Re: LDAP users/groups not showing up with nis, pam, & ldap
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: LDAP users/groups not showing up with nis, pam, & ldap
- Date: Thu, 21 Feb 2013 11:48:01 +0100
On Wed, 2013-02-20 at 16:01 -0800, Wes Modes wrote:
> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
> configurations are a little different.
Yes, if you are using the NSS and PAM modules from nss-pam-ldapd all
configuration is in /etc/nslcd.conf (restart nslcd after any changes).
> Currently, local users and groups are showing up but not LDAP users.
> When I do a getent passwd and getent group I don't get LDAP users.
This means that the username lookups via /etc/nsswitch.conf are somehow
not working.
> Other details: centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23
Knowing which version of nss-pam-ldapd you are using could perhaps be helpful.
> Relevant parts of /etc/nsswitch:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> protocols: files ldap
> services: files ldap
> netgroup: nisplus ldap
> automount: files nisplus ldap
> aliases: files nisplus
Looks reasonable, although it is perhaps a bit weird to use both NIS and
LDAP (but shouldn't make a difference).
> Relevant parts of /etc/pam_ldap.conf (everything else is commented
> out):
>
> host dir1.ourdomain.com
> base dc=.ourdomain,dc=com
> uri ldap://dir1.ourdomain.com
>
> # basic auth config
> binddn cn=admin,dc=ourdomain,dc=com
> rootbinddn cn=admin,dc=ourdomain,dc=com
>
> # random stuff
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap
>
> # pam config
> pam_password md5
>
> # config for nss
> nss_base_passwd ou=people,dc=ourdomain,dc=com?one
> nss_base_shadow ou=people,dc=ourdomain,dc=com?one
> nss_base_group ou=group,dc=ourdomain,dc=com?one
Something similar should be in /etc/nslcd.conf except that the options
are not identical. For nslcd, don't use the host option and this:
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
translates into this:
base passwd ou=people,dc=ourdomain,dc=com
scope passwd one
and bind_policy and pam_password are not supported (the bind policy can
be tuned with the timing/reconnect options as described in the manual
page if needed, and the password change mechanism is always EXOP).
I don't know if CentOS uses the nss-pam-ldapd PAM module or the PADL PAM
module, but if it uses the former /etc/pam_ldap.conf will not be used for
anything.
I did spot one more issue in the configuration; it lists:
base dc=.ourdomain,dc=com
while I think the dot in .ourdomain shouldn't be there.
> Relevant parts of /etc/pam.d/system-auth:
>
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
You could also use the minimum_uid option to pam_ldap (if using the
nss-pam-ldapd PAM module).
If the above suggested changes don't fix the problem it is best to stop
nslcd and run it in debug mode (nslcd -d from the command line) and do a
getent passwd to see whether any LDAP lookups are attempted and what
fails.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
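The option mapping described in the reply above (nss_base_<map> <base>?<scope> becoming separate base and scope lines, host/bind_policy/pam_password not carried over) and the stray dot in the base DN, as an added worked example that is not part of the thread or of nss-pam-ldapd: a small Python translator that rewrites a PADL-style pam_ldap.conf into nslcd.conf lines and reports what it dropped. The set of options it passes through unchanged, the handling of a third ?filter field as nslcd's filter MAP option, and the leading-dot DN check are assumptions of this example; anything it does not recognise is emitted as a comment for manual review against nslcd.conf(5). The sample input is constructed from the configuration quoted in the message.

```python
"""Translate a PADL-style nss_ldap/pam_ldap configuration into nslcd.conf
lines. Added example, not code from the nss-pam-ldapd project."""

import re

# Options nslcd.conf accepts with the same name and value syntax.
# Assumption: limited to the options that appear in the thread.
SAME_NAME = {
    "uri", "base", "binddn", "bindpw", "timelimit", "bind_timelimit",
    "idle_timelimit", "nss_initgroups_ignoreusers",
}

# Options the reply says nslcd does not use or support.
DROP = {
    "host": "nslcd takes the server from the uri option",
    "bind_policy": "not supported; tune the reconnect/timing options instead",
    "pam_password": "not supported; password changes always use EXOP",
}

# nss_base_<map> <base>?<scope>[?<filter>]
NSS_BASE_RE = re.compile(r"^nss_base_(\w+)$")


def check_dn(dn):
    """Return a list of problems found in a DN.

    Heuristic, not a full RFC 4514 parser: it catches an empty RDN side
    and the '.ourdomain' style typo (an RDN value starting with a dot).
    """
    problems = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            problems.append("malformed RDN %r" % rdn)
        elif value.strip().startswith("."):
            problems.append("RDN value %r starts with a dot" % value.strip())
    return problems


def translate(text):
    """Translate nss_ldap/pam_ldap config text into nslcd.conf lines.

    Returns (lines, warnings). Unknown options are kept as comments so
    nothing is silently lost.
    """
    lines, warnings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        m = NSS_BASE_RE.match(key)
        if m:
            mapname = m.group(1)
            fields = value.split("?")
            base = fields[0]
            lines.append("base %s %s" % (mapname, base))
            if len(fields) > 1 and fields[1]:
                lines.append("scope %s %s" % (mapname, fields[1]))
            if len(fields) > 2 and fields[2]:
                # Assumption: PADL's third field is a filter; nslcd spells it filter MAP.
                lines.append("filter %s %s" % (mapname, fields[2]))
            warnings.extend("%s: %s" % (key, p) for p in check_dn(base))
        elif key in DROP:
            warnings.append("%s dropped: %s" % (key, DROP[key]))
        elif key in SAME_NAME:
            lines.append("%s %s" % (key, value))
            if key in ("base", "binddn"):
                warnings.extend("%s: %s" % (key, p) for p in check_dn(value))
        else:
            # Not covered by the thread (e.g. rootbinddn): keep it visible.
            lines.append("# REVIEW (no mapping here): %s %s" % (key, value))
            warnings.append("%s: no mapping in this translator, check nslcd.conf(5)" % key)
    return lines, warnings


# Constructed sample, taken from the pam_ldap.conf quoted in the message.
SAMPLE = """\
host dir1.ourdomain.com
base dc=.ourdomain,dc=com
uri ldap://dir1.ourdomain.com
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
pam_password md5
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group ou=group,dc=ourdomain,dc=com?one
"""

if __name__ == "__main__":
    out, warns = translate(SAMPLE)
    print("\n".join(out))
    for w in warns:
        print("# WARNING:", w)
```

Run it and the warnings list shows the three dropped options, the unmapped rootbinddn, and the dotted base DN; the remaining lines are what /etc/nslcd.conf should contain before nslcd is restarted.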