[rhelv6-list] Problem with ldap

Collins, Kevin [BEELINE] KCollins at chevron.com
Thu Dec 2 18:29:26 UTC 2010


Thanks - I plan to look into SSSD, but was trying to work my way from "known" towards "unknown" :)

However, your reply hit one thing I forgot - I had not yet restarted nscd... that fixed the issue I was seeing and things appear to be working as expected now.

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal
Sent: Thursday, December 02, 2010 9:45 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] Problem with ldap

Collins, Kevin [BEELINE] wrote:
> I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to
> test on RHEL6 and have run into a problem.
> 
> I figured out that I need pam_ldap and nss-pam-ldapd, but I am having
> some troubles getting things to work correctly. I think I have the
> /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing
> some strange behavior.
> 
> As an example, I have an “oracle” ID in LDAP:
> 
> # grep oracle /etc/passwd
> 
> # getent passwd | grep ^oracle:
> oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
> 
> # getent passwd oracle
> 
> # ldapsearch -LLL -x "(uid=oracle)"
> dn: uid=oracle,ou=People,dc=afis,dc=sr
> uid: oracle
> cn: Oracle Owner
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
> loginShell: /usr/bin/sh
> uidNumber: 200
> gidNumber: 200
> homeDirectory: /oracle
> gecos: Oracle Owner
> 
> I can’t figure out why getent (or id, or groups, etc) can’t resolve
> specific IDs from LDAP, but I can obviously read the data...
> 
> Any ideas?
> 

Kevin,

I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesterday
myself.  After getting nscd and nslcd configured correctly, I was able
to make this work, but then I switched to using sssd for my name
services/PAM.

SSSD appears to be the RH "blessed" method for handling this sort of
stuff, and if you ever use authconfig, it will configure sssd to perform
these functions. You should look into switching to sssd, to keep RH
utils from "fixing" things for you in the future.

Have you tried using strace on getent to see what functions are being
called and what errors are being reported? I would also turn on logging
on your ldap server and do a tail -f while running getent to see if the
search being performed by 'getent passwd oracle' is being transformed
into something other than what your server needs to get a result.


-- 
Prentice

_______________________________________________
rhelv6-list mailing list
rhelv6-list at redhat.com
https://www.redhat.com/mailman/listinfo/rhelv6-list
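The LDIF entry and the getent line quoted above show the mapping nslcd performs from a posixAccount object to a passwd(5) record. The following is an added example, not code from the thread or from nss-pam-ldapd: it parses the quoted ldapsearch output (embedded as constructed sample input, including the base64 `::` value), rebuilds the passwd line, and flags that the `{crypt}` hash `No_Login*****` can never match any password, which is why the entry is effectively locked. The helper names are my own.

```python
import base64

# Constructed sample: the ldapsearch -LLL output quoted in the thread.
LDIF = """dn: uid=oracle,ou=People,dc=afis,dc=sr
uid: oracle
cn: Oracle Owner
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
loginShell: /usr/bin/sh
uidNumber: 200
gidNumber: 200
homeDirectory: /oracle
gecos: Oracle Owner
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.
    'attr:: value' means the value is base64-encoded (LDIF syntax)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                      # base64 form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def crypt_hash_is_locked(hash_value):
    """A traditional crypt(3) hash uses only [./0-9A-Za-z]; any other
    character (e.g. '*' or '!') means no password can ever match."""
    alphabet = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
    return any(c not in alphabet for c in hash_value)

def posix_account_to_passwd(entry):
    """Render a posixAccount entry as the passwd line getent showed.
    The getent output in the thread carries the {crypt} hash with its
    scheme prefix stripped; other schemes get 'x' (assumption)."""
    pw = entry.get("userPassword", ["x"])[0]
    pw = pw[len("{crypt}"):] if pw.startswith("{crypt}") else "x"
    gecos = entry.get("gecos", entry.get("cn", [""]))[0]
    return ":".join([entry["uid"][0], pw, entry["uidNumber"][0],
                     entry["gidNumber"][0], gecos,
                     entry["homeDirectory"][0], entry["loginShell"][0]])
```

Run against the sample it reproduces `oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh`; since the bulk `getent passwd` enumeration returned that line while the single lookup did not, the data itself is fine and the difference lies in the lookup path, which is where a stale nscd negative cache entry sits.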