Hi,
We are experiencing a problem using LDAP user accounts to log in to a CentOS system.
A fresh 6.5 system was installed recently to become a central server. Both OpenLDAP and 389 Directory Server were installed and configured (not at the same time) with groups and normal user accounts. The server was configured to use LDAP authentication (through authconfig and system-config-authentication).
First, the LDAP user wasn't identified by running the 'id' command, and the same with SSH, although ldapsearch listed all objects correctly. Observing /var/log/secure showed that the user was not identified at all (no uid etc.). Following another article, POSIX details (uid + gid, with the gid set to some LDAP group) were set for that user, and the 'id' command was successful.
However, SSH connections are still refused and the log states: "Authentication service cannot retrieve authentication info" (for pam_sss). The secure log shows that user details are unavailable (uid=0,gid=0...) to sshd. Locally, when root performs "su user", the login is successful, the home directory is created and the secure log states that authentication is performed by pam_unix, in contrast to pam_sss.
We need to mention that we've tried to follow most of the literature online (Red Hat Directory Server, CentOS OpenLDAP client setup and many other resources). None was found to be complete enough to bring a system to a working state where users are able to log in and authenticate.
In addition, system-config-authentication requires the use of LDAPS or LDAP with TLS. Only command-line tools are able to configure simple LDAP (no TLS or SSL). However, even though it is a security measure, we'd like to avoid the (serious) burden of working with certificates at first, for simple experimentation.
Any comment or insight will be helpful. In addition, any link to a step-by-step guide to installing a (working) LDAP server with a client will be more than appreciated.
Many thanks, Moti.
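The first symptom in the post above (ldapsearch shows the object, but 'id', 'getent passwd' and sshd do not know the user until POSIX attributes are added) comes down to whether the entry is a posixAccount with the five attributes a passwd line is built from. The script below is an added example, not code from the thread or from any of the projects named in it: it reads the LDIF that an ldapsearch for the user returns and reports what is missing, and it also refuses a uidNumber of 0. The host, base DN, user name and both sample entries are constructed for the example; on a real client the live check is 'getent passwd jdoe' after the entry is fixed.

```shell
#!/bin/sh
# Added example, not from the thread: check an LDAP user entry for the
# pieces NSS (nss_ldap or sssd) needs before 'id' or sshd can resolve it.
# Input is the LDIF you get from a search such as (host, base DN and user
# are hypothetical):
#   ldapsearch -x -LLL -H ldap://ldap.example.com -b dc=example,dc=com '(uid=jdoe)'
# Two constructed entries are written to temp files so this runs offline.

# Attributes a passwd entry is built from. An object without them is
# visible to ldapsearch but invisible to 'id', 'getent passwd' and sshd.
REQUIRED_ATTRS="uid uidNumber gidNumber homeDirectory loginShell"

# ldif_attr FILE ATTR: print every value of ATTR in a single-entry LDIF.
# Attribute names match case-insensitively; base64 ("::") values are not decoded.
ldif_attr() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[^ #]/ {
            split($0, kv, ":")
            if (tolower(kv[1]) == want) {
                val = substr($0, length(kv[1]) + 2)
                sub(/^ +/, "", val)
                print val
            }
        }' "$1"
}

# check_posix_entry FILE: print one verdict line; exit 0 only if the entry
# is a usable posixAccount with a non-root uidNumber.
check_posix_entry() {
    file="$1"
    missing=""
    if ! ldif_attr "$file" objectClass | grep -qi '^posixAccount$'; then
        missing="objectClass=posixAccount"
    fi
    for a in $REQUIRED_ATTRS; do
        if [ -z "$(ldif_attr "$file" "$a")" ]; then
            missing="$missing $a"
        fi
    done
    missing=$(printf '%s' "$missing" | sed 's/^ *//')
    if [ -n "$missing" ]; then
        echo "MISSING: $missing"
        return 1
    fi
    uidnum=$(ldif_attr "$file" uidNumber)
    # A directory entry with uidNumber 0 would log in as root; test with an
    # ordinary user instead.
    if [ "$uidnum" -eq 0 ] 2>/dev/null; then
        echo "BAD: uidNumber 0 is root; test with an ordinary, non-root account"
        return 1
    fi
    echo "OK: $(ldif_attr "$file" uid) resolves as uid=$uidnum gid=$(ldif_attr "$file" gidNumber)"
}

# Constructed sample: the user as first created (inetOrgPerson only).
BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
EOF

# Constructed sample: the same user after the posixAccount attributes
# were added (the state in which 'id jdoe' starts to work).
cat > "$AFTER" <<'EOF'
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
EOF

for f in "$BEFORE" "$AFTER"; do
    check_posix_entry "$f" || :
done
```

The gidNumber must also exist as a posixGroup in the directory (or locally) for the group part of 'id' to resolve; the script only checks the account side.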
Hi Moti,
I have had better success today using FreeIPA packages on a CentOS server and joining a CentOS desktop. FreeIPA consists of "389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag".
My links:
freeipa.org
http://blogatharva.blogspot.com/2013/05/free-yourself-with-freeipa.html
Vin.
On Fri, Jun 6, 2014 at 9:04 AM, mordech3@post.tau.ac.il wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 2014-06-06, mordech3@post.tau.ac.il mordech3@post.tau.ac.il wrote:
In addition, system-config-authentication requires the use of LDAPS or LDAP with TLS. Only command line tools are able to configure simple LDAP (no TLS or SSL). However, even being a security measure, we'd like to avoid all the (serious) burden of working with certificates at first for simple experimentation.
Here are some guides that I referenced to configure CentOS LDAP auth without certificates:
https://www.centos.org/forums/viewtopic.php?t=7679
http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-...
That being said, if you are starting from the ground up, I think it's probably better to start moving towards using SSL certs. It is likely to get harder and harder to configure plain LDAP auth in CentOS, especially with RHEL 7 coming out.
--keith
On 2014-06-10, Keith Keller kkeller@wombat.san-francisco.ca.us wrote:
That being said, if you are starting from the ground up, I think it's probably better to start moving towards using SSL certs. It is likely to get harder and harder to configure plain LDAP auth in CentOS, especially with RHEL 7 coming out.
FWIW, here's the official RHEL guide on identity management, which includes 389, Kerberos, NFSv4, and a lot more:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
--keith
On Fri, Jun 6, 2014 at 12:34 PM, mordech3@post.tau.ac.il wrote:
A fresh 6.5 system was installed recently to become a central server. Both OpenLDAP and 389 Directory Server were installed and configured (not at the same time) with groups and normal user accounts. The server was configured to use LDAP authentication (through authconfig and system-config-authentication).
First, the LDAP user wasn't identified by running the 'id' command. The same with SSH.
How have you configured your 'client' node to connect to the openLDAP server?
Although ldapsearch listed all objects correctly. Observing /var/log/secure had shown that the user is not identified at all (no uid etc.). Following another article, POSIX details (uid + gid, and set gid to some LDAP group) were set for that user and the 'id' command was successful.
Your ldapquery command must be connecting to the LDAP server directly. Please share the full ldapsearch command line.
However, still, SSH connections are refused and the log states: "Authentication service cannot retrieve authentication info" (for pam_sss). The secure log shows that user details are unavailable (uid=0,gid=0...) to sshd.
uid/gid=0 is the super user (root). Let this user be 'local' and not from LDAP. Define a non-root user 'John/Jane Doe' and work through the setup.
Locally, when a root performs "su user", the login is successful, home is created and the secure log state authentication is performed by pam_unix, contrast to pam_sss.
I use the 'sssd' package as the backend which queries users from both 'local' and the 'LDAP' server, in conjunction with the tool 'authconfig', which makes the necessary changes to the PAM config files. Read through the refs [a] below.
Need to mention that we've tried to follow most of the literature online (RedHat directory server, CentOS OpenLDAP client setup and many other resources). None were found to be complete enough to bring a system to a working state where users are able to login and authenticate.
In addition, system-config-authentication requires the use of LDAPS or LDAP with TLS. Only command line tools are able to configure simple LDAP (no TLS or SSL). However, even being a security measure, we'd like to avoid all the (serious) burden of working with certificates at first for simple experimentation.
It is OK to get started with plain-text LDAP auth, but for production use you must use TLS to encrypt the packets for user auth.
Any comment or insight will be helpful. In addition, any link to where we can find a step-by-step guide to install an (working) LDAP server with a client, will be more than appreciated.
[a] Refs
https://fedorahosted.org/sssd/
https://fedorahosted.org/sssd/wiki/FAQ
https://help.ubuntu.com/12.04/serverguide/openldap-server.html
https://sites.google.com/site/guenterbartsch/blog/usesssdinsteadofnslcdinldapsetuponcentosrhel6
It is also useful to share the relevant entries in the log files and the conf files like /etc/ldap.conf and /etc/sssd/sssd.conf, in case you are still facing problems.
Eventually, you will have to deal with authenticating Windows clients/users through Samba (smb.conf) but that is another thread.
**Suggestion** - if you have Windows nodes in your network that require network authentication then consider Samba4; I migrated one setup from openLDAP+Samba (NT4 PDC) to a Samba4 AD/DC. For Linux clients, SSSD can also use an MS AD/DC back end.
-- Arun Khan
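Both Keith's and Arun's replies say the same thing about transport: plain LDAP is acceptable for a first experiment, TLS is mandatory before passwords from real users cross the wire. The script below is an added example, not code from the thread or from the SSSD project: it reads an sssd.conf, finds the LDAP domain and reports whether lookups and binds go over ldaps:// or StartTLS, whether the server certificate is actually verified (ldap_tls_reqcert), and whether ldap_auth_disable_tls_never_use_in_production has been switched on. That last option is the knob that makes password authentication work over an unencrypted ldap:// URI at all, because sssd otherwise refuses to send a password in the clear, which is a caveat worth knowing when a plain-LDAP experiment can look up users but will not authenticate them. The audit also confirms the pam responder is enabled, since the PAM text quoted in the original post (PAM_AUTHINFO_UNAVAIL) is what pam_sss returns when it gets no answer from sssd. The two sample configs, the domain name LAB, the host ldap.example.com and the CA path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the LDAP domain in an sssd.conf
# for the settings that decide whether lookups and passwords cross the wire
# in the clear. Two constructed configs (hostnames, paths and the domain
# name are hypothetical) are written to temp files so this runs offline;
# point it at /etc/sssd/sssd.conf on a real client.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION]
# (sssd.conf is INI-style; comments start with # or ;).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {
            cur = $0
            gsub(/^[ \t]*\[/, "", cur); gsub(/][ \t]*$/, "", cur)
            next
        }
        cur == sec && /^[ \t]*[^#;]/ {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# audit_sssd_conf FILE: one line per finding; exit 0 only if nothing is weak.
audit_sssd_conf() {
    f="$1"
    rc=0
    # pam_sss reports PAM_AUTHINFO_UNAVAIL when it cannot reach sssd's pam
    # responder, so that responder must be enabled (and sssd running).
    case ",$(ini_get "$f" sssd services)," in
        *pam*) ;;
        *) echo "sssd: WARN pam responder not in services"; rc=1 ;;
    esac
    for d in $(ini_get "$f" sssd domains | tr ',' ' '); do
        sec="domain/$d"
        authp=$(ini_get "$f" "$sec" auth_provider)
        uri=$(ini_get "$f" "$sec" ldap_uri | cut -d, -f1)   # first URI only
        starttls=$(ini_get "$f" "$sec" ldap_id_use_start_tls)
        reqcert=$(ini_get "$f" "$sec" ldap_tls_reqcert)
        plainpw=$(ini_get "$f" "$sec" ldap_auth_disable_tls_never_use_in_production)
        if [ -z "$authp" ]; then
            echo "$d: WARN auth_provider unset; set it explicitly (ldap)"
            rc=1
        fi
        case "$uri" in
            ldaps://*) echo "$d: OK transport ldaps ($uri)" ;;
            ldap://*)
                if [ "$starttls" = "true" ]; then
                    echo "$d: OK transport StartTLS ($uri)"
                else
                    echo "$d: CLEARTEXT transport ($uri)"
                    rc=1
                fi ;;
            *) echo "$d: WARN ldap_uri unset or unrecognised"; rc=1 ;;
        esac
        case "$reqcert" in
            never|allow)
                echo "$d: WEAK ldap_tls_reqcert=$reqcert (server cert not verified)"
                rc=1 ;;
        esac
        # sssd refuses to send a password over an unencrypted channel unless
        # this option is set; it is the "plain LDAP for experimentation" knob.
        if [ "$plainpw" = "true" ]; then
            echo "$d: WEAK passwords allowed over unencrypted channel"
            rc=1
        fi
    done
    return $rc
}

WEAK=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$WEAK" "$GOOD"' EXIT
# Constructed: the "no certificates yet" experiment.
cat > "$WEAK" <<'EOF'
[sssd]
services = nss, pam
domains = LAB
[domain/LAB]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
EOF
# Constructed: the same domain with StartTLS and a pinned CA.
cat > "$GOOD" <<'EOF'
[sssd]
services = nss, pam
domains = LAB
[domain/LAB]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = demand
EOF

for f in "$WEAK" "$GOOD"; do
    audit_sssd_conf "$f" || echo "   -> fix before production"
done
```

Moving from the first config to the second is the "start moving towards SSL certs" step: the only additions are ldap_id_use_start_tls, the CA file sssd verifies the server against, and dropping the two overrides; ldaps://host:636 with the same CA settings passes the same audit.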