[rhelv6-list] Problem with ldap

Prentice Bisbal prentice at ias.edu
Thu Dec 2 17:45:22 UTC 2010


Collins, Kevin [BEELINE] wrote:
> I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to
> test on RHEL6 and have run into a problem.
>
> I figured out that I need pam_ldap and nss-pam-ldapd, but I am having
> some trouble getting things to work correctly. I think I have the
> /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing
> some strange behavior.
>
> As an example, I have an “oracle” ID in LDAP:
>
> # grep oracle /etc/passwd
>
> # getent passwd | grep ^oracle:
> oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
>
> # getent passwd oracle
>
> # ldapsearch -LLL -x "(uid=oracle)"
> dn: uid=oracle,ou=People,dc=afis,dc=sr
> uid: oracle
> cn: Oracle Owner
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
> loginShell: /usr/bin/sh
> uidNumber: 200
> gidNumber: 200
> homeDirectory: /oracle
> gecos: Oracle Owner
>
> I can’t figure out why getent (or id, or groups, etc.) can’t resolve
> specific IDs from LDAP, but I can obviously read the data...
>
> Any ideas?
>

Kevin,

I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesterday
myself. After getting nscd and nslcd configured correctly, I was able
to make this work, but then I switched to using sssd for my name
services/PAM.

SSSD appears to be the RH "blessed" method for handling this sort of
stuff, and if you ever use authconfig, it will configure sssd to perform
these functions. You should look into switching to sssd, to keep RH
utils from "fixing" things for you in the future.

Have you tried using strace on getent to see what functions are being
called and what errors are being reported? I would also turn on logging
on your LDAP server and do a tail -f while running getent to see if the
search being performed by 'getent passwd oracle' is being transformed
into something other than what your server needs to get a result.


-- 
Prentice
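Added example (editor's code, not from the thread) of the offline half of the check Prentice describes: parse the ldapsearch output Kevin quoted and evaluate the kind of filter nslcd sends for 'getent passwd oracle' against it, so you can tell whether the entry satisfies the lookup before chasing it on the wire with strace or the server log. The filter and attribute names assume nslcd's defaults, which is an assumption noted in the code.

```python
import base64
import re

# Constructed sample: the ldapsearch -LLL output quoted in the thread (abridged).
SAMPLE_LDIF = """\
dn: uid=oracle,ou=People,dc=afis,dc=sr
uid: oracle
objectClass: account
objectClass: posixAccount
userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
loginShell: /usr/bin/sh
uidNumber: 200
gidNumber: 200
homeDirectory: /oracle
gecos: Oracle Owner
"""

def parse_ldif(text):
    """LDIF -> list of {attr.lower(): [values]}; unfolds wrapped lines and
    decodes 'attr:: base64' values (the form userPassword takes above)."""
    entries = []
    for record in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            if not line or line.startswith("#"):      # skip blanks and comments
                continue
            attr, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                     if rest.startswith(":") else rest.strip())
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def matches(entry, flt):
    """True if the entry satisfies every (attr=value) term of an AND-only filter
    such as nslcd's '(&(objectClass=posixAccount)(uid=oracle))'."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", flt)
    return all(v.lower() in map(str.lower, entry.get(a.lower(), [])) for a, v in terms)

def passwd_line(entry):
    """Render the entry as getent printed it in the thread ({crypt} prefix dropped)."""
    f = lambda a: entry.get(a.lower(), [""])[0]
    pw = f("userPassword").replace("{crypt}", "", 1)
    return ":".join([f("uid"), pw, f("uidNumber"), f("gidNumber"),
                     f("gecos"), f("homeDirectory"), f("loginShell")])

def lookup(ldif, name):
    """Passwd lines for entries a default nslcd by-name lookup returns (assumed defaults)."""
    flt = "(&(objectClass=posixAccount)(uid=%s))" % name
    return [passwd_line(e) for e in parse_ldif(ldif) if matches(e, flt)]
```

If lookup() returns the line but the live 'getent passwd oracle' does not, the entry is fine and the difference lies in what nslcd actually sends or how it is mapped in nslcd.conf, which is exactly what the strace and server-log tail will show.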
