LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.
Old 05-16-2011, 02:40 PM   #1
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

login via ldap not working in FC15


Have LDAP server running on FC14. Works OK for local logins, etc.

Installed FC15 (beta) and cannot login using LDAP.

ldapsearch works from the new machine and returns exactly what is expected, so we are getting through to the LDAP database. Login to any user in LDAP does not work, 'id' command says 'No such user', 'su' to any user says user does not exist, and NFS mount shows 'nobody' as owner & group.

ldap.conf file is here (used from several places via symlinks):

#
# LDAP.CONF file used by LDAP Clients. This exists in these places:
# /etc/openldap/ldap.conf <--- used by the OpenLDAP utilities
# /etc/ldap.conf <--- used by everyone else
# /etc/nss_ldap.conf <--- showed up in Fedora 14
# /etc/pam_ldap.conf <--- ditto
#

# Client closes connection if idle for N seconds
idle_timelimit 15

# /etc/hosts was setup by earlier script to define standard host-names
uri ldap://spcldapprivate/
base dc=screenpc,dc=com

tls_cacertdir /etc/openldap/cacerts
pam_password md5

# Next line is to solve a hang at reboot
# NSS (or someone) is trying to access LDAP before slapd has been started
# See https://bugzilla.redhat.com/show_bug.cgi?id=186527 for details

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

/etc/nsswitch.conf file is:

# NSSWITCH.CONF file for Screen PC installations
#
# The aaaINSTALL_...LDAP_SETUP script will insert a SYMLINK to this
# file in /etc/nsswitch.conf
#
# Once created, then LDAP will be used for authentication of logins.
#
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap

netgroup: files ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus

/etc/pam.d/password-auth file is:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

/etc/pam.d/system-auth is the same as password-auth


Must be missing some piece of configuration on the new client machine -- but what????

Thanks for any assistance.
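A small audit script for the nsswitch.conf posted above, added here as an example and not part of the thread or of any Fedora tooling. It parses the file, strips the `[STATUS=action]` clauses, and reports which databases name an NSS source for which no `libnss_<name>.so.2` is present; glibc skips an unloadable module without logging anything, which is why a missing nss_ldap shows up only as "No such user". The set of installed modules is passed in explicitly, so the check can run against a constructed set (as in the sample below) or against a real client via `find_installed_modules`. The list of early-boot databases is this script's own assumption.

```python
"""Audit an nsswitch.conf: which NSS sources each database uses, and which
of those sources have no NSS module installed on this client.

Added example, not code from the thread. NSSWITCH_SAMPLE is the content
the original poster published, reproduced inline so the script runs offline.
"""
import glob
import os
import re

# Copied from the posted /etc/nsswitch.conf (comments trimmed).
NSSWITCH_SAMPLE = """\
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
"""

_ACTION_RE = re.compile(r"\[[^\]]*\]")  # [STATUS=action ...] clauses


def parse_nsswitch(text):
    """Return {database: [source, ...]}, ignoring comments and action clauses."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        result[db.strip()] = _ACTION_RE.sub(" ", rest).split()
    return result


def find_installed_modules(libdirs=("/lib", "/lib64", "/usr/lib", "/usr/lib64")):
    """Names X for which libnss_X.so.2 exists in the given directories."""
    found = set()
    for d in libdirs:
        for path in glob.glob(os.path.join(d, "libnss_*.so.2")):
            found.add(os.path.basename(path)[len("libnss_"):-len(".so.2")])
    return found


def missing_sources(nss, installed):
    """Map database -> sources listed in nsswitch.conf that have no NSS module.

    glibc treats a module it cannot load as 'unavailable' and moves on to the
    next source, silently; lookups then fail with "No such user".
    """
    problems = {}
    for db, sources in nss.items():
        absent = [s for s in sources if s not in installed]
        if absent:
            problems[db] = absent
    return problems


def boot_critical_ldap_databases(nss):
    """Databases typically consulted before networking is up that route to ldap.

    A client that cannot reach the LDAP server blocks on each of these
    (the 'group: files ldap' hang described later in the thread).
    """
    early = ("passwd", "group", "shadow", "netgroup")  # assumption: typical early-boot lookups
    return [db for db in early if "ldap" in nss.get(db, [])]


if __name__ == "__main__":
    nss = parse_nsswitch(NSSWITCH_SAMPLE)
    # Constructed: only files/dns/nisplus modules present, i.e. the state of
    # the FC15 beta client before nss_ldap was installed.
    installed = {"files", "dns", "nisplus"}
    for db, absent in missing_sources(nss, installed).items():
        print(f"{db}: no NSS module for {', '.join(absent)}")
    print("boot-critical databases routed to ldap:", boot_critical_ldap_databases(nss))
```

Running it with `find_installed_modules()` in place of the constructed set turns it into a quick pre-flight check for a new client: any database that names `ldap` while `libnss_ldap.so.2` is absent is the first thing to fix before looking at PAM.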
 
Old 05-16-2011, 08:59 PM   #2
John VV
Guru
 
Registered: Aug 2005
Posts: 13,060

did the bug report help ?

if not post a new bug report at bugzilla

so that rc2 can get a fix

this is what BUG TESTING a rc1 is for

reporting the bugs and the fixes.
 
Old 05-17-2011, 06:42 AM   #3
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

Original Poster
Understand. Am initially going under the assumption that it is not a bug but some screwup in setting up the config on the client, but so far cannot find anything.

On the LDAP server we're tracing all inquiries, so we can see any access in the log (ldapsearch shows up as expected). When a login to the client occurs, there is nothing in the server log. Also nothing in either dmesg or /var/log/messages on the client side. At this point it does seem that the nsswitch.conf and various pam.d config files are not directing the authentication process to ldap at all.

Is there any sort of "debug trace" flag that you can turn on to log all of the steps of a login?
 
Old 05-17-2011, 07:06 AM   #4
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

Original Poster
May have found it -- install scripts did not install the pam_ldap and nss_ldap libraries.

nss_ldap will not install on FC15 because of a dependency -- will enter bug report.

Question: Why no log messages anywhere if PAM config said to use LDAP but these libraries were not installed?
 
Old 05-27-2011, 07:55 AM   #5
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

Original Poster
Similar problem after installing released version of FC15. nss_ldap and pam_ldap libraries are installed correctly.

Complete hang on boot. Server will not even respond to a 'ping'.

If /etc/nsswitch.conf, /etc/pam.d/system_auth, /etc/pam.d/password_auth, /etc/nss_ldap.conf, and /etc/pam_ldap.conf are all switched back to default values (not using LDAP) then the system boots as expected.

Current suspicion is that the order of startup of system services during boot is leading to the hang. Will be investigated next.

Has anyone else seen similar problems with FC15 using LDAP for authentication? This seems like a pretty common configuration.
 
Old 05-27-2011, 02:33 PM   #6
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

Original Poster
This is nuts! If nsswitch.conf is the original (not using LDAP), the system boots fine. If nsswitch.conf uses LDAP, it hangs during boot. Ctrl-alt-F2 gets a command prompt, but cannot login as root.

We're about to abandon Fedora completely!
 
Old 05-30-2011, 06:41 PM   #7
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

Original Poster
OK, complete re-install and setup from the install DVD.

Get to exactly the same point as before -- if nsswitch.conf is set up as above, the system will hang on boot.
 
Old 08-24-2011, 11:54 AM   #8
jcrowley
LQ Newbie
 
Registered: Mar 2006
Posts: 17

Original Poster
Found that there is something missing for groups.

If nsswitch.conf has the line:

group: file ldap

then the boot hangs -- for probably 30+ minutes, then finally clears.

If this is changed to drop the 'ldap':

group: file

then the boot is normal.

Tried to find out what 'group' was missing from the files, but no luck.
 
Old 08-24-2011, 01:37 PM   #9
scottro11
Member
 
Registered: Jun 2009
Location: NYC
Posts: 257

This might be the result of a rather old bug that was never fixed, to my knowledge. In many cases, that hang can be fixed by changing /etc/nss_ldap.conf's entry of bind_policy from hard to soft.
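The bind_policy point above is worth checking mechanically, because the original poster's ldap.conf never sets it and nss_ldap then falls back to its default of hard. The script below is an added example, not code from the thread or from nss_ldap: it parses the ldap.conf posted in the first message (embedded inline so it runs offline), reports the effective bind policy and a few related settings that decide how a client behaves when the server is unreachable at boot, and produces a copy with `bind_policy soft` and an explicit `bind_timelimit`. The 5-second timelimit and the list of accounts expected in nss_initgroups_ignoreusers are this script's own assumptions; the "hard is the default" behaviour and the `ssl` directive come from the nss_ldap/pam_ldap manuals.

```python
"""Audit an nss_ldap/pam_ldap ldap.conf for the settings that decide what
happens when the LDAP server cannot be reached.

Added example, not from the thread. LDAP_CONF_SAMPLE is the configuration
the original poster published, with comments trimmed.
"""

LDAP_CONF_SAMPLE = """\
idle_timelimit 15
uri ldap://spcldapprivate/
base dc=screenpc,dc=com
tls_cacertdir /etc/openldap/cacerts
pam_password md5
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
"""


def parse_ldap_conf(text):
    """Return {directive: value}; directives are case-insensitive, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_bind_policy(settings):
    """nss_ldap defaults bind_policy to 'hard' when it is not set."""
    return settings.get("bind_policy", "hard").lower()


def audit(settings, required_ignoreusers=("root",)):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    if effective_bind_policy(settings) == "hard":
        findings.append("bind_policy is hard (the default): every NSS lookup retries the "
                        "bind until it succeeds, so a boot-time group lookup made before "
                        "the network or slapd is up blocks")
    if "bind_timelimit" not in settings:
        findings.append("bind_timelimit not set: no explicit cap on each connect attempt")
    ignore = {u.strip() for u in settings.get("nss_initgroups_ignoreusers", "").split(",")
              if u.strip()}
    for user in required_ignoreusers:  # assumption: which accounts must never hit LDAP
        if user not in ignore:
            findings.append(f"nss_initgroups_ignoreusers does not list {user}: its group "
                            f"membership will be looked up in LDAP during early boot")
    if not settings.get("uri", "").startswith("ldaps://") and "ssl" not in settings:
        findings.append("uri is plain ldap:// and no 'ssl' directive is set: tls_cacertdir "
                        "alone does not enable TLS, so binds (including pam_ldap password "
                        "checks) cross the wire unencrypted")
    return findings


def harden(text, bind_timelimit=5):
    """Return a copy of the config with bind_policy soft and an explicit bind_timelimit.

    The 5-second default is an assumption for illustration, not a recommendation
    from the thread.
    """
    keep = []
    for raw in text.splitlines():
        directive = raw.split("#", 1)[0].strip().split(None, 1)[0].lower() \
            if raw.split("#", 1)[0].strip() else ""
        if directive not in ("bind_policy", "bind_timelimit"):
            keep.append(raw)
    keep.append("bind_policy soft")
    keep.append(f"bind_timelimit {bind_timelimit}")
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    before = parse_ldap_conf(LDAP_CONF_SAMPLE)
    print("effective bind_policy:", effective_bind_policy(before))
    for finding in audit(before):
        print(" -", finding)
    print("--- hardened ---")
    print(harden(LDAP_CONF_SAMPLE))
```

Because the posted ldap.conf is symlinked into /etc/nss_ldap.conf and /etc/pam_ldap.conf, changing bind_policy in that one file affects both NSS lookups and PAM authentication; with soft, a lookup against an unreachable server fails quickly and falls through to the next nsswitch source instead of holding up boot.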
 
Old 12-05-2011, 07:28 PM   #10
linux4guru
LQ Newbie
 
Registered: Dec 2011
Posts: 2

Had similar issue here with fc15 - I got ldap to authenticate but I can seem to login with an ldap user account to GDM.

If I login as root user and then su - ldap user, this works.
 
Old 12-06-2011, 12:42 AM   #11
linux4guru
LQ Newbie
 
Registered: Dec 2011
Posts: 2

Just in case - I got my FC15 client working...

Do this... assuming you have the openldap-clients installed already.

1. yum install nss-pam-ldapd
2. vi /etc/sysconfig/authconfig file and change the "no" to "yes" on FORCELEGACY
3. run authconfig-tui and then...
4. uncheck kerberos and only select the LDAP authentication on the right side of the screen...
5. I also assume you already configured your LDAP server by using the system-config-authentication

Good luck...!
 