[CentOS] LDAP users/groups not showing up with nis, pam, & ldap
Cliff Pratt
enkiduonthenet at gmail.com
Thu Feb 21 01:56:12 UTC 2013
Do you have nscd running? If so, try stopping and starting that.
Cheers,
Cliff
On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes <wmodes at ucsc.edu> wrote:
> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
> are a little different.
>
> Currently, local users and groups are showing up but not LDAP users.
> When I do a 'getent passwd' and 'getent group' I don't get LDAP users.
>
> When I do a listing of a share directory that should have user and group
> ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
> than the UIDs and GIDs.
>
> [root at edgar2 openldap]# ls -l /data/home | tail
> drwx------. 2 30634 30080 4096 Mar 18 2009 userdir1
> drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
> drwx------. 3 30554 30075 4096 Jan 26 2009 userdir3
> drwx------. 12 30467 30075 4096 Jun 21 2012 userdir4
> drwx------. 4 30543 30075 4096 Oct 21 2008 userdir5
> drwx------. 8 30555 30075 4096 Oct 31 10:36 userdir5
>
> Other details: centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23
>
> I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
> /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig.
> And selinux is off.
>
> I know the machine is successfully connecting to LDAP. An ldapsearch
> works from this machine, and I can even connect to a samba share with an
> ldap login through smbclient.
>
> Relevant parts of /etc/nsswitch:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
>
> netgroup: nisplus ldap
> #netgroup: ldap
>
> publickey: nisplus
>
> automount: files nisplus ldap
> #automount: files ldap
> aliases: files nisplus
>
> Relevant parts of /etc/pam_ldap.conf (everything else is commented out):
>
> host dir1.ourdomain.com
> base dc=.ourdomain,dc=com
> #uri ldaps://dir1.ourdomain.com
> uri ldap://dir1.ourdomain.com
>
> # basic auth config
> binddn cn=admin,dc=ourdomain,dc=com
> rootbinddn cn=admin,dc=ourdomain,dc=com
>
> # random stuff
> #timelimit 120
> #bind_timelimit 120
> #bind_policy hard
> # brought these times down wmodes Aug 11, 2008
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap
>
> # pam config
> #pam_password md5
> pam_password md5
>
> # config for nss
> nss_base_passwd ou=people,dc=ourdomain,dc=com?one
> nss_base_shadow ou=people,dc=ourdomain,dc=com?one
> nss_base_group ou=group,dc=ourdomain,dc=com?one
>
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl no
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> #tls_checkpeer yes
>
> # CA certificates for server certificate verification
> tls_cacertfile /etc/openldap/cacerts/cacert.pem
> tls_cacertdir /etc/openldap/cacerts
>
> # Client certificate and key
> tls_cert /etc/openldap/cacerts/servercert.pem
> tls_key /etc/openldap/cacerts/serverkey.pem
>
> Relevant parts of /etc/pam.d/system-auth:
>
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
> session optional pam_mkhomedir.so skel=/etc/skel umask=077
>
> And the only line in /etc/sysconfig/authconfig I changed was:
>
> USELDAP=yes
>
> Any thoughts? For those who are experienced with nis and pam, I'm sure
> this is a no brainer, but I could sure use the little bit of your brain
> that knows how to fix this.
>
> Wes
>
> --
> Wes Modes
> Systems Designer, Developer, and Administrator
> University Library ITS
> University of California, Santa Cruz
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
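The following diagnostic helpers are an added example for the symptom in the thread (local users resolve, LDAP users do not, and `ls -l` shows raw uidNumber/gidNumber values); they are not code from Cliff, Wes or the CentOS project. Two things a practitioner would want to verify before touching PAM: that the `passwd`/`group`/`shadow` lines of /etc/nsswitch.conf actually list `ldap`, and that /etc/nslcd.conf carries `uri` and `base`, since nss-pam-ldapd's nslcd reads that file and not the `nss_base_*` lines of /etc/pam_ldap.conf. A third helper takes `ls -l` output and a passwd-format file and lists the numeric owners that the `files` source alone cannot resolve, i.e. the ids that must come from the `ldap` source. The sample files written by `make_samples` are constructed for this example: the hostname and base DN are the anonymised ones from the post, the listing reuses the post's directories, and the `shareadmin` passwd entry is invented so that one of the ids resolves locally. `nscd_flush` is Cliff's suggestion in a gentler form (`nscd -i TABLE` invalidates one cache without restarting the daemon) and is only meaningful on a real host.

```shell
#!/bin/sh
# Added diagnostic helpers for "getent passwd shows local users but not LDAP users"
# on a CentOS 6 host using nss-pam-ldapd (nslcd). Example code, not from the thread;
# file contents produced by make_samples are constructed.

# nss_uses_ldap DB NSSWITCH_FILE
# Succeeds if the nsswitch database line DB (passwd, group, shadow, ...) lists ldap.
# Commented-out lines such as "#hosts: ..." are ignored because $1 would be "#hosts:".
nss_uses_ldap() {
    db=$1; file=$2
    awk -v db="$db" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# nslcd_conf_ok NSLCD_CONF
# nslcd needs at least a uri and a base; the nss_base_* directives of
# /etc/pam_ldap.conf belong to the older nss_ldap module and are not read by nslcd.
nslcd_conf_ok() {
    file=$1
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldap[si]?://' "$file" &&
    grep -Eq '^[[:space:]]*base[[:space:]]+' "$file"
}

# unresolved_ids LISTING PASSWD_FILE
# LISTING is saved `ls -l` output. Prints, sorted and unique, every numeric owner uid
# that has no entry in PASSWD_FILE, i.e. what the `files` source cannot resolve.
# A non-empty result means those uids have to come from the ldap source.
unresolved_ids() {
    listing=$1; passwd=$2
    awk '$3 ~ /^[0-9]+$/ { print $3 }' "$listing" | sort -un | while read -r uid; do
        awk -F: -v uid="$uid" '$3 == uid { hit = 1 } END { exit hit ? 0 : 1 }' "$passwd" ||
            echo "$uid"
    done
}

# nscd_flush
# If nscd is running, drop its passwd and group caches (nscd -i TABLE, see nscd(8))
# instead of restarting it. Touches the live system; not exercised by the sample run.
nscd_flush() {
    if command -v nscd >/dev/null 2>&1 && pgrep -x nscd >/dev/null 2>&1; then
        nscd -i passwd && nscd -i group
    else
        echo "nscd not running; nothing to flush"
    fi
}

# make_samples DIR
# Writes constructed sample files modelled on the post into DIR.
make_samples() {
    dir=$1
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#hosts:     db files nisplus nis dns
hosts:      files dns
EOF
    cat > "$dir/nslcd.conf" <<'EOF'
uri ldap://dir1.ourdomain.com
base dc=ourdomain,dc=com
EOF
    # shareadmin (uid 30634) is a constructed local account so one id resolves via files.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
shareadmin:x:30634:30080:Share admin:/data/home/userdir1:/bin/bash
EOF
    cat > "$dir/listing" <<'EOF'
total 24
drwx------. 2 30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
drwx------. 3 30554 30075 4096 Jan 26  2009 userdir3
drwx------. 12 30467 30075 4096 Jun 21  2012 userdir4
drwx------. 4 30543 30075 4096 Oct 21  2008 userdir5
drwx------. 8 30555 30075 4096 Oct 31 10:36 userdir5
EOF
}
```

On the real host, run the same checks against /etc/nsswitch.conf and /etc/nslcd.conf, confirm `service nslcd status` reports it running, and then test one id directly with `getent passwd 30548`; if that still returns nothing after `nscd_flush`, start `nslcd -d` in the foreground and repeat the lookup to see the search it sends.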