LinuxQuestions.org


Learning_Quinn 02-23-2016 08:44 AM

openLDAP authentication in RH 6.5 without sssd
 
Problem: Inherited an environment and trying to back engineer how they set up the servers. I have a working system that authenticates via LDAP but does not have sssd installed. A brand new server following online documentation does not work. Copying files from the working server to the new server also does not work. What am I missing?

Hello kids,

I have a problem. I have a Red Hat 6.5 environment that isn't that big, but it's growing. I'm part of an essentially brand new team taking care of these servers. We're adding new systems, but I've run into problems with the authentication process. I'll put the whole process that we want to see at the end of this, but for right now I'm focused on the LDAP piece. We are authenticating against an existing openLDAP server and the current machines are working. The server build documentation (where it exists) is spotty or badly written. It consists of someone's dump of a history file doing several things at once, not to mention the entries of 'vi $file' that never tell you what to change. So at first I followed various RH articles and other postings on how to get the system to authenticate against openLDAP. Nothing is working. I have also pulled the config files from an existing server and still no love. One thing I notice is that when setting up LDAP via authconfig-tui it places sssd in the files. The working server does not have sssd installed. Running ldapsearch -d 5 -L "(objectlass=*)" connects, but a getent passwd shows only local users and no one in LDAP. I know I'm missing some small thing and I'm documenting all of this for a new server image, but I'm running in circles. It might be a certificate issue, but I'm not sure. I think this is strictly a client issue as everyone else is working. Any help would be greatly appreciated.

Peace

========================================
Files I have edited (I can post scrubbed files on request)
etc/openldap/ldap.conf
etc/pam.d/sshd
etc/ssh/sshd_conf
etc/nsswitch.conf
*probably more. My head is spinning.

I am pointing my TLS_CACERTDIR to an empty directory but again, it's working on the other machine.
========================================
The way the process is supposed to work!

In case it helps, this is the big picture. We have openLDAP and an RSA server. No local accounts for anyone on the servers. The process is: a user uses ssh to connect to the server (no GUI running). It should prompt you for your RSA PIN. It then checks you against RSA and then against LDAP. If you succeed in both checks, you are allowed in (note, you are not asked for your LDAP password). Once you are in, only members of a certain group are allowed to elevate themselves to root. At that point, you are asked for your LDAP password.
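A small check script, added here as an example and not taken from the post or from any of the servers it describes, that inspects the two client files the post lists (nsswitch.conf and ldap.conf) for the two misconfigurations that give exactly this symptom: the passwd database having no ldap source (so getent passwd can only ever return local users), and a TLS_CACERTDIR with nothing in it. The sample files, their paths, and the URI/BASE values are constructed.

```shell
#!/bin/sh
# Checks the two client files the post lists for the two misconfigurations
# that give exactly this symptom. Sample files are constructed here, not the
# poster's; every path and value is an assumption.
set -eu
WORK=$(mktemp -d)
mkdir -p "$WORK/cacerts"     # deliberately left empty, as in the post
# Constructed nsswitch.conf: passwd has no ldap source, so getent passwd
# can only show local users even though shadow and group consult LDAP.
cat > "$WORK/nsswitch.conf" <<EOF
passwd:     files
shadow:     files ldap
group:      files ldap
EOF
# Constructed ldap.conf pointing TLS_CACERTDIR at the empty directory.
cat > "$WORK/ldap.conf" <<EOF
URI ldap://ldap.example.internal/
BASE dc=example,dc=internal
TLS_CACERTDIR $WORK/cacerts
EOF

# nss_sources DB FILE: print the lookup sources configured for DB.
nss_sources() {
    awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}
# nss_uses_ldap DB FILE: yes if DB goes through the ldap module
# (nss-pam-ldapd/nslcd on RHEL 6 without sssd) or through sss.
nss_uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*|*" sss "*) echo yes ;;
        *)                    echo no ;;
    esac
}
# ldap_conf_value KEY FILE: first value of KEY (keys are case-insensitive).
ldap_conf_value() {
    awk -v k="$1" 'toupper($1) == k { print $2; exit }' "$2"
}
# cacert_count DIR: files in TLS_CACERTDIR. Zero means nothing to verify the
# server certificate against, and with the default TLS_REQCERT demand a
# TLS/StartTLS bind then fails.
cacert_count() {
    find "$1" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' '
}

# Report: one line per check on the constructed files.
for db in passwd shadow group; do
    echo "nsswitch $db: ldap=$(nss_uses_ldap "$db" "$WORK/nsswitch.conf")"
done
CADIR=$(ldap_conf_value TLS_CACERTDIR "$WORK/ldap.conf")
echo "TLS_CACERTDIR $CADIR: certs=$(cacert_count "$CADIR")"
```

Point the two path arguments at the real /etc/nsswitch.conf and /etc/openldap/ldap.conf to run the same checks on a live client.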
