I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host. I've
previously installed a similar configuration on RHEL4, but CentOS now
uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
are a little different.


Currently, local users and groups are showing up but not LDAP users.
When I do a /getent passwd/ and /getent group/ I don't get LDAP users.


When I do a listing of a share directory that should have user and group
ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
than the UIDs and GIDs.


[root at edgar2 openldap]# ls -l /data/home | tail
drwx------. 2 30634 30080 4096 Mar 18 2009 userdir1
drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
drwx------. 3 30554 30075 4096 Jan 26 2009 userdir3
drwx------. 12 30467 30075 4096 Jun 21 2012 userdir4
drwx------. 4 30543 30075 4096 Oct 21 2008 userdir5
drwx------. 8 30555 30075 4096 Oct 31 10:36 userdir5


Other details: centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23


I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
/etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig.
And selinux is off.


I know the machine is successfully connecting to LDAP. An ldapsearch
works from this machine, and I can even connect to a samba share with an
ldap login through smbclient.


Relevant parts of /etc/nsswitch:


passwd: files ldap
shadow: files ldap
group: files ldap


#hosts: db files nisplus nis dns
hosts: files dns


bootparams: nisplus [NOTFOUND=return] files


ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap


netgroup: nisplus ldap
#netgroup: ldap


publickey: nisplus


automount: files nisplus ldap
#automount: files ldap
aliases: files nisplus


Relevant parts of /etc/pam_ldap.conf (everything else is commented out):


host dir1.ourdomain.com
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com


# basic auth config
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com


# random stuff
#timelimit 120
#bind_timelimit 120
#bind_policy hard
# brought these times down wmodes Aug 11, 2008
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap


# pam config
#pam_password md5
pam_password md5


# config for nss
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group ou=group,dc=ourdomain,dc=com?one


# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no


# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes


# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts


# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem


Relevant parts of /etc/pam.d/system-auth:


auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so


account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so


password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so


session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077


And the only line in /etc/sysconfig/authconfig I changed was:


USELDAP=yes


Any thoughts? For those who are experienced with nis and pam, I'm sure
this is a no brainer, but I could sure use the little bit of your brain
that knows how to fix this.


Wes


--
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz


  • Cliff Pratt at Feb 21, 2013 at 1:56 am
    Do you have nscd running? If so, try stopping and starting that.


    Cheers,


    Cliff

  • Cliff Pratt at Feb 21, 2013 at 1:56 am
    Or just stopping it.....

    On Thu, Feb 21, 2013 at 2:56 PM, Cliff Pratt wrote:
    Do you have nscd running? If so, try stopping and starting that.

    Cheers,

    Cliff
  • Craig White at Feb 21, 2013 at 3:16 pm

    On Feb 20, 2013, at 4:50 PM, Wes Modes wrote:

    ----
    binddn cn=admin,dc=ourdomain,dc=com
    rootbinddn cn=admin,dc=ourdomain,dc=com


    don't do both? comment out the first and the 'rootbinddn' requires /etc/ldap.secret (0600) to function.


    also in ldap.conf?


    should be: base dc=ourdomain,dc=com
    but thinking this is an aspect from your attempts to sanitize.


    Also, you probably should be using TLS
    ssl start_tls
    but perhaps that can wait until you get it working without


    If you can't list ldap users & groups, then obviously any type of ls will show numbers instead of names.


    Craig
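
The checks raised in the thread, collected into one script. This is an added example, not code from the thread or from the nss-pam-ldapd project. Two facts worth keeping in mind when using it: on CentOS 6 with nss-pam-ldapd, the NSS side (what getent and ls consult) goes through nslcd, which reads /etc/nslcd.conf, while /etc/pam_ldap.conf is read only by pam_ldap, so a base DN typo or a bind problem in nslcd.conf is what hides LDAP users from getent; and a running nscd caches negative answers, so a fixed configuration can still look broken until the cache is flushed. The script lints a "key value" style client config (pam_ldap.conf or nslcd.conf) for the malformed base DN, the binddn/rootbinddn conflict, a binddn without bindpw (an unauthenticated bind, which OpenLDAP refuses by default), plaintext LDAP, and unverified server certificates, and checks that passwd, shadow and group in nsswitch.conf list ldap. The file names, the example.com DNs and the sample contents are constructed for this example; run it with --live on a real box to check the actual files and daemons.

```shell
#!/bin/bash
# Added example, not from the thread. Lints an LDAP client config written as
# "key value" lines (/etc/pam_ldap.conf or /etc/nslcd.conf) and an
# nsswitch.conf for the problems raised above. Paths and sample contents are
# constructed for the example.

# conf_get FILE KEY: last uncommented value of KEY, empty if unset
conf_get() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2 }' | tail -n 1
}

# valid_dn DN: every RDN must be attr=value with a value that is non-empty
# and does not start with "." (catches the "dc=.ourdomain" base above)
valid_dn() {
    local rest="$1" rdn
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        rdn=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
        case "$rdn" in
            *=*=*|*=.*|*=|=*) return 1 ;;
            *=*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# lint_ldap_conf FILE: print one finding per line, return the number found
lint_ldap_conf() {
    local f="$1" n=0 base binddn rootbinddn bindpw ssl checkpeer reqcert
    base=$(conf_get "$f" base);             binddn=$(conf_get "$f" binddn)
    rootbinddn=$(conf_get "$f" rootbinddn); bindpw=$(conf_get "$f" bindpw)
    ssl=$(conf_get "$f" ssl);               checkpeer=$(conf_get "$f" tls_checkpeer)
    reqcert=$(conf_get "$f" tls_reqcert)    # nslcd.conf spelling of the same check
    if ! valid_dn "$base"; then
        echo "base '$base': missing or malformed DN"; n=$((n + 1))
    fi
    if [ -n "$binddn" ] && [ -n "$rootbinddn" ]; then
        echo "binddn and rootbinddn both set: pick one (rootbinddn reads /etc/ldap.secret, mode 0600)"
        n=$((n + 1))
    fi
    if [ -n "$binddn" ] && [ -z "$bindpw" ]; then
        echo "binddn without bindpw: an unauthenticated bind, which OpenLDAP rejects by default"
        n=$((n + 1))
    fi
    case "$ssl" in
        ""|no|off)
            echo "ssl ${ssl:-unset}: lookups and bind credentials cross the wire in clear text; use 'ssl start_tls' or an ldaps:// uri"
            n=$((n + 1)) ;;
        *)
            if [ "$checkpeer" != "yes" ] && [ "$reqcert" != "demand" ]; then
                echo "server certificate not verified (need tls_checkpeer yes or tls_reqcert demand): TLS alone does not stop a man-in-the-middle"
                n=$((n + 1))
            fi ;;
    esac
    return $n
}

# check_nsswitch FILE: report passwd/shadow/group entries that omit ldap, return how many do
check_nsswitch() {
    local f="$1" db n=0
    for db in passwd shadow group; do
        if ! sed -e 's/#.*//' "$f" | grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)"; then
            echo "nsswitch: '$db' does not list ldap"; n=$((n + 1))
        fi
    done
    return $n
}

# Constructed samples: the first mirrors the mistakes in the posted config.
sample_bad_ldap_conf() {
    printf '%s\n' 'base dc=.example,dc=com' 'uri ldap://dir1.example.com' \
        'binddn cn=proxyuser,dc=example,dc=com' 'rootbinddn cn=proxyuser,dc=example,dc=com' \
        'ssl no' '#tls_checkpeer yes'
}
sample_good_ldap_conf() {
    printf '%s\n' 'base dc=example,dc=com' 'uri ldap://dir1.example.com' \
        'binddn cn=proxyuser,dc=example,dc=com' 'bindpw constructed-secret' \
        'ssl start_tls' 'tls_checkpeer yes' 'tls_cacertfile /etc/openldap/cacerts/cacert.pem'
}
sample_bad_nsswitch() {
    printf '%s\n' 'passwd: files' 'shadow: files' 'group: files ldap'
}

# With --live, check the real files and daemons; otherwise run the samples.
main() {
    local dir rc f
    if [ "${1:-}" = "--live" ]; then
        for f in /etc/nslcd.conf /etc/pam_ldap.conf; do
            [ -r "$f" ] && { echo "== $f"; lint_ldap_conf "$f" || true; }
        done
        check_nsswitch /etc/nsswitch.conf || true
        pgrep -x nslcd >/dev/null || echo "nslcd is not running: NSS ldap lookups on nss-pam-ldapd go through it"
        pgrep -x nscd >/dev/null && echo "nscd is running: its cache can hide fixes; flush with 'nscd -i passwd; nscd -i group'"
        return 0
    fi
    dir=$(mktemp -d)
    sample_bad_ldap_conf > "$dir/pam_ldap.conf"
    sample_bad_nsswitch > "$dir/nsswitch.conf"
    rc=0; lint_ldap_conf "$dir/pam_ldap.conf" || rc=$?
    echo "$rc finding(s) in sample pam_ldap.conf"
    rc=0; check_nsswitch "$dir/nsswitch.conf" || rc=$?
    echo "$rc finding(s) in sample nsswitch.conf"
    rm -rf "$dir"
}
main "$@"
```

Each lint function returns its finding count as the exit status, so the script drops into a shell pipeline or a config-management check without parsing its output. The nslcd.conf option names overlap with pam_ldap.conf for base, uri, binddn, bindpw and ssl; certificate verification is spelled tls_reqcert demand there, which the script accepts as equivalent to tls_checkpeer yes.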

Discussion Overview
group: centos
categories: centos
posted: Feb 20, '13 at 11:50p
active: Feb 21, '13 at 3:16p
posts: 4
users: 3
website: centos.org
irc: #centos