Wes Modes
2013-Feb-20 23:50 UTC
[CentOS] LDAP users/groups not showing up with nis, pam, & ldap
I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've previously installed a similar configuration on RHEL4, but CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations are a little different.

Currently, local users and groups are showing up but not LDAP users. When I do a /getent passwd/ and /getent group/ I don't get LDAP users.

When I do a listing of a share directory that should have user and group ownership determined by LDAP, I get the uidNumbers and gidNumbers rather than the UIDs and GIDs.

[root at edgar2 openldap]# ls -l /data/home | tail
drwx------.  2 30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
drwx------.  3 30554 30075 4096 Jan 26  2009 userdir3
drwx------. 12 30467 30075 4096 Jun 21  2012 userdir4
drwx------.  4 30543 30075 4096 Oct 21  2008 userdir5
drwx------.  8 30555 30075 4096 Oct 31 10:36 userdir5

Other details: centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. And selinux is off.

I know the machine is successfully connecting to LDAP. An ldapsearch works from this machine, and I can even connect to a samba share with an ldap login through smbclient.

Relevant parts of /etc/nsswitch:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   nisplus ldap
#netgroup:  ldap

publickey:  nisplus

automount:  files nisplus ldap
#automount: files ldap
aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

host dir1.ourdomain.com
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com

# basic auth config
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com

# random stuff
#timelimit 120
#bind_timelimit 120
#bind_policy hard
# brought these times down wmodes Aug 11, 2008
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap

# pam config
#pam_password md5
pam_password md5

# config for nss
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group  ou=group,dc=ourdomain,dc=com?one

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes

# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts

# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

USELDAP=yes

Any thoughts? For those who are experienced with nis and pam, I'm sure this is a no brainer, but I could sure use the little bit of your brain that knows how to fix this.

Wes

--
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz
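The symptom Wes describes (numeric owners in ls -l, nothing from getent) means the NSS chain is not answering, and on a nss-pam-ldapd host that chain is nsswitch.conf plus a running nslcd daemon reading /etc/nslcd.conf; the /etc/pam_ldap.conf shown above is not consulted for NSS lookups at all. The script below is an added example, not from the thread, that checks the two things worth verifying first: that passwd/shadow/group in nsswitch.conf actually list ldap, and which owner/group ids in a listing remain unresolved. The SAMPLE_NSSWITCH and SAMPLE_LS strings are constructed copies of what was posted so the checks run without a directory server; resolve_uid and nslcd_state are only meaningful on the live host.

```shell
#!/bin/sh
# Added diagnostic example (not from the original thread).
# SAMPLE_NSSWITCH and SAMPLE_LS are constructed from the posted output.

# Constructed nsswitch.conf excerpt (as posted)
SAMPLE_NSSWITCH='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns'

# Constructed ls -l excerpt: two LDAP-owned directories plus one local one
SAMPLE_LS='drwx------.  2 30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
drwx------.  3 root  root  4096 Jan 26  2009 localdir'

# nss_source_ok DB CONTENT: succeed only if NSS database DB lists "ldap" as a source.
nss_source_ok() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# unresolved_ids CONTENT: print distinct "uid gid" pairs from ls -l output whose
# owner or group is still a bare number, i.e. no NSS source mapped it to a name.
unresolved_ids() {
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/ { print $3, $4 }' | sort -u
}

# count_unresolved CONTENT: how many distinct unresolved pairs the listing has.
count_unresolved() {
    unresolved_ids "$1" | wc -l | tr -d ' '
}

# resolve_uid UID: on a live host, ask the NSS chain the same question ls does.
# Prints the account name, or UNRESOLVED when neither files nor nslcd knows the id.
resolve_uid() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1 | grep . || echo UNRESOLVED
}

# nslcd_state: nss-pam-ldapd only answers lookups while nslcd is running.
nslcd_state() {
    command -v pgrep >/dev/null 2>&1 || { echo unknown; return; }
    if pgrep -x nslcd >/dev/null 2>&1; then echo running; else echo "not running"; fi
}

# Walk the checks against the constructed samples.
for db in passwd shadow group; do
    if nss_source_ok "$db" "$SAMPLE_NSSWITCH"; then
        echo "$db: ldap source configured"
    else
        echo "$db: ldap source MISSING"
    fi
done
echo "unresolved owner/group ids in sample listing:"
unresolved_ids "$SAMPLE_LS"
```

On the real machine, feed it the live files instead of the samples (`nss_source_ok passwd "$(cat /etc/nsswitch.conf)"`, `unresolved_ids "$(ls -l /data/home)"`) and then run `resolve_uid 30634` and `nslcd_state`: if nsswitch lists ldap but resolve_uid still prints UNRESOLVED, the problem is in nslcd (not running, or /etc/nslcd.conf pointing at the wrong base or credentials), not in PAM.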
Cliff Pratt
2013-Feb-21 01:56 UTC
[CentOS] LDAP users/groups not showing up with nis, pam, & ldap
Do you have nscd running? If so, try stopping and starting that.

Cheers,

Cliff

On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes <wmodes at ucsc.edu> wrote:
> Currently, local users and groups are showing up but not LDAP users.
> When I do a /getent passwd/ and /getent group/ I don't get LDAP users.
Craig White
2013-Feb-21 15:16 UTC
[CentOS] LDAP users/groups not showing up with nis, pam, & ldap
On Feb 20, 2013, at 4:50 PM, Wes Modes wrote:
> Relevant parts of /etc/pam_ldap.conf (everything else is commented out):
>
> host dir1.ourdomain.com
> base dc=.ourdomain,dc=com
> #uri ldaps://dir1.ourdomain.com
> uri ldap://dir1.ourdomain.com
>
> # basic auth config
> binddn cn=admin,dc=ourdomain,dc=com
> rootbinddn cn=admin,dc=ourdomain,dc=com
----
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com

Don't do both? Comment out the first, and the 'rootbinddn' requires /etc/ldap.secret (0600) to function.

Also in ldap.conf? It should be:

base dc=ourdomain,dc=com

but thinking this is an aspect from your attempts to sanitize.

Also, you probably should be using TLS:

ssl start_tls

but perhaps that can wait until you get it working without.

If you can't list ldap users & groups, then obviously any type of ls will show numbers instead of names.

Craig
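Craig's three points (binddn and rootbinddn set at once, /etc/ldap.secret needing mode 0600, and plain ldap:// with ssl no meaning the bind credentials cross the wire in the clear) are all checkable from the configuration file alone. The script below is an added example, not from the thread, that audits a pam_ldap.conf/nslcd.conf-style file for those three conditions and shows a hardened nslcd.conf fragment beside the posted one. WEAK_CONF is a constructed copy of what Wes posted; HARDENED_CONF is constructed, and its reader DN and bindpw placeholder are assumptions; `ssl start_tls`, `tls_reqcert demand` and `tls_cacertfile` are nslcd.conf options, `tls_checkpeer` is the older pam_ldap.conf spelling.

```shell
#!/bin/sh
# Added config-audit example (not from the original thread).
# WEAK_CONF mirrors the posted pam_ldap.conf; HARDENED_CONF is a constructed
# nslcd.conf fragment with an assumed read-only bind account.

WEAK_CONF='host dir1.ourdomain.com
base dc=.ourdomain,dc=com
uri ldap://dir1.ourdomain.com
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
ssl no
#tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem'

HARDENED_CONF='uri ldap://dir1.ourdomain.com
base dc=ourdomain,dc=com
binddn cn=nslcd-reader,ou=people,dc=ourdomain,dc=com
bindpw REPLACE_WITH_SECRET
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/cacert.pem'

# conf_value CONTENT KEY: value of the first uncommented KEY line ("" if absent).
# A commented "#tls_checkpeer yes" has $1 == "#tls_checkpeer", so it does not match.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# audit_bind CONTENT: "conflict" when both binddn and rootbinddn are set
# (the point Craig raises), "ok" otherwise.
audit_bind() {
    ab_b=$(conf_value "$1" binddn)
    ab_r=$(conf_value "$1" rootbinddn)
    if [ -n "$ab_b" ] && [ -n "$ab_r" ]; then echo conflict; else echo ok; fi
}

# audit_transport CONTENT: classify how the bind credentials travel.
#   cleartext      ldap:// without start_tls: binddn password is sent in the clear
#   tls-unverified encrypted, but the server certificate is never checked
#   ok             encrypted and the server certificate is verified
audit_transport() {
    at_uri=$(conf_value "$1" uri)
    at_ssl=$(conf_value "$1" ssl)
    at_req=$(conf_value "$1" tls_reqcert)
    at_peer=$(conf_value "$1" tls_checkpeer)
    case "$at_uri" in
        ldaps://*) at_enc=yes ;;
        *) if [ "$at_ssl" = start_tls ]; then at_enc=yes; else at_enc=no; fi ;;
    esac
    if [ "$at_enc" = no ]; then
        echo cleartext
    elif [ "$at_req" = demand ] || [ "$at_peer" = yes ]; then
        echo ok
    else
        echo tls-unverified
    fi
}

# secret_perms_ok PATH: the file holding the bind password (/etc/ldap.secret for
# rootbinddn, or /etc/nslcd.conf itself when bindpw lives there) must be mode 0600.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = 600 ]
}

# Report on both constructed configurations.
for name in WEAK_CONF HARDENED_CONF; do
    eval "content=\$$name"
    echo "$name: bind=$(audit_bind "$content") transport=$(audit_transport "$content")"
done
```

Run the same functions against the live files (`audit_transport "$(cat /etc/nslcd.conf)"`, `secret_perms_ok /etc/ldap.secret`) after the lookup problem is solved; a result of cleartext means the admin bind password leaves the host unencrypted on every nslcd reconnect, which is why the hardened fragment uses a dedicated read-only account as well as start_tls with certificate verification.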
Gordon Messmer
2013-Mar-02 20:53 UTC
[CentOS] LDAP users/groups not showing up with nis, pam, & ldap
On 02/20/2013 03:50 PM, Wes Modes wrote:
> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
> are a little different.

Actually, the recommended stack is sssd. Remove nss_ldap and nss-pam-ldapd, install sssd, and use authconfig to set up the configuration files.