[CentOS] Howto for LDAP authentication with replication

Craig White craigwhite at azapple.com
Sat Jan 12 17:00:12 UTC 2008


On Sat, 2008-01-12 at 10:44 -0600, Sean Carolan wrote:
> > not really, have you run system-config-authentication ? That also
> > configures pam & nss which are necessary items.
> 
> Yes, I have and unfortunately when the 'ldap' tags are added to 
> /etc/nsswitch.conf the system won't allow me to authenticate, su or sudo 
> at all!
> 
> > 
> > If each user shows only once AND they are in /etc/passwd and LDAP, then
> > it would be a clear indication that the underlying system isn't
> > configured to find users/groups/passwords in LDAP at all. If each user
> > has been removed from /etc/passwd, then it may very well be working.
> 
> I'm hesitant to remove users from /etc/passwd and rely on LDAP for 
> authentication before I'm sure it is working.  Can you not have the 
> system attempt first to authenticate users via LDAP, then fall back to 
> pam_unix if that doesn't work?
> 
> > Configuring Webmin's LDAP Users and Groups is only possible when you
> > have configured the underlying system first, can actually do command
> > line add/remove/delete ldap users and can authenticate as an LDAP user
> > to various systems such as ssh. At that point, Webmin's configuration
> > becomes obvious. It is not reasonable to expect Webmin to supply the
> > understanding of LDAP that the administrator cannot accomplish without
> > Webmin.
> 
> This is where I'm stuck.  As soon as I try to turn on the system 
> authentication by editing /etc/pam.d/system_auth and /etc/nsswitch.conf 
> the system becomes unusable.   Try to run "su -" and it just sits there 
> and hangs.  I know it's my own fault for not configuring it right, I 
> just wish the available documentation gave some detailed examples. 
> There is so much incorrect and incomplete information out there on the 
> web that I'm not sure what to try.
----
#1 - Don't hand edit system-auth and nsswitch.conf by hand and also run
system-config-authentication...the processes are mutually defeating.
Just use system-config-authentication as it is designed to make the
changes to both of those files and also /etc/ldap.conf as it sees fit.
It works.

#2 - You probably need to add the following lines to /etc/ldap.conf to
smooth things...

timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap

This will solve your issues with 'su -' and the length of time it takes.

I previously gave you links to CentOS documentation (which was lifted
from RHEL) which discusses Red Hat's integration for using LDAP to
authenticate. I also gave you the link to the openldap.org administrator
guide for using LDAP and I think I directed you to Gerald Carter's book
which simplifies it. There is also information on the TLDP web site.

If you are dismayed by the lack of detailed information on the web, it's
only because:
- LDAP wasn't designed to do authentication in the first place
- There is no one way to do authentication via LDAP, but rather a lot of
methodologies.
- LDAP is a tool that merely seeks to provide responsive usage to an
ever increasing set of RFCs. Authentication is but one of the things that
LDAP provides. The expectation that the usage of LDAP to accomplish a
task should be apparent is like expecting GIMP to make you an artist.

Start with 'test' users that don't exist in /etc/passwd until you get
confidence.

Craig
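The two files Craig's reply talks about (/etc/ldap.conf for nss_ldap and /etc/nsswitch.conf) can be checked mechanically before you touch a live login path. The script below is an added example for readers of this thread, not code from the post or from the nss_ldap project; it parses both files, reports which of the four recommended ldap.conf lines are absent or differ, appends the missing ones, and checks that `files` is listed before `ldap` for passwd/shadow/group so local accounts such as root still resolve when the directory is unreachable. The sample file contents are constructed (example.com host and base), and the recommended values are taken from the post above.

```python
"""Check nss_ldap settings from the thread against /etc/ldap.conf and /etc/nsswitch.conf."""
import os

# Lines the post recommends adding to /etc/ldap.conf (values as given in the post).
RECOMMENDED = {
    "timelimit": "30",
    "bind_timelimit": "30",
    "bind_policy": "soft",
    "nss_initgroups_ignoreusers": "root,ldap",
}

# Constructed sample ldap.conf: what system-config-authentication might leave you
# with before the smoothing options are added (hostname is a placeholder).
SAMPLE_LDAP_CONF = """\
# constructed sample, not a real directory server
host ldap.example.com
base dc=example,dc=com
ssl no
pam_password md5
bind_policy hard
"""

# Constructed sample nsswitch.conf with 'ldap' placed before 'files' on the group line.
SAMPLE_NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      ldap files
"""


def parse_kv_conf(text):
    """Parse an nss_ldap-style 'key value' file into a dict; keys lowercased, last wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text):
    """Return findings for recommended ldap.conf settings that are missing or differ."""
    conf = parse_kv_conf(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = conf.get(key)
        if have is None:
            findings.append(f"{key} not set (post recommends '{key} {want}')")
        elif key == "nss_initgroups_ignoreusers":
            # Any extra users are fine; root and ldap must both be present.
            users = {u.strip() for u in have.split(",")}
            missing = [u for u in want.split(",") if u not in users]
            if missing:
                findings.append(f"{key} is missing {','.join(missing)}")
        elif key.endswith("timelimit"):
            # A longer or non-numeric limit keeps 'su -' waiting on a dead server.
            if not have.isdigit() or int(have) > int(want):
                findings.append(f"{key} is {have!r}; post recommends {want}")
        elif have.lower() != want:
            findings.append(f"{key} is {have!r}; post recommends {want}")
    return findings


def apply_recommendations(text):
    """Return the config with each recommended line that is absent appended.

    Lines that exist with a different value are left alone (check_ldap_conf reports
    them) so that a deliberate local choice is never silently overwritten.
    """
    conf = parse_kv_conf(text)
    additions = [f"{k} {v}" for k, v in RECOMMENDED.items() if k not in conf]
    if not additions:
        return text
    return text.rstrip("\n") + "\n" + "\n".join(additions) + "\n"


def parse_nsswitch(text):
    """Map each nsswitch database name to its ordered list of source tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = sources.split()
    return dbs


def check_nsswitch(text):
    """Flag passwd/shadow/group lines where 'files' does not precede 'ldap'."""
    dbs = parse_nsswitch(text)
    findings = []
    for db in ("passwd", "shadow", "group"):
        sources = dbs.get(db, [])
        if "ldap" not in sources:
            findings.append(f"{db}: ldap not listed; LDAP users will not be found")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            findings.append(f"{db}: 'files' must come before 'ldap' so local accounts (root) resolve without the directory")
    return findings


if __name__ == "__main__":
    # Run against the real files when present, otherwise against the constructed samples.
    for path, sample, check in (("/etc/ldap.conf", SAMPLE_LDAP_CONF, check_ldap_conf),
                                ("/etc/nsswitch.conf", SAMPLE_NSSWITCH, check_nsswitch)):
        text = open(path).read() if os.path.exists(path) else sample
        for finding in check(text) or [f"{path}: no findings"]:
            print(finding)
```

Run it as root on the box before enabling LDAP in nsswitch.conf; the ldap.conf findings tell you which of the four lines to add, and the nsswitch findings catch the ordering mistake that makes `su -` depend on the directory being up. It only reads the files and prints; applying `apply_recommendations` to the real file is left to the administrator.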
