How to configure client machine to connect to LDAP server

decenter · 11-26-2012, 02:45 AM

Hi,

So I have configured LDAP server. Now, I'm using a Cent OS 6.3 box, that needs to be authenticated via LDAP. I have followed all the documents and modified ldap.conf and nssswitch.conf and made the client machine to look for LDAP server when a person logs in to the machine. But it is not working.

It says authentication error. But I tried via ssh and I can login to the LDAP server. But I need to login to the client's desktop via LDAP authentication.

How can I achieve this?

acid_kewpie · 11-26-2012, 03:10 AM

You need to give us more information about this. what do the server logs say? can you do a "getent passwd"? That's usually a great point to demarc things. You need to appreciate some of the stages involved in the end to end process, there's about 5 keys stages to be achieved between having nothing and having the full working solution.

decenter · 11-26-2012, 03:26 AM

Sure. Here is the getent passwd output of LDAP server.

Code:

[root@LDAPserver ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
touchze:x:500:500:touchze:/home/touchze:/bin/bash
amandabackup:x:501:6:Amanda:/var/lib/amanda:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
ldapuser:x:502:100::/home/ldapuser:/bin/bash
jane:*:55891:0:jane:/home/jane:/bin/bash
jimi:*:34761:0:jimi:/home/jimi:/bin/bash

Server logs doesn't say anything. I think the client machine doesn't even trying to contact LDAP server for authentication when in the desktop login prompt.

acid_kewpie · 11-26-2012, 03:36 AM

right, so it looks like the nsswitch.conf stuff is good, those ARE actually LDAP users at the bottom, right? so youre /etc/pam.d/system-auth (something like that) is configured with pam? If you run "tcpdump -vn port 389 or port 636" you shouold see the ldap requests firing across, so see if that happens or not.

decenter · 11-26-2012, 03:44 AM

Yes, they are the LDAP users at the bottom. The client machine's /etc/pam.d/system-auth file content:

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

I run even authconfig-tui and configured properly. After configuring it says, starting sssd and oddjobdaemon.