Single sign-on help requested

Matthew Gillen me-5yx05kfkO/aqeI1yJSURBw at public.gmane.org
Thu Aug 23 11:16:34 EDT 2007


Scott Ehrlich wrote:
> I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and
> have the clients looking to the RH box for authentication.
> 
> I also have the firewall enabled, but am letting kerberos and ldap ports
> through as tcp.
> 
> During a login test, /var/log/messages on the client showed:
> 
> lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server
> ldap://192.168.1.100: Can't contact LDAP server
> 
> lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32
> seconds)...
> 
> lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server
> ldap://192.168.1.100: Can't contact LDAP server
> 
> lin1 dbus-daemon: dss_ldap: failed to bind to LDAP server...

I'd log into the client box as root or some local user, and use some
ldap-browsing utilities (RHEL5 docs suggest this tool:
http://www-unix.mcs.anl.gov/~gawor/ldap/ ) to see if it's your local
configuration, or if the server is misconfigured.

(It's also worthwhile to check /var/log/messages on the server box to see if
there are any "unauthorized client" types of messages.)

If you're able to connect and browse via a stand-alone tool, that eliminates a
lot of possibilities.

> Anyway, what am I missing? Anything special RH 5 is doing compared to
> the openldap docs?

According to the docs
(https://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/ch-ldap.html
), it doesn't appear so.

> The goal is to permit my test user, created on the server, to sit at a
> workstation, boot into either Linux or XP, and get their home directory.
> 
> Ideally, the server only needs to consist of one account for them, which
> they get upon login on the workstation.

That's definitely doable (although you might need XP-Pro, since XP-Home has
some useful networking features broken).

> I want to highly restrict _any_ third-party tools/apps/etc. I will be
> happy to take suggestions and leads, but I want to try and rely on what
> RH has provided.
> 
> Thanks for any insight/help.
> 
> Scott
> 
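
Added example, not part of the original message or of any Red Hat tooling: a stand-alone probe, run from the client, that separates the cases the reply wants to tell apart (firewall or listener problem versus a server that answers LDAP). It sends an anonymous LDAPv3 bind over a raw socket; the function names and result labels are made up for this illustration, and the address is the one from the quoted log.

```python
# Added example: triage nss_ldap's "Can't contact LDAP server" from the client side.
import socket

# LDAPv3 anonymous simple BindRequest (messageID 1, empty DN, empty password), BER-encoded.
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def parse_bind_response(buf):
    """Return the LDAP resultCode from a BindResponse, or None if buf is not one."""
    try:
        tag, pos, _ = _tlv(buf, 0)         # LDAPMessage SEQUENCE
        if tag != 0x30:
            return None
        _, _, pos = _tlv(buf, pos)         # skip messageID
        tag, pos, _ = _tlv(buf, pos)       # protocolOp, [APPLICATION 1] = BindResponse
        if tag != 0x61:
            return None
        tag, start, end = _tlv(buf, pos)   # resultCode ENUMERATED
        return int.from_bytes(buf[start:end], "big") if tag == 0x0A else None
    except IndexError:
        return None

def probe_ldap(host, port=389, timeout=5.0):
    """Classify the failing layer; returns (label, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(BIND_REQUEST)
            reply = s.recv(4096)
    except socket.timeout:
        return "timeout", "no answer in time: dropped by a firewall, wrong address, or silent service"
    except ConnectionRefusedError:
        return "refused", "host reachable, nothing listening on this port (or firewall REJECT)"
    except OSError as exc:
        return "unreachable", str(exc)
    code = parse_bind_response(reply)
    if code is None:
        return "not-ldap", "port open but the reply is not an LDAP BindResponse"
    return ("ldap-ok" if code == 0 else "ldap-error"), "resultCode=%d" % code

if __name__ == "__main__":
    print(probe_ldap("192.168.1.100"))     # server address from the quoted log lines
```

A non-zero resultCode (for example, a server that refuses anonymous binds) still shows that LDAP is reachable from the client, which points the search at the nss_ldap configuration rather than the network path.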

