I'm having trouble setting up ldap based authentication.

I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.

However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.

I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:

    perl -e 'print join(" ",getpwnam("testuser")),"\n";'

And it properly finds the test user on the 5.4 box, but not the 6.0 box.

I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.

Here are the ldap related packages installed on the 6.0 box:

    [root at vburntest02 ~]# rpm -qa | grep ldap
    openldap-2.4.19-15.el6_0.2.x86_64
    pam_ldap-185-5.el6.x86_64
    nss-pam-ldapd-0.7.5-3.el6.x86_64
    openldap-clients-2.4.19-15.el6_0.2.x86_64
    apr-util-ldap-1.3.9-3.el6.x86_64

Any idea what to check next?

Thanks,
-- Mitch
On Oct 31, 2011, at 3:10 PM, Mitch Patenaude wrote:

> I'm having trouble setting up ldap based authentication.
>
> I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
>
> However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
>
> I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:
>
>     perl -e 'print join(" ",getpwnam("testuser")),"\n";'
>
> And it properly finds the test user on the 5.4 box, but not the 6.0 box.
>
> I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
>
> Here are the ldap related packages installed on the 6.0 box:
>
>     [root at vburntest02 ~]# rpm -qa | grep ldap
>     openldap-2.4.19-15.el6_0.2.x86_64
>     pam_ldap-185-5.el6.x86_64
>     nss-pam-ldapd-0.7.5-3.el6.x86_64
>     openldap-clients-2.4.19-15.el6_0.2.x86_64
>     apr-util-ldap-1.3.9-3.el6.x86_64
>
> Any idea what to check next?

----
I'm not a perl person so I just check from shell with:

    getent passwd
    getent group

to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.

The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x

You might want to show us the contents of these files...

    /etc/nsswitch.conf
    /etc/pam.d/system-auth

I also have a 'one-liner' that I use for setting up ldap authentication in a pinch (be sure to substitute for $YOUR_LDAP_SERVER and $YOUR_LDAP_BASE, don't enable ldap tls if you don't have that function working and I'm not so certain about --enablemkhomedir on CentOS 5.x - haven't tried)...

    authconfig --enableshadow --enableldap --enableldapauth \
      --ldapserver=$YOUR_LDAP_SERVER --ldapbasedn="$YOUR_LDAP_BASE" \
      --enableldaptls --enablelocauthorize --enablemkhomedir \
      --nostart --updateall

YMMV

Craig
On Mon, 31 Oct 2011, Mitch Patenaude wrote:

> I'm having trouble setting up ldap based authentication.
>
> I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a
> 389 (fedora) directory server, and that works fine.
>
> However, I set up a virtual box running CentOS 6, and I can't get it
> to authenticate.

Others have mentioned some good ideas, so consider these additions to the pile. :-)

Is SSL configured correctly? Do you have a copy of the CA certificate in the right place?

Is the CentOS 6 box querying the correct port (389 or 636) in your environment?

Is the CentOS 6 box running sssd? If so, take a look at /etc/sssd/sssd.conf to see if its configuration looks correct for your environment.

I assume there are no firewalls in place blocking LDAP traffic, but it never hurts to ask. :-/

Can you run ldapsearch on the CentOS 6 box and connect to the LDAP server?

Are there any SELinux warnings in your audit log? (Unlikely, but possible.)

If you run tcpdump on the LDAP server, can you see any traffic whatsoever from the CentOS 6 box?

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
Thanks to everybody for their suggestions, and for the pointer to getent, which was a gap in my sysadmin toolchest.

I figured out the problem. The problem was that nslcd wasn't starting properly because the nslcd user didn't exist. We're using the same base passwd file for both centos5 and centos6, and that extra user didn't get added. Switching /etc/nslcd.conf to use an extant uid/gid allowed nslcd to start, and that allowed the query to work, and the test user can log in.

I had never heard of nslcd--and it doesn't appear to have any man pages :-/, but inspection of the config file yields the impression of nscd for ldap, and its config either supersedes or replaces /etc/ldap.conf.

Thanks for all the good ideas,
-- Mitch Patenaude
mpatenaude at shutterfly.com

From: Mitch Patenaude <mpatenaude at shutterfly.com>
Date: Mon, 31 Oct 2011 15:10:31 -0700
To: CentOS mailing list <centos at centos.org>
Subject: NSS ldap problems

> I'm having trouble setting up ldap based authentication.
>
> I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
>
> However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
>
> I've run authconfig with the appropriate flags, ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following perl snippet:
>
>     perl -e 'print join(" ",getpwnam("testuser")),"\n";'
>
> And it properly finds the test user on the 5.4 box, but not the 6.0 box.
>
> I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
>
> Here are the ldap related packages installed on the 6.0 box:
>
>     [root at vburntest02 ~]# rpm -qa | grep ldap
>     openldap-2.4.19-15.el6_0.2.x86_64
>     pam_ldap-185-5.el6.x86_64
>     nss-pam-ldapd-0.7.5-3.el6.x86_64
>     openldap-clients-2.4.19-15.el6_0.2.x86_64
>     apr-util-ldap-1.3.9-3.el6.x86_64
>
> Any idea what to check next?
>
> Thanks,
> -- Mitch
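A small shell script, added here as an example (it is not from any post in this thread), that automates the two checks the thread converged on: whether the uid/gid named in /etc/nslcd.conf exist in the local passwd/group files, which is what Mitch's fix required, and whether nsswitch.conf actually lists ldap, which Craig's getent test presupposes. It runs against constructed sample files in a temp directory; the sample contents and the have_entry/check_* function names are its own, and on a real box the checks would be pointed at /etc/*.

```shell
#!/bin/sh
# Added example (not from the thread): offline pre-flight checks for the two
# failure points discussed above. Constructed sample files stand in for /etc/*;
# the check_* and have_entry function names are this example's own.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# Constructed nslcd.conf: the account nslcd drops privileges to.
cat > "$work/nslcd.conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF
# Constructed passwd/group/nsswitch: "nslcd" is absent, as in Mitch's case.
printf 'root:x:0:0:root:/root:/bin/bash\nldap:x:55:55::/var/lib/ldap:/sbin/nologin\n' > "$work/passwd"
printf 'root:x:0:\nldap:x:55:\n' > "$work/group"
printf 'passwd: files ldap\nshadow: files\ngroup:  files ldap\n' > "$work/nsswitch.conf"

# have_entry NAME_OR_ID FILE: 0 if field 1 (name) or field 3 (uid/gid) matches.
# nslcd.conf accepts either form, so both are checked.
have_entry() {
  awk -F: -v n="$1" '$1 == n || $3 == n { f = 1 } END { exit !f }' "$2"
}
# check_nslcd_account CONF PASSWD GROUP: 0 when the uid and gid named in CONF
# exist in the local files. nslcd must setuid/setgid before it talks to LDAP,
# so these entries cannot come from the directory itself.
check_nslcd_account() {
  local conf=$1 passwd=$2 group=$3 rc=0 name
  name=$(awk '$1 == "uid" { print $2 }' "$conf")
  if ! have_entry "$name" "$passwd"; then
    echo "uid '$name' from $conf is not in $passwd: nslcd cannot start" >&2; rc=1
  fi
  name=$(awk '$1 == "gid" { print $2 }' "$conf")
  if ! have_entry "$name" "$group"; then
    echo "gid '$name' from $conf is not in $group: nslcd cannot start" >&2; rc=1
  fi
  return "$rc"
}
# check_nsswitch DB FILE: 0 when database DB (passwd, group, ...) lists ldap,
# the prerequisite for getent/getpwnam ever consulting nslcd.
check_nsswitch() {
  awk -v db="$1:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                   END { exit !ok }' "$2"
}

check_nslcd_account "$work/nslcd.conf" "$work/passwd" "$work/group" ||
  echo "fix: create the account, or point uid/gid in nslcd.conf at an existing one"
check_nsswitch passwd "$work/nsswitch.conf" && echo "nsswitch: passwd consults ldap"
```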