You should be using sssd on both Fedora and SL7 for authentication
against LDAP. 

Install the package sssd-ldap, then configure a new
/etc/sssd/sssd.conf 

Google for sssd ldap and you'll find all the documentation you need.
Just don't forget to use: 

authconfig --enablesssd --enablesssdauth --update  

On 2016-09-23 08:42, Ricardo Román Brenes wrote:

> Hello everyone.
> 
> I'm Ricardo from Costa Rica.
> 
> I am trying to set up a server with LDAP authentication (via SSH). I have 
> tried the same configuration on 2 other servers, one with CentOS6.5 and 
> another one with Fedora 24, successfully, but on SL7 it fails, reporting that I 
> have a wrong password.
> 
> These are my config files:
> 
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> #BASE    dc=example,dc=com
> #URI    ldap://ldap.example.com [1] ldap://ldap-master.example.com:666 [2]
> #SIZELIMIT    12
> #TIMELIMIT    15
> #DEREF        never
> #TLS_CACERTDIR /etc/openldap/cacerts
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> #SASL_NOCANON    on
> URI ldap://meta.cnca/
> BASE dc=cnca,dc=cenat
> rootbinddn cn=Manager,dc=cnca,dc=cenat
> 
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/nsswitch.conf
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #    nisplus            Use NIS+ (NIS version 3)
> #    nis            Use NIS (NIS version 2), also called YP
> #    dns            Use DNS (Domain Name Service)
> #    files            Use the local files
> #    db            Use the local database (.db) files
> #    compat            Use NIS on compat mode
> #    hesiod            Use Hesiod for user lookups
> #    [NOTFOUND=return]    Stop searching if not found so far
> #
> 
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
> 
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> #initgroups: files
> 
> #hosts:     db files nisplus nis dns
> #hosts:      files dns myhostname
> hosts:      files dns
> 
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files     
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> #services:   files sss
> services:   files
> 
> #netgroup:   files sss ldap
> netgroup:   files ldap
> 
> publickey:  nisplus
> 
> automount:  files ldap
> aliases:    files nisplus
> 
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/nslcd.conf
> # This is the configuration file for the LDAP nameservice
> # switch library's nslcd daemon. It configures the mapping
> # between NSS names (see /etc/nsswitch.conf) and LDAP
> # information in the directory.
> # See the manual page nslcd.conf(5) for more information.
> 
> # The uri pointing to the LDAP server to use for name lookups.
> # Multiple entries may be specified. The address that is used
> # here should be resolvable without using LDAP (obviously).
> #uri ldap://127.0.0.1/ [3]
> #uri ldaps://127.0.0.1/ [3]
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
> # uri ldap://127.0.0.1/ [3]
> 
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> #ldap_version 3
> 
> # The distinguished name of the search base.
> # base dc=example,dc=com
> 
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=example,dc=com
> 
> # The credentials to bind with.
> # Optional: default is no credentials.
> # Note that if you set a bindpw you should check the permissions of this file.
> #bindpw secret
> 
> # The distinguished name to perform password modifications by root by.
> #rootpwmoddn cn=admin,dc=example,dc=com
> 
> # The default search scope.
> #scope sub
> #scope one
> #scope base
> 
> # Customize certain database lookups.
> #base   group  ou=Groups,dc=example,dc=com
> #base   passwd ou=People,dc=example,dc=com
> #base   shadow ou=People,dc=example,dc=com
> #scope  group  onelevel
> #scope  hosts  sub
> 
> # Bind/connect timelimit.
> #bind_timelimit 30
> 
> # Search timelimit.
> #timelimit 30
> 
> # Idle timelimit. nslcd will close connections if the
> # server has not been contacted for the number of seconds.
> #idle_timelimit 3600
> 
> # Use StartTLS without verifying the server certificate.
> #ssl start_tls
> #tls_reqcert never
> 
> # CA certificates for server certificate verification
> #tls_cacertdir /etc/ssl/certs
> #tls_cacertfile /etc/ssl/ca.cert
> 
> # Seed the PRNG if /dev/urandom is not provided
> #tls_randfile /var/run/egd-pool
> 
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
> 
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
> 
> # NDS mappings
> #map group uniqueMember member
> 
> # Mappings for Services for UNIX 3.5
> #filter passwd (objectClass=User)
> #map    passwd uid              msSFU30Name
> #map    passwd userPassword     msSFU30Password
> #map    passwd homeDirectory    msSFU30HomeDirectory
> #map    passwd homeDirectory    msSFUHomeDirectory
> #filter shadow (objectClass=User)
> #map    shadow uid              msSFU30Name
> #map    shadow userPassword     msSFU30Password
> #filter group  (objectClass=Group)
> #map    group  uniqueMember     msSFU30PosixMember
> 
> # Mappings for Services for UNIX 2.0
> #filter passwd (objectClass=User)
> #map    passwd uid              msSFUName
> #map    passwd userPassword     msSFUPassword
> #map    passwd homeDirectory    msSFUHomeDirectory
> #map    passwd gecos            msSFUName
> #filter shadow (objectClass=User)
> #map    shadow uid              msSFUName
> #map    shadow userPassword     msSFUPassword
> #map    shadow shadowLastChange pwdLastSet
> #filter group  (objectClass=Group)
> #map    group  uniqueMember     posixMember
> 
> # Mappings for Active Directory
> #pagesize 1000
> #referrals off
> #filter passwd 
> (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> #map    passwd uid              sAMAccountName
> #map    passwd homeDirectory    unixHomeDirectory
> #map    passwd gecos            displayName
> #filter shadow 
> (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> #map    shadow uid              sAMAccountName
> #map    shadow shadowLastChange pwdLastSet
> #filter group  (objectClass=group)
> #map    group  uniqueMember     member
> 
> # Mappings for AIX SecureWay
> #filter passwd (objectClass=aixAccount)
> #map    passwd uid              userName
> #map    passwd userPassword     passwordChar
> #map    passwd uidNumber        uid
> #map    passwd gidNumber        gid
> #filter group  (objectClass=aixAccessGroup)
> #map    group  cn               groupName
> #map    group  uniqueMember     member
> #map    group  gidNumber        gid
> 
> uid nslcd
> gid ldap
> 
> uri ldap://meta.cnca/
> base dc=cnca,dc=cenat
> ssl no
> 
> tls_cacertdir /etc/openldap/cacerts
> 
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok 
> try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> #auth        sufficient    pam_sss.so forward_pass
> AUTH        SUFFICIENT    PAM_LDAP.SO USE_FIRST_PASS
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> #account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> ACCOUNT     [DEFAULT=BAD SUCCESS=OK USER_UNKNOWN=IGNORE] PAM_LDAP.SO
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass local_users_only 
> retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
> use_authtok
> #password    sufficient    pam_sss.so use_authtok
> PASSWORD    SUFFICIENT    PAM_LDAP.SO USE_AUTHTOK
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond 
> quiet use_uid
> session     required      pam_unix.so
> #session     optional      pam_sss.so
> SESSION     OPTIONAL      PAM_LDAP.SO
> 
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/pam.d/password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok 
> try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> #auth        sufficient    pam_sss.so forward_pass
> AUTH        SUFFICIENT    PAM_LDAP.SO USE_FIRST_PASS
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> #account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> ACCOUNT     [DEFAULT=BAD SUCCESS=OK USER_UNKNOWN=IGNORE] PAM_LDAP.SO
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass local_users_only 
> retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
> use_authtok
> #password    sufficient    pam_sss.so use_authtok
> PASSWORD    SUFFICIENT    PAM_LDAP.SO USE_AUTHTOK
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond 
> quiet use_uid
> session     required      pam_unix.so
> #session     optional      pam_sss.so
> SESSION     OPTIONAL      PAM_LDAP.SO
> 
> Has anyone encountered a problem like this one? Does anyone know what I can 
> do? Any help will be welcome!
> 
> -Ricardo

-- 
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
 

Links:
------
[1] http://ldap.example.com
[2] http://ldap-master.example.com:666
[3] http://127.0.0.1/