Old 02-13-2019, 12:21 PM   #16
Original Poster
Here is my nsswitch.conf:
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Valid entries include:
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus

uid:gid is root:root. I haven't made any manual changes to it.

Last edited by vinmansbrew; 02-13-2019 at 12:22 PM. Reason: info
Old 02-14-2019, 10:29 AM   #17
Let's verify a few things with ldapsearch and nslcd.conf.

Get the following lines from your nslcd.conf

base group
base passwd

Try the following from your client using the values from your nslcd.conf.

bash-prompt $ ldapsearch -x -W -H "uri" -b "base passwd" -D "binddn" "(objectClass=posixAccount)"
bash-prompt $ ldapsearch -x -W -H "uri" -b "base group" -D "binddn" "(objectClass=posixGroup)"
bash-prompt $ ldapsearch -x -W -H "uri" -b "base" -D "binddn" "(objectClass=posixGroup)"
A working example on my CentOS7 machine I tested my article against:

[root@centos7 ~]# ldapsearch -x -W -H "ldap://localhost/" -b "ou=users,dc=tylersguides,dc=com" -D "cn=osproxy,ou=system,dc=tylersguides,dc=com" "(objectClass=posixAccount)"
Enter LDAP Password: 
# extended LDIF
# LDAPv3
# base <ou=users,dc=tylersguides,dc=com> with scope subtree
# filter: (objectClass=posixAccount)
# requesting: ALL

# testuser, users,
dn: uid=testuser,ou=users,dc=tylersguides,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: First Name
sn: Last Name
uid: testuser
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/testuser
loginShell: /bin/sh
gecos: Full Name

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Last edited by tyler2016; 02-14-2019 at 10:35 AM.
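As an added example, not code from tyler2016's post or from the OP's system: a shell script that pulls uri, base, the per-map "base passwd" / "base group" lines and binddn out of nslcd.conf and prints the three ldapsearch commands from this post with the placeholders filled in, falling back to the global base for a map that has no base of its own, as nslcd does. The nslcd.conf it writes for itself (example.com hostnames and DNs) is constructed for the example. It also flags a bindpw sitting in a world-readable file, which is worth checking whenever a config is copied between hosts.

```shell
#!/bin/sh
# Added example, not tyler2016's or the OP's code: read the values post #17
# asks for out of nslcd.conf and print the three ldapsearch commands with
# the placeholders filled in. Nothing here talks to an LDAP server; you run
# the printed commands yourself. The file written by write_sample_nslcd_conf
# is constructed for this example.

# Skip comments and blank lines; nslcd.conf is "option value [value ...]".
_nslcd_lines() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print }' "$1"
}

# nslcd_opt FILE KEY -> value of a single-argument option (base, binddn ...).
# NF == 2 keeps the global "base DN" apart from "base passwd DN".
# Quoted values containing spaces are not handled.
nslcd_opt() {
    _nslcd_lines "$1" | awk -v key="$2" 'tolower($1) == key && NF == 2 { print $2; exit }'
}

# nslcd_uri FILE -> every URI from every uri line, space separated, which is
# the form ldapsearch -H accepts and the order nslcd tries them in.
nslcd_uri() {
    _nslcd_lines "$1" | awk '
        tolower($1) == "uri" { for (i = 2; i <= NF; i++) { printf "%s%s", sep, $i; sep = " " } }
        END { print "" }'
}

# nslcd_map_base FILE MAP -> search base for one map (passwd, group, ...),
# falling back to the global base when no map-specific base is set, which
# is what nslcd does.
nslcd_map_base() {
    base=$(_nslcd_lines "$1" | awk -v map="$2" \
        'tolower($1) == "base" && NF == 3 && tolower($2) == map { print $3; exit }')
    [ -n "$base" ] || base=$(nslcd_opt "$1" base)
    printf '%s\n' "$base"
}

# nslcd_bindpw_exposed FILE -> exit 0 when FILE holds a bindpw and is
# readable by "other" (nslcd logs a warning about that at startup).
nslcd_bindpw_exposed() {
    grep -qi '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    [ -n "$(find "$1" -perm -o+r)" ]
}

# nslcd_ldapsearch_cmds FILE -> the three searches from post #17.
# -W prompts for the bindpw instead of passing it on the command line,
# where `ps` would show it to every local user.
nslcd_ldapsearch_cmds() {
    uri=$(nslcd_uri "$1")
    base=$(nslcd_opt "$1" base)
    binddn=$(nslcd_opt "$1" binddn)
    pbase=$(nslcd_map_base "$1" passwd)
    gbase=$(nslcd_map_base "$1" group)
    if [ -z "$uri" ] || [ -z "$base" ]; then
        echo "uri or base missing in $1" >&2
        return 1
    fi
    printf 'ldapsearch -x -W -H "%s" -b "%s" -D "%s" "(objectClass=posixAccount)"\n' "$uri" "$pbase" "$binddn"
    printf 'ldapsearch -x -W -H "%s" -b "%s" -D "%s" "(objectClass=posixGroup)"\n' "$uri" "$gbase" "$binddn"
    printf 'ldapsearch -x -W -H "%s" -b "%s" -D "%s" "(objectClass=posixGroup)"\n' "$uri" "$base" "$binddn"
}

# Constructed sample in nslcd.conf's shape (hostnames and DNs are made up).
write_sample_nslcd_conf() {
    cat > "$1" <<'EOF'
# constructed nslcd.conf for this example
uid nslcd
gid ldap
uri ldap://ldap.example.com/ ldap://ldap2.example.com/
base dc=example,dc=com
base passwd ou=users,dc=example,dc=com
base group ou=groups,dc=example,dc=com
binddn cn=osproxy,ou=system,dc=example,dc=com
bindpw secret
ssl start_tls
EOF
}

# Usage: NSLCD_CONF=/etc/nslcd.conf sh this_script.sh
if [ -n "${NSLCD_CONF:-}" ]; then
    nslcd_bindpw_exposed "$NSLCD_CONF" && echo "warning: $NSLCD_CONF is world-readable and contains bindpw" >&2
    nslcd_ldapsearch_cmds "$NSLCD_CONF"
fi
```

Run it as root against the real file (NSLCD_CONF=/etc/nslcd.conf), paste the printed commands back one at a time, and compare the binddn it prints with the one that actually binds: if they differ, nslcd is binding as something other than what you think, or anonymously if bindpw is missing.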
Old 02-15-2019, 12:42 PM   #18
Original Poster
Ok, so I tried that. I ended up using a different entry for the binddn than what I thought I was supposed to use in my nslcd.conf. If I used what was in my nslcd.conf, getent passwd does run through, but the ldapsearch command fails with authentication error.
When I changed the binddn, then the ldapsearch works and gives me a long list of returns, and the getent passwd worked with changed binddn.
However, if I try to ssh to the server with an ldap user, the password still fails.
Nothing in /var/log/messages; however, /var/log/secure shows:
pam_ldap: reconnecting to LDAP server...
pam_ldap: ldap_simple_bind Can't contact LDAP server
Failed password for ldapuser from port 33220 ssh2
Connection closed by

Now, I have a local account on the client; I do that on all my servers. The account I am using for testing is my LDAP account. My user/pass works everywhere else, however.
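An added example, not from the thread: a triage script over constructed /var/log/secure lines (made-up host, pids and addresses, not the OP's log) that tells apart a "Failed password" that followed a pam_ldap "Can't contact LDAP server" error in the same sshd session from a plain wrong password and from a user sshd could not resolve at all. The distinction matters here because getent passwd succeeding only proves the NSS path through nslcd; the "pam_ldap: reconnecting to LDAP server..." / "pam_ldap: ldap_simple_bind ..." wording above is that of the PADL pam_ldap module, which opens its own connection from its own configuration file (/etc/ldap.conf, or /etc/pam_ldap.conf on Red Hat-derived builds), not from nslcd.conf, so the two paths can be pointed at different servers or bind DNs.

```shell
#!/bin/sh
# Added example, not from the thread: classify sshd failures in
# /var/log/secure by what PAM and NSS said just before them. The log lines
# in write_sample_secure_log are constructed (host, pids and addresses are
# made up), not the OP's log.

# classify_auth_log FILE -> one line per "Failed password": "<pid> <user> <class>"
#   ldap-unreachable : the same sshd[pid] logged a pam_ldap connection error
#                      first, so the directory was never asked about the password
#   invalid-user     : sshd could not resolve the name at all (NSS lookup failed)
#   bad-password     : the account resolved and the credential was rejected
classify_auth_log() {
    awk '
        { pid = "" }
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        /pam_ldap: .*Can.t contact LDAP server/ { unreachable[pid] = 1; next }
        /Failed password for invalid user / {
            u = substr($0, index($0, "invalid user ") + 13); sub(/ from .*/, "", u)
            print pid, u, "invalid-user"; next
        }
        /Failed password for / {
            u = substr($0, index($0, "Failed password for ") + 20); sub(/ from .*/, "", u)
            print pid, u, ((pid in unreachable) ? "ldap-unreachable" : "bad-password")
        }
    ' "$1"
}

# auth_failure_summary FILE -> "<class> <count>" lines, sorted by class.
# A burst of ldap-unreachable is an outage (or someone cutting the client
# off from the directory), not a password-guessing attempt, and should be
# routed accordingly.
auth_failure_summary() {
    classify_auth_log "$1" | awk '{ n[$3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed /var/log/secure excerpt for this example.
write_sample_secure_log() {
    cat > "$1" <<'EOF'
Feb 15 12:40:01 client sshd[4101]: pam_ldap: reconnecting to LDAP server...
Feb 15 12:40:01 client sshd[4101]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 15 12:40:03 client sshd[4101]: Failed password for ldapuser from 192.0.2.10 port 33220 ssh2
Feb 15 12:40:03 client sshd[4101]: Connection closed by 192.0.2.10 port 33220 [preauth]
Feb 15 12:41:10 client sshd[4120]: Failed password for invalid user nosuch from 192.0.2.11 port 40120 ssh2
Feb 15 12:42:30 client sshd[4133]: Failed password for localadmin from 192.0.2.12 port 40211 ssh2
EOF
}

# Usage: AUTH_LOG=/var/log/secure sh this_script.sh
if [ -n "${AUTH_LOG:-}" ]; then
    classify_auth_log "$AUTH_LOG"
    auth_failure_summary "$AUTH_LOG"
fi
```

On the OP's symptom the first class is the one to look for: a failure tagged ldap-unreachable means the password was never checked against the directory, so testing the user's bind directly (ldapwhoami with that user's DN against the server named in the PAM module's own config) is the next step, not resetting the password.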