Old 10-31-2011, 09:10 PM
Mitch Patenaude
 
NSS ldap problems

I'm having trouble setting up LDAP-based authentication.

I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.

However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.

I've run authconfig with the appropriate flags and ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following Perl snippet:

perl -e 'print join(" ", getpwnam("testuser")), "\n";'

And it properly finds the test user on the 5.4 box, but not the 6.0 box.

I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.

Here are the ldap related packages installed on the 6.0 box:
[root@vburntest02 ~]# rpm -qa | grep ldap
openldap-2.4.19-15.el6_0.2.x86_64
pam_ldap-185-5.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64
apr-util-ldap-1.3.9-3.el6.x86_64

Any idea what to check next?

Thanks,
-- Mitch
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-31-2011, 10:46 PM
Craig White
 
NSS ldap problems

On Oct 31, 2011, at 3:10 PM, Mitch Patenaude wrote:

> I'm having trouble setting up LDAP-based authentication.
>
> I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a 389 (fedora) directory server, and that works fine.
>
> However, I set up a virtual box running CentOS 6, and I can't get it to authenticate.
>
> I've run authconfig with the appropriate flags and ldapsearch properly finds the data, but I can't log in. /var/log/secure shows that it doesn't find the user, and as a test I came up with the following Perl snippet:
>
> perl -e 'print join(" ", getpwnam("testuser")), "\n";'
>
> And it properly finds the test user on the 5.4 box, but not the 6.0 box.
>
> I've checked /etc/ldap.conf and /etc/openldap/ldap.conf and both seem about right.
>
> Here are the ldap related packages installed on the 6.0 box:
> [root@vburntest02 ~]# rpm -qa | grep ldap
> openldap-2.4.19-15.el6_0.2.x86_64
> pam_ldap-185-5.el6.x86_64
> nss-pam-ldapd-0.7.5-3.el6.x86_64
> openldap-clients-2.4.19-15.el6_0.2.x86_64
> apr-util-ldap-1.3.9-3.el6.x86_64
>
> Any idea what to check next?
----
I'm not a perl person so I just check from shell with:
getent passwd
getent group

to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.

The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x

You might want to show us the contents of these files...

/etc/nsswitch.conf
/etc/pam.d/system-auth

I also have a 'one-liner' that I use for setting up ldap authentication in a pinch (be sure to substitute for $YOUR_LDAP_SERVER and $YOUR_LDAP_BASE, don't enable ldap tls if you don't have that function working and I'm not so certain about --enablemkhomedir on CentOS 5.x - haven't tried)...

authconfig --enableshadow --enableldap --enableldapauth \
    --ldapserver=$YOUR_LDAP_SERVER --ldapbasedn="$YOUR_LDAP_BASE" \
    --enableldaptls --enablelocauthorize --enablemkhomedir \
    --nostart --updateall

YMMV

Craig

 
Old 11-01-2011, 12:16 AM
Jack Bailey
 
NSS ldap problems

On 10/31/2011 4:46 PM, Craig White wrote:
>> Here are the ldap related packaged installed on the 6.0 box:
>> > [root@vburntest02 ~]# rpm -qa | grep ldap
>> > openldap-2.4.19-15.el6_0.2.x86_64
>> > pam_ldap-185-5.el6.x86_64
>> > nss-pam-ldapd-0.7.5-3.el6.x86_64
>> > openldap-clients-2.4.19-15.el6_0.2.x86_64
>> > apr-util-ldap-1.3.9-3.el6.x86_64
>> >
>> > Any idea what to check next?
> ----
> I'm not a perl person so I just check from shell with:
> getent passwd
> getent group
>
> to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.
>
> The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x

On CentOS 6 getent passwd does not return a list of users, presumably
because the list can be quite large. Try

$ getent passwd <username>

If your system is set up correctly you will see the entry.

Jack

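Putting Craig's getent check and Jack's point about per-user lookups together, here is an added diagnostic (example code written for this archive page, not posted by anyone in the thread). It parses nsswitch.conf to confirm that the passwd/shadow/group databases actually list an ldap or sss source, then resolves one named user through getent instead of trying to enumerate, which is what fails to show anything on EL6. It assumes a glibc system with getent on PATH; the nsswitch.conf content below is a constructed sample, not copied from Mitch's box.

```shell
#!/bin/sh
# Added example (not from the thread): confirm NSS is wired to a directory
# source and that a specific user resolves through it. "getent passwd" with
# no key does not enumerate LDAP users on EL6, so always look up a named user.

# nss_sources FILE DB: print the source list for database DB (e.g. "files ldap")
# from the nsswitch.conf at FILE, with comments stripped.
nss_sources() {
    _file=$1; _db=$2
    sed -e 's/#.*//' "$_file" | awk -v db="$_db" '
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# nss_has_source FILE DB SOURCE: true when SOURCE appears in DB's source list.
nss_has_source() {
    for _s in $(nss_sources "$1" "$2"); do
        [ "$_s" = "$3" ] && return 0
    done
    return 1
}

# nss_user_uid NAME: print the UID NSS returns for NAME, or nothing if no
# configured source (files, ldap, sss, ...) knows the user.
nss_user_uid() {
    getent passwd "$1" 2>/dev/null | cut -d: -f3
}

# Constructed sample nsswitch.conf for the demo (not a real host's file).
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
for db in passwd shadow group; do
    if nss_has_source "$tmp" "$db" ldap || nss_has_source "$tmp" "$db" sss; then
        echo "$db: directory source present ($(nss_sources "$tmp" "$db"))"
    else
        echo "$db: no ldap/sss source, NSS will never see directory users"
    fi
done
rm -f "$tmp"

# A named lookup is the real test. root comes from /etc/passwd and always
# resolves; substitute the directory user you are debugging.
echo "root resolves to uid: $(nss_user_uid root)"
echo "testuser resolves to uid: $(nss_user_uid testuser)"
```

If the sources are present and the named lookup still comes back empty, the missing piece on a CentOS 6 box with nss-pam-ldapd is usually the nslcd daemon: the NSS module talks to it rather than to LDAP directly, and it reads /etc/nslcd.conf (written by authconfig), not the /etc/ldap.conf that pam_ldap uses. Check that it is running before reading any more config.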
 
Old 11-01-2011, 03:25 AM
Trey Dockendorf
 
NSS ldap problems

One difference I ran into with samba authentication is that in CentOS 5
/etc/pam.d/system-auth-ac is the file to change, but in CentOS 6 it's
/etc/pam.d/password-auth-ac. I found that changes I made only to
system-auth-ac in 5 had to be made to both system-auth-ac and
password-auth-ac in 6. This was to have authentication work for things
like ssh and sudo in CentOS 6.

- Trey
On Oct 31, 2011 8:16 PM, "Jack Bailey" <jack@internetguy.net> wrote:

> On 10/31/2011 4:46 PM, Craig White wrote:
> >> Here are the ldap related packaged installed on the 6.0 box:
> >> > [root@vburntest02 ~]# rpm -qa | grep ldap
> >> > openldap-2.4.19-15.el6_0.2.x86_64
> >> > pam_ldap-185-5.el6.x86_64
> >> > nss-pam-ldapd-0.7.5-3.el6.x86_64
> >> > openldap-clients-2.4.19-15.el6_0.2.x86_64
> >> > apr-util-ldap-1.3.9-3.el6.x86_64
> >> >
> >> > Any idea what to check next?
> > ----
> > I'm not a perl person so I just check from shell with:
> > getent passwd
> > getent group
> >
> > to make sure that the LDAP Users/Groups are indeed listed...
> authentication clearly won't work until they do.
> >
> > The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x
>
> On CentOS 6 getent passwd does not return a list of users, presumably
> because the list can be quite large. Try
>
> $ getent passwd <username>
>
> If your system is set up correctly you will see the entry.
>
> Jack
>
 
Old 11-01-2011, 08:57 AM
John Hodrien
 
NSS ldap problems

On Tue, 1 Nov 2011, Trey Dockendorf wrote:

> One difference I ran into with samba authentication is in cent 5
> /etc/pam.d/system-auth-ac is the file to change but in cent 6 its
> /etc/pam.d/password-auth-ac. I found that changes I made only to
> system-auth-ac in 5 had to be made to both system-auth-ac and
> password-auth-ac in 6. This was to have authentication work for things
> like ssh and sudo in centos 6.

It is worth noting that those files should only be edited as a last resort.
You should go through authconfig if possible.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

jh
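On Trey's and John's points, an added example (not posted in the thread) that compares the auth stacks of two PAM service files and prints any module one of them lacks, and that detects the auto-generated header John quotes, so you know a hand edit will be overwritten on the next authconfig run. The two PAM files it writes are constructed samples of the situation Trey describes (pam_ldap.so added by hand to system-auth-ac only), not copied from anyone's box.

```shell
#!/bin/sh
# Added example (not from the thread): diff the module lists of two PAM
# service files by management group and spot authconfig-managed files.

# pam_modules FILE TYPE: print, in order, the module (.so) named on each line
# of FILE whose management group is TYPE (auth, account, password, session).
# Comments are stripped; bracketed controls such as [default=die] are skipped
# by taking the first field that ends in ".so". "include" lines have no .so
# and are ignored.
pam_modules() {
    sed -e 's/#.*//' "$1" | awk -v t="$2" '
        ($1 == t || $1 == ("-" t)) {
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
        }'
}

# pam_missing_from A B TYPE: print each module in A's TYPE stack that B's
# TYPE stack does not contain. Empty output means B has everything A has.
pam_missing_from() {
    _have=$(pam_modules "$2" "$3")
    pam_modules "$1" "$3" | while read -r _m; do
        printf '%s\n' "$_have" | grep -qxF "$_m" || echo "$_m"
    done
}

# pam_is_autogenerated FILE: true when FILE carries the header authconfig
# writes, meaning the next authconfig run will replace it.
pam_is_autogenerated() {
    grep -q '^# This file is auto-generated' "$1"
}

# write_sample_pam_files DIR: constructed sample, not a real host's config.
write_sample_pam_files() {
    cat >"$1/system-auth-ac" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF
    cat >"$1/password-auth-ac" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF
}

d=$(mktemp -d)
write_sample_pam_files "$d"
for f in system-auth-ac password-auth-ac; do
    pam_is_autogenerated "$d/$f" && echo "$f: authconfig-managed, hand edits will not survive"
done
echo "auth modules in system-auth-ac that password-auth-ac lacks:"
pam_missing_from "$d/system-auth-ac" "$d/password-auth-ac" auth
rm -rf "$d"
```

Run it against the real /etc/pam.d/system-auth-ac and password-auth-ac in both directions. When authconfig wrote both files they come out identical, which is what Mark's empty diff further down shows; a non-empty result from pam_missing_from on an authconfig-managed pair means one file was edited by hand and will be reset the next time authconfig runs.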
 
Old 11-01-2011, 02:33 PM
Paul Heinlein
 
NSS ldap problems

On Mon, 31 Oct 2011, Mitch Patenaude wrote:

> I'm having trouble setting up LDAP-based authentication.
>
> I have a virtual (KVM) CentOS 5.4 box set up to authenticate to a
> 389 (fedora) directory server, and that works fine.
>
> However, I set up a virtual box running CentOS 6, and I can't get it
> to authenticate.

Others have mentioned some good ideas, so consider these additions to
the pile. :-)

Is SSL configured correctly? Do you have a copy of the CA certificate
in the right place? Is the CentOS 6 box querying the correct port (389
or 636) in your environment?

Is the CentOS 6 box running sssd? If so, take a look at
/etc/sssd/sssd.conf to see if its configuration looks correct for your
environment.

I assume there are no firewalls in place blocking LDAP traffic, but it
never hurts to ask. :-/

Can you run ldapsearch on the CentOS 6 box and connect to the LDAP
server?

Are there any SELinux warnings in your audit log? (Unlikely, but
possible.)

If you run tcpdump on the LDAP server, can you see any traffic
whatsoever from the CentOS 6 box?

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
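For Paul's checklist, an added example (not part of the thread) that reads the client config, works out which host and port the client will actually connect to and whether the CA file it is told to trust exists, and then prints the ldapsearch and tcpdump commands to run against that endpoint. Key names follow nss-pam-ldapd's /etc/nslcd.conf (uri, base, ssl, tls_cacertfile), which is what the NSS side uses on CentOS 6; the config content below is a constructed sample, not anyone's real file.

```shell
#!/bin/sh
# Added example (not from the thread): derive the endpoint and TLS settings an
# nslcd.conf-style client config implies and check them for consistency.

# ldap_conf_get FILE KEY: first value for KEY (case-insensitive), comments skipped.
ldap_conf_get() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# ldap_uri_port URI: the TCP port the client will use: an explicit ":port" in
# the URI wins, otherwise 636 for ldaps:// and 389 for ldap://.
ldap_uri_port() {
    _rest=${1#*://}            # drop the scheme
    _rest=${_rest%%/*}         # drop any trailing path
    case $_rest in
        *:[0-9]*) echo "${_rest##*:}" ;;
        *) case $1 in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
    esac
}

# ldap_uri_host URI: the host part of the URI.
ldap_uri_host() {
    _rest=${1#*://}; _rest=${_rest%%/*}; echo "${_rest%%:*}"
}

# ldap_tls_problems FILE: print one line per TLS misconfiguration found;
# prints nothing when uri, ssl and tls_cacertfile agree with each other.
ldap_tls_problems() {
    _uri=$(ldap_conf_get "$1" uri)
    _ssl=$(ldap_conf_get "$1" ssl)
    _ca=$(ldap_conf_get "$1" tls_cacertfile)
    _tls=no
    case $_uri in ldaps://*) _tls=yes ;; esac
    case $_ssl in on|start_tls) _tls=yes ;; esac
    if [ "$_tls" = yes ]; then
        [ -n "$_ca" ] || echo "TLS in use but no tls_cacertfile set"
        [ -z "$_ca" ] || [ -r "$_ca" ] || echo "tls_cacertfile $_ca is missing or unreadable"
    fi
    case $_uri in
        ldaps://*) [ "$_ssl" != start_tls ] || echo "ldaps:// URI combined with ssl start_tls" ;;
    esac
    return 0
}

# Constructed sample config (the shape authconfig writes to /etc/nslcd.conf).
conf=$(mktemp)
cat >"$conf" <<'EOF'
# constructed sample, not a real host's config
uri ldaps://ldap.example.com
base dc=example,dc=com
ssl on
tls_cacertfile /etc/openldap/cacerts/ca.crt
EOF
uri=$(ldap_conf_get "$conf" uri)
base=$(ldap_conf_get "$conf" base)
port=$(ldap_uri_port "$uri")
echo "client will connect to $(ldap_uri_host "$uri") port $port"
ldap_tls_problems "$conf"
echo "probe from the client: ldapsearch -x -H '$uri' -b '$base' -s base '(objectclass=*)'"
echo "watch on the server:   tcpdump -ni any 'tcp port $port'"
rm -f "$conf"
```

One caveat worth keeping in mind here: ldapsearch takes its CA settings from TLS_CACERT/TLS_CACERTDIR in /etc/openldap/ldap.conf, not from nslcd.conf, so a working ldapsearch proves the server, port and firewall are fine but says nothing about whether nslcd trusts the server certificate. That gap matches Mitch's symptom exactly (ldapsearch works, NSS lookups do not), which is why the CA path check above is run against the config the daemon reads.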
 
Old 03-11-2012, 05:34 PM
Kristen Eisenberg
 
NSS ldap problems

One difference I ran into with samba authentication is in cent 5
/etc/pam.d/system-auth-ac is the file to change but in cent 6 its
/etc/pam.d/password-auth-ac. I found that changes I made only to
system-auth-ac in 5 had to be made to both system-auth-ac and
password-auth-ac in 6. This was to have authentication work for things
like ssh and sudo in centos 6.


 
Old 03-11-2012, 08:02 PM
Mark LaPierre
 
NSS ldap problems

On 03/11/2012 02:34 PM, Kristen Eisenberg wrote:
> One difference I ran into with samba authentication is in cent 5
> /etc/pam.d/system-auth-ac is the file to change but in cent 6 its
> /etc/pam.d/password-auth-ac. I found that changes I made only to
> system-auth-ac in 5 had to be made to both system-auth-ac and
> password-auth-ac in 6. This was to have authentication work for things
> like ssh and sudo in centos 6.
>
>

Interesting.

[root@mushroom pam.d]# diff password-auth-ac system-auth-ac
[root@mushroom pam.d]#

--
_
v
/(_)
^ ^ Mark LaPierre
Registered Linux user No #267004