Re: [CentOS] Having trouble with LDAP Authentication...

2010-05-27 Thread Andy Akins
Ryan and Paul...

Thank you for your suggestions and help - I was able to track it down to
three separate things: an improper ACL, nscd, and iptables. Everything is
working fine now. Again, thanks for your insight!
-- 
Andy Akins
Director of Development

NICUSA, Tennessee - A Partnership with Tennessee.gov
Phone: (615) 313-0305
Email: a...@egovtn.org

Visit www.tn.gov - the official website of the State of Tennessee

*
CONFIDENTIALITY NOTICE:
This email and any attachments are confidential. If you are not
the intended recipient, you do not have permission to disclose,
copy, distribute, or open any attachments. If you have received
this email in error, please notify us immediately by returning
it to the sender and deleting this copy from your system.
  Thank you. NIC, Inc., Tennessee
*

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Having trouble with LDAP Authentication.

2010-05-27 Thread Steve Glasser
Message: 11
Date: Tue, 25 May 2010 16:16:45 -0500
From: Andy Akins a...@egovtn.org
Subject: [CentOS] Having trouble with LDAP Authentication...
To: CentOS mailing list centos@centos.org
Message-ID: c821a86d.754b%a...@egovtn.org
Content-Type: text/plain; charset=iso-8859-1

I've googled and searched, and have had very little luck...

I have:

1. Installed all the packages.
2. Configured and have running OpenLDAP.
3. Migrated my passwd/shadow/group/hosts files into the directory
4. Tested the directory using ldapsearch
5. Installed LAM (web interface to LDAP authentication)
6. Added a user using LAM.
7. Confirmed user is in directory.
8. Confirmed user is not in /etc/passwd
9. Confirmed using "getent passwd | grep username" that the user is listed.
10. Confirmed using "getent passwd" shows two records for each user except
ldap-only users (one for /etc/passwd, one for LDAP).

However,

   "id username"

Returns unknown user
snip

Assuming you have set up both server and client, I would try the following:
1) Don't use nscd until you can confirm basic auth to the Ldap server
is working.

2) Enable logging on the Ldap server.  Afair, CentOS defaults to
loglevel 0, which is no logs.  Try something like loglevel 256.

3) Try to authenticate from a client while tailing the server logs.
That should give you an idea of whether the client is even reaching
the server, and if so what sort of error is occurring.

Btw you didn't mention if you were doing Ldap over tls, but that adds
another point of failure.  See here for a step-by-step test procedure
for ssl/tls:  http://aput.net/~jheiss/krbldap/howto.html

Cheers,
-- 
Steve Glasser
sgla9...@gmail.com
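
Steve's step 3 (tail the slapd log while a client authenticates), as an added example that is not code from this thread: it reads constructed loglevel 256 stats lines and reports whether the client reached slapd, how it bound, and whether its search found the entry, which is where a blocked port or an ACL that hides the user would show up. The host name, addresses, DNs and connection number are invented.

```python
import re

# Constructed slapd stats output (loglevel 256) for one client connection; host, addresses, DNs and conn number are invented.
SAMPLE_LOG = """\
May 25 16:20:01 ldap1 slapd[2112]: conn=1007 fd=14 ACCEPT from IP=192.0.2.25:41822 (IP=0.0.0.0:389)
May 25 16:20:01 ldap1 slapd[2112]: conn=1007 op=0 BIND dn="" method=128
May 25 16:20:01 ldap1 slapd[2112]: conn=1007 op=0 RESULT tag=97 err=0 text=
May 25 16:20:01 ldap1 slapd[2112]: conn=1007 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=username))"
May 25 16:20:01 ldap1 slapd[2112]: conn=1007 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""
CONN = re.compile(r'conn=(\d+) (.*)$')

def parse_stats(log):
    """Group stats lines by connection: client IP, bind DN and result, searches."""
    conns = {}
    for line in log.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"client": None, "bind_dn": None,
                                          "bind_err": None, "searches": []})
        rest = m.group(2)
        if " ACCEPT from IP=" in rest:
            c["client"] = rest.split("IP=")[1].split()[0].rsplit(":", 1)[0]
        elif " BIND dn=" in rest:
            c["bind_dn"] = re.search(r'dn="([^"]*)"', rest).group(1)
        elif " SRCH base=" in rest:
            c["searches"].append({"filter": re.search(r'filter="([^"]*)"', rest).group(1),
                                  "err": None, "nentries": None})
        elif " SEARCH RESULT " in rest and c["searches"]:
            c["searches"][-1]["err"] = int(re.search(r'err=(\d+)', rest).group(1))
            c["searches"][-1]["nentries"] = int(re.search(r'nentries=(\d+)', rest).group(1))
        elif " RESULT " in rest and c["bind_err"] is None:  # outcome of the BIND
            c["bind_err"] = int(re.search(r'err=(\d+)', rest).group(1))
    return conns

def triage(conns, client_ip):
    """Findings for the connections made by the client under test."""
    mine = [c for c in conns.values() if c["client"] == client_ip]
    if not mine:
        return ["no ACCEPT from %s: client never reached slapd (check ldap.conf URI and iptables on 389/636)" % client_ip]
    findings = []
    for c in mine:
        who = c["bind_dn"] or "anonymous"
        if c["bind_err"]:
            findings.append("bind as %s failed with err=%d" % (who, c["bind_err"]))
        for s in c["searches"]:
            if s["err"] == 0 and s["nentries"] == 0:
                findings.append("%s search %s returned no entries: entry hidden by slapd ACL or wrong base DN" % (who, s["filter"]))
    return findings or ["client reached slapd and its searches returned entries"]
```

An anonymous bind that succeeds but finds zero entries for a user ldapsearch shows with a privileged bind is the signature of an ACL that does not grant the client's bind identity read access.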


[CentOS] Having trouble with LDAP Authentication...

2010-05-25 Thread Andy Akins
I've googled and searched, and have had very little luck...

I have:

1. Installed all the packages.
2. Configured and have running OpenLDAP.
3. Migrated my passwd/shadow/group/hosts files into the directory
4. Tested the directory using ldapsearch
5. Installed LAM (web interface to LDAP authentication)
6. Added a user using LAM.
7. Confirmed user is in directory.
8. Confirmed user is not in /etc/passwd
9. Confirmed using "getent passwd | grep username" that the user is listed.
10. Confirmed using "getent passwd" shows two records for each user except
ldap-only users (one for /etc/passwd, one for LDAP).

However,

"id username"

Returns unknown user

And trying to log in as username at either the terminal or ssh fails, and
upon examining the logs, the error message says unknown user.

I configured /etc/pam.d/system-auth using authconfig-tui, adding only the
pam_mkhomedir.so line (and I tried it without that line as well).

Everything seems right - but it's not working. Can anyone offer any
suggestions as to where I should be looking? If necessary, I'll post my
/etc/openldap/slapd.conf, /etc/openldap/ldap.conf, /etc/pam.d/system-auth,
and /etc/nsswitch.conf files - I just didn't want to send them if not
necessary.

Any help or suggestions would be appreciated. Thanks!

-- 
Andy Akins
Director of Development

NICUSA, Tennessee - A Partnership with Tennessee.gov
Phone: (615) 313-0305
Email: a...@egovtn.org

Visit www.tn.gov - the official website of the State of Tennessee



Re: [CentOS] Having trouble with LDAP Authentication...

2010-05-25 Thread Paul Heinlein

On Tue, 25 May 2010, Andy Akins wrote:


 8. Confirmed user is not in /etc/passwd
 9. Confirmed using “getent passwd | grep username” that the user is listed.
10. Confirmed using “getent passwd” shows two records for each user except
ldap-only users (one for /etc/passwd, one for LDAP).

However,

“id username”

Returns unknown user


Before the heavy troubleshooting starts, double-check that nscd is 
installed, configured, and working. You might want to restart it to 
make sure.


Second -- and I personally hate this, though I can attest it sometimes 
works -- rebooting the machine will sometimes fix this. In particular, 
I've seen the nss_ldap stuff have trouble in TLS environments when the 
server cert (or the CA that signed it) wasn't present at boot time.


The next step would be to run something like

  strace -o /tmp/getent.trace getent passwd username
  strace -o /tmp/id.trace id username

I'd identify where id is trying to locate user info and make sure it 
looks like the same place getent is using.


On my CentOS systems, I note that id uses read() to access nscd while 
getent uses recvmsg(). I'm unsure if that difference would cause the 
problem, but it might be a place to look if you've got SELinux logs 
auditing things.


--
Paul Heinlein  heinl...@madboa.com  http://www.madboa.com/
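
Paul's strace comparison as an added example, not code from this thread: it summarises which NSS modules, nscd socket and LDAP servers each traced lookup touched and lists where the two diverge. The trace lines, library paths, the server address and the outcomes are constructed for the illustration.

```python
import re

# Constructed strace excerpts standing in for /tmp/getent.trace and /tmp/id.trace;
# the paths, the server address and the outcomes are invented for this illustration.
GETENT_TRACE = """\
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libnss_ldap.so.2", O_RDONLY) = 3
connect(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
"""
ID_TRACE = """\
open("/etc/nsswitch.conf", O_RDONLY) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
"""

MODULE = re.compile(r'^open\("[^"]*libnss_(\w+)\.so')
UNIX = re.compile(r'^connect\(\d+, \{sa_family=AF_FILE, path="([^"]+)"')
INET = re.compile(r'^connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                  r'sin_addr=inet_addr\("([^"]+)"\)\}, \d+\) = (\S+)')

def lookup_sources(trace):
    """Which NSS modules, nscd socket and LDAP servers a traced lookup touched."""
    src = {"modules": [], "nscd": False, "ldap": []}
    for line in trace.splitlines():
        if MODULE.match(line):
            src["modules"].append(MODULE.match(line).group(1))
        elif UNIX.match(line) and "nscd" in UNIX.match(line).group(1):
            src["nscd"] = True   # answered from the daemon's cache, not by a module
        elif INET.match(line):
            host, port, rc = INET.match(line).group(2, 1, 3)
            src["ldap"].append((host, int(port), rc == "0"))  # "0" connected, "-1" errno follows
    return src

def compare(getent_trace, id_trace):
    """List where the two lookups diverge, in the order a reader would check them."""
    a, b = lookup_sources(getent_trace), lookup_sources(id_trace)
    diffs = []
    if a["nscd"] != b["nscd"]:
        diffs.append("nscd: getent=%s id=%s (one side is served from cache)" % (a["nscd"], b["nscd"]))
    if a["modules"] != b["modules"]:
        diffs.append("nss modules: getent=%s id=%s" % (a["modules"], b["modules"]))
    for host, port, ok in a["ldap"] + b["ldap"]:
        if not ok:
            diffs.append("connect to %s:%d failed (server down or filtered by iptables)" % (host, port))
    return diffs
```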


Re: [CentOS] Having trouble with LDAP Authentication...

2010-05-25 Thread Ryan Manikowski

On 5/25/2010 5:16 PM, Andy Akins wrote:

I've google and searched, and have had very little luck...

I have:

   1. Installed all the packages.
   2. Configured and have running OpenLDAP.
   3. Migrated my passwd/shadow/group/hosts files into the directory
   4. Tested the directory using ldapsearch
   5. Installed LAM (web interface to LDAP authentication)
   6. Added a user using LAM.
   7. Confirmed user is in directory.
   8. Confirmed user is not in /etc/passwd
   9. Confirmed using getent passwd | grep username that the user is
  listed.
  10. Confirmed using getent passwd shows two records for each user
  /except/ ldap-only users (one for /etc/passwd, one for LDAP).


However,

id username

Returns unknown user

And trying to log in as username at either the terminal or ssh fails, 
and upon examining the logs, the error message says unknown user.


I configured /etc/pam.d/system-auth using authconfig-tui, adding only 
the pam_mkhomedir.so line (and I tried it without that line as well).


Everything /seems/ right -- but it's not working. Can anyone offer any 
suggestions as to where I should be looking? If necessary, I'll post 
my /etc/openldap/slapd.conf, /etc/openldap/ldap.conf, 
/etc/pam.d/system-auth, and /etc/nsswitch.conf files -- I just didn't 
want to send them if not necessary.


Any help or suggestions would be appreciated. Thanks!



We'll assume you've properly configured your OpenLDAP server and can 
query the directory and whatever user/group accounts you have created 
are valid.


Now, you make no statements regarding the system that you are attempting 
to authenticate from. Run 'authconfig-tui' from the console/terminal and 
ensure the ldap server is specified.


See this page 
(http://beginlinux.com/server_training/server-managment-topics/1316-set-up-ldap-client) 
and concern yourself with the 2 screenshots for now. You can tweak the 
manual settings to your heart's content but ONLY need to set the options 
contained in the screenshots to at least get LDAP auth working.


Make sure you leave an '*' next to 'Local authentication is sufficient' 
as well so the system continues to auth local accounts. Placing a '*' 
next to 'Cache Information' will enable nscd.

Ryan Manikowski