Configuring LDAP client authentication using authconfig


    Hello there,

    I would like to configure a RHEL 7 system to use LDAP-based client authentication with the authconfig tool.

    First, I tested the connection to and availability of my LDAP server with ldapsearch:

    ldapsearch -v -h hostname -y /root/passwdfile -D "cn=stringA,ou=stringB,o=stringC,o=stringD,o=stringE" -b "o=stringC,o=stringD,o=stringE" "(uid=john)"
    

    This query returned the expected result:

    filter: (uid=john)
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base  with scope subtree
    # filter: (uid=john)
    # requesting: ALL
    #
    
    # john, people, stringC, stringD, stringE
    dn: uid=john,ou=people,o=StringC,o=stringD,o=stringE
    uidNumber: 123456
    loginShell: /usr/bin/bash
    homeDirectory: /home/john
    gecos:: IErDtnJnIEthc3RuaW5nLFVIUlosLDA=
    gidNumber: 101
    cn: john
    sn: john
    uid: john
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: organizationalPerson
    objectClass: person
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    In the second step I used authconfig to configure my system to use LDAP authentication:

    authconfig --enableldap --enableldapauth --ldapserver="ldap://ldapbackend.example.com" --ldapbasedn="o=stringC,o=stringD,o=stringE" --update
    

    After that, the configuration looks as follows:

    authconfig --enableldap --enableldapauth --ldapserver="ldap://ldapbackend.example.com" --ldapbasedn="o=stringC,o=stringD,o=stringE" --test
    caching is disabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://ldapbackend.example.com"
     LDAP base DN = "o=stringC,o=stringD,o=stringE"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = ""
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap range = "16777216-33554431"
    nss_sss is enabled by default
    nss_wins is disabled
    nss_mdns4_minimal is disabled
    DNS preference over NSS or WINS is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     password hashing algorithm is sha512
    pam_krb5 is disabled
     krb5 realm = ""
     krb5 realm via dns is disabled
     krb5 kdc = ""
     krb5 kdc via dns is disabled
     krb5 admin server = ""
    pam_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://ldapbackend.example.com"
     LDAP base DN = "o=stringC,o=stringD,o=stringE"
     LDAP schema = "rfc2307"
    pam_pkcs11 is disabled
     use only smartcard for login is disabled
     smartcard module = ""
     smartcard removal action = ""
    pam_fprintd is disabled
    pam_ecryptfs is disabled
    pam_winbind is disabled
     SMB workgroup = ""
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_sss is disabled by default
     credential caching in SSSD is enabled
     SSSD use instead of legacy services if possible is enabled
    IPAv2 is disabled
    IPAv2 domain was not joined
     IPAv2 server = ""
     IPAv2 realm = ""
     IPAv2 domain = ""
    pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
    pam_passwdqc is disabled ()
    pam_access is disabled ()
    pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
    Always authorize local users is enabled ()
    Authenticate system accounts against network services is disabled
    

    My /etc/nsswitch.conf shows the following entries:

    passwd:     files sss ldap
    shadow:     files sss ldap
    group:      files sss ldap
    

    But when I run id for the user from the ldapsearch, the user cannot be found:

    id john
    id: john: no such user
    

    I'm very new to LDAP-based client authentication and followed the authconfig section in the System-Level Authentication Guide. I do not see any errors in the journal or /etc/messages that would give me a hint about what's wrong here.

    I would appreciate it if someone could give me some good advice on how to get the LDAP-based configuration up and running.

    Kind regards,
    Joerg K.
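
    An added diagnostic, not part of Joerg's post and not Red Hat's or authconfig's own code: the shell script below audits the two artifacts shown above, the authconfig --test output and the nsswitch.conf lines (embedded as constructed copies of what the post prints, so it runs offline), and reports what a practitioner would check before digging further. It flags that nss_ldap and pam_ldap are enabled against a plain ldap:// URI with LDAP+TLS disabled, so pam_ldap would send user passwords in cleartext (authconfig's --enableldaptls and --ldaploadcacert flags, or an ldaps:// URI, fix that). It names the daemon behind each nsswitch source, the ldap source being served by nslcd from the nss-pam-ldapd package and the sss source by sssd, because a source whose daemon is not installed or running silently returns nothing. And it builds the ldapsearch that mirrors what the NSS backend does with these settings, an anonymous simple bind (-x, no -D) against the same URI and base DN, since the search in the post bound as a named DN with a password, and --ldapserver/--ldapbasedn do not carry bind credentials into the client configuration. The rpm and systemctl commands in its output are suggestions to run by hand; the script itself only parses text and changes nothing on the system.

```shell
#!/bin/sh
# Added example, not from the post: offline audit of the `authconfig --test`
# output and the nsswitch.conf lines shown in the post. Both samples below are
# constructed copies of the post's output, trimmed to the lines this reads.

AUTHCONFIG_TEST='nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldapbackend.example.com"
 LDAP base DN = "o=stringC,o=stringD,o=stringE"
nss_sss is enabled by default
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldapbackend.example.com"
 LDAP base DN = "o=stringC,o=stringD,o=stringE"
 LDAP schema = "rfc2307"
pam_sss is disabled by default
 SSSD use instead of legacy services if possible is enabled'

NSSWITCH='passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap'

# setting_value TEXT KEY: unquoted value of the first `KEY = "value"` line,
# e.g. setting_value "$AUTHCONFIG_TEST" "LDAP server".
setting_value() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 = \"\(.*\)\"\$/\1/p" | head -n 1
}

# module_state TEXT MODULE: "enabled" or "disabled" from a line such as
# "nss_ldap is enabled" or "pam_sss is disabled by default".
module_state() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m && $2 == "is" { print $3; exit }'
}

# uri_scheme URI: the part before "://" ("ldap" or "ldaps").
uri_scheme() {
    printf '%s\n' "$1" | sed 's,://.*,,'
}

# nss_sources NSSWITCH DB: source list of one database, e.g. "files sss ldap".
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ldap_transport_ok TEST: succeeds when no LDAP module is enabled, or when the
# enabled one is protected by ldaps:// or LDAP+TLS; fails on cleartext LDAP.
ldap_transport_ok() {
    nss=$(module_state "$1" nss_ldap)
    pam=$(module_state "$1" pam_ldap)
    [ "$nss" = enabled ] || [ "$pam" = enabled ] || return 0
    uri=$(setting_value "$1" "LDAP server")
    tls=$(module_state "$1" "LDAP+TLS")
    [ "$(uri_scheme "$uri")" = ldaps ] || [ "$tls" = enabled ]
}

# nss_probe_cmd TEST UID: an ldapsearch that mimics the NSS backend with these
# settings: anonymous simple bind (-x, no -D), same URI, same base DN. If it
# returns no entry while the bound search in the post did, the lookup daemon
# needs bind credentials (binddn/bindpw in /etc/nslcd.conf for nslcd, or
# ldap_default_bind_dn/ldap_default_authtok in sssd.conf for sssd).
nss_probe_cmd() {
    printf 'ldapsearch -x -H %s -b "%s" "(uid=%s)"\n' \
        "$(setting_value "$1" "LDAP server")" \
        "$(setting_value "$1" "LDAP base DN")" "$2"
}

# audit TEST NSSWITCH: prints findings; returns the number of WARN findings.
audit() {
    warnings=0
    if ! ldap_transport_ok "$1"; then
        echo "WARN: LDAP enabled over $(setting_value "$1" 'LDAP server') without TLS:"
        echo "      pam_ldap sends user passwords in cleartext. Use an ldaps:// URI or"
        echo "      authconfig --enableldaptls --ldaploadcacert=<CA cert URL> --update"
        warnings=$((warnings + 1))
    fi
    for db in passwd shadow group; do
        srcs=$(nss_sources "$2" "$db")
        case " $srcs " in
            *" ldap "*)
                echo "INFO: $db uses the 'ldap' source, served by nslcd (nss-pam-ldapd):"
                echo "      check: rpm -q nss-pam-ldapd; systemctl is-active nslcd" ;;
        esac
        case " $srcs " in
            *" sss "*)
                echo "INFO: $db uses the 'sss' source, served by sssd:"
                echo "      check: systemctl is-active sssd" ;;
        esac
    done
    echo "NEXT: $(nss_probe_cmd "$1" john)"
    return "$warnings"
}

# Stand-alone run: the post's configuration yields one warning (cleartext LDAP).
audit "$AUTHCONFIG_TEST" "$NSSWITCH" || printf 'warnings: %d\n' "$?"
```

    On a real host, replace the two embedded samples with `audit "$(authconfig --test)" "$(cat /etc/nsswitch.conf)"`; the parsing functions only read the key/value and "module is enabled/disabled" lines that authconfig prints, so the rest of its output is ignored.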

