  1. #1 (Just Joined!, Join Date: Feb 2013, Posts: 1)

    LDAP problem


    Hi,

    I'm managing a file server project and we've run into a problem integrating CentOS with LDAP. The issue is outlined below. Any suggestions would be greatly appreciated.

    Thanks,

    Bryn kanar
    UCSC Library
    Web Developer



    I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools. I've previously installed a similar configuration on RHEL4 using smb 3.0 but CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations cannot be moved straight across.

    When I do a listing of a share directory that should have user and group ownership determined by LDAP, I get the uidNumbers and gidNumbers rather than the UIDs and GIDs.

    drwx------. 2 30634 30080 4096 Mar 18 2009 userdir1
    drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
    drwx------. 3 30554 30075 4096 Jan 26 2009 userdir3
    drwx------. 12 30467 30075 4096 Jun 21 2012 userdir4
    drwx------. 4 30543 30075 4096 Oct 21 2008 userdir5
    drwx------. 8 30555 30075 4096 Oct 31 10:36 userdir5

    Other details: centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

    I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. And selinux is off.

    I know the machine is successfully connecting to LDAP. An ldapsearch works from this machine, and I can even connect to a samba share with an ldap login through smbclient.

    Relevant parts of /etc/nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

    #hosts: db files nisplus nis dns
    hosts: files dns

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files ldap
    rpc: files
    services: files ldap

    netgroup: nisplus ldap
    #netgroup: ldap

    publickey: nisplus

    automount: files nisplus ldap
    #automount: files ldap
    aliases: files nisplus

    Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

    host dir1.ourdomain.com
    base dc=ourdomain,dc=com
    #uri ldaps://dir1.ourdomain.com
    uri ldap://dir1.ourdomain.com

    # basic auth config
    binddn cn=admin,dc=ourdomain,dc=com
    rootbinddn cn=admin,dc=ourdomain,dc=com

    # random stuff
    #timelimit 120
    #bind_timelimit 120
    #bind_policy hard
    # brought these times down wmodes Aug 11, 2008
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap

    # pam config
    #pam_password md5
    pam_password md5

    # config for nss
    nss_base_passwd ou=people,dc=ourdomain,dc=com?one
    nss_base_shadow ou=people,dc=ourdomain,dc=com?one
    nss_base_group ou=group,dc=ourdomain,dc=com?one

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl no

    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    #tls_checkpeer yes

    # CA certificates for server certificate verification
    tls_cacertfile /etc/openldap/cacerts/cacert.pem
    tls_cacertdir /etc/openldap/cacerts

    # Client certificate and key
    tls_cert /etc/openldap/cacerts/servercert.pem
    tls_key /etc/openldap/cacerts/serverkey.pem

    Relevant parts of /etc/pam.d/system-auth:

    auth required pam_env.so
    auth sufficient pam_fprintd.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password sufficient pam_ldap.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pam_mkhomedir.so skel=/etc/skel umask=077

    And the only line in /etc/sysconfig/authconfig I changed was:

    USELDAP=yes

    Any thoughts? For those who are experienced with nis and pam, I'm sure this is a no-brainer, but I could sure use the little bit of your brain that knows how to fix this.
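The symptom in the post (numeric uidNumber/gidNumber values where `ls` should print names) comes from the NSS layer, not from Samba: `ls` asks NSS to map each id to a name, and on a CentOS 6 host with nss-pam-ldapd that means the `passwd:`/`group:` lines in /etc/nsswitch.conf must list `ldap` and nslcd must be running and able to search the directory. The script below is an added diagnostic written for this thread, not something from the original post or from the nss-pam-ldapd project. It assumes a POSIX sh with `awk`, `getent` and `pgrep` available, the standard /etc/nsswitch.conf path, and that `nslcd` is the daemon behind the `ldap` NSS source; the listing it inspects is whatever `ls -l` prints for the share directory you pass in.

```shell
#!/bin/sh
# Added diagnostic for the "ls shows numbers instead of names" problem on a
# CentOS 6 + nss-pam-ldapd host. Not from the original post. Assumes the
# standard /etc/nsswitch.conf path and that nslcd serves the "ldap" source.

# nss_db_uses_ldap DB FILE: succeed if the DB line (passwd, group, ...) in
# FILE names "ldap" as a source. Commented lines are ignored.
nss_db_uses_ldap() {
    awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# listing_ids FIELD FILE: print the unique numeric values in column FIELD
# (3 = owner, 4 = group) of an "ls -l" style listing stored in FILE.
# Entries that already resolved to a name are not numeric and are skipped,
# so what comes out is exactly the set of ids NSS failed to map.
listing_ids() {
    awk -v f="$1" '$f ~ /^[0-9]+$/ { print $f }' "$2" | sort -un
}

# id_resolves DB ID: succeed if getent maps numeric ID to an entry through
# the configured NSS sources (files first, then ldap via nslcd).
id_resolves() {
    getent "$1" "$2" >/dev/null 2>&1
}

# check_listing FILE: report every owner/group id in the listing that NSS
# cannot map to a name. Returns 1 when at least one id is unresolved.
check_listing() {
    rc=0
    for uid in $(listing_ids 3 "$1"); do
        id_resolves passwd "$uid" || { echo "unresolved uid $uid"; rc=1; }
    done
    for gid in $(listing_ids 4 "$1"); do
        id_resolves group "$gid" || { echo "unresolved gid $gid"; rc=1; }
    done
    return $rc
}

# main SHAREDIR: run the three checks against a real share directory.
main() {
    for db in passwd group; do
        nss_db_uses_ldap "$db" /etc/nsswitch.conf \
            || echo "nsswitch.conf: '$db' line does not list ldap"
    done
    # With nss-pam-ldapd the "ldap" source is only a socket client of nslcd;
    # if the daemon is down every LDAP-backed id stays numeric.
    pgrep -x nslcd >/dev/null 2>&1 || echo "nslcd is not running (service nslcd start)"
    listing=$(mktemp)
    ls -l "$1" > "$listing"
    check_listing "$listing"
    status=$?
    rm -f "$listing"
    return $status
}

# Usage: sh nss_ldap_check.sh /srv/samba/share
if [ $# -gt 0 ]; then
    main "$1"
fi
```

If `nss_db_uses_ldap` passes and nslcd is running but ids still come back unresolved, the remaining suspects are the nslcd search bases and bind credentials (nslcd reads /etc/nslcd.conf, not /etc/pam_ldap.conf); `getent passwd 30634` run by hand, with `nslcd -d` in the foreground, shows the exact search nslcd issues and why it returns nothing.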

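Since the post shows /etc/pam_ldap.conf but the lookups on CentOS 6 go through nslcd, here is the same configuration expressed as /etc/nslcd.conf directives. This is an added example for the thread, not a file from the original post or from the nss-pam-ldapd project; the hostname, DNs and search bases are copied from the posted pam_ldap.conf, the bind password is a placeholder, and the migration itself is an assumption about what the poster's nslcd.conf needs to contain. Two caveats from a hardening point of view: `bindpw` makes the file a secret, so keep it `root:root 0600` (the package default), and the post binds as `cn=admin`, whereas lookups only need a read-only account.

```conf
# /etc/nslcd.conf -- added example, not from the original post.
# Values below mirror the posted /etc/pam_ldap.conf; <placeholder-password>
# is a placeholder, not a real credential.
uid nslcd
gid ldap

uri ldap://dir1.ourdomain.com
base dc=ourdomain,dc=com

# Per-map search bases; "scope one" matches the "?one" suffix of the
# nss_base_* lines in the posted file.
base passwd ou=people,dc=ourdomain,dc=com
base shadow ou=people,dc=ourdomain,dc=com
base group  ou=group,dc=ourdomain,dc=com
scope one

# Bind identity used for lookups. A read-only account is sufficient here.
binddn cn=admin,dc=ourdomain,dc=com
bindpw <placeholder-password>

timelimit 30
bind_timelimit 30
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap

# Transport. The post uses plain ldap:// ("ssl no"). If this is switched to
# start_tls or ldaps://, require certificate verification rather than
# leaving the peer check disabled as in the posted file.
ssl off
#ssl start_tls
#tls_reqcert demand
#tls_cacertfile /etc/openldap/cacerts/cacert.pem
```

After editing, `service nslcd restart` and then `getent passwd 30634` is the quickest way to confirm that the search base and bind settings actually return the entry.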
  2. #2 (Rubberman, Linux Guru, Join Date: Apr 2009, Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away. Posts: 11,753)
    So, to cut to the chase, your "problem" is that you see gid and uid numbers, not names in your directory listings? My guess is that the ldap authentication ids/names are not seen when you login manually to the system. You need to change your password authentication from local to ldap so when you login directly, your system should then properly display the names instead of #'s. I haven't played much with ldap on Linux, but I have used YP on Unix, and this was always an issue there.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
