lists.arthurdejong.org
RSS feed

Re: LDAP users/groups not showing up with nis, pam, & ldap

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: LDAP users/groups not showing up with nis, pam, & ldap



On Wed, 2013-02-20 at 16:01 -0800, Wes Modes wrote:
> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host.  I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
> configurations are a little different.

Yes, if you are using the NSS and PAM modules from nss-pam-ldapd all
configuration is in /etc/nslcd.conf (restart nslcd after any changes).

> Currently, local users and groups are showing up but not LDAP users.
> When I do a getent passwd and getent group I don't get LDAP users.

This means that the username lookups via /etc/nsswitch.conf are somehow
not working.

> Other details:  centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23

Which version of nss-pam-ldapd could perhaps be helpful.

> Relevant parts of /etc/nsswitch:
> 
>     passwd:     files ldap
>     shadow:     files ldap
>     group:      files ldap
>     protocols:  files ldap
>     services:   files ldap
>     netgroup:   nisplus ldap
>     automount:  files nisplus ldap
>     aliases:    files nisplus

Looks reasonable, although it is perhaps a bit weird to use both NIS and
LDAP (but shouldn't make a difference).

> Relevant parts of /etc/pam_ldap.conf (everything else is commented
> out):
> 
>     host dir1.ourdomain.com
>     base dc=.ourdomain,dc=com
>     uri ldap://dir1.ourdomain.com
>     
>     # basic auth config
>     binddn cn=admin,dc=ourdomain,dc=com
>     rootbinddn cn=admin,dc=ourdomain,dc=com
>     
>     # random stuff
>     timelimit 30
>     bind_timelimit 30
>     bind_policy soft
>     idle_timelimit 3600
>     nss_initgroups_ignoreusers root,ldap
>     
>     # pam config
>     pam_password md5
>     
>     # config for nss
>     nss_base_passwd ou=people,dc=ourdomain,dc=com?one
>     nss_base_shadow ou=people,dc=ourdomain,dc=com?one
>     nss_base_group  ou=group,dc=ourdomain,dc=com?one

Something similar should be in /etc/nslcd.conf except that the options
are not identical. For nslcd, don't use the host option and this:
  nss_base_passwd ou=people,dc=ourdomain,dc=com?one
translates into this:
  base passwd ou=people,dc=ourdomain,dc=com
  scope passwd one
and bind_policy and pam_password are not supported (the bind policy can
be tuned with the timing/reconnect options as described in the manual
page if needed and password change mechanism is always EXOP).

I don't know if CentOS uses the nss-pam-ldapd PAM module or the PADL PAM
module but it if uses the former /etc/pam_ldap.conf will not be used for
anything.

I did spot one more issue in the configuration; it lists:
  base dc=.ourdomain,dc=com
while I think the dot in .ordomain shouldn't be there.


> Relevant parts of /etc/pam.d/system-auth:
> 
>     auth        required      pam_env.so
>     auth        sufficient    pam_fprintd.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_ldap.so use_first_pass

You could also use the minimum_uid option to pam_ldap (if using the
nss-pam-ldapd PAM module).

If the above suggested changes don't fix the problem it is best to stop
nslcd and run it in debug mode (nslcd -d from the command line) and do a
getent passwd to see whether any LDAP lookups are attempted and what
fails.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/