[CentOS] Re: Problems with nss_ldap - where to start?

Craig White craigwhite at azapple.com
Wed Dec 16 20:44:30 UTC 2009


On Wed, 2009-12-16 at 12:39 -0800, Peter Serwe wrote:
> I think not as well.  The tactest user has been blown back out.  I can
> re-add it from ldif again.
> 
> [root at ldap home]# getent passwd | grep example
> [root at ldap home]# 
> 
> [root at ldap home]# cat /etc/nsswitch.conf | grep -v \#
> 
> 
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> 
> hosts:      files dns
> 
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> 
> netgroup:   nisplus
> 
> publickey:  nisplus
> 
> automount:  files nisplus
> aliases:    files nisplus
> 
> [root at ldap home]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> 
> [root at ldap home]# cat /etc/ldap.conf | grep -v \#
> 
> 
> BASE dc=tncionline, dc=net
> URI ldap://127.0.0.1
> port 389
> 
> SIZELIMIT    12
> TIMELIMIT    15
> DEREF        never
> timelimit 600
> bind_timelimit 600
> bind_policy soft
> idle_timelimit 3600
> 
> nss_initgroups_ignoreusers
> pserwe,dgates,root,ldap,named,avahi,haldaemon,dbus
> base dc=tncionline, dc=net
> pam_password md5
----
here's a big problem... /etc/ldap.conf

you need to add...(assuming this is where you have People/Groups)

nss_base_passwd         ou=People,dc=tncionline,dc=net?one
nss_base_shadow         ou=People,dc=tncionline,dc=net?one
nss_base_group          ou=Groups,dc=tncionline,dc=net?one

take the space out of base...
base dc=tncionline,dc=net

I'd also add (until you can deal)...
ssl no

Craig


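The two ldap.conf problems Craig points at (whitespace inside the base DN, and no nss_base_passwd/shadow/group map directives) are easy to check mechanically. The following lint is an added example, not code from the thread or from nss_ldap; it assumes a People/Groups OU layout like the one in the reply, treats ldap.conf keywords case-insensitively, and uses a constructed sample that mirrors the poster's file rather than his verbatim config.

```python
# Constructed sample mirroring the poster's file (not copied verbatim from the thread).
BROKEN_LDAP_CONF = """\
URI ldap://127.0.0.1
base dc=tncionline, dc=net
"""

# The same file with the corrections Craig suggests applied.
FIXED_LDAP_CONF = """\
URI ldap://127.0.0.1
base dc=tncionline,dc=net
nss_base_passwd ou=People,dc=tncionline,dc=net?one
nss_base_shadow ou=People,dc=tncionline,dc=net?one
nss_base_group  ou=Groups,dc=tncionline,dc=net?one
ssl no
"""

# Which OU each map lives under (assumption: a People/Groups layout as in the thread).
REQUIRED_MAPS = {"nss_base_passwd": "People", "nss_base_shadow": "People",
                 "nss_base_group": "Groups"}


def parse_ldap_conf(text):
    """Return {keyword: value}; '#' starts a comment, first whitespace run splits key/value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def normalize_dn(dn):
    """Strip whitespace around RDN separators: 'dc=a, dc=b' -> 'dc=a,dc=b'."""
    return ",".join(part.strip() for part in dn.split(","))


def lint_ldap_conf(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    conf = parse_ldap_conf(text)
    findings = []
    base = conf.get("base", "")
    if not base:
        findings.append("no 'base' directive")
    elif base != normalize_dn(base):
        findings.append(f"base contains whitespace; use '{normalize_dn(base)}'")
    for key, ou in REQUIRED_MAPS.items():
        if key not in conf:
            findings.append(f"missing {key}; e.g. {key} ou={ou},{normalize_dn(base)}?one")
        elif "?" not in conf[key]:
            findings.append(f"{key} has no search scope suffix (?one or ?sub)")
    return findings
```

Run `lint_ldap_conf(open("/etc/ldap.conf").read())` on a box where `getent passwd` shows no LDAP users to see whether either of these two mistakes is the cause before digging into slapd logs.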