1

I'm trying to set up LDAP on a Gentoo workstation to authenticate against a central server. However, I encountered some issues and I really hope you guys can help me out here :)

First off, the LDAP server is running fine because the other machines can connect to it. Second, I followed this guide on Gentoo wiki to set up the client. Third, I even tried using the ldap/nss/pam config files from the other workstations but still can't login...

What works is the ldapsearch:

ldapsearch -Z '(objectclass=*)'

I used the -Z for TSL (That's what I read it is for) but -x also works.

From what I researched/googled/tried it seems that the error is not with ldap but with nss configuration? Any help would be greatly appreciated :)

Here is ldap.conf (slightly redacted)

timelimit 120
bind_timelimit 120
idle_timelimit 3600

TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://<sub>.<domain>.edu/
BASE dc=<sub>,dc=<domain>,dc=edu

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,    rtkit,pulse

ssl start_tls
TLS_CHECKPEER no
TLS_CRLCHECK none
TLS_REQCERT never
pam_password md5

Current nsswitch.conf

# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    files sss
protocols:   files
rpc:         files
ethers:      files
netmasks:    files
netgroup:    files
bootparams:  nisplus [NOTFOUND=return]files
publickey:   nisplus
automount:   files ldap
aliases:     files nisplus

system-auth

auth            sufficient      pam_ldap.so
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        sufficeint      pam_ldap.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so


session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_ldap.so
session         optional        pam_permit.so

Let me know if any other configuration files/information would be helpful.

Drakkainen
  • 123
  • 3
  • 9
  • What does the following command returns (run as root)? `getent shadow` Which service are you trying to log to? Maybe this service uses pam so you would also need to install and configure libpam_LDAP. – alxgomz Jan 07 '14 at 18:24
  • getent shadow returns local users then hangs for a bit (trying to connect to ldap?) and returns nothing and exists. I'm trying to set up the workstation so the users can login to any machine and access their files (home folders are on a central server, they mount fine on boot though). So pretty much just login to the machine through ldap. I have pam_ldap module installed and configured as per gentoo's wiki page. – Drakkainen Jan 07 '14 at 18:56
  • Oh yes I missed the pam part in your initial post...You may have to configure you libnss-ldap as well. I am not sure about Henri, but under Debian it's in a file called /etc/libnss-ldap.conf. take a look at the corresponding man page. – alxgomz Jan 07 '14 at 22:13

1 Answers1

1

Figured it out, and I hope this will help someone in the future :)

The workstations that can login to ldap were using SSSD to authenticate against the ldap server. After installing and configuring it all I had to do was switch the lines in nsswitch.conf like so:

passwd:      files ldap
shadow:      files ldap
group:       files ldap

to:

passwd:      files sss
shadow:      files sss
group:       files sss

I hope this will help someone out there :)

Drakkainen
  • 123
  • 3
  • 9