LDAP Authentication On Red Hat Enterprise 6

After receiving a comment on my previous post on LDAP authentication on RHEL5, I decided to test it on RHEL6. According to the reader, Nick, there are some differences in LDAP authentication in RHEL6. I tried it out myself and indeed it doesn’t work: even getent passwd doesn’t work. Nick mentioned that configuration is needed in nslcd.conf, a file I had not seen before.

In any case, I looked up nslcd and found that it is the local LDAP name service daemon. On my machine this daemon wasn’t running. I started the daemon and everything sprang to life: SSH and getent work. In all my previous deployments I made sure there was no caching on the local machine by disabling nscd (Name Service Caching Daemon). Now that there’s a dependency on another caching daemon, I need to weigh the pros and cons again and possibly disable the caching.

This is an interesting note for upgraders from RHEL5 to RHEL6. Thanks to Nick for raising this issue.

Author: yibi


Comments

  1. Do you have any method of restricting who can actually log in? While I enjoy the concept of single sign-on, I’d dearly love to have the ability to restrict this.

  2. Hi Yibi,

    Many thanks for the info on the nslcd. Seems to work for me (once logged in with a local account, I can pull the full list of LDAP users with ‘getent passwd’) but I still can’t SSH remotely to the server. Although I am using a valid username and password, I keep getting a “permission denied, please try again” message.

    Users’ credentials are in a container called ‘users’. I made the changes in the nslcd.conf file like:
    base passwd ou=users,dc=domain,dc=org
    base shadow ou=users,dc=domain,dc=org

    I have also followed your previous post on using the authconfig command to allow SSH with LDAP. But still no luck.

    What could be wrong or missing that my users still can’t ssh to the host? Any pointers, much appreciated.

    1. Hi Guillermo,

      Is your LDAP server accepting TLS connection? Check /var/log/messages for sssd TLS errors.

      RHEL defaults to TLS connection to LDAP server because of the use of sssd. I’m not sure how to disable this behavior though.

  3. I have the same problem as Guillermo here, that is, “getent passwd” can retrieve user info from my AD server, but users still can’t ssh into the machine.

    One weird observation is that “getent shadow” for AD users will return “:*:0::::::0”; notice that all fields after the encrypted passwd are either empty or 0.

    BTW, I have “FORCELEGACY=yes” in /etc/sysconfig/authconfig, so I am not using TLS.

    Any ideas where else I should be looking?

  4. Hi yiping,
    Can you search for traces of pam_sss in your /var/log/secure?
    If errors for pam_sss are found, remove sssd, then restart your nslcd. Just double check to make sure that there’s no trace of pam_sss anywhere in your pam configs. I suspect sssd is the culprit.

    This might solve Guillermo’s problem as well. :)

  5. Ok, probably a simpler way here.

    authconfig has the following new options in RHEL6:

    --enablesssd
    --disablesssd
    --enablesssdauth
    --disablesssdauth

    Just use authconfig to disable sssdauth. :)

  6. I found out that now there is a separate /etc/pam_ldap.conf which seems to control passwd/shadow lookup in LDAP.

    Once I have correct values in this file, AD users can ssh into RHEL6 nodes.

    FYI, here is what I have in /etc/pam_ldap.conf:

    uri ldap://ad.example.com
    base dc=example,dc=com
    scope sub

    BTW, since I used FORCELEGACY=yes in /etc/sysconfig/authconfig, sssd is not started on my rhel6 nodes.
    bind_policy soft
    # RFC 2307 (AD) mappings
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uniqueMember member

    nss_map_objectclass posixAccount user
    nss_map_objectclass posixGroup group
    nss_map_objectclass shadowAccount user

    pam_filter objectclass=User
    pam_login_attribute sAMAccountName
    pam_password ad
    ssl no

  7. Sorry, cut & paste messed up in the previous post.

    Here is what’s in my /etc/pam_ldap.conf:

    uri ldap://ad.example.com
    base dc=example,dc=com
    scope sub
    bind_policy soft
    # RFC 2307 (AD) mappings
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uniqueMember member

    nss_map_objectclass posixAccount user
    nss_map_objectclass posixGroup group
    nss_map_objectclass shadowAccount user

    pam_filter objectclass=User
    pam_login_attribute sAMAccountName
    pam_password ad
    ssl no

  8. Just want to provide a summary on the whole RHEL6/LDAP client situation, since you guys provided a lot of information to unscramble my confusion (thanks!). The info below will result in a RHEL6 LDAP client connecting unencrypted to the LDAP server:
    – RHEL6 uses SSL/TLS by default to talk to an external LDAP server. For this, the sssd service is used, so you will have to configure it.
    – To use non-encrypted auth to the LDAP server from RHEL6, install the nss-pam-ldapd and pam-ldap packages. This will allow LDAP lookup and auth instead of sssd. Additionally, edit /etc/sysconfig/authconfig by changing “FORCELEGACY=NO” to “FORCELEGACY=YES”. Finally, run the authconfig-tui or authconfig-gtk command to provide the LDAP parameters necessary for the client to connect to and query the LDAP server. By running these commands, the sssd service is stopped and the nslcd service started, to allow non-authenticated connection to the LDAP server.

    Thanks again for the help, yibi and yiping,

  9. Hi,

    Thanks for publishing this information.

    Now I have a problem with the local LDAP authentication on RHEL.
    I would like to log in on the desktop with an LDAP user but it doesn’t work. I receive no errors. The login on the console or by ssh works.

    In the log “/var/log/secure” are the following entries:
    – Sep 16 16:58:44 moe-server pam: gdm-password[7992]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=tuser

    – Sep 16 16:58:44 moe-server pam: gdm-password[7992]: pam_unix(gdm-password:session): session opened for user tuser by (uid=0)

    – Sep 16 16:58:44 moe-server pam: gdm-password[7992]: pam_unix(gdm-password:session): session closed for user tuser

    Does any user have the same problem? Thx 4 help!

    1. Hi, check your /etc/pam.d/gdm. Looks like GDM doesn’t know it has to be using LDAP for whatever reason.
      In my /etc/pam.d/gdm, there’s an include for passwd-auth which has references to LDAP after I enabled LDAP using the authconfig command.

  10. Hi, can you show me your pam.d/gdm file?
    I have changed my file with include system-auth and password-auth for auth, account, password and session.

    After that I restarted the following services: nscd, nslcd and oddjobd. But the problem is not fixed.

    When I use the authconfig tool, it enables sssd and rewrites some config files. After that nothing worked.

    1. Here you go. The last include for system-auth does the ldap part.

      # cat /etc/pam.d/gdm
      #%PAM-1.0
      auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
      auth required pam_succeed_if.so user != root quiet
      auth required pam_env.so
      auth substack system-auth
      auth optional pam_gnome_keyring.so
      account required pam_nologin.so
      account include system-auth
      password include system-auth
      session required pam_selinux.so close
      session required pam_loginuid.so
      session optional pam_console.so
      session required pam_selinux.so open
      session optional pam_keyinit.so force revoke
      session required pam_namespace.so
      session optional pam_gnome_keyring.so auto_start
      session include system-auth

    1. Hey Luk,

      I have no problem on my RHEL6 boxes. GDM plays nicely with LDAP.
      Can you try this:
      > initctl list
      > restart prefdm
      > restart splash-manager

      These 2 commands restart the login manager.

  11. Hi, I tried this but it doesn’t work.

    In the secure log I find 2 entries. Can you compare this with your log? (/var/log/secure)

    Sep 27 14:51:41 moe-server pam: gdm-password[2629]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=tuser

    Sep 27 14:51:41 moe-server pam: gdm-password[2629]: pam_unix(gdm-password:session): session opened for user tuser by (uid=0)

    Sep 27 14:51:41 moe-server pam: gdm-password[2629]: pam_unix(gdm-password:session): session closed for user tuser

    Maybe the error is in the gdm-password file in /etc/pam.d/ or with the pam_unix.
    When I log on, the desktop will be loaded but then you return to the login screen. I don’t have any idea.

    Maybe you would like to contact me by email?

  12. Hi,

    Thanks for the series of howtos for setting up LDAP on RHEL 5/6 systems! They have been very helpful!

    I am trying to set up LDAP-based user management on RHEL 6, and it almost works! But there is an issue: I get errors like this when trying to log in: id: cannot find name for group ID 510
    Also getent group draws a blank.
    Could you help me on this please? Thanks again!
    ldapsearch shows output like this, for a user ldapone and group ldapgrp:

    # a.b.edu
    dn: dc=a.b,dc=edu
    dc: a.b
    objectClass: top
    objectClass: domain

    # People, a.b.edu
    dn: ou=People,dc=a.b,dc=edu
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    # Group, a.b.edu
    dn: ou=Group,dc=a.b,dc=edu
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    # ldapone, People, a.b.edu
    dn: uid=ldapone,ou=People,dc=a.b,dc=edu
    uid: ldapone
    cn: ldapone
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword:: e2NyeXB0fSQ2JHdmYTA3UEtMJE9WNm94eXE3Y29KajRYc0xreURCL2hVRlFmWWl
    0ZkhxYzNueTdrS0wyTXFyMFc1eWRyMDJxU3RXbTlESERMdlpuNmxCT3NOR0t1VUg4LnJHSTFzd04w
    shadowLastChange: 15580
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 505
    gidNumber: 510
    homeDirectory: /home/ldapone

    # ldapgrp, Group, a.b.edu
    dn: cn=ldapgrp,ou=Group,dc=a.b,dc=edu
    objectClass: posixGroup
    objectClass: top
    cn: ldapgrp
    userPassword:: e2NyeXB0fXg=
    gidNumber: 510
    memberUid: ldapone
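The ldapsearch output above can be checked mechanically; this is an added example, not code from the post or its commenters: a small LDIF parser (folded lines and base64 values included) plus a check that each posixAccount's gidNumber belongs to a posixGroup. The sample LDIF is constructed to mirror the entries above, with a placeholder in place of the real password hash.

```python
import base64

# Constructed LDIF modelled on the ldapsearch output above: the password is a
# placeholder, base64-encoded and folded across two lines as ldapsearch prints it.
_PW = base64.b64encode(b"{crypt}$6$PLACEHOLDER$notarealhash").decode()
SAMPLE_LDIF = f"""# ldapone, People, a.b.edu
dn: uid=ldapone,ou=People,dc=a.b,dc=edu
uid: ldapone
objectClass: posixAccount
userPassword:: {_PW[:24]}
 {_PW[24:]}
uidNumber: 505
gidNumber: 510

dn: cn=ldapgrp,ou=Group,dc=a.b,dc=edu
objectClass: posixGroup
cn: ldapgrp
gidNumber: 510
memberUid: ldapone
"""

def parse_ldif(text):
    # One {attr: [values]} dict per entry. In LDIF a newline followed by a space is
    # a fold, so joining those first restores long values; 'attr:: v' means base64.
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value.strip())
    return entries

def check_posix_groups(entries):
    # Map each posixAccount uid to the cn of the posixGroup owning its gidNumber.
    # None is the directory-side cause of "id: cannot find name for group ID N";
    # a name means the data is consistent and the client's group lookup is at fault.
    gid_to_cn = {gid: e["cn"][0] for e in entries
                 if "posixGroup" in e.get("objectClass", []) for gid in e["gidNumber"]}
    return {e["uid"][0]: gid_to_cn.get(e["gidNumber"][0])
            for e in entries if "posixAccount" in e.get("objectClass", [])}
```

Data that passes this check, as the entries above do, points the blank getent group at the client's group lookup rather than at the directory; note that the nslcd.conf lines in comment 2 set base passwd and base shadow only.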

  13. guys,

    I have the same problem here (no result from getent group/passwd and LDAP user cannot ssh into RHEL 6.1). I find that sssd is the source of the problem, so I make sure sssd doesn’t start. Then I change all pam_sss.so in /etc/pam.d/system-auth into pam_ldap.so. Now I can do getent group or getent passwd, but I still cannot ssh into it using an LDAP user. Any hint, maybe? Thank you.

    Note: FORCELEGACY=YES.

    Oh… one more question. Do I need all those nss_ things inside /etc/pam_ldap.conf, since I don’t have them in my other RHEL5 /etc/ldap.conf? Thanx.
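The checks in comments 4, 5 and 13 (no trace of pam_sss in the PAM configs once FORCELEGACY is set, pam_ldap.so in its place) can be scripted; this is an added example, not code from the post or its commenters. The file contents are constructed to mirror the situation described, and the only sysconfig key it relies on is FORCELEGACY.

```python
import re

# Constructed file contents modelled on the RHEL 6 files the comments discuss:
# FORCELEGACY is set, but pam_sss.so is still wired into the auth stack.
SYSCONFIG_AUTHCONFIG = "FORCELEGACY=YES\n"
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""
# type, control (bare word or [...] group), module; a leading '-' marks an optional line
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules(text):
    # {module: set(management groups)} for every pam_*.so line; comments and
    # include/substack lines (which name another file, not a module) are skipped.
    mods = {}
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())
        if m and m.group(3).endswith(".so"):
            mods.setdefault(m.group(3), set()).add(m.group(1))
    return mods

def force_legacy(text):
    # KEY=value file; authconfig writes yes/no and the comments above use YES/NO.
    for line in text.splitlines():
        key, _, val = line.partition("=")
        if key.strip() == "FORCELEGACY":
            return val.strip().strip('"').lower() == "yes"
    return False

def audit_ldap_backend(sysconfig_text, pam_text):
    # Findings where the backend chosen in /etc/sysconfig/authconfig and the modules
    # in the PAM stack disagree: legacy mode wants pam_ldap.so and no pam_sss.so.
    legacy = force_legacy(sysconfig_text)
    mods = pam_modules(pam_text)
    want, stray = ("pam_ldap.so", "pam_sss.so") if legacy else ("pam_sss.so", "pam_ldap.so")
    mode = "FORCELEGACY=yes" if legacy else "sssd mode"
    findings = []
    if stray in mods:
        findings.append(f"{mode} but {stray} still referenced in: {', '.join(sorted(mods[stray]))}")
    for group in ("auth", "account"):
        if group not in mods.get(want, set()):
            findings.append(f"{mode} but {want} is missing from the {group} stack")
    return findings
```

Run it over /etc/pam.d/password-auth as well as system-auth, since on RHEL 6 the sshd PAM file includes password-auth.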
