I'm trying to set up LDAP on a Gentoo workstation to authenticate against a central server. However, I encountered some issues and I really hope you guys can help me out here 🙂
First off, the LDAP server is running fine because the other machines can connect to it. Second, I followed this guide on Gentoo wiki to set up the client.
Third, I even tried using the ldap/nss/pam config files from the other workstations but still can't login…
What works is the ldapsearch:
ldapsearch -Z '(objectclass=*)'
I used the -Z for TSL (That's what I read it is for) but -x also works.
From what I researched/googled/tried it seems that the error is not with ldap but with nss configuration? Any help would be greatly appreciated 🙂
Here is ldap.conf (slightly redacted)
timelimit 120
bind_timelimit 120
idle_timelimit 3600
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://<sub>.<domain>.edu/
BASE dc=<sub>,dc=<domain>,dc=edu
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser, rtkit,pulse
ssl start_tls
TLS_CHECKPEER no
TLS_CRLCHECK none
TLS_REQCERT never
pam_password md5
Current nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd: files ldap
shadow: files ldap
group: files ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: files sss
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: nisplus [NOTFOUND=return]files
publickey: nisplus
automount: files ldap
aliases: files nisplus
system-auth
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
password sufficeint pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
Let me know if any other configuration files/information would be helpful.
Best Answer
Figured it out, and I hope this will help someone in the future :)
The workstations that can login to ldap were using SSSD to authenticate against the ldap server. After installing and configuring it all I had to do was switch the lines in nsswitch.conf like so:
to:
I hope this will help someone out there :)