[CentOS] LDAP users/groups not showing up with nis, pam, & ldap

Thu Feb 21 01:56:12 UTC 2013
Cliff Pratt <enkiduonthenet at gmail.com>

Do you have nscd running? If so, try stopping and starting that.

Cheers,

Cliff

On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes <wmodes at ucsc.edu> wrote:
> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host.  I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
> are a little different.
>
> Currently, local users and groups are showing up but not LDAP users.
> When I do a /getent passwd/ and /getent group/ I don't get LDAP users.
>
> When I do a listing of a share directory that should have user and group
> ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
> than the UIDs and GIDs.
>
>     [root@edgar2 openldap]# ls -l /data/home | tail
>     drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
>     drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
>     drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
>     drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
>     drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
>     drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5
>
> Other details:  centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23
>
> I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
> /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig.
> And selinux is off.
>
> I know the machine is successfully connecting to LDAP.  An ldapsearch
> works from this machine, and I can even connect to a samba share with an
> ldap login through smbclient.
>
> Relevant parts of /etc/nsswitch.conf:
>
>     passwd:     files ldap
>     shadow:     files ldap
>     group:      files ldap
>
>     #hosts:     db files nisplus nis dns
>     hosts:      files dns
>
>     bootparams: nisplus [NOTFOUND=return] files
>
>     ethers:     files
>     netmasks:   files
>     networks:   files
>     protocols:  files ldap
>     rpc:        files
>     services:   files ldap
>
>     netgroup:   nisplus ldap
>     #netgroup:   ldap
>
>     publickey:  nisplus
>
>     automount:  files nisplus ldap
>     #automount:  files ldap
>     aliases:    files nisplus
>
> Relevant parts of /etc/pam_ldap.conf (everything else is commented out):
>
>     host dir1.ourdomain.com
>     base dc=.ourdomain,dc=com
>     #uri ldaps://dir1.ourdomain.com
>     uri ldap://dir1.ourdomain.com
>
>     # basic auth config
>     binddn cn=admin,dc=ourdomain,dc=com
>     rootbinddn cn=admin,dc=ourdomain,dc=com
>
>     # random stuff
>     #timelimit 120
>     #bind_timelimit 120
>     #bind_policy hard
>     # brought these times down wmodes Aug 11, 2008
>     timelimit 30
>     bind_timelimit 30
>     bind_policy soft
>     idle_timelimit 3600
>     nss_initgroups_ignoreusers root,ldap
>
>     # pam config
>     #pam_password md5
>     pam_password md5
>
>     # config for nss
>     nss_base_passwd ou=people,dc=ourdomain,dc=com?one
>     nss_base_shadow ou=people,dc=ourdomain,dc=com?one
>     nss_base_group  ou=group,dc=ourdomain,dc=com?one
>
>     # OpenLDAP SSL mechanism
>     # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
>     ssl no
>
>     # OpenLDAP SSL options
>     # Require and verify server certificate (yes/no)
>     #tls_checkpeer yes
>
>     # CA certificates for server certificate verification
>     tls_cacertfile /etc/openldap/cacerts/cacert.pem
>     tls_cacertdir /etc/openldap/cacerts
>
>     # Client certificate and key
>     tls_cert /etc/openldap/cacerts/servercert.pem
>     tls_key /etc/openldap/cacerts/serverkey.pem
>
> Relevant parts of /etc/pam.d/system-auth:
>
>     auth        required      pam_env.so
>     auth        sufficient    pam_fprintd.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_ldap.so use_first_pass
>     auth        required      pam_deny.so
>
>     account     required      pam_unix.so
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>     account     required      pam_permit.so
>
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>     password    sufficient    pam_ldap.so use_authtok
>     password    required      pam_deny.so
>
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>     session     required      pam_unix.so
>     session     optional      pam_ldap.so
>     session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
>
> And the only line in /etc/sysconfig/authconfig I changed was:
>
>     USELDAP=yes
>
> Any thoughts?  For those who are experienced with nis and pam, I'm sure
> this is a no brainer, but I could sure use the little bit of your brain
> that knows how to fix this.
>
> Wes
>
> --
> Wes Modes
> Systems Designer, Developer, and Administrator
> University Library ITS
> University of California, Santa Cruz
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
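The checks implied by the thread above (is `ldap` actually listed for passwd/group/shadow in nsswitch.conf, is the base DN well formed, are nslcd and nscd running, and which numeric ids under the share directory NSS still cannot resolve), collected into one diagnostic script. This is an added example written for this page, not code from the thread or from the nss-pam-ldapd project. It assumes the stock CentOS 6 layout (NSS lookups go through nslcd, which reads `/etc/nslcd.conf`, not `/etc/pam_ldap.conf`), SysV `service` scripts, and a share directory `DATA_DIR` defaulting to the `/data/home` from the post. The helper functions take their inputs as parameters so they can be exercised offline; the sample listing lines are constructed from the post. The live checks only run when the script is invoked with `--live`.

```shell
#!/bin/sh
# Diagnostic for "getent passwd shows no LDAP users, ls -l prints raw uidNumbers"
# on a CentOS 6 host using nss-pam-ldapd.  Added example, not from the thread.
# Assumes /etc/nsswitch.conf, /etc/nslcd.conf, SysV "service", and DATA_DIR
# (default /data/home, the directory from the post).

DATA_DIR=${DATA_DIR:-/data/home}

# Does nsswitch.conf route database DB (passwd/group/shadow) through ldap?
# Commented-out lines start with "#db:", so they never match.
#   usage: nss_db_uses_ldap DB FILE
nss_db_uses_ldap() {
    awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Cheap sanity check on a base/bind DN: every RDN must be attr=value with a
# non-empty value that does not begin with a stray "." or ",".  Handles the
# plain DNs seen in nslcd.conf; escaped commas inside values are not parsed.
#   usage: dn_looks_sane DN   (returns 0 if plausible)
dn_looks_sane() {
    printf '%s' "$1" | awk -F, '
        { for (i = 1; i <= NF; i++) {
              n = split($i, kv, "=")
              sub(/^[ \t]+/, "", kv[1])
              if (n != 2 || kv[1] == "" || kv[2] == "" || kv[2] ~ /^[.,]/) bad = 1
          } }
        END { exit ((bad || NR == 0) ? 1 : 0) }
    '
}

# Extract the numeric owner / group columns from an "ls -l" style listing on stdin.
numeric_owners_in_listing() { awk 'NF >= 9 && $3 ~ /^[0-9]+$/ { print $3 }' | sort -un; }
numeric_groups_in_listing() { awk 'NF >= 9 && $4 ~ /^[0-9]+$/ { print $4 }' | sort -un; }

# Print each ID that RESOLVER cannot look up in DB ("getent passwd 30634" style).
# RESOLVER is a parameter so the function can be tested with a stub instead of getent.
#   usage: unresolved_ids DB RESOLVER ID...
unresolved_ids() {
    ur_db=$1; ur_resolver=$2; shift 2
    for ur_id in "$@"; do
        "$ur_resolver" "$ur_db" "$ur_id" >/dev/null 2>&1 || printf '%s\n' "$ur_id"
    done
}

# Live run on the host: sh this_script.sh --live
run_live_checks() {
    echo "== /etc/nsswitch.conf =="
    for db in passwd group shadow; do
        if nss_db_uses_ldap "$db" /etc/nsswitch.conf; then echo "$db: ldap listed"; else echo "$db: ldap NOT listed"; fi
    done
    echo "== /etc/nslcd.conf (the file nss-pam-ldapd's NSS module actually uses) =="
    base=$(awk '$1 == "base" && NF == 2 { print $2; exit }' /etc/nslcd.conf)
    if [ -n "$base" ] && dn_looks_sane "$base"; then echo "base $base: ok"; else echo "base '$base': missing or malformed"; fi
    echo "== daemons =="
    for svc in nslcd nscd; do service "$svc" status 2>/dev/null || echo "$svc: not running (or not installed)"; done
    echo "== ids under $DATA_DIR that NSS cannot resolve =="
    # ls -ln forces numeric ids, so the resolution test below is ours, not ls's.
    unresolved_ids passwd getent $(ls -ln "$DATA_DIR" | numeric_owners_in_listing)
    unresolved_ids group  getent $(ls -ln "$DATA_DIR" | numeric_groups_in_listing)
    echo "If ids are listed above, try: service nslcd restart; service nscd restart; then re-run."
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

`getent passwd <uidNumber>` is the decisive test: `ls -l` falls back to numbers exactly when that lookup fails, so an id printed by the last section means NSS, not Samba or ldapsearch, is what is broken. Restarting nslcd as well as nscd matters because nslcd has its own cache and must re-read `/etc/nslcd.conf` after any edit.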