CentOS 7 LDAP Authentication – Fix ‘Permission Denied’ Error

active-directorycentos7ldappam-ldap

I'm running a CentOS 7 VirtualBox instance. I am trying to set up LDAP authentication through our company Active Directory server.

Note: The AD server DOES NOT have Unix extensions installed.

Setup:

  • I have nss-pam-ldapd installed
  • The nslcd and nscd services are set to run at startup

  • /etc/nsswitch.conf has been edited to add ldap:

    passwd:     files ldap
group:      files ldap
shadow:     files ldap 
hosts:      files ldap dns myhostname
ethers:     files ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
services:   files ldap sss
aliases:    files ldap nisplus

  • /etc/pam.d/password-auth and /etc/pam.d/system-auth edited to add:

    auth     sufficient    pam_ldap.so use_first_pas
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient    pam_ldap.so use_authok
session  optional      pam_ldap
session  required      pam_mkhomedir.so skel=/etc/skel umask=0077

  • /etc/nslcd.conf edited:

    uid nslcd
gid nslcd

uri ldap://myserver.com/

base dc=myserver,dc=com

binddn CN=My Name,OU=Users,OU=DV,DC=myserver,DC=com

bindpw PASSWORDHERE

# Alternative mappings for Active Directory
pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid           userPrincipalName
map    passwd uidNumber     objectSid:CorrectSID
map    passwd gidNumber     objectSid:CorrectSID
map    passwd homeDirectory "/home/$cn"
map    passwd gecos         displayName
map    passwd loginShell    "/bin/bash"
filter group (objectClass=group)
map    group gidNumber      objectSid:CorrectSID
ssl no

On rebooting the VM, and remoting in with the default user, I can list all the AD users (user@myserver.com), and the groups, using

    $ getent passwd
    and
    $ getent group

However, if I attempt to either login to the GUI or remote in with my AD user:

    $ ssh my.name@myserver.com@linuxboxip
    my.name@myserver.com@linuxboxip's password:
    Permission denied, please try again.

I've been over the related questions on this site, through the debug, and reconfigured fresh from scratch. No luck.

Any thoughts?

Best Answer

OK, I found the problem.

See link

When editing the PAM files: /etc/pam.d/password-auth and /etc/pam.d/system-auth

The edits must be done to the appropriate sections, not just added to the bottom of the file. In particular, the password required pam_deny.so lines MUST be the LAST entry in the section.

I can now log in with LDAP user/password via SSH and the GUI.

Related Topic