[CentOS] Problems with nss_ldap - where to start?

Wed Dec 16 20:39:05 UTC 2009
Peter Serwe <peter.serwe at gmail.com>

I think not as well.  The tactest user has been blown back out.  I can
re-add it from ldif again.

[root at ldap home]# getent passwd | grep example
[root at ldap home]#

[root at ldap home]# cat /etc/nsswitch.conf | grep -v \#


passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

[root at ldap home]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

[root at ldap home]# cat /etc/ldap.conf | grep -v \#


BASE dc=tncionline, dc=net
URI ldap://127.0.0.1
port 389

SIZELIMIT    12
TIMELIMIT    15
DEREF        never
timelimit 600
bind_timelimit 600
bind_policy soft
idle_timelimit 3600

nss_initgroups_ignoreusers
pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
base dc=tncionline, dc=net
pam_password md5

Peter
On Wed, Dec 16, 2009 at 12:24 PM, Craig White <craigwhite at azapple.com>wrote:

> On Wed, 2009-12-16 at 12:07 -0800, Peter Serwe wrote:
> > Found an ldif user recipe for CentOS5.2..
> >
> > Added the user "tactest" with the password "tactest".
> >
> > Dec 16 12:05:30 ldap sshd[11705]pam_unix(sshd:auth): check pass; user
> > unknown
> > Dec 16 12:05:30 ldap sshd[11705]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldap
> > Dec 16 12:05:30 ldap sshd[11705]: pam_succeed_if(sshd:auth): error
> > retrieving information about user tactest
> >
> > auth still fails.
> ----
> before you get into authorizations...
>
> does the user show? I think not...
>
> getent passwd |grep tactest
>
> if that's the case, and you want help from the list...
>
> what is in files...
> /etc/nsswitch.com
> /etc/pam.d/system-auth
> /etc/ldap.conf
>
> Craig
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Peter Serwe
http://truthlightway.blogspot.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20091216/2b43b0ec/attachment-0005.html>