[CentOS] LDAP login problem for CentOS 6.5

Wed Jun 11 06:56:06 UTC 2014
Arun Khan <knura9 at gmail.com>

On Fri, Jun 6, 2014 at 12:34 PM,  <mordech3 at post.tau.ac.il> wrote:
> A fresh 6.5 system was installed recently to become a central server.
> Both OpenLDAP and 389 Directory Server were installed and configured
> (not at the same time) with groups and normal user accounts.
> The server was configured to use LDAP authentication (through
> authconfig and system-config-authentication).
> First, the LDAP user wasn't identified by running the 'id' command.
> The same with SSH.

How have you configured your 'client' node to connect to the openLDAP server?

> Although ldapsearch listed all objects correctly.
> Observing /var/log/secure had shown that the user is not identified at
> all (no uid etc.). Following another article, POSIX details (uid +
> gid, and set gid to some LDAP group) were set for that user and the
> 'id' command was successful.

Your ldapquery command must be connecting to the LDAP server directly.
  Please share the full ldapsearch command line.

> However, still, SSH connections are refused and the log states:
> "Authentication service cannot retrieve authentication info" (for pam_sss).
> The secure log shows that user details are unavailable
> (uid=0,gid=0...) to sshd.

uid/gid=0 is super user (root).   Let this user be 'local' and not from LDAP.
Define a non root user 'John/Jane Doe' and work through the setup.

> Locally, when a root performs "su user", the login is successful, home
> is created and the secure log state authentication is performed by
> pam_unix, contrast to pam_sss.

I use the 'sssd' package to be the backend which queries users from
both 'local' and the 'LDAP' server, in conjunction with the tool
'authconfig' which makes the necessary changes to the PAM config
files.  Read through the refs. [a] below.

> Need to mention that we've tried to follow most of the literature
> online (RedHat directory server, CentOS OpenLDAP client setup and many
> other resources). None were found to be complete enough to bring a
> system to a working state where users are able to login and
> authenticate.
> In addition, system-config-authentication requires the use of LDAPS or
> LDAP with TLS. Only command line tools are able to configure simple
> LDAP (no TLS or SSL).
> However, even being a security measure, we'd like to avoid all the
> (serious) burden of working with certificates at first for simple
> experimentation.

It is OK to get started with plain text LDAP auth. but for production
use must use TLS to encrypt the packets for user auth.

> Any comment or insight will be helpful.
> In addition, any link to where we can find a step-by-step guide to
> install an  (working) LDAP server with a client, will be more than
> appreciated.

[a] Refs

It is also useful to share the contents of the relevant entries in the
log files.  The conf files like /etc/ldap.conf and /etc/sssd/sssd.conf
in case you are still facing problems.

Eventually, you will have to deal with authenticating Windows
clients/users through Samba (smb.conf) but that is another thread.

**Suggestion** - if you have Windows nodes in your network that
require network authentication then consider Samba4; I migrating one
setup from openLDAP+Samba (NT4 PDC)  to a Samba4 AD/DC.  For Linux
clients, SSSD can also use back end MS AD/DC.

-- Arun Khan