Xudonax 06-29-2010 10:31 AM

Can't get LDAP authentication working on Fedora 13
Hi everyone,

I'm trying to get LDAP working with 389 Directory Server on Fedora 13. I have the server all ready to go, and I can query it with the 389 console. But when I tried to move on to the next step, user authentication through LDAP, it just won't work :(

I followed the PAM Howto, but the given authconfig command doesn't work. If I manually add a user with the 389 console, I can't login with it.
Since I had X11 forwarding working over SSH, I tried authconfig-gtk. I set up an SSL LDAP connection for this to work, but it still didn't work. I did have this working on my (now crashed :() Fedora 12 VM.

Does anyone know what I'm missing here?

acid_kewpie 06-29-2010 10:34 AM

You're missing a bit of divide and conquer...

Do a "getent passwd". Does that show a full valid posix account for the user you want? Same for "getent group" for the group. That will say a lot about what state you're in, and also you should check your /etc/ldap.conf as authconfig itself really doesn't cover many of the often used options, e.g. tls / ssl support.

Xudonax 06-29-2010 10:45 AM

I tried getent passwd | grep kplop (with kplop being the name of the user), and this returns nothing. Same for the group. It does, however, return all the normal users and groups (those in /etc/passwd, /etc/shadow and /etc/group). So I'm guessing something is going wrong somewhere with the LDAP<=>PAM connection?

Since I am not sure what should be in the file /etc/openldap/ldap.conf, here is the file (without the comments):

BASE        dc=patrickbregman,dc=eu
HOST        kanata
PORT        389
URI        ldaps://
TLS_CACERTDIR /etc/openldap/cacerts

acid_kewpie 06-29-2010 11:05 AM

Well, that shows that it's NOT pam yet, you're not even getting that far, which is useful. And one VERY important thing is that /etc/openldap/ldap.conf is NOT the same as /etc/ldap.conf. The former is used for the openldap tools, the latter is actually used for the system stack, so ldapsearch and getent will reach LDAP through different configuration files, so one doesn't prove the other's config at all.

Xudonax 06-29-2010 11:18 AM

Ah, now I see :) After re-reading the PAM howto I linked above, I made these changes to /etc/ldap.conf:

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes

# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop

(As said in the PAM howto) But I still can't login with my LDAP user account :(

I'm 100% sure that I'm missing something, the question is, what am I missing?

acid_kewpie 06-29-2010 01:28 PM

Well, those options are for pam, and we're not at pam yet. You have two stages at stake here: 1) User Information and 2) User Authentication. Linux systems will first get a user name and obtain the posix account details for that user. Then, when it has a user that is authenticating against LDAP (which is not known at this stage - all the accounts from wherever look the same), the pam stack will, by virtue of the user having failed to authenticate using /etc/shadow, then contact the LDAP server and try to bind (login) to it with that user account with the password provided. Again, due to the two separate parts of the process, pam has no idea if the user actually is in LDAP, but it then passes hopefully and you get your shell. So you have to deal with the user information part first, then the authentication, and understanding the really very large gap between the two will help you a lot.

Xudonax 06-30-2010 03:35 PM

Could you give a little hint on where to look to fix those two steps?
In Fedora 12 everything went automatically, so I just followed the howto and everything magically worked :(
I'd like to learn a bit more about this as well so I can fix stuff like this myself :)

acid_kewpie 06-30-2010 03:39 PM

Well, for now, just get back to the first part. Get "getent passwd" working. That will only require configuration changes to /etc/ldap.conf and /etc/nsswitch.conf. authconfig will sort the nsswitch.conf just fine, but it's pretty common to require some tweaks to ldap.conf, especially if you have anything resembling security on it.

Xudonax 07-01-2010 01:58 PM

Well, I circumvented SSS with /etc/nsswitch.conf and now I get correct results with getent passwd. I changed this:

passwd: files sss
shadow: files sss
group:  files sss

to this:

passwd: files ldap sss
shadow: files ldap sss
group:  files ldap sss

Not sure if this is completely correct, but it works so far :)

If I'm not mistaken, I should be able to move to phase 2, User Authentication, right?
I tried sudo passwd kplop, but then I get passwd: Authentication token manipulation error, so I think I'm still missing a step here. Maybe I *should* try to get everything working through sss...

EDIT: Also, getent -s ldap passwd is very slow (I left it there for 5 minutes and nothing happened), while getent -s 'dns ldap' passwd is very fast and returns my kplop user...
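As an added example that is not code from this thread or from any of its posters, the following POSIX sh script turns acid_kewpie's "two stages" advice and the nsswitch.conf change above into offline checks for stage 1 (user information) only: it confirms that passwd, shadow and group in nsswitch.conf list an ldap or sss source, and that a getent passwd line is a complete posix account (seven fields, numeric uid and gid, non-empty home and shell) before anyone moves on to PAM. The nsswitch.conf text and the two getent lines are constructed sample data (the user name kplop comes from the thread; the uid, gid, home and shell values are made up), so nothing here talks to an LDAP server or reads the real /etc files.

```shell
#!/bin/sh
# Added example, not from the thread: stage 1 (NSS user information) checks.
# All inputs below are constructed samples; no real /etc files are read.

# Constructed sample of /etc/nsswitch.conf after the change posted in the thread.
SAMPLE_NSSWITCH='passwd: files ldap sss
shadow: files ldap sss
group:  files ldap sss
hosts:  files dns'

# Constructed lines as "getent passwd kplop" might print them
# (uid/gid/home/shell are invented for the example).
GOOD_ENTRY='kplop:x:10001:10001:Sample LDAP user:/home/kplop:/bin/bash'
BAD_ENTRY='kplop:x::10001:Sample LDAP user::'

# nss_sources DB CONF: print the source list configured for DB (passwd, shadow, ...).
nss_sources() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# nss_has_source DB SOURCE CONF: succeed when SOURCE (e.g. ldap) is listed for DB.
nss_has_source() {
    for src in $(nss_sources "$1" "$3"); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# posix_entry_ok LINE: succeed when LINE is a complete passwd(5) record:
# seven colon-separated fields, numeric uid and gid, non-empty home and shell.
posix_entry_ok() {
    IFS=: read -r name pw uid gid gecos home shell extra <<EOF
$1
EOF
    [ -n "$name" ] || return 1
    [ -z "$extra" ] || return 1            # more than seven fields
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$home" ] && [ -n "$shell" ]
}

# stage1_verdict CONF ENTRY: say where stage 1 stands. Returns 0 only when a
# full account came back, i.e. the point at which PAM (stage 2) becomes relevant.
stage1_verdict() {
    conf=$1
    entry=$2
    for db in passwd shadow group; do
        nss_has_source "$db" ldap "$conf" || nss_has_source "$db" sss "$conf" ||
            { echo "nsswitch: $db lists neither ldap nor sss"; return 1; }
    done
    [ -n "$entry" ] ||
        { echo "getent returned nothing: check BASE/URI/TLS in /etc/ldap.conf"; return 2; }
    posix_entry_ok "$entry" ||
        { echo "entry incomplete: uid, gid, home or shell missing on the LDAP object"; return 3; }
    echo "stage 1 OK: full posix account found, continue with PAM (stage 2)"
    return 0
}

# Demo on the constructed samples.
stage1_verdict "$SAMPLE_NSSWITCH" "$GOOD_ENTRY"
if stage1_verdict "$SAMPLE_NSSWITCH" "$BAD_ENTRY"; then
    echo "unexpected: incomplete entry accepted"
fi
```

On a live box the same functions can be fed real data, for instance `stage1_verdict "$(cat /etc/nsswitch.conf)" "$(getent passwd kplop)"`; a non-zero return pinpoints which half of stage 1 still needs work, which is exactly the split the thread recommends resolving before touching pam_ldap options.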

rajeev_rattra 07-03-2010 07:17 AM

Hi Xudonax,

I am also stuck at the same point. Hope I can get some help.

Please share in case you get any result.


tad1073 11-05-2010 01:42 PM

Yes, do tell... we are at unit 8 of the Linux admin class, which has us installing and configuring LDAP. The instructor was having the same authentication problems when trying the lab.

Xudonax 11-06-2010 03:08 AM

I didn't try anything after 07-01-10, and I effectively put these plans into the freezer since I got more important things going on now :(
I would suggest trying Fedora 14 by now, but I have no idea if that actually fixes or changes anything...
