[CentOS] LDAP login problem for CentOS 6.5

Mon Jun 9 15:40:57 UTC 2014
Vincent Swart <vinceswart at gmail.com>

Hi Moti,

I have had better success today using FreeIPA packages on CentOS server and
joining a CentOS desktop. FreeIPA consists of "389 Directory Server, MIT
Kerberos, NTP, DNS, Dogtag"

My links:

freeipa.org
http://blogatharva.blogspot.com/2013/05/free-yourself-with-freeipa.html

Vin.
On Fri, Jun 6, 2014 at 9:04 AM, <mordech3 at post.tau.ac.il> wrote:

> Hi,
>
> We are experiencing a problem using LDAP user accounts to log in to
> a CentOS system.
>
> A fresh 6.5 system was installed recently to become a central server.
> Both OpenLDAP and 389 Directory Server were installed and configured
> (not at the same time) with groups and normal user accounts.
> The server was configured to use LDAP authentication (through
> authconfig and system-config-authentication).
>
> First, the LDAP user wasn't identified by running the 'id' command.
> The same with SSH. Although ldapsearch listed all objects correctly.
> Observing /var/log/secure had shown that the user is not identified at
> all (no uid etc.). Following another article, POSIX details (uid +
> gid, and set gid to some LDAP group) were set for that user and the
> 'id' command was successful.
>
> However, still, SSH connections are refused and the log states:
> "Authentication service cannot retrieve authentication info" (for pam_sss).
> The secure log shows that user details are unavailable
> (uid=0,gid=0...) to sshd.
> Locally, when root performs "su user", the login is successful, home
> is created and the secure log states that authentication is performed by
> pam_unix, in contrast to pam_sss.
>
> Need to mention that we've tried to follow most of the literature
> online (RedHat directory server, CentOS OpenLDAP client setup and many
> other resources). None were found to be complete enough to bring a
> system to a working state where users are able to login and
> authenticate.
>
> In addition, system-config-authentication requires the use of LDAPS or
> LDAP with TLS. Only command line tools are able to configure simple
> LDAP (no TLS or SSL).
> However, even being a security measure, we'd like to avoid all the
> (serious) burden of working with certificates at first for simple
> experimentation.
>
> Any comment or insight will be helpful.
> In addition, any link to where we can find a step-by-step guide to
> install a (working) LDAP server with a client will be more than
> appreciated.
>
> Many thanks,
> Moti.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
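The symptom described in the quoted message (sshd failing inside pam_sss with "Authentication service cannot retrieve authentication info" while a local "su" succeeds through pam_unix) can be triaged straight from /var/log/secure. The following is an added Python example, not code from the thread or from either poster: it groups PAM events by service and module and flags PAM return code 9 (PAM_AUTHINFO_UNAVAIL). The log lines are constructed for the example, and the host name, user name and address in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed /var/log/secure excerpt (not from the thread): an LDAP user fails over sshd via pam_sss (code 9), then succeeds locally via pam_unix.
SAMPLE_SECURE_LOG = """\
Jun  6 08:55:12 central sshd[2310]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=ldapuser
Jun  6 08:55:12 central sshd[2310]: pam_sss(sshd:auth): received for user ldapuser: 9 (Authentication service cannot retrieve authentication info)
Jun  6 08:55:14 central sshd[2310]: Failed password for ldapuser from 10.0.0.5 port 50122 ssh2
Jun  6 09:01:02 central su: pam_unix(su:session): session opened for user ldapuser by root(uid=0)
Jun  6 09:03:40 central sshd[2355]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# syslog prefix, process name (optional pid), then "pam_<module>(<service>:<type>): <message>"
PAM_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ [\w-]+(?:\[\d+\])?: '
                    r'(?P<module>pam_\w+)\((?P<service>\w+):\w+\): (?P<msg>.*)$')
RECV_RE = re.compile(r'received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)')
USER_RE = re.compile(r'(?:\buser=|session opened for user )(?P<user>\S+)')
PAM_AUTHINFO_UNAVAIL = 9  # pam_sss reports this when it cannot obtain auth data from sssd

def triage(log_text):
    """Return ({(service, module): [users]}, [(service, user, reason)]) from secure-log text."""
    stacks = defaultdict(set)
    unavailable = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue  # not a PAM line (e.g. sshd's own "Failed password" message)
        service, module, msg = m.group('service'), m.group('module'), m.group('msg')
        r = RECV_RE.search(msg)
        if r and int(r.group('code')) == PAM_AUTHINFO_UNAVAIL:
            unavailable.append((service, r.group('user'), r.group('text')))
            stacks[(service, module)].add(r.group('user'))
            continue
        u = USER_RE.search(msg)
        if u:
            stacks[(service, module)].add(u.group('user'))
    return {k: sorted(v) for k, v in stacks.items()}, unavailable

def diagnose(log_text):
    """For each PAM_AUTHINFO_UNAVAIL event, list the services where pam_unix handled that user."""
    stacks, unavailable = triage(log_text)
    return [{'user': user, 'service': service, 'reason': reason,
             'pam_unix_services': sorted(s for (s, mod), users in stacks.items()
                                         if mod == 'pam_unix' and user in users)}
            for service, user, reason in unavailable]

if __name__ == '__main__':
    for f in diagnose(SAMPLE_SECURE_LOG):
        print(f"{f['user']}@{f['service']}: {f['reason']}; "
              f"pam_unix handled this user on: {f['pam_unix_services'] or 'none'}")
```

A user that pam_unix accepts on one service but pam_sss cannot look up on another is a strong hint that sshd's PAM stack reaches pam_sss while sssd itself cannot serve the account, which is where to look next (sssd running, its domain configuration, and the TLS requirement for password binds).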