RE: getent passwd only catch local user passwd
Findlay,
Thanks for your help! But the problem is not addressed. On CentOS 6 and 7 I tested "getent passwd yli28". Same result, no output. On my own LDAP client/server environment, both CentOS 6.6, it works. I started sssd on the client. It did not work. Then I started nscd. It still did not work.
I would like to list all my configurations here:
/etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.91.96.141 LVD-LDAP-C6IT hostname
10.91.96.142 LDV-LDAP-CENT6
/etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE ou=people,dc=ra-int,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://usmkemsi107.ra-int.com
#URI 10.91.96.142
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
/etc/nsswitch.conf (all "sss" entries were replaced by "ldap"; neither worked)
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
/etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=people,dc=ra-int,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://usmkemsi107.ra-int.com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
config_file_version = 2
enumerate = true
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Yesterday, I configured LDAP authentication in Artifactory (a repository manager) on CentOS 7. It works. I used ldapsearch -x -D binddn_username -w password "samaccount=yli28". It works.
I really do not know what else I can do to make getent work, so that I can then su to yli28.
If you find anything wrong, please let me know. I can only configure the client side; the LDAP server is controlled by IT.
Thank you!
Yingbo
-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
Sent: Wednesday, April 29, 2015 4:39 AM
To: Yingbo Li
Cc: openldap-technical@openldap.org
Subject: Re: getent passwd only catch local user passwd
On Tue, Apr 28, 2015 at 07:49:07PM +0000, Yingbo Li wrote:
> I am new to LDAP. The company's IT owns the LDAP server; I tried to
> configure the OpenLDAP client but failed. My OS is CentOS 7, openldap is 2.4.39.
>
> I configured ldap and ldaps. I can use ldapsearch to find the full
> LDAP info of my LDAP account. I configured it with authconfig-tui. I also
> modified /etc/pam.d/system-auth and password-auth, changing pam_sss.so
> to pam_ldap.so. But when I try getent passwd, I can only find
> local users. I cannot su to my LDAP account. Why?
You have probably messed up the config by making those changes. CentOS 7 expects to use SSSD to access LDAP: it provides useful services and isolates system processes from the LDAP service so you should not try to bypass it.
Lots of useful information here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#SSSD-Introduction
Rather than editing config files directly, try to get a basic system running by using the authconfig command. This should make sure that you have a consistent setup. Better still, select LDAP authentication when you install the system and let the install wizard help you through the process.
If your LDAP service places size limits or restrictive access-control on the data you may need to create an account for SSSD to bind with so that it can bypass the limits.
This is not really an OpenLDAP problem, so you are likely to get more detailed help on a Red Hat or CentOS mailing list or forum.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------