Hello everyone.
I'm Ricardo from Costa Rica.
I am trying to set up a server with LDAP authentication (via SSH).
I have tried the same configuration on 2 other servers, one with CentOS6.5
and another one with Feora 24, succesfully but on SL7, it fails, reporting
that i have a wrong password.
These are my config files:
--------------------------------------------------------------------------------------------------
[root@login-0 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false
#SASL_NOCANON on
*URI ldap://meta.cnca/BASE dc=cnca,dc=cenatrootbinddn
cn=Manager,dc=cnca,dc=cenat*
--------------------------------------------------------------------------------------------------
[root@login-0 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
*passwd: files ldapshadow: files ldapgroup: files ldap*
#initgroups: files
#hosts: db files nisplus nis dns
#hosts: files dns myhostname
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
#services: files sss
services: files
#netgroup: files sss ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
--------------------------------------------------------------------------------------------------
[root@login-0 ~]# cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
# base dc=example,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this
file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# NDS mappings
#map group uniqueMember member
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group uniqueMember msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group uniqueMember posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd
(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow
(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
#map group uniqueMember member
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group uniqueMember member
#map group gidNumber gid
*uid nslcdgid ldapuri ldap://meta.cnca/base dc=cnca,dc=cenatssl
notls_cacertdir /etc/openldap/cacerts*
--------------------------------------------------------------------------------------------------
[root@login-0 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok
try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
#auth sufficient pam_sss.so forward_pass
*auth sufficient pam_ldap.so use_first_pass*
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
*account [default=bad success=ok user_unknown=ignore] pam_ldap.so*
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
#password sufficient pam_sss.so use_authtok
*password sufficient pam_ldap.so use_authtok*
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
*session optional pam_ldap.so*
--------------------------------------------------------------------------------------------------
[root@login-0 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok
try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
#auth sufficient pam_sss.so forward_pass
*auth sufficient pam_ldap.so use_first_pass*
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
*account [default=bad success=ok user_unknown=ignore] pam_ldap.so*
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
#password sufficient pam_sss.so use_authtok
*password sufficient pam_ldap.so use_authtok*
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
*session optional pam_ldap.so*
Has anyone encountered a problem like this one? Does anyone knows what can
I do?
Any help will be welcomed!
-Ricardo
|