[CentOS] Problems with nss_ldap - where to start?

Devin Reade gdr at gno.org
Thu Dec 17 18:26:29 UTC 2009 

If you're going to be doing LDAP-based authentication on the server
that is running the LDAP server, watch out for this bug, which has been
around since at least FC5.  It's still a problem as of FC10:

	<https://bugzilla.redhat.com/show_bug.cgi?id=182464>

The best way to avoid it so far is to have LDAP served by a machine that
doesn't use LDAP.  If that's not feasible for you, then you can use the
soft bind described at <https://bugzilla.redhat.com/show_bug.cgi?id=182464#c10>
however that has some undesirable side effects (like user's mail might
bounce with "no such user" if the LDAP server is down, instead of giving
a transient lookup failure).

You don't have to worry about the above bug until after you've got a working
config, though.

On other fronts, I prefer to edit configs manually too, but if you're
just starting out you might want to start with the system-config-authentication
GUI, and then edit /etc/ldap.conf for the "ou=People" and "ou=Group"
stuff after that.  Look at the before & after configs.

Turning on various debugging options in slapd.conf can work wonders
if you understand (at least in principle) what LDAP does. It can be
very verbose but also very helpful.  Don't forget to turn the verbose
stuff off again once you solve your problem.

Remember that while most LDAP clients use /etc/openldap/ldap.conf, PAM
uses /etc/ldap.conf.  If they're not both suitably configured, then
what ldapseach is telling you has no correspondence to what PAM is seeing.

As someone else mentioned, turn off the SSL stuff and just use localhost
until you've got it working.

In /etc/ldap.conf when you set rootbinddn, don't forget to configure
/etc/ldap.secret, mode 0600.

Here's an example of a full working /etc/ldap.conf from CentOS 5.4,
domain changed, comments stripped, using SSL:

base dc=EXAMPLE,dc=ca
rootbinddn cn=manager,dc=EXAMPLE,dc=ca
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_base_passwd ou=People,dc=EXAMPLE,dc=ca?one
nss_base_shadow ou=People,dc=EXAMPLE,dc=ca?one
nss_base_group          ou=Group,dc=EXAMPLE,dc=ca?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldaps://ldap1.EXAMPLE.ca ldaps://ldap2.EXAMPLE.ca/
ssl on
tls_cacertfile /etc/pki/tls/certs/ca-bundle-EXAMPLE.crt
pam_password md5


Devin
-- 
One should forgive one's enemies,
but not before they are hanged.				- Heinrich Heine

More information about the CentOS mailing list