LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 01-30-2008, 08:28 AM   #1
raghavendrat
LQ Newbie
 
Registered: Jan 2008
Location: Bangalore, India
Distribution: CentOS
Posts: 4

Rep: Reputation: 0
ldap authentication problem


Hi,

I have installed the openldap server on one machine (10.40.10.186). It is CentOS 4.4.
I created an ldap user named 'ramesh' on this machine.

The openldap client is installed on another machine (10.40.10.217). It is CentOS 5.
To enable ldap authentication, I modified 3 files on this machine:
1) /etc/ldap.conf
2) /etc/openldap/ldap.conf
3) /etc/nsswitch.conf
I wish to access 10.40.10.217 using ldap-user ramesh.
But I am unable to do so.

The details are as follows:
=================================================================

The output of "getent passwd ramesh" command on client machine (10.40.10.217) is:
ramesh:x:701:700:Ramesh Patil:/home/ramesh:/bin/bash

The output of "finger ramesh" command is:
Login: ramesh Name: Ramesh Patil
Directory: /home/ramesh Shell: /bin/bash
Never logged in.
No mail.
No Plan.

The output of ldapsearch command is as follows:
dn: uid=ramesh,dc=mwm,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: Ramesh Patil
uid: ramesh
uidNumber: 701
gidNumber: 700
loginShell: /bin/bash
homeDirectory: /home/ramesh
shadowLastChange: 13908
shadowMin: 0
shadowMax: 99999
shadowInactive: -1
shadowWarning: 7
shadowFlag: 0
shadowExpire: -1
userPassword:: cmFtZXNo

===========================================================

On client machine (10.40.10.217), the files are as follows:
(PS: I have ignored comment lines in all files)
1) /etc/ldap.conf
host 10.40.10.186
base dc=mwm,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
__________________________________________________________

2) /etc/openldap/ldap.conf
HOST 10.40.10.186
BASE dc=mwm,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
__________________________________________________________

3) /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: nisplus ldap
publickey: nisplus
automount: files ldap
aliases: files
_________________________________________________________________________

On ldap-server machine (10.40.10.186), the /etc/openldap/slapd.conf is as follows:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

database bdb
suffix "dc=mwm,dc=com"
rootdn "cn=Manager,dc=mwm,dc=com"
rootpw {SSHA}ZU7FCC7Y+RDeMnC6Y4q2YPa6KOd5TyTS

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

==============================================================

I read many how-to and manuals regarding ldap authentication.
Still no success in solving this problem.

Kindly tell me if I am missing something.
Thanks in advance.

Raghavendra.
 
Old 01-30-2008, 08:38 AM   #2
rupertwh
Member
 
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 297

Rep: Reputation: 49
You are missing libpam-ldap or just haven't configured it yet.
 
Old 01-31-2008, 12:19 AM   #3
raghavendrat
LQ Newbie
 
Registered: Jan 2008
Location: Bangalore, India
Distribution: CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
problem solved

Hi,

Thanks rupertwh for your advice.

On the client machine (10.40.10.217) I ran the following command:
# authconfig-tui

It displayed the menu shown below.
I selected the options indicated by an asterisk (*).

───────────────┤ Authentication Configuration ├────────────────

User Information _______ Authentication
[ ] Cache Information ____[*] Use MD5 Passwords
[ ] Use Hesiod _________[*] Use Shadow Passwords
[*] Use LDAP ___________[*] Use LDAP Authentication
[ ] Use NIS ____________ [ ] Use Kerberos
[ ] Use Winbind ________ [ ] Use SMB Authentication
______________________ [ ] Use Winbind Authentication
______________________[*] Local authorization is sufficient

┌──────┐ ┌────┐
│Cancel│ │Next│
└──────┘ └────┘
________________________________________________________________


On clicking "Next" the following menu was displayed.
I entered the Server and Base DN as shown below:
(Note: 10.40.10.186 is the machine where ldap server is installed).

────────────────┤ LDAP Settings ├───────────────

[ ] Use TLS
Server: ldap://10.40.10.186/____________________
Base DN: dc=mwm,dc=com__________________________

┌────┐ ┌──┐
│Back│ │Ok│
└────┘ └──┘
────────────────────────────────────────────────

This solved the problem.
Now I am able to log in on the client machine (10.40.10.217) using the ldap user.
 
Old 02-27-2008, 12:57 AM   #4
muhshaik
LQ Newbie
 
Registered: Feb 2008
Posts: 1

Rep: Reputation: 0
RHEL 5 - LDAP user authentication

The task is to have the server use the corporate ldap server for user authentication.

I have spent several days but have been unable to move any further, except for the following:

1) I have installed....
------------------------------------------------------------------------------------------------------------
nss_ldap-253-3
openldap-2.3.27-5
openldap-clients-2.3.27-5

2) Configured the ldap client; I can hit the ldap server and get the following response:
------------------------------------------------------------------------------------------------------------

[root@poc-mcs-004 etc]# ldapsearch -x -LLL uid=muhshaik
dn: uid=muhshaik,ou=active,ou=employees,ou=people,o=cisco.com
voicemail: XXX XXXX
telephoneNumber: +1 XXX XXX XXXX
ciscoITInternalPhoneNumber: XXXXXXX
state: CALIFORNIA
site: San Jose Site 4
roomNumber: G5-9
registeredAddress: 3550 Cisco Way
postOfficeBox: SJC19/4/4
postalCode: 95134
locationtype: TRADITIONAL
floor: 4
country: United States
city: San Jose
building: SJ-19
groupmembership: allusers
groupmembership: c2cusers
groupmembership: c2users
groupmembership: cdo_all
groupmembership: csg-codedrop
groupmembership: dpt21633
groupmembership: engall
groupmembership: engonly
groupmembership: fit-users
groupmembership: guido
groupmembership: ibsgit
groupmembership: owt370-r
groupmembership: owtallusers
groupmembership: relops-website
groupmembership: rlspreview-eng
groupmembership: solpmt
groupmembership: tsbu
manageruid: XXXXX
vendorname: XXX Software Services Inc
facsimileTelephoneNumber:
status: Active
acquisitionno:
mobile:
seeAlso:
publishpager: n
labeledUri:
title: System Engineer
employeeNumber: XXXXXX
utcoffset:
cn: Mxxxxxxx Sxxxxx
employeeType: Vendor
uid: muhshaik
epage: n
publishmobile: n
middleinitial:
description: TXBU Engineering
mail: muhshaik@cisco.com
supportorganization: n
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ciscoPerson
secondaryaddress:
nickname:
publishpicture: y
manager: Gxxxx Hxxx (gxxxxx)
directreports:
sn: Shaikh
givenName: Mxxxxxxx
departmentNumber: XXXXXXXXX

Also see the configuration for pam:
------------------------------------------------------------------------------------------------------------
[root@poc-mcs-004 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

But when I try to log in as muhshaik, it fails with Access Denied. I grep the logs as follows:
------------------------------------------------------------------------------------------------------------
login as: muhshaik
muhshaik@poc-mcs-004's password:
Access denied
muhshaik@poc-mcs-004's password:


See messages in log files:
------------------------------------------------------------------------------------------------------------
tail -f /var/log/messages

Feb 26 22:54:01 poc-mcs-004 snmpd[12320]: error on subcontainer '' insert (-1)
Feb 26 22:54:22 poc-mcs-004 nscd: nss_ldap: reconnected to LDAP server ldap://171.70.150.78 after 1 attempt
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer 'ia_addr' insert (-1)
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer 'ia_addr' insert (-1)
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer '' insert (-1)


tail -f /var/log/secure
Feb 26 22:54:22 poc-mcs-004 sshd[25721]: Invalid user muhshaik from 10.21.67.114
Feb 26 22:54:22 poc-mcs-004 sshd[25722]: input_userauth_request: invalid user muhshaik
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): check pass; user unknown
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sjc-vpn3-882.cisco.com
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_succeed_if(sshd:auth): error retrieving information about user muhshaik
Feb 26 22:54:28 poc-mcs-004 sshd[25721]: Failed password for invalid user muhshaik from 10.21.67.114 port 2718 ssh2


Could someone please let me know what is wrong here? Am I missing something? Why is my login not working?

Last edited by muhshaik; 02-27-2008 at 02:25 AM.
 
Old 02-27-2008, 01:46 AM   #5
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Am I blind? I can't see a password in the user entry.

Here's what I have in a trial ldap entry (just a play directory); different schema by the looks of it.

Code:
dn: uid=elsie,ou=People,dc=example,dc=com
structuralObjectClass: account
entryUUID: d60c0ede-69a9-102c-8dc3-8b8e30ae185f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20080207092141Z
uid: ###
cn: ####
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: (hashed password was here)
shadowLastChange: 13889
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: #
gidNumber: #
homeDirectory: /home/###
gecos: ###
entryCSN: 20080208070548Z#000004#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20080208070548Z
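To see why post #4's entry behaves differently from post #1's, here is an added checker (not from any poster) that parses an LDIF entry and reports what nss_ldap needs to resolve the user, plus how the password attribute is stored. The two sample entries are constructed from the ldapsearch output above with placeholder values; note that ramesh's userPassword:: value decodes to a cleartext password, and that muhshaik's entry has no posixAccount attributes at all, which is exactly what produces sshd's "Invalid user" lines.

```python
import base64

# Constructed sample entries modelled on the two ldapsearch outputs in this thread.
RAMESH_LDIF = """\
dn: uid=ramesh,dc=mwm,dc=com
objectClass: top
objectClass: posixAccount
cn: Ramesh Patil
uid: ramesh
uidNumber: 701
gidNumber: 700
loginShell: /bin/bash
homeDirectory: /home/ramesh
userPassword:: cmFtZXNo
"""

MUHSHAIK_LDIF = """\
dn: uid=muhshaik,ou=active,ou=employees,ou=people,o=example.com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: muhshaik
mail: muhshaik@example.com
"""

# Attributes nss_ldap needs to synthesise a passwd(5) line for the user.
POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; 'attr:: xyz' values are base64."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # base64-encoded value (LDIF '::' form)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip(), []).append(value)
    return entry

def nss_readiness(entry):
    """Errors stop NSS (getent passwd) from resolving the user, which is what makes
    sshd log 'Invalid user' and pam_succeed_if fail its lookup; warnings concern
    how the password attribute is stored or exposed."""
    errors, warnings = [], []
    if "posixAccount" not in entry.get("objectClass", []):
        errors.append("missing objectClass posixAccount")
    errors += ["missing " + a for a in POSIX_ATTRS if a not in entry]
    if "userPassword" not in entry:
        warnings.append("userPassword not returned (often hidden by ACL; pam_ldap binds instead)")
    elif any(not pw.startswith("{") for pw in entry["userPassword"]):
        warnings.append("userPassword has no {SCHEME} prefix: stored in cleartext")
    return {"errors": errors, "warnings": warnings}
```

An anonymous `ldapsearch -x` not showing userPassword is usually an ACL, not proof the attribute is absent; the errors list is the part that explains a failed login.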
 
Old 04-01-2008, 10:34 AM   #6
robert.forster
LQ Newbie
 
Registered: Oct 2007
Location: Newport News, VA
Distribution: Solaris, Redhat, FC5.6.7.8
Posts: 11

Rep: Reputation: 2
In the world of the LDAP turns LOL
I have FDS running. Runs good (IMHO)
have SSL/TLS or is that TLS/SSL not sure

have three computers
fdstest.example.edu
home.example.edu
client.example.edu

If I turn off TLS on the client, authentication and AUTOMOUNT work great!!
turn on TLS and I get

gdm-binary[2393]: nss_ldap: reconnecting to LDAP server (sleeping * seconds)

gdmgreeter[2393]: nss_ldap: reconnecting to LDAP server (sleeping * seconds)

I have entries for fdstest, home, & client in the /etc/hosts

I have entries in the /etc/openldap/ldap.conf for URI, BASE, HOST, TLS_CACERTDIR, and TLS_RQCERT on the home.example.edu and client.example.edu

have copies of the cert on the client and home (did diff on them to verify they are the same JUST in case they were bad or something)

home.example.edu is able to authenticate with TLS but client is not able to

any thoughts on troubleshooting to solve this issue?

**update**
I am able to ping via FQDN (from client) home & fdstest
I am able to ssh VIA fqdn (from client) home & fdstest

I will continue to post what I find

Last edited by robert.forster; 04-01-2008 at 10:37 AM.
 
Old 04-01-2008, 03:21 PM   #7
robert.forster
LQ Newbie
 
Registered: Oct 2007
Location: Newport News, VA
Distribution: Solaris, Redhat, FC5.6.7.8
Posts: 11

Rep: Reputation: 2
here is a cut and paste (modified for public viewing) of /var/log/dirsrv/slapd-instance/access
"
[01/Apr/2008:16:13:15 -0400] conn=59 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=60 fd=64 slot=64 connection from 192.168.2.6 to 192.168.2.5
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=60 SSL 256-bit AES
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 UNBIND
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=61 fd=65 slot=65 connection from 192.168.2.6 to 192.168.2.5
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=61 SSL 256-bit AES
"
/var/log/dirsrv/slapd-instance/errors
"
[01/Apr/2008:15:58:51 -0400] - Fedora-Directory/1.1.0 B2008.03.27 starting up
[01/Apr/2008:15:58:52 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2008:15:58:52 -0400] - Listening on All Interfaces port 636 for LDAPS requests
"

It takes a long, long period of time before the computer boots, and then it still won't authenticate a user

Last edited by robert.forster; 04-01-2008 at 03:35 PM.
 
Old 04-07-2008, 01:19 AM   #8
treaz
LQ Newbie
 
Registered: May 2007
Location: Bucharest, Romania
Distribution: Debian
Posts: 12

Rep: Reputation: 0
Hi,

I have the same problem, please tell me if you find a solution to it.

Thanks
 
Old 04-08-2008, 06:32 AM   #9
robert.forster
LQ Newbie
 
Registered: Oct 2007
Location: Newport News, VA
Distribution: Solaris, Redhat, FC5.6.7.8
Posts: 11

Rep: Reputation: 2
I am sorry I did not post my solution. Sometimes I have so many threads going in different areas that I lose track.

These are solutions I have found for several different issues. Please excuse the spelling, typos and so forth, because I am not a typist LOL

in /etc/openldap/ldap.conf you will need to verify
uri ldap://123.123.123.123 **ldap server's IP address
base dc=examplehost, dc=exampledomain, dc=edu
TLS_CACERTDIR /etc/openldap/cacerts/ **verify this is the path to the cacert
TLS_REQCERT allow ***this is something you will more than likely need to add

@@@@@@@@@@@@@@@@@@@@@@@@@@@@

/etc/ldap.conf: same here, verify the info is here too
base dc=examplehost, dc=exampledomain, dc=edu

*****this is the one that got me**********
#OpenLDAP SSL options
#Require and verify server certificate (yes/no)
#Default is to use libldap's default behavior, which can be configured in
#/etc/openldap/ldap.conf using the TLS_REQCERT setting. the default for
#OpenLDAP 2.0 and earlier is"no", for 2.1 and later is "yes"
tls_checkpeer no *must uncomment and change to no, as you can see above

uri ldap://123.123.123.123 *the IP address for your ldap server
ssl start_tls *verify this; it is supposed to change when you change system-config-authentication
tls_cacertdir /etc/openldap/cacerts *the path to the cacert
pam_password md5


********
these are some of the things I look for when troubleshooting ldap issues

usually what I do is ssh in two terminal windows to the ldap server (from the client pc that is logged in local account) as root
tail -f /var/log/messages in one terminal
tail -f /var/dirsrv/slapd-*instance*/access in the other terminal
then I su - *username*
and see what happens in the log files

hope that didn't sound too newbie LOL



now if there are other things going on let me know...I might have run across it, and if I didn't I probably will in time

Last edited by robert.forster; 04-08-2008 at 06:33 AM.
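The settings in the post above (tls_checkpeer no, TLS_REQCERT allow) make the client accept any certificate, so the TLS session no longer proves it is talking to the real directory. As an added example that is not from any poster, here is a small checker for nss_ldap/pam_ldap's /etc/ldap.conf that flags those settings, together with a constructed hardened variant that keeps verification on; the tls_reqcert rule is there because the same keyword governs verification in /etc/openldap/ldap.conf (keys are lowercased so that file's TLS lines can be fed through too; ignore the "no TLS" finding for it, since that file has no ssl keyword). Addresses and host names are placeholders.

```python
# Constructed /etc/ldap.conf fragments: the weak one mirrors the settings quoted in
# this thread (including the missing colon in the uri); the hardened one verifies the server.
WEAK_LDAP_CONF = """\
base dc=examplehost,dc=exampledomain,dc=edu
uri ldap//123.123.123.123
ssl start_tls
tls_checkpeer no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""

HARDENED_LDAP_CONF = """\
base dc=examplehost,dc=exampledomain,dc=edu
uri ldap://ldap.exampledomain.edu
ssl start_tls
tls_checkpeer yes
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""

def parse_ldap_conf(text):
    """Parse 'keyword value' lines (keywords are case-insensitive) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def tls_findings(conf):
    """Return the settings that weaken or break TLS between client and directory."""
    findings = []
    uri = conf.get("uri", "")
    ssl = conf.get("ssl", "no").lower()  # nss_ldap default: no TLS at all
    if uri and not uri.startswith(("ldap://", "ldaps://")):
        findings.append("uri is malformed: " + uri)
    if ssl == "no" and not uri.startswith("ldaps://"):
        findings.append("no TLS: simple binds send the user's password in cleartext")
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    reqcert = conf.get("tls_reqcert", "").lower()
    if reqcert in ("never", "allow"):
        findings.append("tls_reqcert " + reqcert + ": invalid or missing server certificate accepted")
    if ssl != "no" and not ("tls_cacertdir" in conf or "tls_cacertfile" in conf):
        findings.append("TLS enabled but no CA certificate configured; verification cannot succeed")
    return findings
```

With verification kept on, the uri must name the host exactly as it appears in the server certificate, which is why the hardened fragment uses a host name rather than a bare IP address.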