Again, nerdy stuff follows. Click away now if you were looking for pics of naked chicks or something. Like a lot of people buying new hardware these days, we've recently started to look into migrating from CentOS 5 to CentOS 6. New hardware really is the only reason we're looking to migrate. The new hardware isn't supported by CentOS 5 kickstart and rolling your own updates into a new kickstart image can be a PITA. So why not upgrade to the new stuff? How hard can it be? Kickstart and build stuff aside, the biggest problem we had with building some new CentOS 6 test boxes had to do with LDAP. You see, RedHat (and CentOS as a result) now supports 2 different providers for LDAP authentication. That's right, two. The bad thing is that it's 2 *new* providers. It's not the "new way" and the "old way." It's the "new way" and the "other new way." Those looking for seamless upgrades, keep wishing. Those who want to figure out how to do this easily, read on. Basically, the old PADL NSS stuff is dead. They realized what a steaming pile of shit it was (memory leaks and all) and decided to scrap it. So they took a lot of the same stuff, renamed it, and pushed it out the door. I'll call this the "nslcd/openldap/legacy stuff." This is the closest method to "the old way" of doing things. But here's the catch, they fucked it all up. It's broken, convoluted, and not well documented. Worst, there's a lot of bad advice floating around the Internet in places like StackOverflow, ServerFault, ExpertsExchange, etc. Ignore it all. Just read this page. Ignore any piece of documentation that has you configuring nslcd.conf. Fedora/RedHat realized how terrible PADL software is, so they wrote their own stuff; it's called SSSD. It's a terrible name, but overall it works pretty well. Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in the name. Just use SSSD. Update: This is the page that I used to learn about/configure sssd. Here's the idiot's guide, super easy configuration:
Oh and if you use nscd with sssd, be sure and set the passwd and group caches to "no". It's good to run nscd as a DNS host name cache, but its user and group caching conflicts with sssd's (which does its own).
Matt Bucknam
7/2/2012 05:56:02 am
Awesome write-up. Clear as a bell. Concise. Accurate. Saved me a ton of time.
somecuriousOwl
7/2/2012 06:46:33 pm
Hi. I tried as it's written here. But get nothing. "id username" says that there is no such user.. but no errors.
somecuriousOwl
7/2/2012 07:08:36 pm
it seems that sssd either not working or doesn't like my ldap server cause its logs also clean I'd double check your sssd.conf file and restart the sssd service. Also, the sssd config file shown here is from our use and needs to be customized to your environment. You can't just copy and paste the text. Our working example uses 389ds and the POSIX user/group schema from rfc2307bis.
somecuriousOwl
7/3/2012 02:18:35 pm
Thank U) I've found the place where i'd made a mistake. It was ldap not ldaps in server url. Sorry for bothering U
jt2ga56
7/18/2012 03:39:44 am
NSLCD and SSSD both work. I disagree with the author about sudo with nslcd. sudo will work fine with nslcd. It works fine with sssd also. There IS one reason to use nslcd over sssd, if it applies to you. If you have any applications that use the getent calls for user authentication, sssd will not work. Period. Red Hat decided that it knows better than any other software author, and dropped suooprt for getent shadow (from LDAP users) with sssd. A plus for sssd is that is supports credential caching, however this is only good is a user actually logged into the server while it was connected to LDAP, and we actually turn this caching setting off for security reasons. We are actually working with Red Hat to get some RADIUS support into sssd, and in a way that is not completely retarded.
jt2ga56
7/18/2012 03:58:05 am
I believe that the author must be referring to using LDAP to specify sudo access. This was an issue with nslcd in late 2011, but it should have been in the updated nslcd before this article was written. Of course, this article doesn't actually mention using LDAP to control sudoers, and I don't believe the abive configuration will achieve that goal with sssd either.
sudo w/nslcd was broken when I wrote this post. At least it was in RH6.x at the time. Who knows if/when they took a fix from the 3rd party, but it wasn't working at the time and that's that.
Didn't know about the getent thing, but I don't think it applies to anything we're running since we haven't been bitten by it yet.
Dan Paulus
8/2/2012 07:25:30 am
Spent the entire morning fighting nss, this post saved me from spending my afternoon doing the same.
chris
8/19/2012 05:03:54 pm
There is one possible reason for using nslcd. I can use pam_filter to read the description attribute of a user in the ldap database. This can be used for machine based access control. Unless something like this is also possible with sssd (?).
chris
8/20/2012 10:43:13 am
diq, you are right. With ldap_access_filter looking up values for the description attribute on the ldap server, machine based access control works "out of the box", so to speak. I now agree that sssd is the way to go. Thanks for the great post!
Dan Lark
8/24/2012 12:28:45 am
Well this got me farther than anything I've found so far. Up to this point, I was unable to have it retrieve anything from LDAP. However, while I am able to get 'id $user' to work. I still cannot get it to work for authentication. 8/24/2012 07:09:25 am
I am also having the same problem. Following the instructions in this post, I can confirm that it is using ldap with a command like: id.
Dan Lark
9/9/2012 11:28:00 pm
I did eventually get it going. Here's what I found:
Dan, yeah LDAPS, LDAP w/StartTLS, or SASL should always be used. I know it's frustrating because it's good to test without SSL at first to make sure you have everything setup right, then enable SSL last. The new RHEL/sssd stance makes it that much harder to get everything working.
Dan Lark
9/12/2012 04:29:02 am
One small caveat on the "enumerate" option. There is a known bug on this option. The problem is sssd_be will segfault with this option turned on and id_provider set to anything other than ldap (i.e. ipa, local, etc.). There is a fix present in the sssd source tree, but has not been implemented within the RHEL distribution. (I think this will likely be updated in 6.4, as this causes breakage in FreeIPA.) BTW, I have seen strange issues with enumerate in conjunction with sudo, sssd, and ldap. I suspect this bug is related, also.
Philip
9/9/2012 10:42:54 pm
This worked very well for me. I fought with the CentOS 6.3 client for about 3 weeks and this got me going immediately. I am reluctant to de-install the distro sudo and download the sudo org rpms so I am going to struggle a little bit longer with the nlscd.conf. I have never run into an order problem with sudoers in ldap like someone suggested. I keep my sudoers rules pretty simple. 9/10/2012 12:15:53 am
The solution for me was to simply do this:
Artem
9/10/2012 01:56:46 am
You're a genius. Thanks man!
Chris
9/13/2012 04:50:42 am
Thanks for this. This helped out a lot. Everything I have been getting mixed signals about sssd on the internet... use it / don't use. Ually with no reason. Anyway, this write up helped me out a lot. Thanks for the enumerate option also. I wish Red Hat would document this precise. ;-)
DanTMan63
6/4/2013 12:46:35 am
Did anyone ever answer this or did you find the answer?
msz59
9/29/2012 10:24:31 am
Sorry for slightly OT question but I run into this page googling for "LDAP authentication based on group" :)
Andrew
10/1/2012 12:51:43 am
I configured all as you wrote, and I able to write "id ldapuser" and get info from this command. Also I can from root switch to ldapuser by typing "su ldpauser" and act as ldapuser (it doesn't require password). But when I try to login as ldapuser from non-root user it require password, and when I type password I always get an error: "Incorrecr password" . Same error appears when I try to login using GUI. I think, probably when typing password it don't lookup LDAP. Where may be problem? Thanks.
Chris
10/22/2012 09:37:25 am
> .. Worst, there's a lot of bad advice floating around the Internet in places like StackOverflow, ServerFault, ...
Chris, I normally try and be deferential when responding to obvious flame comments, but you sir, can shut the fuck up.
Aaron
10/27/2012 10:48:10 am
Awesome info! Thanks a ton for making the internet a better place, ;)! I was wondering if you could tell me what the authconfig line changes, as I am looking to automate this via puppet. I can manage the others as you list out the paths, thanks in advance!
Justin
6/10/2013 12:47:04 am
Aaron - I believe the only changes authconfig makes for this are the password-auth and system-auth files. New versions below.
jean
11/14/2012 03:09:43 am
1. yum install sssd -- works!
Sum Yung Gai
4/4/2013 11:14:26 pm
I noticed that as well. You've got to write one, like the article shows. A little strange, given that Red Hat are trying to GUI-fy everything and make it easier for Microsoft sysadmins. Usually RH include an example config file, but it wasn't too hard to write one.
Chandan
11/16/2012 06:24:42 am
Thanks for the article it helped me a lot. However, still I have to manually create each user in the machine after creating it at the server. Is it way that once I create a user a the ldap server, rest things will get automatically created on the very first login of the use.
Todor
11/19/2012 11:24:42 pm
Thanks for the wonderful guide, it's the best one I have found.
diq
11/20/2012 09:14:08 am
Yeah I didn't really think about the homedir thing because we have all of our home directories mounted over NFS (via LDAP and automount).
Todor
11/20/2012 03:48:14 pm
Yes, NFS directories are about to be implemented in my case, but still not yet.
diq
11/21/2012 03:34:42 am
I believe that 389DS supports the pasword change exop, so you shouldn't have to do anything for sssd. The user should just change his password with the passwd command. In fact, I just changed mine. You're probably not running multi-master in 389DS so you should have config lines in sssd.conf like this:
Todor
11/21/2012 04:12:40 am
Yeah, I figured it out. Was trying to do it by the root user at first. Now I am looking into adding the list of co-workers with a script, something like http://linuxadministration.us/?p=140. Will try it tomorrow and let you know, if you are interested.
bill
5/6/2013 09:32:30 am
As you said, the passwd works out of the box. However, local root user cannot use passwd to change an ldap user's password, with the following msgs: bill, that's just not going to work. I'm sure it violates lots of security principles. For one, a local root user having the ability to change external user's passwords sounds like a terrible idea. If you need to reset LDAP passwords or change them, use a dedicated account in LDAP for that (or let users change their own).
mjr
7/23/2013 11:57:38 pm
Stephen Gallagher (one of the SSSD developers) wrote [1]:
chandan
12/6/2012 09:48:16 am
You article is superb. It helped me to get sssd worked with password caching, but I am facing one strange issue. Getting the error "id: cannot find name for group ID" on login. The login is successful but everytime getting this error. Did a lot google but could not resolve the issue. I am using Centos 6.3 on server (389) and client.
Todor
12/6/2012 07:36:18 pm
Have you checked /etc/nsswitch.conf? It should contain a line like this:
chandan
12/7/2012 02:58:19 am
I think now I understand little bit. Thank you very much you guys, I have been struggling for this simple thing for so long as finally I got answer over here.
Chandan
12/7/2012 01:04:13 am
Todor
12/7/2012 01:56:48 am
I can not see any GID property of a group, are you sure there are any?
chandan
12/7/2012 02:10:05 am
May be I have configure wrongly. But while creating user, I do specify Posix properties such as GID and UID. Right, you've got half of the equation down. The other half is creating the groups that map to the correct GID. The POSIX user entry tells Linux what the UID and GID should be. The POSIX group entry tells Linux what the name of that GID is (and typically which users are groups but that depends on your LDAP implementation). You need the POSIX group objectClass with appropriate attributes to map back to the GID's you specified for your users. Hope this helps.
bill
5/5/2013 07:35:21 am
Although I've setup a posixGroup and insert the user names in it (memberUid=user1) I'm still unable to resolve group names. The strange thing is that while my logs report that the search query is correct no result is returned. For instance the following returns netries=0:
Yeah, a solution that worked for years fell on its face with CentOS 6.3. No amount wrangling of pam_ldap nss-pam-ldapd nss_ldap pam_crapdap would make this work. I throw sssd into the mix, still no joy but I get TLS errors in /var/log/messages:
thefold
1/28/2013 11:03:44 pm
Excellent guide! I'd got sssd setup on some RHEL workstations just fine but I was having some problems with a CentOS migration I'm carrying out. My problem was that I was still thinking LDAP/PAM had to be in the picture.
shakour
1/29/2013 02:39:57 am
After I added the RHEL6.3 to the Ldap server as instructed above and automount a home from the sever (auto.home & auto.master configured), local users (such as admin) cannot access /home/admin?
linuxlife
2/14/2013 10:55:41 pm
Great work, keep it up.
aliaj00
2/19/2013 11:25:37 pm
thanks a lot. i also have the issue with the:
Chandan
3/21/2013 09:26:03 am
I had the same problem. You have to separately create posix group with Group ID and while creating the user you have to specify that UID. Best is read the Manager Entries section in the deployment guide of the RHDS documentation it has nice explanation with examples. If uid/gid is done properly then id <username> will return with all names and numbers without any error.
Dan
2/25/2013 12:50:28 pm
ldaps:// is deprecated in favor of Start TLS [RFC2830]
Rick
2/26/2013 08:20:24 pm
Thank you!! Worked flawlessy and finally, I can get rid of the tons of files of the old implementation that, frankly, just sucks, as you said!
Todor
3/6/2013 07:51:10 pm
Diq, have you tried to use sudo without password for some users? I can not get rid of the password prompt:(
I have installed 389 directory server on Centos 6 and sssd clients (thanks for your article). Now So far things look good, but one thing I don't understand, If I delete a user from a group, it takes almost 4-5 minutes to reflect the same on the clients (output of "id" command). I am wondering what could be the reason? (group add works immediately) Is there any timer/caching that could be changed. I tried restating sssd but that did not help either. For Linux user group I am using 389's static groups and adding users in a group by
Chandan
3/21/2013 07:31:20 am
Answering my own question. That turn out to be controlled by the parameter "entry_cache_timeout" in sssd.conf file. Now after I set it to 5 (secocds) the changes are shown immediately as all cached entries are expired after 5 second and hence sssd will make fresh query to ldap for that.
Justin
3/21/2013 10:05:34 am
First and foremost - thank you for this! Taking a dive into LDAP and this is the most helpful thing i have found by far.
justin
3/23/2013 07:08:47 am
Thank you very much! Worked like a charm after setting up SSL
Dexter
3/22/2013 12:58:58 am
This is a great post Diq. Thank you. 3/24/2013 04:41:11 pm
Save me quite a lot time on this. It works on my case. Thx.
toldav
4/11/2013 12:06:14 pm
I had been told that don't use /etc/openldap/ldap.conf on the client side if you are using SSSD only use sssd.conf can someone please explain what this two files are different from one to another. I'm using 389ds on rh. well the /openldap files are used for openldap clients such as ldapsearch/modify etc and /etc/sssd/ files used for sssd. clients. So if you plan to use openldap-client packages then you must setup /etc/openldap files (hostname and cert files). usually the cert files are stored in single place and it is often /etc/openldap/cacert (for sssd and openldap clients as well). HTH
John
4/19/2013 12:01:37 am
Awesome post - clear concise and extremely helpful
Collins Richey
4/19/2013 06:58:29 am
We use ldap-only for id/auth. We don't use kerberos for anything. Is the krb5_kdclp in your example just required for completeness, or is actual kerberos required to do ldap authentication using sssd?
Collins Richey
4/23/2013 12:59:25 am
It turns out that krb_kdcip is deprecated anyway. Now I'm having troubles getting authentication to work. In our previous configs without sssd (works flawlessly for rel 5 systems), we have the parameters "sudo w/nslcd was broken when I wrote this post. At least it was in RH6.x at the time. Who knows if/when they took a fix from the 3rd party, but it wasn't working at the time and that's that." <<--- THAT! Many people don't realize that "fixed in git" means shit to the installed base because there's no little elves doing the QA for RHEL and patch rollout to your servers while you're sleeping. 4/26/2013 07:38:28 am
Thanks for the info on this post. I used most of what you have here with some minor edits and got our RHEL6 servers authenticating quite nicely with our AD.
diq
4/30/2013 10:02:04 am
Great! As a former Windows admin, it's always good to see Linux interoperability.
Gerard
5/20/2013 10:24:28 am
Mate, this really helped me. Been battling with PAM LDAP for a long time. But sssd was so simple! Been using this simple formula. Really appreciate this.
Dannycorp
5/22/2013 12:52:50 am
This works flawlessly thank you.
Jarkko
6/12/2013 09:14:05 pm
Thank you very much for this article, I have successfully configured nearly all. I can login via ssh and from console as ldap user, but for some strange reason I can not get the graphical login to work? I use gdm and when I try to login it approves my login/password and tries to load the Desktop but it just returns back to login screen. /var/log/secure just stated that session was opened and on the next line session was closed. I can successfully login as a local user to Desktop and I can get the Desktop to work if I first login as ldap user via console and startx from there, no problem. Any help would be appriciated! 6/17/2013 05:00:32 am
Great post. Up to the point and insightful. I was struggling with the point for a few hours before I hit your post and could configure my system in minutes. I also had special setup on the ldap server and these additional settings helped me to fix the issues:
SuperAdmin
6/19/2013 07:11:01 pm
Your R A Genius Man !!!
Faruk Okcu
6/23/2013 11:21:18 pm
Thanks for this precious info but it doesn't work for me. I want to auth users in zimbra ldap. (openldap). My client is a Centos 6.4. getent passwd lists only local file. nsswitch.conf and tls is configured. I can see sssd pings ldap server and receives a reply. It still remains a mystery If the query (id $user) is sent to ldap server or not, even with debug_level = 0xFFF0 Config files are as follows can sb give a hint where to start debugging? Comments are closed.
|
AuthorA NOLA native just trying to get by. I live in San Francisco and work as a digital plumber for the joint that runs this thing. (Square/Weebly) Thoughts are mine, not my company's. Archives
May 2021
Categories
All
|