[CentOS] LDAP users/groups not showing up with nis, pam, & ldap

2013-02-20 Thread Wes Modes
I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host.  I've
previously installed a similar configuration on RHEL4, but CentOS now
uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
are a little different.

Currently, local users and groups are showing up but not LDAP users. 
When I do a getent passwd and getent group I don't get LDAP users.

When I do a listing of a share directory that should have user and group
ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
than the UIDs and GIDs.

[root@edgar2 openldap]# ls -l /data/home | tail
drwx--.  2  30634 30080 4096 Mar 18  2009 userdir1
drwx--. 33  30548 30075 4096 Jan 29 15:20 userdir2
drwx--.  3  30554 30075 4096 Jan 26  2009 userdir3
drwx--. 12  30467 30075 4096 Jun 21  2012 userdir4
drwx--.  4  30543 30075 4096 Oct 21  2008 userdir5
drwx--.  8  30555 30075 4096 Oct 31 10:36 userdir5

Other details:  centos 6.2, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
/etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. 
And selinux is off.

I know the machine is successfully connecting to LDAP.  An ldapsearch
works from this machine, and I can even connect to a samba share with an
ldap login through smbclient.

Relevant parts of /etc/nsswitch:

passwd: files ldap
shadow: files ldap
group:  files ldap
   
#hosts: db files nisplus nis dns
hosts:  files dns
   
bootparams: nisplus [NOTFOUND=return] files
   
ethers: files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
   
netgroup:   nisplus ldap
#netgroup:   ldap
   
publickey:  nisplus
   
automount:  files nisplus ldap
#automount:  files ldap
aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

host dir1.ourdomain.com
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com
   
# basic auth config
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
   
# random stuff
#timelimit 120
#bind_timelimit 120
#bind_policy hard
# brought these times down wmodes Aug 11, 2008
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
   
# pam config
#pam_password md5
pam_password md5
   
# config for nss
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group  ou=group,dc=ourdomain,dc=com?one
   
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no
   
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes
   
# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
   
# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

USELDAP=yes

Any thoughts?  For those who are experienced with nis and pam, I'm sure
this is a no brainer, but I could sure use the little bit of your brain
that knows how to fix this.

Wes

-- 
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/li
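As an added check (not code from the thread or from nss-pam-ldapd), the following Python parses the nsswitch.conf and pam_ldap.conf fragments posted above and flags what a reviewer would look at before touching the PAM stack: whether passwd and group actually consult ldap, whether the base DN is well-formed and each nss_base_* entry sits under it, and whether a binddn is being sent over plain ldap:// with ssl off. The same uri/base/binddn/ssl keys appear in /etc/nslcd.conf, which is the file nslcd (and so getent) reads on CentOS 6; the config strings here are constructed from the posted lines.

```python
# Constructed from the lines the poster showed; not the complete files.
NSSWITCH = """\
passwd: files ldap
group:  files ldap
"""
LDAP_CONF = """\
host dir1.ourdomain.com
base dc=.ourdomain,dc=com
uri ldap://dir1.ourdomain.com
binddn cn=admin,dc=ourdomain,dc=com
ssl no
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group  ou=group,dc=ourdomain,dc=com?one
"""

def nss_sources(text, db):
    """Lookup sources for one nsswitch database, e.g. ['files', 'ldap']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(db + ":"):
            return line.split(":", 1)[1].split()
    return []

def parse_kv(text):
    """Parse the 'key value' format that pam_ldap.conf and nslcd.conf share."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def dn_components(dn):
    dn = dn.split("?", 1)[0]  # nss_base_* values carry a trailing ?scope
    return [tuple(rdn.partition("=")[::2]) for rdn in dn.split(",") if rdn]

def check(nsswitch, ldap_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for db in ("passwd", "group"):
        if "ldap" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch: {db} never consults ldap")
    conf = parse_kv(ldap_conf)
    base = dn_components(conf.get("base", ""))
    for attr, value in base:  # a dc= value is a DNS label: letters, digits, '-'
        if attr.lower() == "dc" and not value.replace("-", "").isalnum():
            findings.append(f"base: malformed component {attr}={value}")
    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        if key in conf and base and dn_components(conf[key])[-len(base):] != base:
            findings.append(f"{key} is not under base {conf['base']}")
    # pam_ldap.conf writes 'ssl no'; nslcd.conf spells the same setting 'ssl off'
    if "binddn" in conf and conf.get("uri", "").startswith("ldap://") and conf.get("ssl", "no") in ("no", "off"):
        findings.append("binddn over plain ldap:// with ssl off: the bind password crosses the network in cleartext")
    return findings
```

On a live host call check() with the contents of /etc/nsswitch.conf and /etc/nslcd.conf; nslcd.conf is readable only by root because it may hold bindpw, so run it as root. An empty result rules out only these specific misconfigurations, not a stopped nslcd or a stale nscd cache.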

Re: [CentOS] LDAP users/groups not showing up with nis, pam, & ldap

2013-02-20 Thread Cliff Pratt
Do you have nscd running? If so, try stopping and starting that.

Cheers,

Cliff

On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes wrote:
> [...]

Re: [CentOS] LDAP users/groups not showing up with nis, pam, & ldap

2013-02-20 Thread Cliff Pratt
Or just stopping it.

On Thu, Feb 21, 2013 at 2:56 PM, Cliff Pratt wrote:
> Do you have nscd running? If so, try stopping and starting that.
>
> Cheers,
>
> Cliff
>
> On Thu, Feb 21, 2013 at 12:50 PM, Wes Modes wrote:
>> [...]

Re: [CentOS] LDAP users/groups not showing up with nis, pam, & ldap

2013-02-21 Thread Craig White

On Feb 20, 2013, at 4:50 PM, Wes Modes wrote:

> [...]

   binddn cn=admin,dc=ourdomain,dc=com
 

Re: [CentOS] LDAP users/groups not showing up with nis, pam, & ldap

2013-03-02 Thread Gordon Messmer
On 02/20/2013 03:50 PM, Wes Modes wrote:
> I am trying to configure NIS, PAM, & LDAP on a CentOS 6.2 host.  I've
> previously installed a similar configuration on RHEL4, but CentOS now
> uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations
> are a little different.

Actually, the recommended stack is sssd.  Remove nss_ldap and 
nss-pam-ldapd, install sssd, and use authconfig to set up the 
configuration files.