I'm having trouble setting up ldap based authentication.
I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:
perl -e 'print join(" ",getpwnam("testuser")),"\n";'
And it properly finds the test user on the 5.4 box, but not the 6.0 box.
I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
Here are the ldap related packages installed on the 6.0 box:
[root@vburntest02 ~]# rpm -qa | grep ldap
openldap-2.4.19-15.el6_0.2.x86_64
pam_ldap-185-5.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64
apr-util-ldap-1.3.9-3.el6.x86_64
Any idea what to check next?
Thanks, -- Mitch
On Oct 31, 2011, at 3:10 PM, Mitch Patenaude wrote:
I'm having trouble setting up ldap based authentication.
I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:
perl -e 'print join(" ",getpwnam("testuser")),"\n";'
And it properly finds the test user on the 5.4 box, but not the 6.0 box.
I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
Here are the ldap related packages installed on the 6.0 box:
[root@vburntest02 ~]# rpm -qa | grep ldap
openldap-2.4.19-15.el6_0.2.x86_64
pam_ldap-185-5.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64
apr-util-ldap-1.3.9-3.el6.x86_64
Any idea what to check next?
I'm not a perl person so I just check from shell with:
getent passwd
getent group
to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.
The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x
You might want to show us the contents of these files...
/etc/nsswitch.conf
/etc/pam.d/system-auth
I also have a 'one-liner' that I use for setting up ldap authentication in a pinch (be sure to substitute for $YOUR_LDAP_SERVER and $YOUR_LDAP_BASE, don't enable ldap tls if you don't have that function working and I'm not so certain about --enablemkhomedir on CentOS 5.x - haven't tried)...
authconfig --enableshadow --enableldap --enableldapauth \
    --ldapserver=$YOUR_LDAP_SERVER --ldapbasedn="$YOUR_LDAP_BASE" \
    --enableldaptls --enablelocauthorize --enablemkhomedir \
    --nostart --updateall
YMMV
Craig
On 10/31/2011 4:46 PM, Craig White wrote:
Here are the ldap related packages installed on the 6.0 box:
[root@vburntest02 ~]# rpm -qa | grep ldap
openldap-2.4.19-15.el6_0.2.x86_64
pam_ldap-185-5.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64
apr-util-ldap-1.3.9-3.el6.x86_64
Any idea what to check next?
I'm not a perl person so I just check from shell with:
getent passwd
getent group
to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.
The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x
On CentOS 6 getent passwd does not return a list of users, presumably because the list can be quite large. Try
$ getent passwd <username>
If your system is set up correctly you will see the entry.
Jack
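Craig's and Jack's replies above boil down to two checks: is `ldap` (or `sss`) actually listed for passwd/shadow/group in nsswitch.conf, and does a single user resolve by key. The script below is an added example, not something posted in the thread; the two nsswitch.conf samples it writes to a temp directory are constructed for illustration, and on a real host you would pass /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Added example, not code from the thread: report which NSS sources serve the
# passwd/shadow/group databases in an nsswitch.conf (Craig's point) and resolve a
# single user by name rather than enumerating (Jack's point). The two nsswitch.conf
# samples below are constructed for illustration; on a real host pass /etc/nsswitch.conf.

# Print the source list configured for one database, e.g. "files ldap".
# Commented-out lines do not match because the pattern is anchored at line start.
nss_sources() {  # nsswitch.conf database
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | head -n 1
}

# Succeed if the database lists the given source (ldap, sss, files, ...).
nss_has_source() {  # nsswitch.conf database source
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = "$3" ] && return 0
    done
    return 1
}

# Report passwd/shadow/group; return the number of databases that consult
# neither ldap (nss-pam-ldapd) nor sss (sssd), so 0 means "looks wired up".
nss_check() {  # nsswitch.conf
    missing=0
    for db in passwd shadow group; do
        srcs=$(nss_sources "$1" "$db")
        if nss_has_source "$1" "$db" ldap || nss_has_source "$1" "$db" sss; then
            echo "ok       $db: $srcs"
        else
            echo "MISSING  $db: ${srcs:-<no entry>}  (neither ldap nor sss listed)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Jack's advice: look one user up by key; a bare "getent passwd" need not
# enumerate directory users on CentOS 6.
user_resolves() {  # username
    getent passwd "$1" >/dev/null 2>&1
}

# --- constructed samples ------------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
NSS_OK="$tmp/nsswitch-ok.conf"
NSS_BROKEN="$tmp/nsswitch-broken.conf"

cat > "$NSS_OK" <<'EOF'
# constructed: what authconfig --enableldap is expected to leave behind
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

cat > "$NSS_BROKEN" <<'EOF'
# constructed: ldap never added for passwd/shadow; group uses sssd
passwd:     files
shadow:     files
group:      files sss   # sss counts as a directory source too
EOF

echo "== $NSS_OK";     nss_check "$NSS_OK"     || echo "-> $? database(s) need attention"
echo "== $NSS_BROKEN"; nss_check "$NSS_BROKEN" || echo "-> $? database(s) need attention"
if user_resolves root; then echo "getent resolves root"; fi
```

The return value of `nss_check` is the count of databases with no directory source, so it can be dropped into a larger provisioning check as-is; `user_resolves testuser` is the scripted form of Jack's `getent passwd <username>`.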
One difference I ran into with samba authentication is in cent 5 /etc/pam.d/system-auth-ac is the file to change but in cent 6 it's /etc/pam.d/password-auth-ac. I found that changes I made only to system-auth-ac in 5 had to be made to both system-auth-ac and password-auth-ac in 6. This was to have authentication work for things like ssh and sudo in centos 6.
- Trey
On Oct 31, 2011 8:16 PM, "Jack Bailey" jack@internetguy.net wrote:
On 10/31/2011 4:46 PM, Craig White wrote:
Here are the ldap related packages installed on the 6.0 box:
[root@vburntest02 ~]# rpm -qa | grep ldap
openldap-2.4.19-15.el6_0.2.x86_64
pam_ldap-185-5.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64
apr-util-ldap-1.3.9-3.el6.x86_64
Any idea what to check next?
I'm not a perl person so I just check from shell with:
getent passwd
getent group
to make sure that the LDAP Users/Groups are indeed listed...
authentication clearly won't work until they do.
The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x
On CentOS 6 getent passwd does not return a list of users, presumably because the list can be quite large. Try
$ getent passwd <username>
If your system is set up correctly you will see the entry.
Jack
On Tue, 1 Nov 2011, Trey Dockendorf wrote:
One difference I ran into with samba authentication is in cent 5 /etc/pam.d/system-auth-ac is the file to change but in cent 6 it's /etc/pam.d/password-auth-ac. I found that changes I made only to system-auth-ac in 5 had to be made to both system-auth-ac and password-auth-ac in 6. This was to have authentication work for things like ssh and sudo in centos 6.
It is worth noting that those files should only be edited as a last resort. You should go through authconfig if possible.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
jh
On Mon, 31 Oct 2011, Mitch Patenaude wrote:
I'm having trouble setting up ldap based authentication.
I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
Others have mentioned some good ideas, so consider these additions to the pile. :-)
Is SSL configured correctly? Do you have a copy of the CA certificate in the right place? Is the CentOS 6 box querying the correct port (389 or 636) in your environment?
Is the CentOS 6 box running sssd? If so, take a look at /etc/sssd/sssd.conf to see if its configuration looks correct for your environment.
I assume there are no firewalls in place blocking LDAP traffic, but it never hurts to ask. :-/
Can you run ldapsearch on the CentOS 6 box and connect to the LDAP server?
Are there any SELinux warnings in your audit log? (Unlikely, but possible.)
If you run tcpdump on the LDAP server, can you see any traffic whatsoever from the CentOS 6 box?
Thanks to everybody for their suggestions, and for the pointer to getent, which was a gap in my sysadmin toolchest.
I figured out the problem. The problem was that nslcd wasn't starting properly because the nslcd user didn't exist. We're using the same base passwd file for both centos5 and centos6, and that extra user didn't get added. Switching /etc/nslcd.conf to use an extant uid/gid allowed nslcd to start, and that allowed the query to work, and the test user can log in.
I had never heard of nslcd--and it doesn't appear to have any man pages :-/, but inspection of the config file yields the impression of nscd for ldap, and its config either supersedes or replaces /etc/ldap.conf.
Thanks for all the good ideas, -- Mitch Patenaude mpatenaude@shutterfly.com
From: Mitch Patenaude <mpatenaude@shutterfly.com>
Date: Mon, 31 Oct 2011 15:10:31 -0700
To: CentOS mailing list <centos@centos.org>
Subject: NSS ldap problems
I'm having trouble setting up ldap based authentication.
I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:
perl -e 'print join(" ",getpwnam("testuser")),"\n";'
And it properly finds the test user on the 5.4 box, but not the 6.0 box.
I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
Here are the ldap related packages installed on the 6.0 box:
[root@vburntest02 ~]# rpm -qa | grep ldap
openldap-2.4.19-15.el6_0.2.x86_64
pam_ldap-185-5.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64
apr-util-ldap-1.3.9-3.el6.x86_64
Any idea what to check next?
Thanks, -- Mitch
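The root cause Mitch reports is that nslcd could not start because the account named in /etc/nslcd.conf did not exist in a passwd file shared with CentOS 5. The script below is an added example, not code from the thread or from nss-pam-ldapd: it checks that the `uid` and `gid` options in an nslcd.conf refer to entries that exist in the passwd and group files. The sample passwd, group and nslcd.conf contents (including the `uid nslcd` / `gid ldap` values) are constructed for illustration; on a real host run `nslcd_runas_check /etc/nslcd.conf /etc/passwd /etc/group`.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the account nslcd is told to
# run as (the "uid" and "gid" options in nslcd.conf) exists in the passwd and group
# files, which is the failure Mitch traced: a passwd file shared with CentOS 5 that
# never gained the nslcd user. uid/gid are real nslcd.conf option names; the sample
# file contents and paths below are constructed.

# Value of one nslcd.conf option (first uncommented occurrence), empty if unset.
nslcd_opt() {  # nslcd.conf option
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" \
        | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | head -n 1
}

# Succeed if a name (field 1) or a numeric id (field 3) is present in a
# passwd- or group-format file.
id_exists() {  # file name-or-id
    case "$2" in
        ''|*[!0-9]*) awk -F: -v n="$2" '$1 == n { f=1 } END { exit !f }' "$1" ;;
        *)           awk -F: -v n="$2" '$3 == n { f=1 } END { exit !f }' "$1" ;;
    esac
}

# Report whether nslcd could switch to its configured uid/gid; 0 = fine.
nslcd_runas_check() {  # nslcd.conf passwd-file group-file
    rc=0
    uid=$(nslcd_opt "$1" uid)
    gid=$(nslcd_opt "$1" gid)
    if [ -z "$uid" ]; then
        echo "note: no uid option in $1"
    elif id_exists "$2" "$uid"; then
        echo "ok: uid '$uid' present in $2"
    else
        echo "PROBLEM: uid '$uid' missing from $2; nslcd cannot switch to it and will not start"
        rc=1
    fi
    if [ -z "$gid" ]; then
        echo "note: no gid option in $1"
    elif id_exists "$3" "$gid"; then
        echo "ok: gid '$gid' present in $3"
    else
        echo "PROBLEM: gid '$gid' missing from $3"
        rc=1
    fi
    return $rc
}

# --- constructed samples ------------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
PASSWD_SHARED="$tmp/passwd"; GROUP_SHARED="$tmp/group"
NSLCD_BROKEN="$tmp/nslcd-broken.conf"; NSLCD_FIXED="$tmp/nslcd-fixed.conf"

# The shared passwd/group: has an "ldap" account but no "nslcd" user.
cat > "$PASSWD_SHARED" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
EOF
cat > "$GROUP_SHARED" <<'EOF'
root:x:0:
ldap:x:55:
EOF

# As installed: nslcd wants to run as a user the shared passwd file lacks.
cat > "$NSLCD_BROKEN" <<'EOF'
# constructed nslcd.conf
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF

# Mitch's fix: point uid at an account that does exist.
sed 's/^uid nslcd$/uid ldap/' "$NSLCD_BROKEN" > "$NSLCD_FIXED"

for conf in "$NSLCD_BROKEN" "$NSLCD_FIXED"; do
    echo "== $conf"
    nslcd_runas_check "$conf" "$PASSWD_SHARED" "$GROUP_SHARED" || echo "-> nslcd would fail to start"
done
```

The check is deliberately file-based rather than calling `id` or `getent`, because on the box in question NSS itself is what is broken; reading the local files directly tells you whether the daemon that serves NSS can even start.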