
ldap authentication broken after switch to nss-pam-ldapd


With pam_ldap I was using a combination of NIS and LDAP for user authentication and authorization:
user information like group, numerical user id, home dir etc. came from a local NIS server, but passwords were checked against the main LDAP server of my institution.
I pretty much only had to check, in authconfig-tui, LDAP and "Local authorization is sufficient" under Authentication and NIS under User information, define the NIS servers and LDAP servers in the next two steps, put a certificate into /etc/openldap/cacerts, and it was running.
All it required was a /etc/passwd entry on the NIS master server like this:
username:+:1234:111:Full User Name:/home/directory:/usr/bin/bash

After an upgrade of Fedora, pam_ldap was replaced by nss-pam-ldapd, and logging into accounts with a password on the LDAP server no longer worked.

NIS is still running as I am able to log into accounts with local password in the NIS master, but attempts to log into accounts with ldap passwords fail.

Attempting to log into an account with a password on the LDAP server gives me the following output:
/var/log/messages
Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username"> ldap_result() failed: Can't contact LDAP server

/var/log/secure
Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure; logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication; user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled by nslcd

I reran authconfig-tui and turned ldap authentication off and on to redo the configuration, but no effect.

I know LDAP is working because ldapsearch -x -ZZ "(uid=username)" gives me the desired response. Also, LDAP authentication is still working on my two CentOS computers still using pam_ldap.

Configuration files:
/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.uwm.edu
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
URI ldap://ldap.uwm.edu
BASE ou=people,o=uwm.edu


/etc/nslcd.conf:
uid nslcd
gid ldap
uri ldap://ldap.uwm.edu
base ou=people,o=uwm.edu
ssl start_tls
tls_cacertdir /etc/openldap/cacerts



/etc/pam.d/password-auth-ac:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass debug
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass debug
auth required pam_deny.so

account required pam_unix.so broken_shadow debug
account sufficient pam_localuser.so debug
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 nis nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so debug
session optional pam_ldap.so debug


Any suggestions?
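The two log excerpts above illustrate a point worth keeping in mind when triaging nslcd failures: pam_ldap in /var/log/secure only reports "not handled by nslcd", while the actual LDAP client error is in nslcd's own line in /var/log/messages. The script below is an added example (not part of the post, and not code from the nss-pam-ldapd project) that parses both logs, correlates them per user, and classifies each failure by the OpenLDAP error string nslcd relays. The sample lines are constructed: the "username" lines are copied from the post, the "otheruser" lines are invented to show a second failure class, and the classification table covers only the two error strings used here.

```python
import re
from collections import defaultdict

# Constructed sample logs. The "username" lines reproduce the post's excerpts;
# the "otheruser" lines are made up for this example to show a bind rejection.
MESSAGES_LOG = """\
Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username"> ldap_result() failed: Can't contact LDAP server
Jan 23 15:58:00 marvin nslcd[3893]: [3f9a2c] <authc="otheruser"> ldap_result() failed: Invalid credentials
"""

SECURE_LOG = """\
Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure; logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication; user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled by nslcd
Jan 23 15:58:00 marvin su: pam_ldap(su:auth): nslcd authentication; user=otheruser
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# nslcd request line: "[reqid] <op="user"> text".
NSLCD_RE = re.compile(r'^\[(?P<req>[0-9a-f]+)\] <(?P<op>\w+)="(?P<user>[^"]*)"> (?P<text>.*)$')
# PAM module line: "pam_mod(service:type): text".
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<text>.*)$")

# OpenLDAP client error strings that nslcd passes through verbatim.
LDAP_ERROR_CLASSES = {
    # LDAP_SERVER_DOWN: no usable connection (TCP, DNS or TLS setup), so the
    # password was never even checked. Not a credentials problem.
    "Can't contact LDAP server": "connectivity",
    # LDAP_INVALID_CREDENTIALS: server reached, the bind itself was rejected.
    "Invalid credentials": "bad_credentials",
}


def parse_syslog(text):
    """Yield one dict per syslog line that matches the classic layout."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def nslcd_auth_failures(text):
    """Return nslcd 'authc' failures as dicts with user, request id and LDAP error."""
    out = []
    for rec in parse_syslog(text):
        if rec["prog"] != "nslcd":
            continue
        m = NSLCD_RE.match(rec["msg"])
        if m and m.group("op") == "authc" and "ldap_result() failed: " in m.group("text"):
            err = m.group("text").split("ldap_result() failed: ", 1)[1]
            out.append({"ts": rec["ts"], "user": m.group("user"),
                        "req": m.group("req"), "error": err})
    return out


def pam_auth_events(text):
    """Return PAM 'auth' lines with the user they concern (by user= or 'X not handled by nslcd')."""
    out = []
    for rec in parse_syslog(text):
        m = PAM_RE.match(rec["msg"])
        if not m or m.group("type") != "auth":
            continue
        body = m.group("text")
        um = re.search(r"\buser=(\S+)", body)          # \b keeps "ruser=hf" from matching
        nh = re.match(r"(\S+) not handled by nslcd", body)
        user = um.group(1) if um else (nh.group(1) if nh else None)
        if user is not None:
            out.append({"ts": rec["ts"], "user": user, "module": m.group("module"),
                        "service": m.group("service"), "text": body})
    return out


def triage(messages_log, secure_log):
    """Correlate nslcd and PAM evidence per user and assign a verdict."""
    report = defaultdict(lambda: {"nslcd_error": None, "pam": [], "verdict": "unknown"})
    for ev in nslcd_auth_failures(messages_log):
        report[ev["user"]]["nslcd_error"] = ev["error"]
    for ev in pam_auth_events(secure_log):
        report[ev["user"]]["pam"].append(f'{ev["module"]}: {ev["text"]}')
    for info in report.values():
        err = info["nslcd_error"]
        declined = any("not handled by nslcd" in t for t in info["pam"])
        if err is not None:
            info["verdict"] = LDAP_ERROR_CLASSES.get(err, "other_ldap_error")
        elif declined:
            # pam_ldap got no answer but nslcd logged nothing useful: raise nslcd debug.
            info["verdict"] = "nslcd_declined_no_detail"
    return dict(report)


if __name__ == "__main__":
    for user, info in triage(MESSAGES_LOG, SECURE_LOG).items():
        print(f"{user}: {info['verdict']} (nslcd: {info['nslcd_error']})")
        for line in info["pam"]:
            print(f"    {line}")
```

The verdict for "username" comes out as connectivity rather than bad_credentials: pam_ldap's "not handled by nslcd" is only the downstream symptom, and the nslcd line carries the real reason. Keeping the two logs apart is what makes an nslcd outage look like a wrong password.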