Re: Newbie - user authentication failing.

Vinay,

I would never use nscd.  Ever.  There is a litany of valid complaints, including some reports of problems caching data when using StartTLS/SSL, its propensity for sending connections to servers even after they've gone down, its habit of exceeding file descriptor thresholds and the tendency to peg the CPU as a result, and the list goes on and on.  Just Google for all the bug reports and complaints on all the various distros associated with nscd.  I know some folks say they have success with it, but given my experience with it and the similar experiences of many others, I would stay away from it.  It's buggy, behaves inconsistently, and creates more headaches than it alleviates.

If you want reliable caching without all the detractors associated with nscd, it is pretty easy to use nss-pam-ldapd (libnss-ldapd + libpam-ldapd + nslcd), and a lightweight back-ldap + proxycache slapd database to accomplish the goal.  It works really well for us.

Cheers,
Ryan

Vinay Kalkoti wrote:
> Hi,
> 
> If I stop nscd, then the user authentication works.
> 
> I am not getting what could be the reason.
> 
> Thanks,
> Vinay
> 
> 
> On Thu, Feb 10, 2011 at 1:25 PM, Vinay Kalkoti <kalkoti.vinay@gmail.com> 
> wrote:
>> Hi,
>>
>> I am trying to use nss-pam-ldapd for the following reasons -
>> 1. It gives me flexibility to authenticate users even if unix attributes
>> like gid, homeDirectory, loginShell are not present on the directory
>> server by overriding those attributes.
>>
>> I read that I can override the home directory to /home/$uid. This was
>> my major requirement. I also wanted a confirmation that I can set the
>> home directory path to /home/$uid even if the home directory attribute
>> is set to a different path (like /users/unix) on the directory server.
>>
>> Another question I had was, should I still configure openldap client
>> for nss-pam-ldapd? I am using SLES (10, sp2) and my openldap
>> configuration file is /etc/openldap/ldap.conf
>>
>> I followed the documentation to configure nss-pam-ldapd.
>>
>> I need to configure it against both LDAP servers and Active Directory 
>> servers.
>>
>> I have started with LDAP server and I have set the configurations in
>> /etc/nslcd.conf
>>
>> - uri ldap://<ip>
>> - base    dc=example,dc=comp,dc=com
>> - binddn cn=Administrator,dc=example,dc=comp,dc=com
>> - bindpw secret
>> - scope sub
>>
>> I have not enabled any other configurations for LDAP server
>> authentication. I started nslcd daemon and "getent passwd" gives all
>> the LDAP server entries.
>>
>> If I try "su - test_user", it just throws me an error "su: user
>> test_user does not exist", where test_user is from an ldap server and
>> 'getent passwd' lists it.
>>
>> If I try ssh with the user account, I see that nslcd is trying the
>> same user account for binding.
>>
>> nslcd: [b127f8] DEBUG:
>> ldap_simple_bind_s("uid=test_user,dc=example,dc=comp,dc=com","***")
>> (uri="ldap://1<ip>")
>> nslcd: [b127f8] DEBUG: failed to bind to LDAP server ldap://<ip>:
>> Invalid credentials
>> nslcd: [b127f8] DEBUG: ldap_unbind()
>> nslcd: [b127f8] lookup of user uid=test_user,dc=example,dc=comp,dc=com
>> failed: Invalid credentials
>>
>>
>> I am stuck in this and am not able to continue.
>>
>> Thanks,
>> Vinay
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
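A small log correlator for the nslcd debug output quoted in the thread, added here as an example and not part of the thread or of nss-pam-ldapd itself. It groups lines by nslcd's bracketed session id so the bind DN on one line can be matched with the bind failure reported on a later line; the sample log is constructed from Vinay's post, with the `<ip>` placeholder kept as posted.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the nslcd debug output quoted in the
# thread; the <ip> placeholder is kept as it appears in the post.
SAMPLE_LOG = """\
nslcd: [b127f8] DEBUG: ldap_simple_bind_s("uid=test_user,dc=example,dc=comp,dc=com","***") (uri="ldap://<ip>")
nslcd: [b127f8] DEBUG: failed to bind to LDAP server ldap://<ip>: Invalid credentials
nslcd: [b127f8] DEBUG: ldap_unbind()
nslcd: [b127f8] lookup of user uid=test_user,dc=example,dc=comp,dc=com failed: Invalid credentials
nslcd: [a3c9e1] DEBUG: ldap_simple_bind_s("cn=Administrator,dc=example,dc=comp,dc=com","***") (uri="ldap://<ip>")
nslcd: [a3c9e1] DEBUG: ldap_result(): end of results
"""

# nslcd prefixes every line belonging to one request with a bracketed session id.
SESSION_RE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] (?P<msg>.*)$')
BIND_RE = re.compile(r'ldap_simple_bind_s\("(?P<dn>[^"]*)","[^"]*"\)')
FAIL_RE = re.compile(r'failed to bind to LDAP server (?P<uri>\S+): (?P<reason>.+)$')

def parse_bind_outcomes(log_text):
    """Map session id -> {"dn", "ok", "reason"}, correlating the bind DN on one
    line with the failure reason reported on a later line of the same session."""
    sessions = defaultdict(lambda: {"dn": None, "ok": True, "reason": None})
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # not an nslcd line
        sess, msg = sessions[m.group("sid")], m.group("msg")
        b = BIND_RE.search(msg)
        if b:
            sess["dn"] = b.group("dn")
        f = FAIL_RE.search(msg)
        if f:
            sess["ok"] = False
            sess["reason"] = f.group("reason").strip()
    return dict(sessions)

def failed_user_binds(log_text):
    """Sessions where nslcd bound as a uid=... entry (a user authenticating,
    as in the thread) and the server answered with a bind error."""
    return sorted(
        (sid, s["dn"], s["reason"])
        for sid, s in parse_bind_outcomes(log_text).items()
        if not s["ok"] and s["dn"] and s["dn"].lower().startswith("uid=")
    )

if __name__ == "__main__":
    for sid, dn, reason in failed_user_binds(SAMPLE_LOG):
        print(f"{sid}: bind as {dn} failed: {reason}")
```

Run against `nslcd -d` output (or the syslog lines it produces) to see at a glance which user binds the directory rejected and with what reason.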