Ldap – OpenLDAP client configuration. Can search but cannot login

gentooldapnssopenldappam

I'm trying to set up LDAP on a Gentoo workstation to authenticate against a central server. However, I encountered some issues and I really hope you guys can help me out here 🙂

First off, the LDAP server is running fine because the other machines can connect to it. Second, I followed this guide on Gentoo wiki to set up the client.
Third, I even tried using the ldap/nss/pam config files from the other workstations but still can't login…

What works is the ldapsearch:

ldapsearch -Z '(objectclass=*)'

I used the -Z for TSL (That's what I read it is for) but -x also works.

From what I researched/googled/tried it seems that the error is not with ldap but with nss configuration? Any help would be greatly appreciated 🙂

Here is ldap.conf (slightly redacted)

timelimit 120
bind_timelimit 120
idle_timelimit 3600

TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://<sub>.<domain>.edu/
BASE dc=<sub>,dc=<domain>,dc=edu

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,    rtkit,pulse

ssl start_tls
TLS_CHECKPEER no
TLS_CRLCHECK none
TLS_REQCERT never
pam_password md5

Current nsswitch.conf

# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    files sss
protocols:   files
rpc:         files
ethers:      files
netmasks:    files
netgroup:    files
bootparams:  nisplus [NOTFOUND=return]files
publickey:   nisplus
automount:   files ldap
aliases:     files nisplus

system-auth

auth            sufficient      pam_ldap.so
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        sufficeint      pam_ldap.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so


session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_ldap.so
session         optional        pam_permit.so

Let me know if any other configuration files/information would be helpful.

Best Answer

Figured it out, and I hope this will help someone in the future :)

The workstations that can login to ldap were using SSSD to authenticate against the ldap server. After installing and configuring it all I had to do was switch the lines in nsswitch.conf like so:

passwd:      files ldap
shadow:      files ldap
group:       files ldap

to:

passwd:      files sss
shadow:      files sss
group:       files sss

I hope this will help someone out there :)

Related Solutions

Ubuntu LDAP Make Home Directory

The way we solved this is to add another attribute to LDAP, something like linuxHomeDirectory . Then you can create a mapping in ldap.conf:

nss_map_attribute homeDirectory linuxHomeDirectory

The for each user you set the attribute in LDAP to the path you want for their Linux home dir, such as /home/$username or whatnot.

If you have your home directories served from OS X server, you can mount those with an automounter in the /Volumes/$servername/$path hierarchy on Linux and then you don't need to do any LDAP attribute mangling.

More info: Here's an article how to extend the LDAP schema in OpenDirectory: http://www.afp548.com/article.php?story=20060228230005854

To populate the user attributes you can use the ldapadd and ldapmodify tools.

Ldap – OpenLDAP client configuration headache in FreeBSD

For really good OpenLDAP support under FreeBSD you need:

nss_ldap
pam_ldap - PAM ldap module
pam_mkhomedir - to automatically create users' homedir from skel after first login
sudo - with LDAP support
openssh-portable - with LPK patch (for users ssh keys in LDAP)

add following to /etc/pam.d/sshd

auth    sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
account required   /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
session required   /usr/local/lib/pam_mkhomedir.so debug mode=0755 skel=/usr/local/share/skel

to /etc/pam.d/system add

auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
account         required        /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
session         required        /usr/local/lib/pam_mkhomedir.so  debug umask=0077 skel=/usr/local/share/skel
password        sufficient      /usr/local/lib/pam_ldap.so      use_authok

replace group passwd and sudoers in /etc/nsswitch.conf by following:

group: files cache ldap
passwd: files cache ldap
sudoers: files cache ldap

You also need to modify

/usr/local/etc/nss_ldap.conf
/usr/local/etc/ldap.conf
/usr/local/etc/ssh/sshd_config (For LDAP keys support)
/etc/nscd.conf (For caching)

Best Answer

Related Solutions

Ubuntu LDAP Make Home Directory

Ldap – OpenLDAP client configuration headache in FreeBSD

Related Topic