[rhelv6-list] trying to get ldap system authentication working via nslcd

Collins, Kevin [Contractor Acquisition Program] KCollins at chevron.com
Fri Aug 30 01:02:20 UTC 2013


What is the type of LDAP server being used? I am only familiar with using OpenLDAP via the mode supported from RFC2307 (basically NIS within LDAP). In my case, the object type of users is "posixAccount" and "account". As far as my experience goes, this is what RH is expecting.

What types of attributes belong to an objectClass of "user"? By default I think it is expecting an attribute of "userPassword" to contain the user's password.

Kevin
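Added example (editor's note; this is not code from the list, from nslcd or from pam_ldap): a strict RFC 4515 checker for LDAP search filters, together with the value escaping that keeps a login name supplied over the network from changing the meaning of the filter it is spliced into. It runs over the filters quoted in this thread. The shape of the combined lookup filter, an AND of the uid assertion and the configured filter, is an assumption modelled on how nslcd/pam_ldap-style lookups behave, not their code. One caveat: the OpenLDAP client library is more lenient than the RFC and also accepts a bare `attr=value` term, so a string this checker rejects is not necessarily the one pam_ldap complained about; the point is to see what a conforming filter looks like and to parse a configured filter before it ever reaches `ldap_search_s`.

```python
"""Strict RFC 4515 filter checker plus assertion-value escaping.

Added example, not nslcd/pam_ldap code. user_lookup_filter() assumes the
combined filter is (&(uid=<login>)<configured filter>); that shape is an
assumption about those tools, not taken from their sources.
"""
import re

# attribute description: a name or an OID, optionally followed by ;options
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")
_ESCAPE_RE = re.compile(r"\\[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """A filter string that does not follow the RFC 4515 grammar."""


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 section 3 requires to be escaped inside
    an assertion value, so a login such as '*)(cn=*' stays a literal."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _check_value(value: str, op: str) -> None:
    """Reject raw parentheses or NUL, broken escapes, and '*' outside '='."""
    if any(ch in value for ch in "()\x00"):
        raise FilterError("unescaped '(' , ')' or NUL in value %r" % value)
    if "\\" in _ESCAPE_RE.sub("", value):
        raise FilterError("backslash not followed by two hex digits in %r" % value)
    if "*" in value and op != "=":
        raise FilterError("'*' is only allowed with '=' (presence/substring)")


def _parse(text: str, i: int):
    """Parse one parenthesised filter at text[i]; return (next offset, node)."""
    if i >= len(text) or text[i] != "(":
        raise FilterError("expected '(' at offset %d in %r" % (i, text))
    i += 1
    if i >= len(text):
        raise FilterError("filter ends right after '('")
    op = text[i]
    if op in "&|":
        i += 1
        items = []
        while i < len(text) and text[i] == "(":
            i, child = _parse(text, i)
            items.append(child)
        if not items:
            raise FilterError("'%s' needs at least one nested filter" % op)
        node = {"op": op, "items": items}
    elif op == "!":
        i, child = _parse(text, i + 1)
        node = {"op": "!", "items": [child]}
    else:
        end = text.find(")", i)  # a ')' inside a value must be escaped as \29
        if end < 0:
            raise FilterError("missing ')' for item starting at offset %d" % i)
        m = re.match(r"^([^=~<>]*)(~=|>=|<=|=)(.*)$", text[i:end])
        if not m or not _ATTR_RE.match(m.group(1)):
            raise FilterError("malformed simple item %r" % text[i:end])
        attr, op, value = m.groups()
        _check_value(value, op)
        node = {"op": op, "attr": attr, "value": value}
        i = end
    if i >= len(text) or text[i] != ")":
        raise FilterError("expected ')' at offset %d in %r" % (i, text))
    return i + 1, node


def parse_filter(text: str) -> dict:
    """Parse a complete filter into a nested dict; raise FilterError if malformed."""
    i, node = _parse(text, 0)
    if i != len(text):
        raise FilterError("trailing text after filter: %r" % text[i:])
    return node


def check_filter(text: str) -> str:
    """Return 'ok' or a short reason the filter was rejected."""
    try:
        parse_filter(text)
        return "ok"
    except FilterError as exc:
        return "rejected: %s" % exc


def user_lookup_filter(login: str, base_filter: str, uid_attr: str = "uid") -> str:
    """AND a login-name assertion with the configured filter (assumed shape).
    The login arrives from the network, so it is escaped before insertion, and
    the configured filter is parsed first so a typo fails here, not in the bind."""
    parse_filter(base_filter)
    return "(&(%s=%s)%s)" % (uid_attr, escape_filter_value(login), base_filter)


if __name__ == "__main__":
    # First three filters are the ones quoted in the thread; the rest are constructed.
    for f in ["(objectClass=user)", "objectclass=user",
              "(&(objectClass=posixGroup)(memberUid=tcpdump))", "(objectClass=user"]:
        print("%-50s %s" % (f, check_filter(f)))
    print(user_lookup_filter("jwelsh", "(objectClass=user)", uid_attr="cn"))
    print(user_lookup_filter("*)(cn=*", "(objectClass=user)", uid_attr="cn"))
```

Run it directly to see each filter's verdict; the last two lines show that with `map passwd uid cn` the lookup becomes `(&(cn=<login>)(objectClass=user))` and that a login containing filter metacharacters is neutralised into `\2a\29\28...` rather than opening a second assertion.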
-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Jason Welsh
Sent: Wednesday, August 28, 2013 10:35 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] trying to get ldap system authentication working via nslcd

Actually, I finally got the nslcd part working! I had to use
map    passwd uid cn
filter passwd (objectClass=user)


Now the system will recognize my userid when I do
id userid

but now the issue is with the system authentication; whenever I ssh into the server and put in my password, I get

sshd[11964]: pam_ldap: ldap_search_s Bad search filter

and I cannot figure out what's causing it. I'm guessing it's the /etc/pam_ldap.conf

pam_filter objectclass=user

?? I've tried many things there, but can't get past this error message.

regards,
Jason


On 08/26/2013 07:46 PM, Collins, Kevin [Contractor Acquisition Program]
wrote:
> I think your problem might be this:
> 
> --ldapbasedn="ou=Some Users,dc=cisco,dc=com"
> 
> This option is for specifying the base of your directory, which is where the various OUs (People, Group, Netgroup, etc) will reside.
> 
> I have only run LDAP on linux in environments where we migrated from NIS, but that is how it is there. 
> 
> Here are some example DNs from our environment:
> 
> dn: uid=oracle,ou=People,dc=xxx,dc=yyy
> 
> dn: cn=dba,ou=Group,dc=xxx,dc=yyy
> 
> dn: cn=os,ou=Netgroup,dc=xxx,dc=yyy
> 
> dn: cn=daemon,ou=Aliases,dc=xxx,dc=yyy
> 
> I masked the Base DN as "dc=xxx,dc=yyy" but you can see how all the other OUs are "based" to that?
> 
> Kevin
> 
> -----Original Message-----
> From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Jason Welsh
> Sent: Friday, August 23, 2013 2:33 PM
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] trying to get ldap system authentication working via nslcd
> 
> 
> 
> On 08/23/2013 04:35 PM, Camron W. Fox wrote:
>> On 13/08/23 5:03 AM, Jason Welsh wrote:
>>> hey folks, I'm using a RHEL 6.4 server and I am trying to set up
>>> system ldap authentication via nslcd.conf and I have the
>>> authenticated bind working, but I cannot get the system to
>>> recognize users when I do a "su - userid"
> 
>>> I'm pretty sure it's my filter that's not right. I'm not quite sure
>>> what my filter and map statements should look like.
> 
>>> right now, I'm using a simple filter in nslcd.conf like
> 
>>> filter passwd (objectClass=User)
> 
>>> when I sniff the transaction to the ldap server (not using
>>> encryption yet) i see the client bind to the ldap server, and in
>>> the search request, i see Filter:
>>> (&(objectClass=posixGroup)(memberUid=tcpdump))
> 
>>> huh? tcpdump user?  o_O and of course 0 results come back.
> 
>>> any ideas why this is happening? Any suggestions on a better
>>> filter/map to use?
> 
>>> regards, Jason
> 
> 
>> Jason,
> 
>> What did your authconfig line look like when you set up authentication?
> 
>> Best Regards,
>> Camron
> 
> 
>  authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --disableldaptls --ldapserver="myldapserver.cisco.com"  --ldapbasedn="ou=Some Users,dc=cisco,dc=com" --updateall
> 
> 
> 
> 
> _______________________________________________
> rhelv6-list mailing list
> rhelv6-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-list
> 

-- 
Jason Welsh
Systems Administrator  .:|:.:|:.
Threat Response, Intelligence and Development
W:  919-392-6816
M:  919-637-3693
