[CentOS] LDAP users/groups not showing up with nis, pam, & ldap
Cliff Pratt
enkiduonthenet at gmail.com
Thu Feb 21 01:56:25 UTC 2013
Or just stopping it.....
On Thu, Feb 21, 2013 at 2:56 PM, Cliff Pratt <enkiduonthenet at gmail.com> wrote:
> Do you have nscd running? If so, try stopping and starting that.
>
> Cheers,
>
> Cliff
>
> On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes <wmodes at ucsc.edu> wrote:
>> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've
>> previously installed a similar configuration on RHEL4, but CentOS now
>> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
>> are a little different.
>>
>> Currently, local users and groups are showing up but not LDAP users.
>> When I do a getent passwd and getent group I don't get LDAP users.
>>
>> When I do a listing of a share directory that should have user and group
>> ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
>> than the UIDs and GIDs.
>>
>> [root@edgar2 openldap]# ls -l /data/home | tail
>> drwx------. 2 30634 30080 4096 Mar 18 2009 userdir1
>> drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
>> drwx------. 3 30554 30075 4096 Jan 26 2009 userdir3
>> drwx------. 12 30467 30075 4096 Jun 21 2012 userdir4
>> drwx------. 4 30543 30075 4096 Oct 21 2008 userdir5
>> drwx------. 8 30555 30075 4096 Oct 31 10:36 userdir5
>>
>> Other details: centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23
>>
>> I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
>> /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig.
>> And selinux is off.
>>
>> I know the machine is successfully connecting to LDAP. An ldapsearch
>> works from this machine, and I can even connect to a samba share with an
>> ldap login through smbclient.
>>
>> Relevant parts of /etc/nsswitch:
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>> #hosts: db files nisplus nis dns
>> hosts: files dns
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files ldap
>> rpc: files
>> services: files ldap
>>
>> netgroup: nisplus ldap
>> #netgroup: ldap
>>
>> publickey: nisplus
>>
>> automount: files nisplus ldap
>> #automount: files ldap
>> aliases: files nisplus
>>
>> Relevant parts of /etc/pam_ldap.conf (everything else is commented out):
>>
>> host dir1.ourdomain.com
>> base dc=.ourdomain,dc=com
>> #uri ldaps://dir1.ourdomain.com
>> uri ldap://dir1.ourdomain.com
>>
>> # basic auth config
>> binddn cn=admin,dc=ourdomain,dc=com
>> rootbinddn cn=admin,dc=ourdomain,dc=com
>>
>> # random stuff
>> #timelimit 120
>> #bind_timelimit 120
>> #bind_policy hard
>> # brought these times down wmodes Aug 11, 2008
>> timelimit 30
>> bind_timelimit 30
>> bind_policy soft
>> idle_timelimit 3600
>> nss_initgroups_ignoreusers root,ldap
>>
>> # pam config
>> #pam_password md5
>> pam_password md5
>>
>> # config for nss
>> nss_base_passwd ou=people,dc=ourdomain,dc=com?one
>> nss_base_shadow ou=people,dc=ourdomain,dc=com?one
>> nss_base_group ou=group,dc=ourdomain,dc=com?one
>>
>> # OpenLDAP SSL mechanism
>> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
>> ssl no
>>
>> # OpenLDAP SSL options
>> # Require and verify server certificate (yes/no)
>> #tls_checkpeer yes
>>
>> # CA certificates for server certificate verification
>> tls_cacertfile /etc/openldap/cacerts/cacert.pem
>> tls_cacertdir /etc/openldap/cacerts
>>
>> # Client certificate and key
>> tls_cert /etc/openldap/cacerts/servercert.pem
>> tls_key /etc/openldap/cacerts/serverkey.pem
>>
>> Relevant parts of /etc/pam.d/system-auth:
>>
>> auth required pam_env.so
>> auth sufficient pam_fprintd.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>> session optional pam_mkhomedir.so skel=/etc/skel umask=077
>>
>> And the only line in /etc/sysconfig/authconfig I changed was:
>>
>> USELDAP=yes
>>
>> Any thoughts? For those who are experienced with nis and pam, I'm sure
>> this is a no-brainer, but I could sure use the little bit of your brain
>> that knows how to fix this.
>>
>> Wes
>>
>> --
>> Wes Modes
>> Systems Designer, Developer, and Administrator
>> University Library ITS
>> University of California, Santa Cruz
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
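As an added example (editor's code, not part of the thread and not from the CentOS project), the script below checks the pieces of the lookup chain that Wes's post touches, offline, against constructed copies of the files: that passwd, shadow and group in nsswitch.conf actually list the ldap source, that the nslcd.conf nslcd reads on CentOS 6 has a uri line, and that its base DN is well formed (the stray dot in the posted "base dc=.ourdomain,dc=com" line is exactly the kind of thing it flags). The sample nsswitch.conf and the two nslcd.conf variants are constructed here to mirror the posted configuration; nothing in them is taken from Wes's real /etc/nslcd.conf, which the post does not show. The live checks (nslcd running, a direct query of the ldap source with getent -s, and Cliff's nscd cache flush) only make sense on the host itself and run only when the script is invoked with --live.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for the
# NSS -> nslcd -> LDAP lookup chain that Wes's post describes. On CentOS 6
# the ldap NSS source is nss-pam-ldapd, which reads /etc/nslcd.conf (not
# /etc/pam_ldap.conf) and answers only while the nslcd daemon is running.
# File paths are parameters so the checks can run against constructed copies.

# Does database $2 (passwd, shadow, group, ...) in nsswitch.conf $1 list the
# "ldap" source? Commented-out lines do not start with the database name.
nss_has_ldap() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -Eq '(^|[[:space:]])ldap([[:space:]]|$)'
}

# Last uncommented value of key $2 in an nslcd.conf-style file $1, trimmed.
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" \
        | tail -n 1
}

# The global "base <dn>" line only; map-scoped lines such as
# "base passwd ou=people,..." do not start with "attr=" and are skipped.
global_base_dn() {
    sed -n 's/^[[:space:]]*base[[:space:]]\{1,\}\([A-Za-z]\{1,\}=.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" \
        | tail -n 1
}

# Reject a DN with an empty or malformed component. A "dc" value must be a
# DNS label, so "dc=.ourdomain" (the stray dot in the posted base line) fails.
dn_is_sane() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=','
    set -- $1
    IFS=$old_ifs
    for rdn in "$@"; do
        rdn=$(printf '%s' "$rdn" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$rdn" in
            *=*) attr=${rdn%%=*}; val=${rdn#*=} ;;
            *)   return 1 ;;
        esac
        [ -n "$val" ] || return 1
        if [ "$attr" = dc ]; then
            printf '%s\n' "$val" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]*$' || return 1
        fi
    done
    return 0
}

# Static checks: one line per finding; the return value is the finding count.
check_ldap_nss() {
    nsswitch=$1; nslcd_conf=$2; problems=0
    for db in passwd shadow group; do
        nss_has_ldap "$nsswitch" "$db" \
            || { echo "nsswitch: '$db' does not list the ldap source"; problems=$((problems+1)); }
    done
    [ -n "$(conf_value "$nslcd_conf" uri)" ] \
        || { echo "nslcd.conf: no uri line"; problems=$((problems+1)); }
    base=$(global_base_dn "$nslcd_conf")
    dn_is_sane "$base" \
        || { echo "nslcd.conf: base '$base' is missing or malformed"; problems=$((problems+1)); }
    return $problems
}

# Host-only checks (run as root with --live): nslcd must be up, the ldap
# source is queried directly, then nscd's cache is dropped as Cliff suggests.
live_checks() {
    pidof nslcd >/dev/null || echo "nslcd is not running: service nslcd start"
    getent -s ldap passwd | head -n 3
    if [ -x /usr/sbin/nscd ]; then nscd -i passwd; nscd -i group; fi
}

# Constructed sample files (not Wes's real files): nsswitch.conf as posted,
# a clean nslcd.conf, and one carrying the stray-dot base DN.
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
    printf 'uri ldap://dir1.ourdomain.com\nbase dc=ourdomain,dc=com\n' > "$1/nslcd.good.conf"
    printf 'uri ldap://dir1.ourdomain.com\nbase dc=.ourdomain,dc=com\n' > "$1/nslcd.bad.conf"
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for variant in good bad; do
        echo "== nslcd.$variant.conf"
        check_ldap_nss "$tmp/nsswitch.conf" "$tmp/nslcd.$variant.conf"
        echo "findings: $?"
    done
    rm -rf "$tmp"
}

demo
if [ "${1:-}" = --live ]; then live_checks; fi
```

Run without arguments to see the static checks against the constructed samples; on the real host, `sh check.sh --live` as root adds the daemon, direct-source and cache checks. If `getent -s ldap passwd` returns the LDAP accounts while plain `getent passwd` does not, the problem sits in nscd's cache rather than in nslcd or the directory.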