LinuxQuestions.org
Old 04-06-2019, 12:26 AM   #1
james000
Member
 
Registered: Sep 2018
Posts: 149

Rep: Reputation: 2
LDAP password not accepting on client


Hi,

I have an OpenLDAP server running on RHEL 7.2. I created one new RHEL 7.2 client, added it on the server side and did the client side config too.
On the server side, I added this new client and I can see it with the command below
Code:
[root@ldapmaster1 ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=pp,dc=qq,dc=rr,dc=ss" "cn=client21"
On the client side, here is the config
Code:
[root@client21 ~]# authconfig --enableldap --enableldapauth --ldapserver="ldapmaster1-data.pp.qq.rr.ss" --ldapbasedn="dc=pp,dc=qq,dc=rr,dc=ss" --update
[root@client21 ~]# 
[root@client21 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
URI ldap://ldapmaster1-data.pp.qq.rr.ss/
BASE dc=pp,dc=qq,dc=rr,dc=ss
[root@client21 ~]#
[root@ia-dav-nms1 ~]# cat /etc/nsswitch.conf | egrep "passwd|shadow|group|sudoers" | grep -v "#"
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
sudoers:    ldap
[root@ia-dav-nms1 ~]#
When I try to log in with my credentials (non-root), the password is denied. On the LDAP master side I see with tcpdump that the client's IP is hitting the server. But the password is not accepted. The same password works on other clients.
Please suggest how it should be fixed; what am I missing?
Thanks

Last edited by james000; 04-06-2019 at 12:29 AM.
 
Old 04-06-2019, 02:24 PM   #2
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
Have you installed nss-pam-ldapd?

Are you able to resolve UIDs? I.e. can you chown a file to a user that is in LDAP but not your password file?

What does your OpenLDAP ACL look like? I don't see where you configured a proxy account. What does your /etc/nslcd.conf look like? Maybe your configuration isn't allowing anonymous binds.

I am assuming your LDAP entries for users and groups have the posixAccount and posixGroup classes? Keep in mind the posixAccount class is Auxiliary and the posixGroup class is structural.

Can you post an LDIF of one of your users as well as your /etc/pam.d/password-auth? By default, there is a module that forces you to use UIDs of at least 1000 for LDAP users.

I wrote a few guides covering this on my website. If answering my questions doesn't get it working, they might be able to help you. The first is how to minimally configure OpenLDAP for OS authentication, the second is how to set up CentOS 7 to authenticate to it. They should work if you installed OpenLDAP from the repos. I usually install it from source so I can control the TLS library (I have seen the TLS library OpenLDAP is linked to change with package updates, breaking the TLS configuration).

https://tylersguides.com/guides/conf...uthentication/
https://tylersguides.com/guides/conf...tion-centos-7/

If you opt to install from source, here is how I do it:

https://tylersguides.com/guides/inst...urce-centos-7/

Last edited by tyler2016; 04-06-2019 at 02:29 PM.
 
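A way to check two of the conditions tyler2016 asks about (the posixAccount class on the user entry and the PAM module that requires LDAP users to have a UID of at least 1000) against an LDIF entry, as an added example that is not from the thread or from tylersguides. The PAM stack and the three LDIF entries are constructed samples, and the function names are assumptions of this example:

```shell
# Constructed samples (not from the thread): a RHEL 7 authconfig-style
# /etc/pam.d/password-auth auth stack using nss-pam-ldapd, plus three LDIF entries.
PAM_SAMPLE='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'
LDIF_OK='dn: uid=jdoe,ou=People,dc=pp,dc=qq,dc=rr,dc=ss
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
uidNumber: 10001'
LDIF_LOWUID='dn: uid=svc,ou=People,dc=pp,dc=qq,dc=rr,dc=ss
objectClass: inetOrgPerson
objectClass: posixAccount
uid: svc
uidNumber: 500'
LDIF_NOPOSIX='dn: uid=bob,ou=People,dc=pp,dc=qq,dc=rr,dc=ss
objectClass: inetOrgPerson
uid: bob'

# Print N from an "auth ... pam_succeed_if.so uid >= N" line, or 0 if there is none.
pam_uid_min() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && /pam_succeed_if\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i == "uid" && $(i+1) == ">=") { print $(i+2); found = 1; exit }
        }
        END { if (!found) print 0 }'
}
# Print the first value of attribute $2 in LDIF text $1 (attribute names are case-insensitive).
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" 'BEGIN { a = tolower(a) }
        { n = $0; sub(/:.*/, "", n)
          if (tolower(n) == a) { v = $0; sub(/^[^:]*:[ ]*/, "", v); print v; exit } }'
}
# Succeed when the LDIF entry carries objectClass $2.
ldif_has_class() {
    printf '%s\n' "$1" | awk -v c="$2" '
        tolower($1) == "objectclass:" && tolower($2) == tolower(c) { f = 1 }
        END { exit !f }'
}
# Print why this PAM stack would refuse the LDAP user, or "ok" when it would pass.
check_user() {
    ldif_has_class "$2" posixAccount || { echo missing-posixAccount; return 1; }
    uid=$(ldif_attr "$2" uidNumber)
    [ -n "$uid" ] || { echo missing-uidNumber; return 1; }
    [ "$uid" -ge "$(pam_uid_min "$1")" ] || { echo uid-below-pam-threshold; return 1; }
    echo ok
}
check_user "$PAM_SAMPLE" "$LDIF_LOWUID" || true  # prints uid-below-pam-threshold
```

On a real client, feed it the output of `ldapsearch` for one user and the contents of /etc/pam.d/password-auth; a non-"ok" result points at the entry or the PAM threshold rather than at the network path the tcpdump already confirmed.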
Old 04-06-2019, 07:44 PM   #3
james000
Member
 
Registered: Sep 2018
Posts: 149

Original Poster
Rep: Reputation: 2
Your guides are amazing. I cleared the config and did the reconfiguration and it worked. Thanks much for sharing.
 
Old 04-07-2019, 05:23 AM   #4
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 243

Rep: Reputation: Disabled
You're welcome. Glad I could help.
 
Tags
linux, openldap