lists.arthurdejong.org

Re: Need help in integration of pam and ldap using nss-pam-ldapd




Well, the ldapsearch you included shows a base dn of ou=system and your nslcd.conf has a base of dc=example,dc=com. You need to fix that first.

I don't see a user entry in your ldap.  Do you have any in the directory?  I would expect to see entries something like:

$ ldapsearch uid=someuser @posixAccount @inetorgperson @person
dn: uid=someuser,cn=people,dc=somewhere,dc=com
cn: First Last
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
sn: Last
homeDirectory: /home/someuser
mail: someuser [at] somewhere.com
givenName: First
uid: someuser
uidNumber: 18820
gidNumber: 18820

Bill

On Wed, May 24, 2017 at 9:02 AM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:

I had tested by turning off NSCD.

ldapsearch is working and sample output is as below

[root@AIO-ANDSF ~]# ldapsearch -H ldap://10.24.19.141:10389 -x -D "uid=pam_ldap,ou=system" -W -b "ou=system" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=system> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#

# pam_ldap, system
dn: uid=pam_ldap,ou=system
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson

# configuration, system
dn: ou=configuration,ou=system
objectClass: top
objectClass: organizationalUnit

# consumers, system
dn: ou=consumers,ou=system
objectclass: top
objectclass: organizationalUnit

# sysPrefRoot, system
dn: prefNodeName=sysPrefRoot,ou=system
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@AIO-ANDSF ~]#

Please find attached files.

Regards,
Kedar.

From: William MacAllister <whm [at] dropbox.com>
Date: Wednesday, May 24, 2017 at 11:43 AM
To: "Kedar Sirshikar (ksirshik)" <ksirshik [at] cisco.com>
Cc: "nss-pam-ldapd-users@lists.arthurdejong.org" <nss-pam-ldapd-users@lists.arthurdejong.org>
Subject: Re: Need help in integration of pam and ldap using nss-pam-ldapd

First, just simple ldapsearches are working, right?

Frequently nscd is also installed for you by your package management system when nss-pam-ldapd is installed.  While you are testing it is best to turn it off because a stale cache can cause an assortment of problems.  Turn off nscd if it is installed and try again.

If that doesn't work post your nslcd.conf and the ldif for a user, i.e. the output from 'ldapsearch uid=someuser'.

Bill

On Tue, May 23, 2017 at 4:44 PM, Kedar Sirshikar (ksirshik) <ksirshik [at] cisco.com> wrote:

Hi team,

I am trying to do a POC to integrate PAM with LDAP. After exploring on google, I came to know that I can use ‘nss-pam-ldapd’ package.

For LDAP server, I am using ApacheDS plug-in from Eclipse.

For client, I installed ‘nss-pam-ldapd’ on CentOS 6.8. I followed ‘https://arthurdejong.org/nss-pam-ldapd/setup’ wiki to update PAM and NSLCD configurations.

I can see that ldapsearch is working fine but I am not able to connect to LDAP through PAM and NSLCD.

I am testing based on below two approaches:

1. I am using ‘pwauth’ which is expected to authenticate user based on PAM-LDAP integration.

2. I tried ‘getent passwd’ command but I do not get any user from LDAP

I do not even see any logs getting generated. May I know how to activate logs for PAM, NSS, NSLCD?

I am very novice to all these concepts so please help me in understanding/fixing above issue.

Also, kindly let me know if you need more details from my side.

Thank you!

Regards,
Kedar.


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/



 

--
Bill MacAllister
Corp SRE, Dropbox
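
An added example, not part of the original thread or of nss-pam-ldapd: it applies the two checks from the top reply to saved ldapsearch output and nslcd.conf text, flagging entries that sit outside the configured base and entries that are not complete posixAccount users. The CONF and LDIF samples, the function names and ldap.example.com are constructed for illustration, and the required-attribute list assumes nslcd's default passwd mapping.

```python
import re

REQUIRED = ("uid", "uidnumber", "gidnumber", "homedirectory")  # assumed default passwd attrs

def norm_dn(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def nslcd_bases(conf):
    """Global 'base <dn>' values; map-specific 'base passwd <dn>' lines are skipped."""
    return [norm_dn(b) for b in re.findall(r"^\s*base\s+(\S+=.*)$", conf, re.M)]

def parse_ldif(text):
    """Parse ldapsearch LDIF into attr -> values dicts (base64 '::' values not decoded)."""
    text = re.sub(r"\n (?=\S)", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text):
        e = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                e.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(e)
    return [e for e in entries if "dn" in e]  # drops the trailing search/result block

def check(conf, ldif):
    """Return {dn: verdict} for every entry in the ldapsearch output."""
    bases, report = nslcd_bases(conf), {}
    for e in parse_ldif(ldif):
        dn, missing = norm_dn(e["dn"][0]), [a for a in REQUIRED if a not in e]
        if not any(dn[-len(b):] == b for b in bases):
            report[e["dn"][0]] = "outside nslcd base"
        elif "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            report[e["dn"][0]] = "not a posixAccount"
        else:
            report[e["dn"][0]] = "missing " + ",".join(missing) if missing else "ok"
    return report

CONF = "uri ldap://ldap.example.com/\nbase dc=example,dc=com\n"  # constructed
LDIF = """dn: uid=pam_ldap,ou=system
objectClass: inetOrgPerson

dn: uid=someuser,cn=people,dc=example,dc=com
objectClass: posixAccount
uid: someuser
uidNumber: 18820
"""  # constructed ldapsearch output

if __name__ == "__main__":
    print("\n".join(f"{v}: {dn}" for dn, v in check(CONF, LDIF).items()))
```

Only entries reported as "ok" are ones `getent passwd` could be expected to return once nslcd is pointed at the right base.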



