[CentOS] LDAP users/groups not showing up with nis, pam, & ldap

Thu Feb 21 15:16:25 UTC 2013
Craig White <craig.white at ttiltd.com>

On Feb 20, 2013, at 4:50 PM, Wes Modes wrote:

> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host.  I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
> are a little different.
> 
> Currently, local users and groups are showing up but not LDAP users.
> When I do a /getent passwd/ and /getent group/ I don't get LDAP users.
> 
> When I do a listing of a share directory that should have user and group
> ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
> than the UIDs and GIDs.
> 
>    [root at edgar2 openldap]# ls -l /data/home | tail
>    drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
>    drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
>    drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
>    drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
>    drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
>    drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5
> 
> Other details:  centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23
> 
> I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
> /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. 
> And selinux is off.
> 
> I know the machine is successfully connecting to LDAP.  An ldapsearch
> works from this machine, and I can even connect to a samba share with an
> ldap login through smbclient.
> 
> Relevant parts of /etc/nsswitch:
> 
>    passwd:     files ldap
>    shadow:     files ldap
>    group:      files ldap
> 
>    #hosts:     db files nisplus nis dns
>    hosts:      files dns
> 
>    bootparams: nisplus [NOTFOUND=return] files
> 
>    ethers:     files
>    netmasks:   files
>    networks:   files
>    protocols:  files ldap
>    rpc:        files
>    services:   files ldap
> 
>    netgroup:   nisplus ldap
>    #netgroup:   ldap
> 
>    publickey:  nisplus
> 
>    automount:  files nisplus ldap
>    #automount:  files ldap
>    aliases:    files nisplus
> 
> Relevant parts of /etc/pam_ldap.conf (everything else is commented out):
> 
>    host dir1.ourdomain.com
>    base dc=.ourdomain,dc=com
>    #uri ldaps://dir1.ourdomain.com
>    uri ldap://dir1.ourdomain.com
> 
>    # basic auth config
>    binddn cn=admin,dc=ourdomain,dc=com
>    rootbinddn cn=admin,dc=ourdomain,dc=com
> 
>    # random stuff
>    #timelimit 120
>    #bind_timelimit 120
>    #bind_policy hard
>    # brought these times down wmodes Aug 11, 2008
>    timelimit 30
>    bind_timelimit 30
>    bind_policy soft
>    idle_timelimit 3600
>    nss_initgroups_ignoreusers root,ldap
> 
>    # pam config
>    #pam_password md5
>    pam_password md5
> 
>    # config for nss
>    nss_base_passwd ou=people,dc=ourdomain,dc=com?one
>    nss_base_shadow ou=people,dc=ourdomain,dc=com?one
>    nss_base_group  ou=group,dc=ourdomain,dc=com?one
> 
>    # OpenLDAP SSL mechanism
>    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
>    ssl no
> 
>    # OpenLDAP SSL options
>    # Require and verify server certificate (yes/no)
>    #tls_checkpeer yes
> 
>    # CA certificates for server certificate verification
>    tls_cacertfile /etc/openldap/cacerts/cacert.pem
>    tls_cacertdir /etc/openldap/cacerts
> 
>    # Client certificate and key
>    tls_cert /etc/openldap/cacerts/servercert.pem
>    tls_key /etc/openldap/cacerts/serverkey.pem
> 
> Relevant parts of /etc/pam.d/system-auth:
> 
>    auth        required      pam_env.so
>    auth        sufficient    pam_fprintd.so
>    auth        sufficient    pam_unix.so nullok try_first_pass
>    auth        requisite     pam_succeed_if.so uid >= 500 quiet
>    auth        sufficient    pam_ldap.so use_first_pass
>    auth        required      pam_deny.so
> 
>    account     required      pam_unix.so
>    account     sufficient    pam_localuser.so
>    account     sufficient    pam_succeed_if.so uid < 500 quiet
>    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>    account     required      pam_permit.so
> 
>    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>    password    sufficient    pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
>    password    sufficient    pam_ldap.so use_authtok
>    password    required      pam_deny.so
> 
>    session     optional      pam_keyinit.so revoke
>    session     required      pam_limits.so
>    session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
>    session     required      pam_unix.so
>    session     optional      pam_ldap.so
>    session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
> 
> And the only line in /etc/sysconfig/authconfig I changed was:
> 
>    USELDAP=yes
> 
> Any thoughts?  For those who are experienced with nis and pam, I'm sure
> this is a no brainer, but I could sure use the little bit of your brain
> that knows how to fix this.
> 
> Wes
----
   binddn cn=admin,dc=ourdomain,dc=com
   rootbinddn cn=admin,dc=ourdomain,dc=com

Don't do both. Comment out the first; 'rootbinddn' requires /etc/ldap.secret (0600) to function.

Also, in ldap.conf it should be:

   base dc=ourdomain,dc=com

but I'm thinking this is an aspect of your attempts to sanitize.

Also, you probably should be using TLS:

   ssl start_tls

but perhaps that can wait until you get it working without it.

If you can't list ldap users & groups, then obviously any type of ls will show numbers instead of names.

Craig
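The checks Craig lists (binddn and rootbinddn both set, the stray dot in the base DN, the 0600 requirement on /etc/ldap.secret, and the missing TLS) can be turned into a small lint script that a sysadmin runs before restarting nslcd. The script below is an added example and is not code from this thread or from nss-pam-ldapd; it parses a pam_ldap.conf/ldap.conf-style file with awk, and the sample config and secret file it writes are constructed copies of what Wes posted, so it runs offline. The "stray dot after '=' or ','" rule is a heuristic for typos like dc=.ourdomain, not an LDAP DN validator.

```shell
#!/bin/sh
# Added example, not from the thread: lint a pam_ldap.conf/ldap.conf-style
# file for the problems raised in the reply (binddn and rootbinddn both set,
# a stray dot in the base DN, no TLS) and for the /etc/ldap.secret mode
# requirement. The temp-dir paths used for the demo are assumptions.

# conf_get FILE KEY: value of the first uncommented KEY line, empty if unset.
conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_ldap_conf FILE [SECRET_FILE]
# Prints one line per finding and returns the number of findings (0 = clean).
check_ldap_conf() {
    conf="$1"
    secret="${2:-/etc/ldap.secret}"
    n=0
    binddn=$(conf_get "$conf" binddn)
    rootbinddn=$(conf_get "$conf" rootbinddn)
    base=$(conf_get "$conf" base)
    ssl=$(conf_get "$conf" ssl)

    if [ -n "$binddn" ] && [ -n "$rootbinddn" ]; then
        echo "binddn and rootbinddn are both set; comment out binddn"
        n=$((n + 1))
    fi
    if [ -n "$rootbinddn" ]; then
        # rootbinddn reads its password from the secret file, which must be 0600
        if [ ! -f "$secret" ]; then
            echo "rootbinddn is set but $secret is missing"
            n=$((n + 1))
        else
            mode=$(stat -c %a "$secret")
            if [ "$mode" != "600" ]; then
                echo "$secret has mode $mode, must be 0600"
                n=$((n + 1))
            fi
        fi
    fi
    # Heuristic: a dot right after '=' or ',' is a typo, e.g. dc=.ourdomain
    case "$base" in
        *=.*|*,.*) echo "base '$base' has a stray dot"; n=$((n + 1)) ;;
    esac
    if [ "$ssl" = "no" ]; then
        echo "ssl no: bind credentials travel in cleartext; use 'ssl start_tls'"
        n=$((n + 1))
    fi
    return "$n"
}

# write_sample_conf DIR: constructed copy of the posted config plus a secret
# file with the wrong mode, so the checker can be exercised offline.
write_sample_conf() {
    cat > "$1/pam_ldap.conf" <<'EOF'
host dir1.ourdomain.com
base dc=.ourdomain,dc=com
uri ldap://dir1.ourdomain.com
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
ssl no
EOF
    echo 'constructed-password' > "$1/ldap.secret"
    chmod 644 "$1/ldap.secret"
}

# Demo: run the checker on the constructed config, then on a corrected copy.
workdir=$(mktemp -d)
write_sample_conf "$workdir"
echo "== as posted =="
check_ldap_conf "$workdir/pam_ldap.conf" "$workdir/ldap.secret"
echo "findings: $?"

# Apply the fixes from the reply: drop binddn, fix the base DN, enable TLS,
# and give the secret file the required mode.
sed -e 's/^binddn /#binddn /' -e 's/dc=\.ourdomain/dc=ourdomain/' \
    -e 's/^ssl no/ssl start_tls/' \
    "$workdir/pam_ldap.conf" > "$workdir/fixed.conf"
chmod 600 "$workdir/ldap.secret"
echo "== corrected =="
check_ldap_conf "$workdir/fixed.conf" "$workdir/ldap.secret"
echo "findings: $?"
rm -rf "$workdir"
```

Run it as-is to see the four findings on the posted config and none on the corrected copy; to check a live box, call `check_ldap_conf /etc/pam_ldap.conf` (the secret path defaults to /etc/ldap.secret) and then confirm the NSS side with `getent passwd` once nslcd has been restarted.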