[rhelv6-list] Problem with ldap

Prentice Bisbal prentice at ias.edu
Fri Dec 3 22:06:56 UTC 2010


That depends:

If you are using SSSD, you only need to configure the files in /etc/sssd.

If you are using nss-pam-ldap, you need to configure
/etc/pam_ldap.conf and /etc/nslcd.conf.

If you use the openldap client programs (ldapsearch, ldapmodify, etc.),
you will still need to configure /etc/openldap/ldap.conf.

--
Prentice



Collins, Kevin [BEELINE] wrote:
> Related to this issue, do I still need /etc/ldap.conf or has /etc/pam_ldap.conf basically replaced that?
> 
> -----Original Message-----
> From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
> Sent: Thursday, December 02, 2010 10:29 AM
> To: Prentice Bisbal; rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] Problem with ldap
> 
> Thanks - I plan to look in to SSSD, but was trying to work my way from "known" towards "unknown" :)
> 
> However, your reply hit one thing I forgot - I had not yet restarted nscd... that fixed the issue I was seeing and things appear to be working as expected now.
> 
> Kevin
> 
> -----Original Message-----
> From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal
> Sent: Thursday, December 02, 2010 9:45 AM
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] Problem with ldap
> 
> Collins, Kevin [BEELINE] wrote:
>> I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to
>> test on RHEL6 and have run into a problem.
>>
>> I figured out that I need pam_ldap and nss-pam-ldapd, but I am having
>> some troubles getting things to work correctly. I think I have the
>> /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing
>> some strange behavior.
>>
>> As an example, I have an “oracle” ID in LDAP:
>>
>> # grep oracle /etc/passwd
>>
>> # getent passwd | grep ^oracle:
>> oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
>>
>> # getent passwd oracle
>>
>> # ldapsearch -LLL -x "(uid=oracle)"
>> dn: uid=oracle,ou=People,dc=afis,dc=sr
>> uid: oracle
>> cn: Oracle Owner
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
>> loginShell: /usr/bin/sh
>> uidNumber: 200
>> gidNumber: 200
>> homeDirectory: /oracle
>> gecos: Oracle Owner
>>
>> I can’t figure out why getent (or id, or groups, etc) can’t resolve
>> specific IDs from LDAP, but I can obviously read the data...
>>
>> Any ideas?
>>
> 
> Kevin,
> 
> I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesterday
> myself.  After getting nscd and nslcd configured correctly, I was able
> to make this work, but then I switched to using sssd for my name
> services/PAM.
> 
> SSSD appears to be the RH "blessed" method for handling this sort of
> stuff, and if you ever use authconfig, it will configure sssd to perform
> these functions. You should look into switching to sssd, to avoid RH
> utils from "fixing" things for you in the future.
> 
> Have you tried using strace on getent to see what functions are being
> called and what errors are being reported? I would also turn on logging
> on your ldap server and do a tail -f while running getent to see if the
> search being performed by 'getent passwd oracle' is being transformed
> into something other than what your server needs to get a result.
> 
> 
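An added check, not from anyone in this thread, that needs only the Python standard library: it parses the ldapsearch -LLL entry Kevin posted (re-typed as constructed input), rebuilds the passwd line nslcd should hand to NSS, and compares it with what `getent passwd oracle` returns. An empty getent result is the symptom above (nsswitch/nslcd misconfigured, or a stale nscd cache, which the restart fixed); a non-placeholder password field flags that the anonymous search (`-x` with no bind DN) was allowed to read userPassword.

```python
import base64

# Constructed sample: the ldapsearch -LLL entry quoted in this thread, re-typed
# so the check runs offline (nothing is fetched from a live server).
SAMPLE_LDIF = """\
dn: uid=oracle,ou=People,dc=afis,dc=sr
uid: oracle
cn: Oracle Owner
userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
loginShell: /usr/bin/sh
uidNumber: 200
gidNumber: 200
homeDirectory: /oracle
gecos: Oracle Owner
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}; 'attr:: v' is base64."""
    entry = {}
    for line in text.replace("\n ", "").splitlines():   # unfold continuation lines
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr, []).append(value.strip())
    return entry

def ldif_to_passwd(entry):
    """passwd(5) line NSS should return; nslcd strips {crypt}, as the getent output above shows."""
    password = entry.get("userPassword", ["x"])[0]
    if password.lower().startswith("{crypt}"):
        password = password[len("{crypt}"):]
    gecos = entry.get("gecos", entry.get("cn", [""]))[0]
    return ":".join([entry["uid"][0], password, entry["uidNumber"][0],
                     entry["gidNumber"][0], gecos, entry["homeDirectory"][0],
                     entry["loginShell"][0]])

def check_nss_against_ldap(getent_line, ldif_text):
    """Compare 'getent passwd <user>' output with the directory entry; returns (ok, findings)."""
    expected = ldif_to_passwd(parse_ldif_entry(ldif_text))
    findings = []
    if not getent_line or not getent_line.strip():   # NSS not using LDAP, or stale nscd cache
        findings.append("NSS returned nothing: check nsswitch.conf/nslcd, then restart nscd")
    elif getent_line.strip() != expected:
        findings.append("NSS entry differs from directory (stale nscd cache?)")
    if expected.split(":")[1] not in ("x", "*", "!", "!!"):   # anonymous read of userPassword
        findings.append("userPassword readable anonymously: restrict the directory ACL")
    return (not findings, findings)
```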