensuse 13.2.

thanks

I was able to fix this issue by turning off group caching in the /etc/nscd.conf file.

Sorry for my late reply;
yes, I have resolved this issue. My solution was:
in /etc/sssd/sssd.conf

comment out the lines

ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid