Hi Moti,

I have had better success today using FreeIPA packages on a CentOS server and joining a CentOS desktop.

FreeIPA consists of "389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag".

My links:
freeipa.org
http://blogatharva.blogspot.com/2013/05/free-yourself-with-freeipa.html

Vin.

On Fri, Jun 6, 2014 at 9:04 AM, <mordech3 at post.tau.ac.il> wrote:
> Hi,
>
> We are experiencing a problem using LDAP user accounts to log in to
> a CentOS system.
>
> A fresh 6.5 system was installed recently to become a central server.
> Both OpenLDAP and 389 Directory Server were installed and configured
> (not at the same time) with groups and normal user accounts.
> The server was configured to use LDAP authentication (through
> authconfig and system-config-authentication).
>
> First, the LDAP user wasn't identified by running the 'id' command.
> The same with SSH. Although ldapsearch listed all objects correctly.
> Observing /var/log/secure had shown that the user is not identified at
> all (no uid etc.). Following another article, POSIX details (uid +
> gid, and set gid to some LDAP group) were set for that user and the
> 'id' command was successful.
>
> However, still, SSH connections are refused and the log states:
> "Authentication service cannot retrieve authentication info" (for pam_sss).
> The secure log shows that user details are unavailable
> (uid=0,gid=0...) to sshd.
> Locally, when root performs "su user", the login is successful, home
> is created and the secure log states authentication is performed by
> pam_unix, in contrast to pam_sss.
>
> Need to mention that we've tried to follow most of the literature
> online (RedHat directory server, CentOS OpenLDAP client setup and many
> other resources). None were found to be complete enough to bring a
> system to a working state where users are able to login and
> authenticate.
>
> In addition, system-config-authentication requires the use of LDAPS or
> LDAP with TLS. Only command line tools are able to configure simple
> LDAP (no TLS or SSL).
> However, even being a security measure, we'd like to avoid all the
> (serious) burden of working with certificates at first for simple
> experimentation.
>
> Any comment or insight will be helpful.
> In addition, any link to where we can find a step-by-step guide to
> install a (working) LDAP server with a client, will be more than
> appreciated.
>
> Many thanks,
> Moti.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
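The first symptom Moti describes (ldapsearch shows the user, but `id` and sshd do not resolve it) is typically an entry that lacks the POSIX attributes the NSS/SSSD lookup needs. The following checker, an added example and not code from this thread or any CentOS tool, parses an ldapsearch-style LDIF dump and reports what each user entry is missing; the LDIF sample and the example.com entries are constructed, and the parser assumes plain single-line attribute values (no `::` base64 or folded lines).

```python
# Added example: check LDIF user entries for the POSIX attributes that
# nss_ldap/sssd need before `id` and sshd can resolve the account.
# Constructed sample input; no live LDAP server is contacted.

# Attributes an entry needs to be usable as a POSIX account.
REQUIRED_POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed LDIF: one entry with POSIX details, one without (as in the thread).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
"""

def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def posix_problems(entry):
    """Return the reasons this entry would not resolve as a POSIX user (empty = fine)."""
    problems = []
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_POSIX_ATTRS:
        if attr not in entry:
            problems.append("missing " + attr)
    for attr in ("uidNumber", "gidNumber"):
        # uid/gid 0 would map the account onto root; treat it as a defect too.
        if attr in entry and (not entry[attr][0].isdigit() or int(entry[attr][0]) == 0):
            problems.append(attr + " must be a non-zero integer")
    return problems

def check_ldif(text):
    """Map each entry's dn to its list of problems."""
    return {e["dn"][0]: posix_problems(e) for e in parse_ldif(text)}
```

Once every entry reports no problems, `getent passwd <user>` on the client is the next thing to confirm before looking at the sshd/pam_sss side.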