
Rowley 07-04-2008 11:22 AM

NSCD and LDAP
 
Hi

I'm having a tough time trying to find an explanation for the following behaviour, maybe someone here can point me in the right direction.

I have configured a system (centos5 2.6.18-53.el5 x64) to authenticate against AD using Kerberos and use LDAP for user/group info. If NSCD is running, I can log in as any user in my LDAP tree; if it isn't, I can't.

My /etc/ldap.conf:

host 192.168.201.62
base dc=PCITest2,dc=com
uri ldap://192.168.201.62/
uri ldaps://pcitestdc2.pcitest2.com/

binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
bindpw SomePass
scope sub

timelimit 30
bind_timelimit 30
idle_timelimit 3600
referrals no

nss_base_passwd ou=Staff,dc=PCITest2,dc=com?sub
nss_base_shadow ou=Staff,dc=PCITest2,dc=com?sub
nss_base_group ou=Staff,dc=PCITest2,dc=com?sub

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
pam_groupdn ou=Staff,dc=PCITest2,dc=com?sub

ssl yes
tls_certdir /etc/openldap/cacerts



It's very likely I've misconfigured and/or misunderstood something, but I would so love to understand! Man pages and Google haven't really come up with anything... help would be much appreciated.

marozsas 07-04-2008 01:18 PM

The program nscd is just a cache daemon to speed up queries/searches for user names, host lookups, etc.
Maybe without this cache the authentication program times out and the login is denied.

Take a look at /etc/nsswitch.conf.
This configuration file tells the resolver the order in which to search the several sources.
Try to put ldap as the first source in the passwd entry (I assume ldap is already there, just put it as the first entry).

Now, if you can log in without nscd, then it is because ldap was answering first and no timeouts are occurring.

...but I am just guessing :)

Rowley 07-07-2008 03:50 AM

Thanks for replying. I realise what NSCD is used for, the problem I'm having is that I can't figure out why it has to be running to perform certain functions.

For example, without it running I *can* log in using kerberos and ldap but I cannot su to another user, I get:

Jul 7 08:37:21 localhost su: pam_unix(su-l:session): session opened for user paul.mccartney by john.lennon(uid=10003)
Jul 7 08:37:22 localhost su: pam_keyinit(su-l:session): Unable to change UID back to 0
Jul 7 08:37:22 localhost su: pam_unix(su-l:session): session closed for user john.lennon


If NSCD is running, I can su...I am having trouble spotting config errors.
There is probably something wrong with my PAM config:

auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass use_shmem=sshd
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so retry=3
password sufficient pam_krb5.so use_authtok
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so external use_shmem=sshd


...

...

:-(

marozsas 07-07-2008 07:01 AM

I don't think it is a PAM-related issue.
I already had a similar problem a long time ago and it was related to the authentication timeout. At that time I solved it using nscd; the time to get a valid answer was smaller and then the authentication completed on time.

Did you try to put ldap at the front of the list in /etc/nsswitch.conf, just to test?

Rowley 07-08-2008 03:30 AM

Quote:

Originally Posted by marozsas (Post 3206464)
Did you try to put ldap at the front of the list in /etc/nsswitch.conf, just to test?

Yep, sorry. Should have mentioned that I tried that yesterday. From /var/log/secure:

Jul 8 08:08:32 localhost su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session opened for user root by paul.mccartney(uid=10001)
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session closed for user root


Nothing else of consequence is logged in messages. What could be timing out? LDAP queries? Whether I query files first and ldap afterwards or vice versa, it makes no difference. In the log excerpt above, I'm trying to su to root. Authentication is successful, as if I try to su - and type a wrong password I get:

Jul 8 08:26:12 localhost su: pam_unix(su-l:auth): authentication failure; logname=paul.mccartney uid=10001 euid=0 tty=pts/3 ruser=paul.mccartney rhost= user=root


Thanks for the suggestions though...
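The su lines quoted in this post and in the earlier one (pam_unix session opened, a pam_keyinit complaint, session closed a second later) are exactly the kind of thing worth pulling out of /var/log/secure automatically when chasing a problem like this. The following is an added example, not code from the thread: a small Python parser for those su/PAM syslog lines that pairs each "session opened" with the next "session closed", records what other PAM modules said in between, and flags sessions that collapse within a couple of seconds, close for a different user than they opened for, or carry a module error. The sample log is constructed from the lines quoted above; the year is an assumption, since syslog timestamps carry none.

```python
"""Parse su/PAM lines from /var/log/secure and flag su sessions that collapse
immediately, the symptom discussed in this thread. Added example, not from the thread."""
import re
from datetime import datetime
from typing import List

# Assumption: syslog stamps have no year; a fixed year is used only so that
# open/close deltas can be computed (sessions spanning New Year are not handled).
ASSUMED_YEAR = 2008

# Constructed sample: the su lines quoted in this thread, joined into one log.
SAMPLE_LOG = """\
Jul 7 08:37:21 localhost su: pam_unix(su-l:session): session opened for user paul.mccartney by john.lennon(uid=10003)
Jul 7 08:37:22 localhost su: pam_keyinit(su-l:session): Unable to change UID back to 0
Jul 7 08:37:22 localhost su: pam_unix(su-l:session): session closed for user john.lennon
Jul 8 08:08:32 localhost su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session opened for user root by paul.mccartney(uid=10001)
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session closed for user root
Jul 8 08:26:12 localhost su: pam_unix(su-l:auth): authentication failure; logname=paul.mccartney uid=10001 euid=0 tty=pts/3 ruser=paul.mccartney rhost= user=root
"""

# "Mon DD HH:MM:SS host su: pam_module(service:type): message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
OPEN_RE = re.compile(r"session opened for user (?P<target>\S+) by (?P<by>[^(]+)\(uid=(?P<uid>\d+)\)")
CLOSE_RE = re.compile(r"session closed for user (?P<target>\S+)")
AUTHFAIL_RE = re.compile(
    r"authentication failure;.*\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*) user=(?P<target>\S+)"
)
# Words that mark a PAM module message as a complaint rather than chatter.
ERROR_WORDS = ("unable", "failed", "error", "denied")


def parse_events(log_text: str) -> List[dict]:
    """Turn raw su/PAM syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        stamp = " ".join(ev["ts"].split())  # syslog pads single-digit days with two spaces
        ev["time"] = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append(ev)
    return events


def find_su_sessions(log_text: str, max_seconds: int = 2) -> List[dict]:
    """Pair each pam_unix 'session opened' with the next 'session closed' and flag
    sessions that look like the failure in this thread."""
    events = parse_events(log_text)
    sessions = []
    i = 0
    while i < len(events):
        ev = events[i]
        is_unix_session = ev["module"] == "pam_unix" and ev["type"] == "session"
        opened = OPEN_RE.search(ev["msg"]) if is_unix_session else None
        if not opened:
            i += 1
            continue
        session = {
            "opened": ev["ts"], "target": opened["target"], "by": opened["by"],
            "uid": int(opened["uid"]), "closed_for": None, "duration_s": None,
            "module_messages": [], "flags": [],
        }
        j = i + 1
        while j < len(events):
            nxt = events[j]
            if nxt["module"] == "pam_unix":
                if OPEN_RE.search(nxt["msg"]):
                    break  # another su opened before this one closed; stop pairing here
                closed = CLOSE_RE.search(nxt["msg"])
                if closed:
                    session["closed_for"] = closed["target"]
                    session["duration_s"] = int((nxt["time"] - ev["time"]).total_seconds())
                    break
            else:
                # Anything other PAM modules say between open and close is evidence.
                session["module_messages"].append(f'{nxt["module"]}: {nxt["msg"]}')
            j += 1
        if session["duration_s"] is not None and session["duration_s"] <= max_seconds:
            session["flags"].append("short_session")
        if session["closed_for"] not in (None, session["target"]):
            session["flags"].append("closed_for_other_user")
        if any(w in m.lower() for m in session["module_messages"] for w in ERROR_WORDS):
            session["flags"].append("pam_module_error")
        sessions.append(session)
        i = j + 1 if session["closed_for"] is not None else j
    return sessions


def find_auth_failures(log_text: str) -> List[dict]:
    """Collect pam_unix authentication failures (the '(su-l:auth)' lines)."""
    failures = []
    for ev in parse_events(log_text):
        if ev["type"] != "auth":
            continue
        m = AUTHFAIL_RE.search(ev["msg"])
        if m:
            failures.append({"time": ev["ts"], "by": m["ruser"], "target": m["target"], "rhost": m["rhost"]})
    return failures


if __name__ == "__main__":
    for s in find_su_sessions(SAMPLE_LOG):
        print(f'{s["opened"]} su {s["by"]}->{s["target"]} closed_for={s["closed_for"]} '
              f'{s["duration_s"]}s flags={s["flags"]} messages={s["module_messages"]}')
    for f in find_auth_failures(SAMPLE_LOG):
        print(f'{f["time"]} auth failure {f["by"]}->{f["target"]}')
```

Run against a real /var/log/secure the script reads the file in place of SAMPLE_LOG; the interesting output is a session flagged closed_for_other_user together with a pam_keyinit message, which is the first excerpt in this thread, versus one flagged only short_session with no module message, which is the second. The difference tells you whether a PAM module complained or the session simply ended, and in the second case the next thing to check is the NSS layer itself (getent passwd for the user with nscd stopped) rather than PAM.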

Rowley 07-11-2008 10:50 AM

For reference, I got a little further with this. It has something to do with "ssl yes" in ldap.conf. Set it to "ssl no" and we can su to our hearts' content...

marozsas 07-11-2008 11:11 AM

Good to know!
But how is it related to nscd running or not? :scratch:

Anyway, I'm glad you figured out how to log in.
This thread could be a reference for someone in the future, for sure.

Thanks for closing the thread.

Rowley 07-13-2008 09:37 AM

Quote:

Originally Posted by marozsas (Post 3211287)
Good to know!
But how is it related to nscd running or not? :scratch:

Anyway, I'm glad you figured out how to log in.
This thread could be a reference for someone in the future, for sure.

Thanks for closing the thread.

Absolutely no idea. Get my SSL LDAP config sorted and I'll be happy, although I'd love to understand how having nscd running helps. Maybe one day it will all become clear... who knows? Until then, if anyone would like a crack at this one, please have a go. I'll be watching this space.

pluto01 07-30-2008 03:18 PM

Quote:

Originally Posted by Rowley (Post 3212965)
Absolutely no idea. Get my SSL LDAP config sorted and I'll be happy, although I'd love to understand how having nscd running helps. Maybe one day it will all become clear... who knows? Until then, if anyone would like a crack at this one, please have a go. I'll be watching this space.

Thank you for pointing at ldap! I was having a very similar problem and your post gave me a eureka moment.

If you are a RHEL or CentOS user, there was a bug in nss_ldap that was causing this behavior. The package nss_ldap-253-13.el5_2.1.i386.rpm fixed it for me and a bugfix advisory was put out two days ago (RHBA-2008:0611-3).

Hope that helps you!

Rowley 07-31-2008 04:11 AM

Sir, I take my hat off to you. I upgraded the package as directed and everything works like a charm. I can finally put this one to bed!

/hugs pluto01
/hugs internet
