Old 05-16-2011, 02:40 PM   #1
LQ Newbie
Registered: Mar 2006
Posts: 17

Rep: Reputation: 0
login via ldap not working in FC15

Have LDAP server running on FC14. Works OK for local logins, etc.

Installed FC15 (beta) and cannot login using LDAP.

ldapsearch works from the new machine and returns exactly what is expected, so we are getting through to the LDAP database. Login to any user in LDAP does not work, 'id' command says 'No such user', 'su' to any user says user does not exist, and NFS mount shows 'nobody' as owner & group.

ldap.conf file is here (used from several places via symlinks):

# LDAP.CONF file used by LDAP Clients. This exists in these places:
# /etc/openldap/ldap.conf <--- used by the OpenLDAP utilities
# /etc/ldap.conf <--- used by everyone else
# /etc/nss_ldap.conf <--- showed up in Fedora 14
# /etc/pam_ldap.conf <--- ditto

# Client closes connection if idle for N seconds
idle_timelimit 15

# /etc/hosts was setup by earlier script to define standard host-names
uri ldap://spcldapprivate/
base dc=screenpc,dc=com

tls_cacertdir /etc/openldap/cacerts
pam_password md5

# Next line is to solve a hang at reboot
# NSS (or someone) is trying to access LDAP before slapd has been started
# See for details

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

/etc/nsswitch.conf file is:

# NSSWITCH.CONF file for Screen PC installations
# The aaaINSTALL_...LDAP_SETUP script will insert a SYMLINK to this
# file in /etc/nsswitch.conf
# Once created, then LDAP will be used for authentication of logins.
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap

netgroup: files ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus

/etc/pam.d/password-auth file is:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth required

account required broken_shadow
account sufficient
account sufficient uid < 500 quiet
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional

/etc/pam.d/system-auth is the same as password-auth

Must be missing some piece of configuration on the new client machine -- but what????

Thanks for any assistance.
Old 05-16-2011, 08:59 PM   #2
John VV
LQ Muse
Registered: Aug 2005
Posts: 15,298

Rep: Reputation: Disabled
did the bug report help ?

if not post a new bug report at bugzilla

so that rc2 can get a fix

this is what BUG TESTING a rc1 is for

reporting the bugs and the fixes.
Old 05-17-2011, 06:42 AM   #3
LQ Newbie
Registered: Mar 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Understand. Am initially going under the assumption that it is not a bug but some screwup in setting up the config on the client, but so far cannot find anything.

On the LDAP server we're tracing all inquiries, so we can see any access in the log (ldapsearch shows up as expected). When a login to the client occurs, there is nothing in the server log. Also nothing in either dmesg or /var/log/messages on the client side. At this point it does seem that the nsswitch.conf and various pam.d config files are not directing the authentication process to ldap at all.

Is there any sort of "debug trace" flag that you can turn on to log all of the steps of a login?
Old 05-17-2011, 07:06 AM   #4
LQ Newbie
Registered: Mar 2006
Posts: 17

Original Poster
Rep: Reputation: 0
May have found it -- install scripts did not install the pam_ldap and nss_ldap libraries.

nss_ldap will not install on FC15 because of a dependency -- will enter bug report.

Question: Why no log messages anywhere if PAM config said to use LDAP but these libraries were not installed?
Old 05-27-2011, 07:55 AM   #5
LQ Newbie
Registered: Mar 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Similar problem after installing released version of FC15. nss_ldap and pam_ldap libraries are installed correctly.

Complete hang on boot. Server will not even respond to a 'ping'.

If /etc/nsswitch.conf, /etc/pam.d/system-auth, /etc/pam.d/password-auth, /etc/nss_ldap.conf, and /etc/pam_ldap.conf are all switched back to default values (not using LDAP) then the system boots as expected.

Current suspicion is that the order of startup of system services during boot is leading to hang. Will be investigated next.

Has anyone else seen similar problems w FC15 using LDAP for authentication? This seems like a pretty common configuration.
Old 05-27-2011, 02:33 PM   #6
LQ Newbie
Registered: Mar 2006
Posts: 17

Original Poster
Rep: Reputation: 0
This is nuts! If nsswitch.conf is the original (not using LDAP), the system boots fine. If nsswitch.conf uses LDAP, it hangs during boot. Ctrl-alt-F2 gets a command prompt, but cannot login as root.

We're about to abandon Fedora completely!
Old 05-30-2011, 06:41 PM   #7
LQ Newbie
Registered: Mar 2006
Posts: 17

Original Poster
Rep: Reputation: 0
OK, complete re-install and setup from the install DVD.

Get to exactly the same point as before -- if nsswitch.conf is setup as above, the system will hang on boot.
Old 08-24-2011, 11:54 AM   #8
LQ Newbie
Registered: Mar 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Found that there is something missing for groups.

If nsswitch.conf has the line:

group: files ldap

then the boot hangs -- for probably 30+ minutes, then finally clears.

If this is changed to drop the 'ldap':

group: files

then the boot is normal.

Tried to find out what 'group' was missing from the files, but no luck.
Old 08-24-2011, 01:37 PM   #9
Registered: Jun 2009
Location: NYC
Posts: 259

Rep: Reputation: 58
This might be the result of a rather old bug that was never fixed, to my knowledge. In many cases, that hang can be fixed by changing /etc/nss_ldap.conf's entry of bind_policy from hard to soft.
Old 12-05-2011, 07:28 PM   #10
LQ Newbie
Registered: Dec 2011
Posts: 2

Rep: Reputation: Disabled
Had similar issue here with fc15 - I got ldap to authenticate but I can't seem to log in with an ldap user account to GDM.

If I login as root user and then su - ldap user, this works.
Old 12-06-2011, 12:42 AM   #11
LQ Newbie
Registered: Dec 2011
Posts: 2

Rep: Reputation: Disabled
Just in case - I got my FC15 client working...

Do this... assuming you have the openldap-clients installed already.

1. yum install nss-pam-ldapd
2. vi /etc/sysconfig/authconfig file and change the "no" to "yes" on FORCELEGACY
3. run authconfig-tui and then...
4. uncheck kerberos and only select the LDAP authentication on the right side of the screen...
5. I also assume you already configured your LDAP server by using the system-config-authentication

Good luck...!
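As an added example (not from the thread or any of the posters), the POSIX shell script below turns the three client-side failure modes discussed in this thread into checks that can be run without rebooting: LDAP modules that were never installed (post #4, which is why nothing reached the server log), an 'ldap' source for group lookups that stalls boot (post #8), and bind_policy hard in /etc/nss_ldap.conf (post #9). The library directories and the module file names libnss_ldap.so.2 and pam_ldap.so are assumptions about a default Fedora layout; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the three client-side failures
# discussed above: LDAP modules never installed (post #4, so nothing is logged),
# an 'ldap' source in nsswitch.conf that stalls boot (post #8), and
# bind_policy hard in /etc/nss_ldap.conf (post #9). Sample configs are constructed.

# Sources configured for one nsswitch database, e.g. "files ldap".
nss_sources() {              # $1 = nsswitch.conf path, $2 = database name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds when the database consults ldap.
nss_uses_ldap() {
    case " $(nss_sources "$1" "$2") " in *" ldap "*) return 0 ;; esac
    return 1
}

# bind_policy from nss_ldap.conf; the module default is hard (retry forever).
ldap_bind_policy() {         # $1 = nss_ldap.conf path
    v=$(sed -n 's/^[[:space:]]*bind_policy[[:space:]]\{1,\}//p' "$1" | head -n 1)
    printf '%s\n' "${v:-hard}"
}

# Number of LDAP NSS/PAM modules found; 0 means the configs reference modules
# that can never load, which is why the server log stays empty.
ldap_modules_present() {     # $@ = library directories to search (assumed layout)
    n=0
    for d in "$@"; do
        for m in libnss_ldap.so.2 security/pam_ldap.so; do
            [ -e "$d/$m" ] && n=$((n + 1))
        done
    done
    echo "$n"
}

# Group lookup with a deadline: "hang" reproduces the boot stall from post #8
# without rebooting. Needs coreutils timeout (exit 124 on expiry).
probe_group_lookup() {       # $1 = group name, $2 = seconds
    rc=0; timeout "$2" getent group "$1" >/dev/null 2>&1 || rc=$?
    case $rc in 0) echo ok ;; 124) echo hang ;; *) echo missing ;; esac
}

# Constructed sample configs mirroring the thread, written to a temp dir.
DEMO=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap\nhosts: files dns\n' > "$DEMO/nsswitch.conf"
printf 'uri ldap://spcldapprivate/\nbase dc=screenpc,dc=com\n' > "$DEMO/nss_ldap.conf"

if nss_uses_ldap "$DEMO/nsswitch.conf" group; then
    echo "group lookups go to LDAP; bind_policy=$(ldap_bind_policy "$DEMO/nss_ldap.conf")"
fi
echo "LDAP modules found on this host: $(ldap_modules_present /lib64 /lib /usr/lib64 /usr/lib)"
```

Point the functions at the real /etc/nsswitch.conf and /etc/nss_ldap.conf on a client that hangs; a bind_policy of hard combined with "group: files ldap" is the combination post #9 says to change.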
