
ldap authentication broken after switch to nss-pam-ldapd


With pam_ldap I was using a combination of NIS and LDAP for user authentication and authorization:
User information like group, numerical user id, home dir etc. coming from a local NIS server, but passwords being checked against the main LDAP server of my institution.
I pretty much only had to check in authconfig-tui ldap and Local authorization is sufficient in authentication and NIS in User information, define NIS servers and ldap servers in the next two steps, put a certificate into /etc/openldap/cacerts, and it was running.
All it required was a /etc/passwd entry on the NIS master server like this:
username:+:1234:111:Full User Name:/home/directory:/usr/bin/bash

After an upgrade of Fedora pam_ldap was replaced by nss-pam-ldapd, and logging into accounts with passwords on the ldap server no longer worked.

NIS is still running as I am able to log into accounts with local password in the NIS master, but attempts to log into accounts with ldap passwords fail.

Attempting to log into an account with a password on the LDAP server gives me the following output:
Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username"> ldap_result() failed: Can't contact LDAP server

Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure; logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication; user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled by nslcd

I reran authconfig-tui and turned ldap authentication off and on to redo the configuration, but with no effect.

I know ldap is working because ldapsearch -x -ZZ "(uid=username)" gives me the desired response. Also, ldap authentication is still working on my two CentOS computers still using pam_ldap.

Configuration files:
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://
# Turning this off breaks GSSAPI used with krb5 when rdns = false
BASE ou=people,

uid nslcd
gid ldap
uri ldap://
base ou=people,
ssl start_tls
tls_cacertdir /etc/openldap/cacerts

auth required
auth sufficient nullok try_first_pass debug
auth requisite uid >= 1000 quiet_success
auth sufficient use_first_pass debug
auth required

account required broken_shadow debug
account sufficient debug
account sufficient uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] debug
account required

password requisite try_first_pass retry=3 authtok_type=
password sufficient sha512 nis nullok try_first_pass use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
-session optional
session [success=1 default=ignore] service in crond quiet use_uid
session required debug
session optional debug

Any suggestions?
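To see why the failed nslcd bind ends in a denial rather than a fall-through, here is an added model of how the posted auth stack is evaluated under the classic PAM control flags. It is example code, not from the post or from nss-pam-ldapd; the module names (pam_env, pam_unix, pam_succeed_if, pam_ldap, pam_deny) are assumed from the layout authconfig normally writes, since the post omits them, and the scenario values are constructed.

```python
"""Model of Linux-PAM control-flag semantics applied to the posted auth
stack.  Added example; module names are ASSUMED (authconfig's usual layout),
because the posted system-auth lines omit them."""
from typing import Dict, List, Tuple

# Assumed reconstruction of the five posted "auth" lines: (module, control)
AUTH_STACK: List[Tuple[str, str]] = [
    ("pam_env",        "required"),    # always succeeds
    ("pam_unix",       "sufficient"),  # local shadow / NIS password
    ("pam_succeed_if", "requisite"),   # uid >= 1000, else stop at once
    ("pam_ldap",       "sufficient"),  # asks nslcd to bind with the password
    ("pam_deny",       "required"),    # always fails
]


def run_auth(results: Dict[str, bool]) -> Tuple[bool, str]:
    """Walk the stack.  `results` maps module -> did it report PAM_SUCCESS.
    Returns (authenticated?, which line decided it)."""
    failed = False                      # a 'required' failure seen so far
    for module, control in AUTH_STACK:
        ok = results[module]
        if control == "required":
            if not ok:
                failed = True           # remember it, but keep going
        elif control == "requisite":
            if not ok:
                return False, f"{module} (requisite) failed"
        elif control == "sufficient":
            # success short-circuits only if no 'required' line failed before
            if ok and not failed:
                return True, f"{module} (sufficient) succeeded"
            # a failing 'sufficient' line is simply ignored
    return not failed, "end of stack"


def scenario(unix_ok: bool, uid: int, nslcd_ok: bool) -> Tuple[bool, str]:
    """Constructed inputs: does pam_unix accept the password, what is the
    account's uid, and does nslcd manage to bind to the LDAP server?"""
    return run_auth({
        "pam_env": True,
        "pam_unix": unix_ok,
        "pam_succeed_if": uid >= 1000,
        "pam_ldap": nslcd_ok,
        "pam_deny": False,
    })


if __name__ == "__main__":
    print("NIS-local password:      ", scenario(True, 1234, False))
    print("LDAP password, nslcd down:", scenario(False, 1234, False))
    print("LDAP password, nslcd ok:  ", scenario(False, 1234, True))
```

The middle case mirrors the posted log: pam_unix fails, pam_ldap's "not handled by nslcd" is ignored as a failing sufficient line, and the final required pam_deny line produces the denial, so the fix lies in nslcd's LDAP connectivity (uri, start_tls, cacertdir), not in the PAM ordering.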