NSCD and LDAP
Hi
I'm having a tough time trying to find an explanation for the following behaviour, maybe someone here can point me in the right direction. I have configured a system (centos5 2.6.18-53.el5 x64) to authenticate against AD using kerberos and use LDAP for user/group info. If NSCD is running, I can login as any user in my LDAP tree, if it isn't, I can't.

My /etc/ldap.conf:

host 192.168.201.62
base dc=PCITest2,dc=com
uri ldap://192.168.201.62/
uri ldaps://pcitestdc2.pcitest2.com/
binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
bindpw SomePass
scope sub
timelimit 30
bind_timelimit 30
idle_timelimit 3600
referrals no
nss_base_passwd ou=Staff,dc=PCITest2,dc=com?sub
nss_base_shadow ou=Staff,dc=PCITest2,dc=com?sub
nss_base_group ou=Staff,dc=PCITest2,dc=com?sub
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
pam_groupdn ou=Staff,dc=PCITest2,dc=com?sub
ssl yes
tls_certdir /etc/openldap/cacerts

It's very likely I've misconfigured and/or misunderstood something, but I so would love to understand! Man pages and google haven't really come up with anything... help would be much appreciated.
The program nscd is just a cache daemon to speed up queries/searches for user name, host lookup, etc.
Maybe without this cache the authentication program times out and the login is denied. Take a look at /etc/nsswitch.conf. This configuration file tells the resolver the order in which several sources are searched. Try to put ldap as the first source in the passwd entry (I assume ldap is already there, just put it as the first entry). Now, if you can log in without nscd then it is because ldap was answering first and no time outs are occurring. ...but I am just guessing :)
Thanks for replying. I realise what NSCD is used for, the problem I'm having is that I can't figure out why it has to be running to perform certain functions.
For example, without it running I *can* log in using kerberos and ldap but I cannot su to another user, I get:

Jul 7 08:37:21 localhost su: pam_unix(su-l:session): session opened for user paul.mccartney by john.lennon(uid=10003)
Jul 7 08:37:22 localhost su: pam_keyinit(su-l:session): Unable to change UID back to 0
Jul 7 08:37:22 localhost su: pam_unix(su-l:session): session closed for user john.lennon

If NSCD is running, I can su... I am having trouble spotting config errors. There is probably something wrong with my PAM config:

auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass use_shmem=sshd
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_krb5.so use_authtok
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so external use_shmem=sshd

... ... :-(
I don't think it is a PAM-related issue.
I already had a similar problem a long time ago and it was related to the authentication timeout. At that time I solved it using nscd; the time to get a valid answer was smaller and then the authentication completed on time. Did you try to put ldap in front of the list in /etc/nsswitch.conf, just to test?
Jul 8 08:08:32 localhost su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session opened for user root by paul.mccartney(uid=10001)
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session closed for user root

Nothing else of consequence is logged in messages. What could be timing out? LDAP queries? Whether I query files first and ldap afterwards or vice-versa, it makes no difference. In the log excerpt above, I'm trying to su to root. Authentication is successful, as if I try to su - and type a wrong password I get:

Jul 8 08:26:12 localhost su: pam_unix(su-l:auth): authentication failure; logname=paul.mccartney uid=10001 euid=0 tty=pts/3 ruser=paul.mccartney rhost= user=root

Thanks for the suggestions though...
For reference, got a little further with this. It has something to do with "ssl yes" in ldap.conf. Set it to "ssl no" and we can su to our heart's content...
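The "ssl no" workaround above trades the su problem for a plaintext LDAP channel, and the original ldap.conf already carries a couple of things worth flagging (an inline bindpw in a file that is normally world-readable, a mixed ldap:// and ldaps:// uri list, no explicit tls_checkpeer). The following linter is an added example, not code from this thread or from nss_ldap; it encodes the nss_ldap option names I know (bindpw, rootbinddn with /etc/ldap.secret, ssl, tls_checkpeer, tls_cacertfile/tls_cacertdir, pam_password) as checks, and the sample input is the poster's own config with the password replaced by a placeholder and the tls_certdir line kept exactly as posted.

```python
"""Lint an nss_ldap/pam_ldap-style /etc/ldap.conf for transport and credential
weaknesses. Added example; the checks are assumptions based on the nss_ldap
option names, not output of any nss_ldap tool."""

# Constructed sample: the thread's ldap.conf, bind password replaced.
SAMPLE_LDAP_CONF = """\
host 192.168.201.62
base dc=PCITest2,dc=com
uri ldap://192.168.201.62/
uri ldaps://pcitestdc2.pcitest2.com/
binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
bindpw PLACEHOLDER_PASSWORD
scope sub
pam_password ad
ssl yes
tls_certdir /etc/openldap/cacerts
"""

# The thread's workaround: same file with TLS switched off.
WORKAROUND_LDAP_CONF = SAMPLE_LDAP_CONF.replace("ssl yes", "ssl no")

TLS_ON = ("yes", "on", "start_tls")   # values that enable TLS in nss_ldap
TRUE_VALUES = ("yes", "on", "true")


def parse_ldap_conf(text):
    """Return a dict of lowercased key -> list of values (uri may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def lint_ldap_conf(text):
    """Return a list of (code, message) findings for the given ldap.conf text."""
    conf = parse_ldap_conf(text)
    findings = []

    if "bindpw" in conf:
        findings.append(("INLINE_BINDPW",
                         "bindpw is stored inline; /etc/ldap.conf is normally world-readable. "
                         "Use rootbinddn with the password in /etc/ldap.secret (mode 0600)."))

    schemes = {u.split("://", 1)[0].lower() for u in conf.get("uri", []) if "://" in u}
    if "ldap" in schemes and "ldaps" in schemes:
        findings.append(("MIXED_URI_SCHEMES",
                         "uri lists both ldap:// and ldaps://; a failover to the ldap:// "
                         "entry sends the bind credentials without TLS unless start_tls is forced."))

    ssl = conf.get("ssl", ["no"])[-1].lower()
    if ssl in TLS_ON:
        if conf.get("tls_checkpeer", [""])[-1].lower() not in TRUE_VALUES:
            findings.append(("TLS_CHECKPEER_UNSET",
                             "tls_checkpeer is not set; server certificate verification depends on "
                             "libldap's TLS_REQCERT default. Set tls_checkpeer yes explicitly."))
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append(("NO_CA_PATH",
                             "neither tls_cacertfile nor tls_cacertdir is set, so there is no CA "
                             "to verify the server against (tls_certdir is not one of these keys)."))
    else:
        findings.append(("TLS_DISABLED",
                         "ssl is off; the bind credentials and all directory data travel in cleartext."))
        if conf.get("pam_password", [""])[-1].lower() == "ad":
            findings.append(("AD_PASSWORD_WITHOUT_TLS",
                             "pam_password ad needs an encrypted connection: Active Directory "
                             "refuses unicodePwd changes over cleartext, so password changes will fail."))
    return findings


def finding_codes(text):
    """Convenience wrapper: just the set of finding codes."""
    return {code for code, _ in lint_ldap_conf(text)}


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_LDAP_CONF), ("ssl no workaround", WORKAROUND_LDAP_CONF)):
        print(f"== {label} ==")
        for code, msg in lint_ldap_conf(text):
            print(f"  [{code}] {msg}")
```

Run against the two variants, the original config yields the inline-password, mixed-scheme, missing-tls_checkpeer and missing-CA findings, while the "ssl no" workaround drops the TLS findings but adds TLS_DISABLED and AD_PASSWORD_WITHOUT_TLS; the second of those is why the workaround is not a long-term fix even before the nss_ldap bug below is considered.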
Good to know!
But how is it related to nscd running or not? :scratch: Anyway, I'm glad you figured out how to log in. This thread could be a reference for someone in the future, for sure. Thanks for closing the thread.
If you are a RHEL or CentOS user, there was a bug in nss_ldap that was causing this behavior. The package nss_ldap-253-13.el5_2.1.i386.rpm fixed it for me and a bugfix advisory was put out two days ago (RHBA-2008:0611-3). Hope that helps you!
Sir, I take my hat off to you. I upgraded the package as directed and everything works like a charm. I can finally put this one to bed!
/hugs pluto01 /hugs internet