LDAP users/groups not showing up with nis, pam, & ldap
- From: Wes Modes <wmodes [at] ucsc.edu>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: LDAP users/groups not showing up with nis, pam, & ldap
- Date: Wed, 20 Feb 2013 16:01:13 -0800
I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've previously installed a similar configuration on RHEL4, but CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations are a little different.
Currently, local users and groups are showing up but not LDAP users. When I do a getent passwd and getent group I don't get LDAP users. When I do a listing of a share directory that should have user and group ownership determined by LDAP, I get the uidNumbers and gidNumbers rather than the UIDs and GIDs.

    [root@edgar2 openldap]# ls -l /data/home | tail
    drwx------.  2 30634 30080 4096 Mar 18  2009 userdir1
    drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
    drwx------.  3 30554 30075 4096 Jan 26  2009 userdir3
    drwx------. 12 30467 30075 4096 Jun 21  2012 userdir4
    drwx------.  4 30543 30075 4096 Oct 21  2008 userdir5
    drwx------.  8 30555 30075 4096 Oct 31 10:36 userdir5

Other details: centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. And selinux is off.

I know the machine is successfully connecting to LDAP. An ldapsearch works from this machine, and I can even connect to a samba share with an ldap login through smbclient.
Relevant parts of /etc/nsswitch:

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    #hosts:     db files nisplus nis dns
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files ldap
    rpc:        files
    services:   files ldap
    netgroup:   nisplus ldap
    #netgroup:  ldap
    publickey:  nisplus
    automount:  files nisplus ldap
    #automount: files ldap
    aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

    host dir1.ourdomain.com
    base dc=.ourdomain,dc=com
    #uri ldaps://dir1.ourdomain.com
    uri ldap://dir1.ourdomain.com

    # basic auth config
    binddn cn=admin,dc=ourdomain,dc=com
    rootbinddn cn=admin,dc=ourdomain,dc=com

    # random stuff
    #timelimit 120
    #bind_timelimit 120
    #bind_policy hard
    # brought these times down wmodes Aug 11, 2008
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap

    # pam config
    #pam_password md5
    pam_password md5

    # config for nss
    nss_base_passwd ou=people,dc=ourdomain,dc=com?one
    nss_base_shadow ou=people,dc=ourdomain,dc=com?one
    nss_base_group  ou=group,dc=ourdomain,dc=com?one

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl no

    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    #tls_checkpeer yes
    # CA certificates for server certificate verification
    tls_cacertfile /etc/openldap/cacerts/cacert.pem
    tls_cacertdir /etc/openldap/cacerts
    # Client certificate and key
    tls_cert /etc/openldap/cacerts/servercert.pem
    tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

    USELDAP=yes

Any thoughts? For those who are experienced with nis and pam, I'm sure this is a no-brainer, but I could sure use the little bit of your brain that knows how to fix this.

Wes

--
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz
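Independently of why the lookups fail, the pam_ldap.conf quoted above is worth a transport and privilege review: it binds over a plain ldap:// URI with `ssl no`, and uses the directory admin DN both as binddn and rootbinddn. The script below is an added example, not code from the thread or from nss-pam-ldapd: a small linter for the keyword/value format of pam_ldap.conf and nslcd.conf that flags exactly those two conditions. The embedded sample is constructed from the fragment in the post; the treatment of `ssl`, `tls_checkpeer` and `host`/`uri` follows the standard meaning of those keywords.

```python
import re

# Constructed sample modelled on the pam_ldap.conf fragment quoted in the post (not from a live host).
SAMPLE_CONF = """\
host dir1.ourdomain.com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
ssl no
#tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
"""

def parse_conf(text):
    """Parse 'keyword value' lines into {keyword: [values]}; '#' comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)  # repeated keywords are all kept, in order
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def lint_ldap_client(conf):
    """Return findings about transport security and bind-account privilege."""
    findings = []
    uris = conf.get("uri") or ["ldap://" + h for h in conf.get("host", [])]  # legacy 'host' fallback
    ssl_mode = conf.get("ssl", ["no"])[-1].lower()
    tls_by_mode = ssl_mode in ("start_tls", "on", "yes")
    for uri in uris:
        if uri.lower().startswith("ldap://") and not tls_by_mode:
            findings.append(f"cleartext: {uri} with 'ssl {ssl_mode}' sends the bind "
                            "password and every lookup unencrypted")
    if tls_by_mode or any(u.lower().startswith("ldaps://") for u in uris):
        checkpeer = conf.get("tls_checkpeer", [None])[-1]
        if checkpeer is None:
            findings.append("tls_checkpeer not set: confirm the client default verifies the server certificate")
        elif checkpeer.lower() == "no":
            findings.append("tls_checkpeer no: the server certificate is never verified")
    binddn = conf.get("binddn", [None])[-1]
    if binddn and binddn == conf.get("rootbinddn", [None])[-1]:
        findings.append(f"binddn {binddn} is also rootbinddn: routine NSS lookups run as "
                        "the directory admin; use a read-only service account instead")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_client(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the sample it reports the cleartext URI and the shared admin DN; a file with an ldaps:// URI, `tls_checkpeer yes` and a separate read-only binddn comes back clean.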