I am trying to set up LDAP authentication for CentOS workstations, but can't get it to authenticate properly. Authentication fails saying the account has expired when I know for certain that it has not (e.g. ldapsearch authenticated with the appropriate uid and password returns shadowLastChange 14816 and shadowMax 99999).
The last time I did this seriously for authentication was using Apple iMacs authenticating against a SuSE Linux machine, so it's entirely possible I'm not doing the right thing today. Most of the sites where we're using ldap and nss are not doing authentication, but simply going to users' $HOME directories to deliver e-mail to Maildir stores, which doesn't require authentication. FWIW, I just checked an old SLES9 system authenticating against another SuSE system by telnetting to its POP3 server, and that works as expected, so it's something different in the way SuSE's PAM and CentOS' work (using MD5 passwords).
I have done a fair amount of google/RTFM as well as reading the pam documentation on the CentOS client machine, and don't find anything that helps me figure out what is causing it to think the account has expired.
The LDAP attributes that I think are relevant on a test account are below. I don't see anything here that looks hinky, but then I am fairly ignorant on PAM authentication.
shadowExpire 0
shadowFlag 0
shadowInactive 0
shadowLastChange 14816
shadowMax 99999
shadowMin 0
shadowWarning 7
Bill
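Added example, not part of the thread and not Linux-PAM's own code: a Python model of the decision order in pam_unix's check_shadow_expiry() (modules/pam_unix/support.c), run over the shadow attributes listed in the post above. The attribute dump, the day number and the diagnose() wrapper are constructed here for illustration. The thing it shows is that pam_unix tests sp_expire before any password-age check, treats every value other than -1 as an absolute day number, and that nss_ldap supplies -1 only for an attribute that is absent from the entry; a shadowExpire attribute that is present with the value 0 is compared as day 0 (1 January 1970).

```python
"""Model of the pam_unix shadow account-expiry check, applied to the
shadow attributes an LDAP entry returns through nss_ldap.

Added example: not code from the thread, and not Linux-PAM's own code.
It follows the branch order of check_shadow_expiry() in pam_unix
(modules/pam_unix/support.c) for the checks that decide "account
expired" versus "password must be changed".
"""
import time

# Result names only; the numeric PAM constants are not reproduced here.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire")


def days_since_epoch(now=None):
    """Day number the way pam_unix computes it: time(NULL) / (60*60*24)."""
    if now is None:
        now = time.time()
    return int(now // 86400)


def parse_shadow_attrs(text):
    """Pick the shadow attributes out of an ldapsearch dump ("attr: value"
    lines; "attr value" without the colon is accepted too). Attributes
    missing from the entry become -1, which is what nss_ldap hands to PAM."""
    sp = {name: -1 for name in SHADOW_ATTRS}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.replace(":", " ", 1).partition(" ")
        if name in sp:
            sp[name] = int(value.strip())
    return sp


def check_shadow_expiry(sp, curdays):
    """Same decision order as pam_unix's check_shadow_expiry(); returns the
    PAM result name plus the reason, so a failing login can be explained."""
    # 1. Absolute expiry day. -1 means never; 0 is a day like any other,
    #    and today is always >= 0, so an explicit 0 is "already expired".
    if sp["shadowExpire"] != -1 and curdays >= sp["shadowExpire"]:
        return PAM_ACCT_EXPIRED, "shadowExpire %d is not after today (%d)" % (
            sp["shadowExpire"], curdays)
    # 2. A last-change day of 0 forces a password change at login.
    if sp["shadowLastChange"] == 0:
        return PAM_NEW_AUTHTOK_REQD, "shadowLastChange is 0"
    # 3. A change dated in the future is logged by pam_unix and otherwise ignored.
    if curdays < sp["shadowLastChange"]:
        return PAM_SUCCESS, "password change dated in the future"
    age = curdays - sp["shadowLastChange"]
    # 4. Password older than shadowMax + shadowInactive: account expired.
    if (sp["shadowMax"] != -1 and sp["shadowInactive"] != -1
            and age > sp["shadowMax"] and age > sp["shadowInactive"]
            and age > sp["shadowMax"] + sp["shadowInactive"]):
        return PAM_ACCT_EXPIRED, "password age %d exceeds shadowMax+shadowInactive" % age
    # 5. Password older than shadowMax: must be changed before login proceeds.
    if sp["shadowMax"] != -1 and age > sp["shadowMax"]:
        return PAM_NEW_AUTHTOK_REQD, "password age %d exceeds shadowMax" % age
    return PAM_SUCCESS, "ok"


def diagnose(ldap_text, curdays=None):
    """Hypothetical wrapper: attributes as printed by ldapsearch -> verdict."""
    if curdays is None:
        curdays = days_since_epoch()
    return check_shadow_expiry(parse_shadow_attrs(ldap_text), curdays)


# Constructed input: the values from the post, in ldapsearch's "attr: value"
# form. Day 14816 is 26 July 2010, the day the message was sent.
POSTED_ENTRY = """\
shadowExpire: 0
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 14816
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
"""
POST_DAY = 14816

# The same entry with the shadowExpire attribute deleted from the directory.
FIXED_ENTRY = "\n".join(l for l in POSTED_ENTRY.splitlines()
                        if not l.startswith("shadowExpire")) + "\n"

if __name__ == "__main__":
    for label, entry in (("as posted", POSTED_ENTRY),
                         ("shadowExpire removed", FIXED_ENTRY)):
        code, why = diagnose(entry, POST_DAY)
        print("%-22s -> %s (%s)" % (label, code, why))
```

Run against the posted values it returns PAM_ACCT_EXPIRED at step 1, because shadowExpire 0 is evaluated as day 0; the same entry with the attribute deleted (nss_ldap then supplies -1) passes, and only the password-age checks that follow depend on shadowLastChange and shadowMax. The shadow(5) man page warns against the value 0 in the expiry field for exactly this reason. This models pam_unix's account check, which applies when pam_unix is in the account stack and gets the shadow fields through NSS; an account stack that relies on a different module's policy is not covered by it.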
On Mon, Jul 26, 2010 at 03:44:48PM -0700, Bill Campbell wrote:
> I am trying to set up LDAP authentication for CentOS workstations, but can't get it to authenticate properly. Authentication fails saying the account has expired when I know for certain that it has not (e.g. ldapsearch authenticated with the appropriate uid and password returns shadowLastChange 14816 and shadowMax 99999).
Well, I'm just going to spam my own page. Give it a gander, and see if following it from the get go works.
Note the link to the forum thread in it--it's possible, though not proven, that CentOS (probably RH) *might* have broken ldap.
http://home.roadrunner.com/~computertaijutsu/ldap.html
All I can say is that it works for me, but--and it's probably an important but--I haven't set it up from scratch on CentOS 5.5 yet.
On Mon, Jul 26, 2010, Scott Robbins wrote:
> On Mon, Jul 26, 2010 at 03:44:48PM -0700, Bill Campbell wrote:
> > I am trying to set up LDAP authentication for CentOS workstations, but can't get it to authenticate properly. Authentication fails saying the account has expired when I know for certain that it has not (e.g. ldapsearch authenticated with the appropriate uid and password returns shadowLastChange 14816 and shadowMax 99999).
> Well, I'm just going to spam my own page. Give it a gander, and see if following it from the get go works.
> Note the link to the forum thread in it--it's possible, though not proven, that CentOS (probably RH) *might* have broken ldap.
> http://home.roadrunner.com/~computertaijutsu/ldap.html
> All I can say is that it works for me, but--and it's probably an important but--I haven't set it up from scratch on CentOS 5.5 yet.
Thanks. I have to go to a client site this afternoon to do some fire-stomping, and will take a look at this when I get back. A quick scan, and looks like it covers all the bases.
Bill