Ldap – Configure ldap client to not search local system accounts in ldap server

authenticationldaplocalusers

We've an ldap server and clients configured to authenticate users against it. Everything is working fine apart that I saw in the ldap server logs that says that the clients also contact the ldap server to authenticate users as root, apache etc, how to disable that ?

Thanks

Best Answer

For posterity, finally resolved the problem with Centos clients by adding the parameter nss_initgroups_ignoreusers in /etc/nslcd.conf, not in /etc/pam_ldap.conf nor in /etc/openldap/ldap.conf. Not sure why but that was the only case that worked.

Related Solutions

Linux – can’t figure out why apache LDAP auth fails

A packet trace from the httpd server/LDAP client revealed a message about the CA being unknown.

TLSv1 Alert (Level: Fatal, Description: Unknown CA)

I found and added the following option to my httpd.conf:

  LDAPVerifyServerCert          off

That fixed my issue under CentOS 6. The CentOS 5 httpd servers did not require any modification and had worked all along without the option.

Ldap – Authenticating Apache HTTPd against multiple LDAP servers with expired accounts

The AuthzLDAPAuthoritative off directive will let authentication fall through to the next module only if the user cannot be matched to a DN in the query. Currently even though the user is expired, it seems that their account will still be returned as a result when the LDAP query is performed.

I don't know enough about the ActiveDirectory LDAP schema to give a definite answer here, but if you could add a filter to your AuthLDAPURL directive that filters out expired accounts it should result in the username not matching any DN in the query. This should result in the authentication falling through to the next module.

Best Answer

Related Solutions

Linux – can’t figure out why apache LDAP auth fails

Ldap – Authenticating Apache HTTPd against multiple LDAP servers with expired accounts

Related Topic