Linux – authenticate to ldap in centos

Tags: active-directory, authentication, centos, ldap, linux

I'm trying to set CentOS to authenticate to a Server 2003 AD. I run authconfig-gtk and select LDAP for "User Information" and "Authentication" and configure it as follows:

base dn: dc=test,dc=com

ldap server: 192.168.0.1 and no TLS encryption (need to get it running first)

on the options page

Cache user information, use shadow passwords, password hashing algorithm md5, local authorization is sufficient for local users, create home directories on the first login

But it won't let me ssh into the box with an AD account. Even when I log onto a local account there is a HUGE delay, 1-5 mins.

I keep getting these errors in /var/log/secure but googling them doesn't help.

nss_ldap: Reconnecting to LDAP server (sleeping 4 seconds)

nss_ldap: Reconnecting to LDAP server (sleeping 8 seconds)

I have installed SFU3.5 on the AD and filled out the unix tab for the testing users.

Best Answer

Before beginning, make sure you tail both /var/log/secure AND /var/log/messages; secure will give you errors from pam, but messages will give you errors from ssh (i.e., errors from querying LDAP):

tail -f -n0 /var/log/{messages,secure}

So, we have the same setup at work (using AD Server 2003). Since it sounds like you already have pam hitting LDAP (because it's failing when you try to log in), let's check some values in /etc/ldap.conf.

First off, set the bind_policy from hard to soft; hard will try connecting repeatedly, exponentially increasing the sleep time between attempts (these are the errors you saw in /var/log/secure). Setting it to soft will get rid of your delays when using a local account.

bind_policy soft

Next, verify that you're using the correct settings for connecting (ssl, tls, etc.); you can use ldapsearch to test with a bit more verbosity as well. Unfortunately, without more debugging output (what server is set up, what error messages are being returned from the LDAP query, config files), I'm afraid nobody will be able to help much.

Hope this helps you get on the right track!

Andrew
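As an added illustration of the two checks in the answer above (not part of the original post or of nss_ldap), the POSIX shell functions below sum the reconnect back-off from "nss_ldap: Reconnecting to LDAP server (sleeping N seconds)" lines in /var/log/secure, read the effective bind_policy from an /etc/ldap.conf fragment (nss_ldap treats a missing line as hard), and rewrite it to soft. The log lines and the ldap.conf fragment are constructed samples, not real captures.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines matching the symptom in the question.
SAMPLE_SECURE='Jan 10 10:00:01 host sshd[1234]: nss_ldap: Reconnecting to LDAP server (sleeping 4 seconds)
Jan 10 10:00:05 host sshd[1234]: nss_ldap: Reconnecting to LDAP server (sleeping 8 seconds)
Jan 10 10:00:13 host sshd[1234]: nss_ldap: Reconnecting to LDAP server (sleeping 16 seconds)
Jan 10 10:00:30 host sshd[1234]: Accepted password for localuser from 192.168.0.50 port 40000 ssh2'

# Total seconds nss_ldap spent sleeping between reconnect attempts: this is the
# login delay a hard bind_policy adds when the LDAP server is unreachable.
ldap_backoff_seconds() {
    printf '%s\n' "$1" | awk '
        /nss_ldap: Reconnecting to LDAP server \(sleeping [0-9]+ seconds\)/ {
            for (i = 1; i <= NF; i++) if ($i == "(sleeping") total += $(i + 1)
        }
        END { print total + 0 }'
}

# Constructed /etc/ldap.conf fragment using the values from the question.
SAMPLE_LDAP_CONF='base dc=test,dc=com
uri ldap://192.168.0.1/
bind_policy hard
nss_base_passwd dc=test,dc=com?sub'

# Effective bind_policy; nss_ldap defaults to hard when the directive is absent.
effective_bind_policy() {
    printf '%s\n' "$1" | awk '
        $1 == "bind_policy" { policy = $2 }
        END { if (policy == "") policy = "hard"; print policy }'
}

# Emit the config with bind_policy forced to soft, appending the line if missing.
set_bind_policy_soft() {
    printf '%s\n' "$1" | awk '
        $1 == "bind_policy" { $2 = "soft"; seen = 1 }
        { print }
        END { if (!seen) print "bind_policy soft" }'
}

echo "back-off in sample log: $(ldap_backoff_seconds "$SAMPLE_SECURE") s"
echo "current bind_policy:    $(effective_bind_policy "$SAMPLE_LDAP_CONF")"
echo "after fix:              $(effective_bind_policy "$(set_bind_policy_soft "$SAMPLE_LDAP_CONF")")"
```

To run the same checks against a real box, replace the constructed strings with `"$(cat /var/log/secure)"` and `"$(cat /etc/ldap.conf)"`.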