I've set up an Ubuntu 10.10 LDAP Client to authenticate off my LDAP server. I've installed the following:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds
Here's my /etc/nsswitch.conf:
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
I can nss_updatedb ldap successfully:
# nss_updatedb ldap
passwd... done.
group... done.
I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.
However, I cannot do an id ldapuser
ex:
$ id tony
id: tony: No such user
Here's my auth.log:
Dec 1 21:08:17 webdev120 sshd[14765]: pam_unix(sshd:auth): check pass; user unknown
Here's my syslog:
sshd[14648]: Libgcrypt warning: missing initialization - please fix the application
Here's my /etc/pam.d/common-auth:
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
#auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
# end of pam-auth-update config
Here's my /etc/pam.d/common-account:
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
ID works just fine with my local users on my local machine so somehow it's not able to read the ldap users.
Any insights appreciated.
Here's my test on my ldap user 'tony'
root@webtest111:/etc/pam.d# id tony
id: tony: No such user
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d# getent passwd |grep tony
tony:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# /etc/init.d/nscd stop
* Stopping Name Service Cache Daemon nscd [ OK ]
root@webtest111:/etc/pam.d# getent passwd |grep tony
tony:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d# id tony
id: tony: No such user
SOLVED: I added ldapns.schema to enable host based authentication and the users before the schema upgrade caused this caching to stop. I added a new after the schema upgrade and all is well.
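A point worth checking in transcripts like the one above: the entry that getent passwd prints for tony has six colon-separated fields, whereas a valid passwd line has seven (name:passwd:uid:gid:gecos:home:shell). A single-user lookup such as id or getent passwd NAME rejects a malformed record even when a bulk enumeration still prints it. The script below is an added diagnostic, not part of the original post; it validates passwd-format lines on stdin and reports each malformed one. The sample data is constructed here, modelled on the post's output.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): check passwd-format entries
# for the seven-field layout name:passwd:uid:gid:gecos:home:shell with numeric
# uid and gid.

# Constructed sample modelled on the post: the first entry is well-formed, the
# second (tony) lacks the password field and so has six fields, the third has a
# non-numeric uid.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tony:1005:10000:Tony Montana:/home/tony:/bin/bash
bad:x:abc:10000:Bad Entry:/home/bad:/bin/bash'

# check_passwd_entries reads passwd-format lines on stdin and prints one
# diagnostic line per malformed entry. Exit status is 0 when every line is
# valid and 1 when at least one is not.
check_passwd_entries() {
    awk -F: '
        NF != 7 {
            printf "line %d: %s: expected 7 fields, got %d\n", NR, $1, NF
            bad++; next
        }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "line %d: %s: uid/gid not numeric (%s:%s)\n", NR, $1, $3, $4
            bad++; next
        }
        END { exit (bad > 0) }
    '
}

# count_bad_entries prints how many malformed entries the constructed sample
# contains (2 for SAMPLE_PASSWD).
count_bad_entries() {
    printf '%s\n' "$SAMPLE_PASSWD" | check_passwd_entries | wc -l | tr -d ' '
}

# On a live system, stop nscd first (as in the post) so cached answers are not
# masking the NSS source, then run:  getent passwd | check_passwd_entries
printf '%s\n' "$SAMPLE_PASSWD" | check_passwd_entries \
    || echo "malformed passwd entries found; single-user lookups will fail for them"
```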