You should be using sssd on both Fedora and SL7 for authentication against LDAP.
Install the package sssd-ldap, then configure a new /etc/sssd/sssd.conf. Google for sssd ldap and you'll find all the documentation you need. Just don't forget to use:

authconfig --enablesssd --enablesssdauth --update

On 2016-09-23 08:42, Ricardo Román Brenes wrote:
> Hello everyone.
>
> I'm Ricardo from Costa Rica.
>
> I am trying to set up a server with LDAP authentication (via SSH). I have
> tried the same configuration on 2 other servers, one with CentOS6.5 and
> another one with Fedora 24, successfully, but on SL7 it fails, reporting that I
> have a wrong password.
>
> These are my config files:
>
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> #BASE dc=example,dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> #TLS_CACERTDIR /etc/openldap/cacerts
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> #SASL_NOCANON on
> URI ldap://meta.cnca/
> BASE dc=cnca,dc=cenat
> rootbinddn cn=Manager,dc=cnca,dc=cenat
>
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/nsswitch.conf
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #    nisplus              Use NIS+ (NIS version 3)
> #    nis                  Use NIS (NIS version 2), also called YP
> #    dns                  Use DNS (Domain Name Service)
> #    files                Use the local files
> #    db                   Use the local database (.db) files
> #    compat               Use NIS on compat mode
> #    hesiod               Use Hesiod for user lookups
> #    [NOTFOUND=return]    Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> #hosts:     files dns myhostname
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> #services:  files sss
> services:   files
>
> #netgroup:  files sss ldap
> netgroup:   files ldap
>
> publickey:  nisplus
>
> automount:  files ldap
> aliases:    files nisplus
>
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/nslcd.conf
> # This is the configuration file for the LDAP nameservice
> # switch library's nslcd daemon. It configures the mapping
> # between NSS names (see /etc/nsswitch.conf) and LDAP
> # information in the directory.
> # See the manual page nslcd.conf(5) for more information.
>
> # The uri pointing to the LDAP server to use for name lookups.
> # Multiple entries may be specified. The address that is used
> # here should be resolvable without using LDAP (obviously).
> #uri ldap://127.0.0.1/
> #uri ldaps://127.0.0.1/
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
> # uri ldap://127.0.0.1/
>
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> #ldap_version 3
>
> # The distinguished name of the search base.
> # base dc=example,dc=com
>
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=example,dc=com
>
> # The credentials to bind with.
> # Optional: default is no credentials.
> # Note that if you set a bindpw you should check the permissions of this file.
> #bindpw secret
>
> # The distinguished name to perform password modifications by root by.
> #rootpwmoddn cn=admin,dc=example,dc=com
>
> # The default search scope.
> #scope sub
> #scope one
> #scope base
>
> # Customize certain database lookups.
> #base   group  ou=Groups,dc=example,dc=com
> #base   passwd ou=People,dc=example,dc=com
> #base   shadow ou=People,dc=example,dc=com
> #scope  group  onelevel
> #scope  hosts  sub
>
> # Bind/connect timelimit.
> #bind_timelimit 30
>
> # Search timelimit.
> #timelimit 30
>
> # Idle timelimit. nslcd will close connections if the
> # server has not been contacted for the number of seconds.
> #idle_timelimit 3600
>
> # Use StartTLS without verifying the server certificate.
> #ssl start_tls
> #tls_reqcert never
>
> # CA certificates for server certificate verification
> #tls_cacertdir /etc/ssl/certs
> #tls_cacertfile /etc/ssl/ca.cert
>
> # Seed the PRNG if /dev/urandom is not provided
> #tls_randfile /var/run/egd-pool
>
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
>
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
>
> # NDS mappings
> #map group uniqueMember member
>
> # Mappings for Services for UNIX 3.5
> #filter passwd (objectClass=User)
> #map    passwd uid              msSFU30Name
> #map    passwd userPassword     msSFU30Password
> #map    passwd homeDirectory    msSFU30HomeDirectory
> #map    passwd homeDirectory    msSFUHomeDirectory
> #filter shadow (objectClass=User)
> #map    shadow uid              msSFU30Name
> #map    shadow userPassword     msSFU30Password
> #filter group  (objectClass=Group)
> #map    group  uniqueMember     msSFU30PosixMember
>
> # Mappings for Services for UNIX 2.0
> #filter passwd (objectClass=User)
> #map    passwd uid              msSFUName
> #map    passwd userPassword     msSFUPassword
> #map    passwd homeDirectory    msSFUHomeDirectory
> #map    passwd gecos            msSFUName
> #filter shadow (objectClass=User)
> #map    shadow uid              msSFUName
> #map    shadow userPassword     msSFUPassword
> #map    shadow shadowLastChange pwdLastSet
> #filter group  (objectClass=Group)
> #map    group  uniqueMember     posixMember
>
> # Mappings for Active Directory
> #pagesize 1000
> #referrals off
> #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> #map    passwd uid              sAMAccountName
> #map    passwd homeDirectory    unixHomeDirectory
> #map    passwd gecos            displayName
> #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> #map    shadow uid              sAMAccountName
> #map    shadow shadowLastChange pwdLastSet
> #filter group  (objectClass=group)
> #map    group  uniqueMember     member
>
> # Mappings for AIX SecureWay
> #filter passwd (objectClass=aixAccount)
> #map    passwd uid              userName
> #map    passwd userPassword     passwordChar
> #map    passwd uidNumber        uid
> #map    passwd gidNumber        gid
> #filter group  (objectClass=aixAccessGroup)
> #map    group  cn               groupName
> #map    group  uniqueMember     member
> #map    group  gidNumber        gid
>
> uid nslcd
> gid ldap
>
> uri ldap://meta.cnca/
> base dc=cnca,dc=cenat
> ssl no
>
> tls_cacertdir /etc/openldap/cacerts
>
>
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> #auth       sufficient    pam_sss.so forward_pass
> AUTH        SUFFICIENT    PAM_LDAP.SO USE_FIRST_PASS
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> #account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> ACCOUNT     [DEFAULT=BAD SUCCESS=OK USER_UNKNOWN=IGNORE] PAM_LDAP.SO
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> #password   sufficient    pam_sss.so use_authtok
> PASSWORD    SUFFICIENT    PAM_LDAP.SO USE_AUTHTOK
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> #session    optional      pam_sss.so
> SESSION     OPTIONAL      PAM_LDAP.SO
>
> --------------------------------------------------------------------------------------------------
> [root@login-0 ~]# cat /etc/pam.d/password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> #auth       sufficient    pam_sss.so forward_pass
> AUTH        SUFFICIENT    PAM_LDAP.SO USE_FIRST_PASS
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> #account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> ACCOUNT     [DEFAULT=BAD SUCCESS=OK USER_UNKNOWN=IGNORE] PAM_LDAP.SO
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> #password   sufficient    pam_sss.so use_authtok
> PASSWORD    SUFFICIENT    PAM_LDAP.SO USE_AUTHTOK
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> #session    optional      pam_sss.so
> SESSION     OPTIONAL      PAM_LDAP.SO
>
> Has anyone encountered a problem like this one? Does anyone know what I can
> do? Any help will be welcomed!
>
> -Ricardo

-- 
Steven Haigh
Email: [email protected]
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
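An added example of the sssd.conf Steven refers to, written for the server and search base in Ricardo's nslcd.conf (ldap://meta.cnca/, dc=cnca,dc=cenat); it is not from the thread. The domain label cnca is an arbitrary choice, and it assumes the directory offers StartTLS and that its CA certificate is installed (hashed) in /etc/openldap/cacerts, the directory the nslcd config already points at.

```ini
# /etc/sssd/sssd.conf -- added example, not from the thread.
# sssd refuses to start unless this file is owned by root with mode 0600.
[sssd]
config_file_version = 2
services = nss, pam
# Arbitrary label for the domain section below (assumption).
domains = cnca

[domain/cnca]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# Same server and base DN as the nslcd.conf in the thread.
ldap_uri = ldap://meta.cnca/
ldap_search_base = dc=cnca,dc=cenat

# sssd will not send a simple-bind password over a cleartext connection: on
# an ldap:// URI it always starts TLS for the authentication bind, so if the
# server does not offer StartTLS (nslcd's "ssl no" allowed that) every login
# fails as a wrong password. Either make StartTLS work or use ldaps://.
# Also protect the identity lookups, not just the password bind.
ldap_id_use_start_tls = true
# Verify the server certificate against the CA below; "never" would let an
# impostor server collect passwords.
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts

# Lookups bind anonymously, as the nslcd config did (no binddn set).
# If the directory requires a bind DN for searches, add:
#   ldap_default_bind_dn = cn=proxyuser,dc=cnca,dc=cenat
#   ldap_default_authtok = <password>   (one more reason for mode 0600)

# Keep hashed credentials so logins still work if meta.cnca is unreachable.
cache_credentials = true
enumerate = false
```

After `chmod 600 /etc/sssd/sssd.conf`, run the authconfig command from the reply and then `systemctl enable --now sssd`; authconfig rewrites nsswitch.conf to `files sss` and regenerates system-auth and password-auth with the pam_sss lines that are commented out in Ricardo's files, replacing the hand-edited pam_ldap entries.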
