[CentOS] LDAP users/groups not showing up with nis, pam, & ldap

Thu Feb 21 01:56:25 UTC 2013
Cliff Pratt <enkiduonthenet at gmail.com>

Or just stopping it.....

On Thu, Feb 21, 2013 at 2:56 PM, Cliff Pratt <enkiduonthenet at gmail.com> wrote:
> Do you have nscd running? If so, try stopping and starting that.
>
> Cheers,
>
> Cliff
>
> On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes <wmodes at ucsc.edu> wrote:
>> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host.  I've
>> previously installed a similar configuration on RHEL4, but CentOS now
>> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
>> are a little different.
>>
>> Currently, local users and groups are showing up but not LDAP users.
>> When I do a /getent passwd/ and /getent group/ I don't get LDAP users.
>>
>> When I do a listing of a share directory that should have user and group
>> ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
>> than the UIDs and GIDs.
>>
>>     [root at edgar2 openldap]# ls -l /data/home | tail
>>     drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
>>     drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
>>     drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
>>     drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
>>     drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
>>     drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5
>>
>> Other details:  centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23
>>
>> I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
>> /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig.
>> And selinux is off.
>>
>> I know the machine is successfully connecting to LDAP.  An ldapsearch
>> works from this machine, and I can even connect to a samba share with an
>> ldap login through smbclient.
>>
>> Relevant parts of /etc/nsswitch:
>>
>>     passwd:     files ldap
>>     shadow:     files ldap
>>     group:      files ldap
>>
>>     #hosts:     db files nisplus nis dns
>>     hosts:      files dns
>>
>>     bootparams: nisplus [NOTFOUND=return] files
>>
>>     ethers:     files
>>     netmasks:   files
>>     networks:   files
>>     protocols:  files ldap
>>     rpc:        files
>>     services:   files ldap
>>
>>     netgroup:   nisplus ldap
>>     #netgroup:   ldap
>>
>>     publickey:  nisplus
>>
>>     automount:  files nisplus ldap
>>     #automount:  files ldap
>>     aliases:    files nisplus
>>
>> Relevant parts of /etc/pam_ldap.conf (everything else is commented out):
>>
>>     host dir1.ourdomain.com
>>     base dc=.ourdomain,dc=com
>>     #uri ldaps://dir1.ourdomain.com
>>     uri ldap://dir1.ourdomain.com
>>
>>     # basic auth config
>>     binddn cn=admin,dc=ourdomain,dc=com
>>     rootbinddn cn=admin,dc=ourdomain,dc=com
>>
>>     # random stuff
>>     #timelimit 120
>>     #bind_timelimit 120
>>     #bind_policy hard
>>     # brought these times down wmodes Aug 11, 2008
>>     timelimit 30
>>     bind_timelimit 30
>>     bind_policy soft
>>     idle_timelimit 3600
>>     nss_initgroups_ignoreusers root,ldap
>>
>>     # pam config
>>     #pam_password md5
>>     pam_password md5
>>
>>     # config for nss
>>     nss_base_passwd ou=people,dc=ourdomain,dc=com?one
>>     nss_base_shadow ou=people,dc=ourdomain,dc=com?one
>>     nss_base_group  ou=group,dc=ourdomain,dc=com?one
>>
>>     # OpenLDAP SSL mechanism
>>     # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
>>     ssl no
>>
>>     # OpenLDAP SSL options
>>     # Require and verify server certificate (yes/no)
>>     #tls_checkpeer yes
>>
>>     # CA certificates for server certificate verification
>>     tls_cacertfile /etc/openldap/cacerts/cacert.pem
>>     tls_cacertdir /etc/openldap/cacerts
>>
>>     # Client certificate and key
>>     tls_cert /etc/openldap/cacerts/servercert.pem
>>     tls_key /etc/openldap/cacerts/serverkey.pem
>>
>> Relevant parts of /etc/pam.d/system-auth:
>>
>>     auth        required      pam_env.so
>>     auth        sufficient    pam_fprintd.so
>>     auth        sufficient    pam_unix.so nullok try_first_pass
>>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>     auth        sufficient    pam_ldap.so use_first_pass
>>     auth        required      pam_deny.so
>>
>>     account     required      pam_unix.so
>>     account     sufficient    pam_localuser.so
>>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>>     account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>     account     required      pam_permit.so
>>
>>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>>     password    sufficient    pam_unix.so sha512 shadow nullok
>> try_first_pass use_authtok
>>     password    sufficient    pam_ldap.so use_authtok
>>     password    required      pam_deny.so
>>
>>     session     optional      pam_keyinit.so revoke
>>     session     required      pam_limits.so
>>     session     [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>>     session     required      pam_unix.so
>>     session     optional      pam_ldap.so
>>     session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
>>
>> And the only line in /etc/sysconfig/authconfig I changed was:
>>
>>     USELDAP=yes
>>
>> Any thoughts?  For those who are experienced with nis and pam, I'm sure
>> this is a no brainer, but I could sure use the little bit of your brain
>> that knows how to fix this.
>>
>> Wes
>>
>> --
>> Wes Modes
>> Systems Designer, Developer, and Administrator
>> University Library ITS
>> University of California, Santa Cruz
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
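Added example, not code from the thread's participants or from nss-pam-ldapd: a small Python checker for the things a practitioner would look at first in the configuration quoted above. It parses pam_ldap.conf-style directives (the nss_ldap/pam_ldap form quoted in the mail, not nslcd.conf's per-map "base passwd ..." form) and nsswitch.conf from constructed strings modelled on the quoted fragments, and reports search bases and bind DNs that do not sit under the configured base (the quoted base line reads dc=.ourdomain,dc=com while every other DN uses dc=ourdomain,dc=com), nsswitch databases that do not consult ldap, a plain ldap:// URI with ssl no (the binddn password then crosses the wire in cleartext), and TLS enabled without tls_checkpeer yes. One caveat it cannot check by parsing: on CentOS 6 the ldap source in nsswitch.conf is served by the nslcd daemon, which reads /etc/nslcd.conf, so getent output depends on that file and on nslcd running, not on /etc/pam_ldap.conf. Hostnames and DNs in the samples are taken from the thread; the function names are my own.

```python
"""Sanity checks for an LDAP NSS/PAM client configuration (added example).

Not code from the thread or from nss-pam-ldapd: parses pam_ldap.conf-style
directives and nsswitch.conf from constructed strings and reports mistakes
that typically leave `getent passwd` without LDAP entries, plus TLS findings.
"""


def parse_directives(text):
    """Map each directive to its values, in order; '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def parse_nsswitch(text):
    """Map each database to its source list; [ACTION=...] tokens are dropped."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return db


def normalize_dn(dn):
    """Lower-case and trim each RDN. Enough for dc=/ou=/cn= DNs; not a full
    RFC 4514 normaliser (no escape or multi-valued RDN handling)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def dn_is_under(child, base):
    """True when child equals base or sits below it in the tree."""
    c, b = normalize_dn(child), normalize_dn(base)
    return c == b or c.endswith("," + b)


def check(ldap_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_directives(ldap_conf_text)
    nss = parse_nsswitch(nsswitch_text)
    findings = []

    bases = conf.get("base", [])
    if not bases:
        findings.append("no 'base' directive; searches have no search base")
    # Search bases and bind DNs should lie under 'base'; a typo in the base
    # DN (dc=.example versus dc=example) shows up as everything being outside.
    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group",
                "binddn", "rootbinddn"):
        for spec in conf.get(key, []):
            dn = spec.split("?", 1)[0]  # drop the ?scope suffix
            if bases and not any(dn_is_under(dn, b) for b in bases):
                findings.append(f"{key} {dn} is not under base {bases[-1]}; "
                                "check the base DN for a typo")
    # nsswitch must actually consult ldap for the user and group databases.
    for db_name in ("passwd", "shadow", "group"):
        if "ldap" not in nss.get(db_name, []):
            findings.append(f"nsswitch {db_name} does not list ldap; "
                            f"getent {db_name} will never show LDAP entries")
    # A plain ldap:// URI without STARTTLS sends the bind password in the
    # clear; with TLS on, the server certificate must actually be verified.
    ssl = conf.get("ssl", ["no"])[-1].lower()
    for uri in conf.get("uri", []):
        if uri.lower().startswith("ldap://") and ssl != "start_tls":
            findings.append(f"uri {uri} with ssl {ssl}: bind credentials cross "
                            "the wire in cleartext; use ldaps:// or ssl start_tls")
    if ssl != "no" and conf.get("tls_checkpeer", [""])[-1].lower() != "yes":
        findings.append("TLS is on but tls_checkpeer is not 'yes'; the server "
                        "certificate is not verified")
    return findings


# Constructed inputs modelled on the fragments quoted in the thread.
MISCONFIGURED_LDAP_CONF = """\
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group  ou=group,dc=ourdomain,dc=com?one
ssl no
#tls_checkpeer yes
"""
CORRECTED_LDAP_CONF = (MISCONFIGURED_LDAP_CONF.replace("dc=.our", "dc=our")
                       .replace("uri ldap://", "uri ldaps://")
                       .replace("ssl no", "ssl on")
                       .replace("#tls_checkpeer", "tls_checkpeer"))
NSSWITCH_CONF = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"

if __name__ == "__main__":
    for label, text in (("as posted", MISCONFIGURED_LDAP_CONF),
                        ("corrected", CORRECTED_LDAP_CONF)):
        print(label, check(text, NSSWITCH_CONF) or "no findings")
```

Run as a script it prints six findings for the configuration as posted (five DNs outside the mistyped base, one cleartext bind) and none for the corrected variant; point check() at the real files to use it on a host.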