Re: LDAP problems

2016-09-22 Thread Steven Haigh
You should be using sssd on both Fedora and SL7 for authentication
against LDAP.

Install the package sssd-ldap, then configure a new
/etc/sssd/sssd.conf.

Google for sssd ldap and you'll find all the documentation you need.
Just don't forget to use:

authconfig --enablesssd --enablesssdauth --update

On 2016-09-23 08:42, Ricardo Román Brenes wrote:

> Hello everyone.
> 
> I'm Ricardo from Costa Rica.
> 
> I am trying to set up a server with LDAP authentication (via SSH). I have 
> tried the same configuration on 2 other servers, one with CentOS6.5 and 
> another one with Fedora 24, successfully, but on SL7 it fails, reporting that I 
> have a wrong password.
> 
> These are my config files:
> 
> [...]
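
Steven's sssd route, worked through as an added example (not code from the thread, from Steven, or from the sssd project). It carries the server and base DN from Ricardo's posted files (meta.cnca, dc=cnca,dc=cenat) into a minimal /etc/sssd/sssd.conf, puts beside it a weak variant that reproduces what the posted setup amounts to (a plain ldap:// URI, certificate checking off, a bind as the directory's cn=Manager), and runs both through a small checker for the settings that make sssd send lookups or passwords in clear text. The sssd domain name cnca, an ldaps listener on meta.cnca and /etc/openldap/cacerts as the CA directory are assumptions. Two caveats before switching: sssd will not send a user's password over an unencrypted LDAP connection unless ldap_auth_disable_tls_never_use_in_production is set, so the server needs a certificate the client trusts; and sssd refuses to start unless sssd.conf is owned by root with mode 0600.

```python
"""Minimal sssd.conf for LDAP logins over TLS, plus a checker for clear-text settings.
Added example, not code from the thread or the sssd project.  meta.cnca and
dc=cnca,dc=cenat come from the posted configs; the sssd domain name 'cnca', the
ldaps listener and /etc/openldap/cacerts are assumptions."""
import configparser
import re
from typing import List

# Recommended /etc/sssd/sssd.conf (sssd requires it to be root:root, mode 0600).
RECOMMENDED_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = cnca

[domain/cnca]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://meta.cnca/
ldap_search_base = dc=cnca,dc=cenat
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = true
"""

# Weak variant (constructed): the posted ldap.conf carried over as-is, i.e. plain
# ldap://, TLS safeguards switched off, bind as the directory manager.
WEAK_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = cnca

[domain/cnca]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://meta.cnca/
ldap_search_base = dc=cnca,dc=cenat
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = cn=Manager,dc=cnca,dc=cenat
ldap_default_authtok = secret
"""

TRUE = ("true", "yes", "1")


def check_sssd_conf(text: str) -> List[str]:
    """Return findings for an sssd.conf body; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings: List[str] = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    if "nss" not in services:
        findings.append("[sssd] services lacks nss: no user/group lookups")
    if "pam" not in services:
        findings.append("[sssd] services lacks pam: no PAM auth for sshd")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"{dom} is listed in domains but [{sect}] is missing")
            continue
        opt = dict(cp.items(sect))  # option -> value, keys already lower-cased
        if opt.get("id_provider") != "ldap":
            continue  # the checks below apply to the LDAP provider only
        uris = [u for u in re.split(r"[\s,]+", opt.get("ldap_uri", "")) if u]
        if not uris:
            findings.append(f"[{sect}] ldap_uri not set")
        if not opt.get("ldap_search_base"):
            findings.append(f"[{sect}] ldap_search_base not set")
        # Identity lookups over ldap:// travel in clear text unless StartTLS is forced.
        if any(u.lower().startswith("ldap://") for u in uris) and opt.get("ldap_id_use_start_tls", "false").lower() not in TRUE:
            findings.append(f"[{sect}] ldap:// without ldap_id_use_start_tls: lookups in clear text")
        # sssd refuses to bind with a user's password over plain LDAP unless this is set.
        if opt.get("ldap_auth_disable_tls_never_use_in_production", "false").lower() in TRUE:
            findings.append(f"[{sect}] ldap_auth_disable_tls_never_use_in_production: passwords in clear text")
        # 'never' and 'allow' accept any certificate, so an interposed server can collect binds.
        if opt.get("ldap_tls_reqcert", "demand").lower() in ("never", "allow"):
            findings.append(f"[{sect}] ldap_tls_reqcert={opt['ldap_tls_reqcert']}: server certificate not verified")
        if opt.get("ldap_default_bind_dn", "").lower().startswith("cn=manager,"):  # heuristic: OpenLDAP's stock rootdn
            findings.append(f"[{sect}] ldap_default_bind_dn is the directory root account; use a read-only proxy user")
        if opt.get("ldap_default_authtok"):
            findings.append(f"[{sect}] ldap_default_authtok stores a bind password: keep the file root:root 0600")
    return findings


if __name__ == "__main__":
    print(check_sssd_conf(RECOMMENDED_SSSD_CONF) or "recommended: ok")
    print(*check_sssd_conf(WEAK_SSSD_CONF), sep="\n")
```

Run the checker over the file before `authconfig --enablesssd --enablesssdauth --update`. authconfig also rewrites the passwd, shadow and group lines in /etc/nsswitch.conf from `files ldap` to `files sss`, which is what makes `getent passwd <user>` and sshd resolve LDAP accounts through sssd instead of nslcd.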

LDAP problems

2016-09-22 Thread Ricardo Román Brenes
Hello everyone.

I'm Ricardo from Costa Rica.

I am trying to set up a server with LDAP authentication (via SSH).
I have tried the same configuration on 2 other servers, one with CentOS6.5
and another one with Fedora 24, successfully, but on SL7 it fails, reporting
that I have a wrong password.

These are my config files:

--
[root@login-0 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE          dc=example,dc=com
#URI           ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT     12
#TIMELIMIT     15
#DEREF         never
#TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false
#SASL_NOCANON  on

URI ldap://meta.cnca/
BASE dc=cnca,dc=cenat
rootbinddn cn=Manager,dc=cnca,dc=cenat
--
[root@login-0 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#nisplus            Use NIS+ (NIS version 3)
#nis                Use NIS (NIS version 2), also called YP
#dns                Use DNS (Domain Name Service)
#files              Use the local files
#db                 Use the local database (.db) files
#compat             Use NIS on compat mode
#hesiod             Use Hesiod for user lookups
#[NOTFOUND=return]  Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: files ldap
shadow: files ldap
group:  files ldap
#initgroups: files

#hosts: db files nisplus nis dns
#hosts:  files dns myhostname
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
#services:   files sss
services:   files


#netgroup:   files sss ldap
netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus


--
[root@login-0 ~]# cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/