
I have an existing set of CentOS 5.4 servers that restrict login based on being a uniquemember of an LDAP group, vizusers. The users can be a direct uniquemember of the group or be a member of a group that is a uniquemember of vizusers.

I am trying to implement this same method under CentOS 6.4. The LDAP server is on a closed network and does not support SSL or TLS, so sssd is not possible. Using pam_ldap and nslcd is required.

Users that are direct uniquemembers resolve correctly as evidenced by "groups username" returning vizusers as a secondary group. Users that should inherit this group return only their primary group.

pam_ldap.conf, ldap.conf and nslcd.conf do not vary from the working configuration on the CentOS 5.4 hosts.

ldapsearch of vizusers returns all the users and groups that are uniquemembers. A subsequent search of the subgroups correctly returns the expected users.

What am I missing?


1 Answer


According to an answer on Stack Exchange, there is no such thing as "Linux nested groups".

So the behaviour of CentOS 6.4 is as expected.

How it worked on CentOS 5.4 is a mystery.

Side note: in my opinion, sssd can work fine with plaintext LDAP binding.

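To see concretely which users the answer's point affects, here is an added example (not from the question, the answer, or nslcd itself) that parses ldapsearch LDIF output and compares the direct uniqueMember set, which is all nslcd/pam_ldap honours, against the transitive set an admin might expect. The LDIF, group names and DNs under dc=example,dc=com are constructed for illustration.

```python
# Added example: flatten nested uniqueMember groups from LDIF (constructed data).
# Constructed LDIF as ldapsearch might print it; DNs are hypothetical.
SAMPLE_LDIF = """\
dn: cn=vizusers,ou=groups,dc=example,dc=com
cn: vizusers
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: cn=analysts,ou=groups,dc=example,dc=com

dn: cn=analysts,ou=groups,dc=example,dc=com
cn: analysts
uniqueMember: uid=bob,ou=people,dc=example,dc=com
uniqueMember: cn=vizusers,ou=groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Return {group DN: [uniqueMember DNs]} for every entry in the LDIF."""
    groups, dn, members = {}, None, []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if dn is not None:
                groups[dn] = members
            dn, members = None, []
        elif line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("uniquemember:"):  # attribute names are case-insensitive
            members.append(line.split(":", 1)[1].strip())
    return groups


def direct_users(groups, group_dn):
    """What nslcd reports: uniqueMember values that are not themselves groups.
    Assumption: any member DN not present in the LDIF is a user, not a group."""
    return {m for m in groups.get(group_dn, []) if m not in groups}


def effective_users(groups, group_dn, seen=None):
    """Transitive membership through sub-groups; 'seen' stops group cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for m in groups.get(group_dn, []):
        users |= effective_users(groups, m, seen) if m in groups else {m}
    return users


def inherited_only(groups, group_dn):
    """Users who reach the group only via nesting: the ones 'groups user' omits."""
    return effective_users(groups, group_dn) - direct_users(groups, group_dn)
```

Feeding real `ldapsearch -LLL` output for the group subtree into `parse_ldif` lists the accounts that will lose vizusers on the CentOS 6.4 hosts unless they are added as direct uniqueMembers.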