[CentOS] CentOS5 Desktops authenticating to 389 Directory Server

Thu May 21 23:41:10 UTC 2009
Clint Dilks <clintd at scms.waikato.ac.nz>

Hi Everyone.

I am doing some LDAP testing.  I have set up a 389 Directory Server on 
CentOS 5 and, using the default schema, I have populated it with a couple 
of users. I then did the configuration on the client that I thought was 
needed to make it authenticate.

To test this I expected to be able to use id <uidNumber> of a user I had 
defined, but I get:

id: 1001: No such user
id: 5001: No such user

I then thought perhaps it was an LDAP permissions problem, so I tried 
binding to the LDAP server using a user I know has full rights, using 
these entries in /etc/openldap/ldap.conf, but there was no change.

BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
BINDPW LDAPt3st

I can query these users from the desktop that I want to use the LDAP 
server as an authentication source for.

Using

ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks
# extended LDIF
#
# LDAPv3
# base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
# filter: uid=LDilks
# requesting: ALL
#

# LDilks, People, scms.waikato.ac.nz
dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz
givenName: LDAP-Clint
sn: Dilks
telephoneNumber: 4546
loginShell: /bin/bash
gidNumber: 1001
uidNumber: 1001
mail: clintd at scms.waikato.ac.nz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: LDilks
gecos: A Test LDAP account
cn: LDAP-Clint Dilks
homeDirectory: /home/LDAP-clint

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root at distilled2 ~]# ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=BBuilder
# extended LDIF
#
# LDAPv3
# base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
# filter: uid=BBuilder
# requesting: ALL
#

# BBuilder, scms.waikato.ac.nz
dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz
givenName: Bob
sn: Builder
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: BBuilder
gecos: Got to love Cartoons
cn: Bob Builder
homeDirectory: /home/bob

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The three config files I am aware of are

cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://distilled.scms.waikato.ac.nz
BASE dc=scms.dc=waikato,dc=ac,dc=nz
#BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
#BINDPW LDAPt3st
TLS_CACERTDIR /etc/openldap/cacerts

cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Can anyone give me any pointers as to where I am going wrong?  And can 
anyone confirm or deny that by default I should be able to bind 
anonymously and get the required authentication information?

Thank you for any help you can offer.
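The post above shows the three pieces a client-side LDAP lookup depends on: the client's BASE DN, the base the working ldapsearch used, and the nsswitch.conf sources for passwd/shadow/group. The following is an added example, not code from the original post, of a small consistency check I would run over those files before touching the directory server. It parses the "KEY value" format used by /etc/openldap/ldap.conf (and by /etc/ldap.conf, the file nss_ldap and pam_ldap actually read on CentOS 5) and by nsswitch.conf, checks that every RDN in the BASE is well-formed, and compares the BASE with the search base that is known to work. The sample inputs are constructed from the fragments quoted in the post; the function names are my own.

```python
"""Consistency check for an LDAP client's BASE DN and NSS configuration.

Added example, not part of the original mailing-list post.  Inputs are
constructed from the snippets the post quotes.
"""
import re

# Constructed from the post's /etc/openldap/ldap.conf (comments kept).
SAMPLE_LDAP_CONF = """\
#BASE   dc=example, dc=com
URI ldap://distilled.scms.waikato.ac.nz
BASE dc=scms.dc=waikato,dc=ac,dc=nz
#BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts
"""

# Constructed from the post's nsswitch.conf (only the relevant databases).
SAMPLE_NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

# The base the working ldapsearch command used.
WORKING_SEARCH_BASE = "dc=scms,dc=waikato,dc=ac,dc=nz"


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; '#' lines and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


def dn_problems(dn):
    """Describe malformed RDNs in a DN; an empty list means it looks fine."""
    problems = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        attr, sep, value = rdn.partition("=")
        if not sep or not attr or not value:
            problems.append("malformed RDN %r" % rdn)
        elif "=" in value:
            # A second '=' inside the value usually means two RDNs were
            # joined by the wrong character (e.g. '.' typed instead of ',').
            problems.append("RDN %r contains a second '='; a comma between "
                            "components is probably missing" % rdn)
    return problems


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_client(ldap_conf_text, nsswitch_text, working_base):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_ldap_conf(ldap_conf_text)
    base = conf.get("BASE")
    if base is None:
        findings.append("no BASE directive set")
    else:
        findings.extend(dn_problems(base))
        if normalize_dn(base) != normalize_dn(working_base):
            findings.append("BASE %r differs from the base that works on the "
                            "command line (%r)" % (base, working_base))
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "shadow", "group"):
        if "ldap" not in nss.get(db, []):
            findings.append("nsswitch database %r does not list 'ldap'" % db)
    return findings


if __name__ == "__main__":
    for finding in check_client(SAMPLE_LDAP_CONF, SAMPLE_NSSWITCH,
                                WORKING_SEARCH_BASE):
        print("-", finding)
```

Run against the constructed input the check reports the BASE line twice: once because the first RDN carries a second "=", and once because, after normalisation, it does not equal the base that ldapsearch used successfully. Replacing the BASE with the same DN the ldapsearch command used produces no findings, which is the state to reach before looking further at PAM or the server's ACIs.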