[CentOS] NSS ldap problems

Mon Oct 31 23:46:10 UTC 2011
Craig White <craig.white at ttiltd.com>

On Oct 31, 2011, at 3:10 PM, Mitch Patenaude wrote:

> I'm having trouble setting up ldap based authenication.
> I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
> However, I set up a virtual box running CentOS 6, and I can't get it to authenicate.
> I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in.  /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:
> perl -e 'print join(" ",getpwnam("testuser")),"\n";'
> And it properly finds the test user on the 5.4 box, but not the 6.0 box.
> I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
> Here are the ldap related packaged installed on the 6.0 box:
> [root at vburntest02 ~]# rpm -qa | grep ldap
> openldap-2.4.19-15.el6_0.2.x86_64
> pam_ldap-185-5.el6.x86_64
> nss-pam-ldapd-0.7.5-3.el6.x86_64
> openldap-clients-2.4.19-15.el6_0.2.x86_64
> apr-util-ldap-1.3.9-3.el6.x86_64
> Any idea what to check next?
I'm not a perl person so I just check from shell with:
getent passwd
getent group

to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.

The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x

You might want to show us the contents of these files...


I also have a 'one-liner' that I use for setting up ldap authentication in a pinch (be sure to substitute for $YOUR_LDAP_SERVER and $YOUR_LDAP_BASE, don't enable ldap tls if you don't have that function working and I'm not so certain about --enablemkhomedir on CentOS 5.x - haven't tried)...

authconfig --enableshadow --enableldap --enableldapauth \
--ldapserver=$YOUR_LDAP_SERVER --ldapbasedn=”$YOUR_LDAP_BASE” \
--enableldaptls --enablelocauthorize --enablemkhomedir \
--nostart --updateall