I've googled and searched, and have had very little luck...

I have:

1. Installed all the packages.
2. Configured and have running OpenLDAP.
3. Migrated my passwd/shadow/group/hosts files into the directory
4. Tested the directory using ldapsearch
5. Installed LAM (web interface to LDAP authentication)
6. Added a user using LAM.
7. Confirmed user is in directory.
8. Confirmed user is not in /etc/passwd
9. Confirmed using "getent passwd | grep username" that the user is listed.
10. Confirmed using "getent passwd" shows two records for each user except ldap-only users (one for /etc/passwd, one for LDAP).

However,

"id username"

Returns unknown user

And trying to log in as username at either the terminal or ssh fails, and upon examining the logs, the error message says unknown user.

I configured /etc/pam.d/system-auth using authconfig-tui, adding only the pam_mkhomedir.so line (and I tried it without that line as well).

Everything seems right -- but it's not working. Can anyone offer any suggestions as to where I should be looking? If necessary, I'll post my /etc/openldap/slapd.conf, /etc/openldap/ldap.conf, /etc/pam.d/system-auth, and /etc/nsswitch.conf files -- I just didn't want to send them if not necessary.

Any help or suggestions would be appreciated. Thanks!

--
Andy Akins
Director of Development
NICUSA, Tennessee -- A Partnership with Tennessee.gov
Phone: (615) 313-0305
Email: andy at egovtn.org

Visit www.tn.gov - the official website of the State of Tennessee
On Tue, 25 May 2010, Andy Akins wrote:

> 8. Confirmed user is not in /etc/passwd
> 9. Confirmed using "getent passwd | grep username" that the user is listed.
> 10. Confirmed using "getent passwd" shows two records for each user except
> ldap-only users (one for /etc/passwd, one for LDAP).
>
> However,
>
> "id username"
>
> Returns unknown user

Before the heavy troubleshooting starts, double-check that nscd is installed, configured, and working. You might want to restart it to make sure.

Second -- and I personally hate this, though I can attest it sometimes works -- rebooting the machine will sometimes fix this. In particular, I've seen the nss_ldap stuff have trouble in TLS environments when the server cert (or the CA that signed it) wasn't present at boot time.

The next step would be to run something like

  strace -o /tmp/getent.trace getent passwd username
  strace -o /tmp/id.trace id username

I'd identify where id is trying to locate user info and make sure it looks like the same place getent is using. On my CentOS systems, I note that id uses read() to access nscd while getent uses recvmsg(). I'm unsure if that difference would cause the problem, but it might be a place to look if you've got SELinux logs auditing things.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
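Two small helpers for the checks Paul describes, written as an added example and not code posted in the thread: the first reports which of the passwd/shadow/group databases in an nsswitch.conf-style file do not list the ldap source, the second extracts the files and sockets each strace capture touched so a getent trace and an id trace can be compared. The nsswitch fragment and the two strace excerpts below are constructed samples, not real captures; point the functions at /etc/nsswitch.conf and the real /tmp/getent.trace and /tmp/id.trace to use them.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). Needs only POSIX sh, awk,
# sed, grep, sort and comm; LC_ALL=C keeps sort and comm collation in step.
export LC_ALL=C

# nss_sources FILE DB: sources configured for DB (e.g. passwd) in an
# nsswitch.conf-style file, comment lines ignored.
nss_sources() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nss_missing_ldap FILE: print each of passwd/shadow/group that does not
# list "ldap" as a source; authconfig normally adds it to all three.
nss_missing_ldap() {
    for db in passwd shadow group; do
        nss_sources "$1" "$db" | grep -qw ldap || echo "$db"
    done
}

# trace_endpoints TRACE: files and sockets a traced lookup touched, taken
# from the first quoted path of every open/openat/connect line.
trace_endpoints() {
    grep -E '^(open|openat|connect)\(' "$1" | sed 's/^[^"]*"\([^"]*\)".*/\1/' | sort -u
}

# trace_only_in A B: endpoints present in trace B but absent from trace A,
# i.e. where "id" went that "getent" did not (or the reverse).
trace_only_in() {
    a=$(mktemp); b=$(mktemp)
    trace_endpoints "$1" >"$a"; trace_endpoints "$2" >"$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample inputs (not real captures) so the script runs stand-alone.
SAMPLE_NSS=$(mktemp); GETENT_TRACE=$(mktemp); ID_TRACE=$(mktemp)
printf '%s\n' '# constructed nsswitch.conf fragment' \
    'passwd:     files ldap' 'shadow:     files' 'group:      files ldap' >"$SAMPLE_NSS"
printf '%s\n' 'open("/etc/nsswitch.conf", O_RDONLY) = 3' \
    'connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0' \
    'recvmsg(3, {msg_name(0)=NULL, ...}, 0) = 8' >"$GETENT_TRACE"
printf '%s\n' 'open("/etc/nsswitch.conf", O_RDONLY) = 3' \
    'open("/var/run/nscd/passwd", O_RDONLY) = 3' \
    'read(3, "\1\0\0\0"..., 256) = 256' \
    'open("/etc/ldap.conf", O_RDONLY) = 4' >"$ID_TRACE"

echo "databases without ldap: $(nss_missing_ldap "$SAMPLE_NSS" | tr '\n' ' ')"
echo "touched by id but not by getent:"; trace_only_in "$GETENT_TRACE" "$ID_TRACE"
```

A database missing from the first report, or a path in the second that only one of the two commands opens, is where the two lookups diverge and where SELinux denials or a stale nscd cache are worth checking.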
On 5/25/2010 5:16 PM, Andy Akins wrote:

> [...]

We'll assume you've properly configured your OpenLDAP server and can query the directory and whatever user/group accounts you have created are valid.

Now, you make no statements regarding the system that you are attempting to authenticate from. Run 'authconfig-tui' from the console/terminal and ensure the ldap server is specified. See this page (http://beginlinux.com/server_training/server-managment-topics/1316-set-up-ldap-client) and concern yourself with the 2 screenshots for now. You can tweak the manual settings to your heart's content but ONLY need to set the options contained in the screenshots to at least get LDAP auth working. Make sure you leave an '*' next to 'Local authentication is sufficient' as well so the system continues to auth local accounts. Placing a '*' next to 'Cache Information' will enable nscd.

Ryan Manikowski