I am trying to get CentOS 6 to authenticate against LDAP (Active Directory, to be specific). I am a bit confused though, because after installing nss-pam-ldapd I see several files that appear to hold the same configuration. For example I have /etc/pam_ldap.conf and /etc/nslcd.conf. Both of these files seem to have the same configuration options. None seem to work. Any guidance would be much appreciated.
4 Answers
Make sure you:
1. yum remove sssd
2. yum install openldap-clients nss-pam-ldapd
3. Run authconfig
4. Check your /etc/openldap/ldap.conf: check that it points to your valid cert file
5. Check your /etc/nslcd.conf: confirm ssl start_tls, and confirm the cert file is pointing to a valid file
Here is an example authconfig line:
    authconfig --enableldap --enableldapauth \
      --ldapserver=ldap://ldap.example.com/,ldap://ldap2.example.com/ \
      --ldapbasedn=dc=example,dc=com --update
Then make sure in /etc/openldap/ldap.conf:
    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
    TLS_REQCERT demand
And in /etc/nslcd.conf:
    ssl start_tls
    tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
    tls_reqcert never
so that you get a certificate, not an empty directory.

This is the 'correct' method of conf file use according to the nss-pam-ldapd documentation. http://arthurdejong.org/nss-pam-ldapd/setup . There are further configuration changes to make depending on your environment (such as TLS certificates for verification). – NcA May 07 '12 at 23:48
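The two certificate settings in the answer above pull in opposite directions: TLS_REQCERT demand in /etc/openldap/ldap.conf makes libldap verify the directory's certificate, while tls_reqcert never in /etc/nslcd.conf accepts any certificate at all, and nslcd.conf is the file nslcd reads when it binds on a user's behalf. What follows is an added example, not code from the answer or from nss-pam-ldapd: a small Python audit for nslcd.conf / pam_ldap.conf-style "key value" files that flags a missing ssl setting, a non-verifying tls_reqcert, and a missing CA file. The three sample configurations are constructed (the CA bundle path is the one from the answer), and the path is only checked on disk when check_paths=True.

```python
"""Audit nss-pam-ldapd / pam_ldap style 'key value' configuration for settings
that leave LDAP simple-bind passwords readable on the wire or leave the
server certificate unchecked.  Added example; not code from the answer above
or from nss-pam-ldapd.  The sample configurations below are constructed."""
import os


def parse_ldap_conf(text):
    """Parse 'key value' lines (comments start with '#').  Keys are case-folded
    so nslcd.conf (tls_reqcert) and ldap.conf (TLS_REQCERT) read the same way.
    A repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(settings, check_paths=False):
    """Return a list of findings; an empty list means nothing weak was found.

    Assumptions: an absent 'ssl' means off (nslcd's documented default), and
    only demand/hard count as enforcing the server certificate."""
    findings = []
    uris = settings.get("uri", "").lower()
    ssl = settings.get("ssl", "off").lower()
    encrypted = "ldaps://" in uris or ssl in ("start_tls", "on", "yes")
    if not encrypted:
        findings.append("no TLS: ssl is off and there is no ldaps:// URI, so a "
                        "simple bind sends the user's password in clear text")
        return findings  # certificate settings are moot without TLS

    reqcert = settings.get("tls_reqcert", "").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append("tls_reqcert %s: the directory's certificate is not "
                        "enforced, so an attacker on the path can present any "
                        "certificate and read the bind password" % reqcert)
    elif reqcert not in ("demand", "hard"):
        findings.append("tls_reqcert not set explicitly; set it to demand")

    cafile = settings.get("tls_cacertfile") or settings.get("tls_cacert")
    if not cafile:
        findings.append("no tls_cacertfile/TLS_CACERT: nothing to verify the "
                        "server certificate against")
    elif check_paths and not os.path.isfile(cafile):
        findings.append("%s is not a regular file (the CA bundle must be a "
                        "file, not an empty directory)" % cafile)
    return findings


def audit_text(text, check_paths=False):
    return audit(parse_ldap_conf(text), check_paths)


# Constructed samples.  WEAK mirrors the nslcd.conf lines in the answer above.
WEAK_NSLCD_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
tls_reqcert never   # accepts any certificate
"""
HARDENED_NSLCD_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
tls_reqcert demand
"""
PLAINTEXT_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NSLCD_CONF),
                       ("hardened", HARDENED_NSLCD_CONF),
                       ("plaintext", PLAINTEXT_CONF)):
        print(name, audit_text(conf) or ["ok"])
```

The hardened sample is the answer's nslcd.conf with tls_reqcert changed to demand, which is the only difference the audit reports; run it with check_paths=True on the real host to also catch the "empty directory instead of a certificate" case the answer warns about.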
While this has already been answered, there are few things to keep in mind:
- It is important to note that there is no need to disable sssd, as that can connect to active directory.
- You can also enable TLS and everything else in one shot with authconfig.
So to connect to LDAP, you would:
- Install pam_ldap, nss-pam-ldapd and sssd (using yum to satisfy the dependencies) and enable sssd
- Copy the cert file into /etc/openldap/cacerts
Then in one shot, run this:
authconfig --enablesssd --enableldap --enableldaptls --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --enableldapauth --update
(authconfig will automatically pick up the cert residing in /etc/openldap/cacerts)

I can confirm the steps should be working.
If you do not use TLS, just "ssl yes" is OK too.
You must install these packages; it cost me a lot of time to find out all the necessary packages on Red Hat 6: nss-pam-ldapd, pam_ldap, openldap, openldap-clients.
Sam

I basically got this to work (except it's sending passwords in clear text, which I plan to fix), so I figured I would share what I did.
I installed the nss-pam-ldapd package using yum. I edited both pam_ldap.conf and nslcd.conf to reflect my environment. I then ran authconfig-tui and answered its questions as best as I could. I did not turn on TLS or SSL; I just wanted to see if things were working. I ran "/etc/init.d/nslcd restart" and then I could su into LDAP users as well as log in with them via SSH. Then when I turned on SSL/TLS it stopped working. So I looked using tcpdump and grepped, and found that my password was getting sent in clear text. So it works, but I still need to get SSL/TLS working. I would have thought the LDAP client would send passwords already hashed, but I guess not. Maybe there is a way to tell it what cipher to use to hash the password before sending it to LDAP.
Anyway, I hope this helps others with this problem. Thanks

Transmitting pre-encoded passwords is a terrible idea because the directory server cannot enforce password quality without knowing the password, therefore all passwords should be sent in clear-text. Any directory server environment used for authentication, authorization, or other purposes where passwords must be transmitted should use TLS, or at the very least SSL. – Terry Gardner Aug 15 '11 at 10:23
Good point. In the end I configured krb5 to talk to AD which does not send passwords as plain text (as in they cant be easily read by any one listening on the network). – startoftext Aug 25 '11 at 15:14
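The reason tcpdump plus grep found the password is visible in the wire format itself. An LDAP BindRequest (RFC 4511) is BER-encoded, and the "simple" authentication choice is nothing more than the password as an OCTET STRING, so without TLS it sits verbatim in the TCP payload. The following is an added example, not code from the answers above or from any LDAP library: it builds a simple bind and a SASL bind (the shape a Kerberos/GSSAPI bind takes, where the bind carries a mechanism token rather than the password), then walks a byte stream the way a capture of one connection would be read and pulls out what each bind exposes. The DN, password and SASL token are constructed values.

```python
"""What an LDAP bind puts on the wire (RFC 4511 BindRequest, BER encoded) and
why a capture shows the simple-bind password in clear text.  Added example;
not code from the answers above or from any LDAP library.  The DN, password
and SASL token below are constructed."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0] OCTET STRING, primitive: the password itself
AUTH_SASL = 0xA3      # [3] SaslCredentials, constructed


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER in minimal two's complement (sign bit kept clear)."""
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def simple_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    auth = tlv(AUTH_SIMPLE, password.encode())
    bind = tlv(BIND_REQUEST, ber_int(3) + tlv(OCTET_STRING, dn.encode()) + auth)
    return tlv(SEQUENCE, ber_int(msg_id) + bind)


def sasl_bind_request(msg_id, dn, mechanism, credentials=b""):
    """Same message with the SASL choice: a mechanism name plus mechanism-
    specific bytes (for GSSAPI a Kerberos token), never the raw password."""
    sasl = tlv(OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += tlv(OCTET_STRING, credentials)
    bind = tlv(BIND_REQUEST, ber_int(3) + tlv(OCTET_STRING, dn.encode())
               + tlv(AUTH_SASL, sasl))
    return tlv(SEQUENCE, ber_int(msg_id) + bind)


def read_tlv(buf, pos):
    """Decode one TLV starting at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_binds(stream):
    """Walk concatenated LDAP messages (one TCP connection's payload) and
    return (dn, auth_kind, exposed) for every BindRequest.  For a simple
    bind 'exposed' is the clear-text password; for SASL it is only the
    mechanism name."""
    found, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != SEQUENCE:
            break
        _, _, p = read_tlv(msg, 0)          # messageID
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag != BIND_REQUEST:
            continue
        _, _, p = read_tlv(op, 0)           # version
        _, dn, p = read_tlv(op, p)
        auth_tag, auth, _ = read_tlv(op, p)
        if auth_tag == AUTH_SIMPLE:
            found.append((dn.decode(), "simple", auth.decode()))
        elif auth_tag == AUTH_SASL:
            _, mech, _ = read_tlv(auth, 0)
            found.append((dn.decode(), "sasl", mech.decode()))
    return found


if __name__ == "__main__":
    capture = (simple_bind_request(1, "cn=svc,dc=example,dc=com", "hunter2")
               + sasl_bind_request(2, "", "GSSAPI", b"\x60\x06token"))
    for dn, kind, exposed in extract_binds(capture):
        print("%-6s bind as %r exposes %r" % (kind, dn, exposed))
```

Running it shows the simple bind exposing "hunter2" and the GSSAPI bind exposing only the mechanism name, which is the difference the last comment relies on; with start_tls or ldaps the whole message is inside TLS and the same grep finds nothing.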