[rhelv6-list] trying to get ldap system authentication working via nslcd

Jason Welsh jawelsh at cisco.com
Wed Aug 28 17:35:29 UTC 2013


Actually, I finally got the nslcd part working! I had to use
map    passwd uid cn
filter passwd (objectClass=user)


Now the system will recognize my userid when I do
id userid

But now the issue is with the system authentication: whenever I ssh into the server and put in my password, I get

sshd[11964]: pam_ldap: ldap_search_s Bad search filter

and I cannot figure out what's causing it. I'm guessing it's the /etc/pam_ldap.conf

pam_filter objectclass=user

?? I've tried many things there, but can't get past this error message.

regards,
Jason


On 08/26/2013 07:46 PM, Collins, Kevin [Contractor Acquisition Program]
wrote:
> I think your problem might be this:
> 
> --ldapbasedn="ou=Some Users,dc=cisco,dc=com"
> 
> This option is for specifying the base of your directory, which is where the various OUs (People, Group, Netgroup, etc) will reside.
> 
> I have only run LDAP on Linux in environments where we migrated from NIS, but that is how it is there.
> 
> Here are some example DNs from our environment:
> 
> dn: uid=oracle,ou=People,dc=xxx,dc=yyy
> 
> dn: cn=dba,ou=Group,dc=xxx,dc=yyy
> 
> dn: cn=os,ou=Netgroup,dc=xxx,dc=yyy
> 
> dn: cn=daemon,ou=Aliases,dc=xxx,dc=yyy
> 
> I masked the Base DN as "dc=xxx,dc=yyy" but you can see how all the other OUs are "based" to that?
> 
> Kevin
> 
> -----Original Message-----
> From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Jason Welsh
> Sent: Friday, August 23, 2013 2:33 PM
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] trying to get ldap system authentication working via nslcd
> 
> 
> 
> On 08/23/2013 04:35 PM, Camron W. Fox wrote:
>> On 13/08/23 5:03 AM, Jason Welsh wrote:
>>> Hey folks, I'm using a RHEL 6.4 server and I am trying to set up
>>> system LDAP authentication via nslcd.conf. I have the
>>> authenticated bind working, but I cannot get the system to
>>> recognize users when I do a "su - userid".
> 
>>> I'm pretty sure it's my filter that's not right. I'm not quite sure
>>> what my filter and map statements should look like.
> 
>>> Right now, I'm using a simple filter in nslcd.conf like
> 
>>> filter passwd (objectClass=User)
> 
>>> When I sniff the transaction to the LDAP server (not using
>>> encryption yet) I see the client bind to the LDAP server, and in
>>> the search request, I see Filter:
>>> (&(objectClass=posixGroup)(memberUid=tcpdump))
> 
>>> Huh? tcpdump user?  o_O And of course 0 results come back.
> 
>>> Any ideas why this is happening? Any suggestions on a better
>>> filter/map to use?
> 
>>> regards, Jason
> 
> 
>> Jason,
> 
>> 	What did your authconfig line look like when you setup authentication?
> 
>> Best Regards,
>> Camron
> 
> 
>  authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --disableldaptls --ldapserver="myldapserver.cisco.com"  --ldapbasedn="ou=Some Users,dc=cisco,dc=com" --updateall
> 
> 
> 
> 
> _______________________________________________
> rhelv6-list mailing list
> rhelv6-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-list
> 
> 

-- 
Jason Welsh
Systems Administrator  .:|:.:|:.
Threat Response, Intelligence and Development
W:  919-392-6816
M:  919-637-3693
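A check worth having when chasing a "Bad search filter" like the one above: a local syntax checker for RFC 4515 search filters, so a candidate `filter` line for nslcd.conf or `pam_filter` value for pam_ldap.conf can be tested before it is deployed and a login is attempted. This is an added example, not code from the thread or from nslcd/pam_ldap. The composite shape `(&(<pam_login_attribute>=<user>)(<pam_filter>))` is my reading of how pam_ldap combines `pam_login_attribute` with `pam_filter` (note that `pam_filter` is given without its own outer parentheses, unlike nslcd's `filter` lines), and the attribute/user names `uid` and `jason` are invented for illustration.

```python
"""Added example: RFC 4515 LDAP search-filter syntax checker, plus a helper that
builds the composite filter shape pam_ldap is assumed to send. Not from the thread."""
import re

# Attribute description. Extensible-match rules (attr:rule:=value) are deliberately
# not supported; every filter in the thread is a plain equality match.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
_HEX_RE = re.compile(r"[0-9A-Fa-f]{2}")
_OPS = ("~=", ">=", "<=", "=")


class FilterSyntaxError(ValueError):
    """Carries an offset so the bad spot in the filter can be pointed at."""


def _parse_item(s, i):
    """Parse 'attr OP value' starting at s[i]; return the index of the closing ')'."""
    m = _ATTR_RE.match(s, i)
    if not m:
        raise FilterSyntaxError(f"expected an attribute name at offset {i}")
    i = m.end()
    for op in _OPS:
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise FilterSyntaxError(f"expected =, ~=, >= or <= at offset {i}")
    start = i
    while i < len(s) and s[i] != ")":
        if s[i] == "(":
            raise FilterSyntaxError(f"unescaped '(' inside a value at offset {i}")
        if s[i] == "\\":
            # RFC 4515 only allows backslash as \XX (two hex digits).
            if not _HEX_RE.fullmatch(s[i + 1:i + 3]):
                raise FilterSyntaxError(f"backslash needs two hex digits at offset {i}")
            i += 3
        else:
            i += 1
    if i == start:
        raise FilterSyntaxError(f"empty value at offset {i}")
    return i


def _parse_filter(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("filter ends after '('")
    c = s[i]
    if c in "&|":
        i += 1
        n = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            n += 1
        if n == 0:
            raise FilterSyntaxError(f"'{c}' at offset {i - 1} needs at least one sub-filter")
    elif c == "!":
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1


def filter_error(filt):
    """Return None if filt is a syntactically valid RFC 4515 filter, else a message."""
    try:
        end = _parse_filter(filt, 0)
    except FilterSyntaxError as e:
        return str(e)
    if end != len(filt):
        return f"trailing characters after the filter at offset {end}"
    return None


def is_valid_filter(filt):
    return filter_error(filt) is None


def escape_value(value):
    """RFC 4515 escaping for a value spliced into a filter, e.g. the login name PAM
    hands to pam_ldap. Without this, a crafted name can rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def compose_pam_filter(login_attr, user, pam_filter):
    """Assumed shape of the lookup pam_ldap does when pam_filter is set:
    (&(<pam_login_attribute>=<user>)(<pam_filter>)). pam_filter carries NO outer
    parentheses of its own; the wrapper supplies them."""
    return f"(&({login_attr}={escape_value(user)})({pam_filter}))"


if __name__ == "__main__":
    # Constructed candidates: the nslcd filter from the thread, the bare pam_filter
    # form, and what happens if pam_filter is mistakenly written with parentheses.
    for f in ["(objectClass=user)",
              "objectClass=user",
              "(&(objectClass=posixGroup)(memberUid=tcpdump))",
              compose_pam_filter("uid", "jason", "objectclass=user"),
              compose_pam_filter("uid", "jason", "(objectclass=user)"),
              compose_pam_filter("uid", "ja)(uid=*", "objectclass=user")]:
        print(f"{f!r}: {filter_error(f) or 'OK'}")
```

Two things the run shows: an nslcd `filter passwd` value must carry its own parentheses, while a `pam_filter` value that carries them ends up double-wrapped once pam_ldap adds its own, which this checker rejects as a syntax error; and `escape_value` is what keeps a login name like `ja)(uid=*` from turning the authentication lookup into a different query.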
