Linux RHEL 6.4 Integration to LDAP, authentication fine, session failing

So, today i found myself fighting with an ldap integration, getent passwd <user> was working fine but for some reason each time they logged in the users got no session, i.e. ldap authentication was fine authorization and session were failing;

Initial setup, this was done on RedHat 6.4

//Install RPMs
# yum install nss-pam-ldapd pam_ldap
Loaded plugins: product-id, subscription-manager
Setting up Install Process
Resolving Dependencies
–> Running transaction check
—> Package nss-pam-ldapd.x86_64 0:0.7.5-18.el6 will be installed
–> Processing Dependency: nscd for package: nss-pam-ldapd-0.7.5-18.el6.x86_64
—> Package pam_ldap.x86_64 0:185-11.el6 will be installed
–> Running transaction check
—> Package nscd.x86_64 0:2.12-1.107.el6 will be installed
–> Processing Dependency: glibc = 2.12-1.107.el6 for package:  nscd-2.12-1.107.el6.x86_64
–> Finished Dependency Resolution
Error: Package: nscd-2.12-1.107.el6.x86_64 (RedHat64)
Requires: glibc = 2.12-1.107.el6
Installed: glibc-2.12-1.107.el6_4.5.i686 (@RhelEwpErrata)
glibc = 2.12-1.107.el6_4.5
Available: glibc-2.12-1.107.el6.i686 (RedHat64)
glibc = 2.12-1.107.el6
You could try using –skip-broken to work around the problem
You could try running: rpm -Va –nofiles –nodigest
[root@server ~]#

//Force install of dependency

#rpm -U nscd-2.12-1.47.el6.x86_64.rpm  –nodeps

//Then installed failed rpm;

# yum install nss-pam-ldapd-0.7.5-14.el6.x86_64.rpm
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Examining nss-pam-ldapd-0.7.5-14.el6.x86_64.rpm: nss-pam-ldapd-0.7.5-14.el6.x86_64
Marking nss-pam-ldapd-0.7.5-14.el6.x86_64.rpm to be installed
Resolving Dependencies
–> Running transaction check
—> Package nss-pam-ldapd.x86_64 0:0.7.5-14.el6 will be installed
–> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================
Package                           Arch                       Version                             Repository                                              Size
===============================================================================================================================================================
Installing:
nss-pam-ldapd                     x86_64                     0.7.5-14.el6                        /nss-pam-ldapd-0.7.5-14.el6.x86_64                     454 k

Transaction Summary
===============================================================================================================================================================
Install       1 Package(s)

Total size: 454 k
Installed size: 454 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), ‘yum check’ output follows:
nscd-2.12-1.107.el6.x86_64 has missing requires of glibc = (‘0’, ‘2.12’, ‘1.107.el6’)
Installing : nss-pam-ldapd-0.7.5-14.el6.x86_64                                                                                                           1/1
Verifying  : nss-pam-ldapd-0.7.5-14.el6.x86_64                                                                                                           1/1

Installed:
nss-pam-ldapd.x86_64 0:0.7.5-14.el6

Complete!

//Update auth config

the domain in this case was test.com.ug and ldap IPs 172.16.12.13,172.16.12.14

authconfig –update –enableldap –enableldapauth –ldapserver=172.16.12.13,172.16.12.14 –ldapbasedn=”dc=test,dc=com,dc=ug” –enableforcelegacy

// Restart service and ensure it is persistent across reboot
service nscd restart
chkconfig  nscd on

//Verify user access;
#getent passwd testuser
testuser:x:1233:13:test user, System Administration:/home/testuser:/bin/bash

It was observed after this that the user could authenticate successfully but couldn’t get a shell prompt, this was due to the /etc/pam.d/sshd, the following modules were added to get it working;

auth sufficient pam_ldap.so
account sufficient pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022

// SSH service was restarted
/etc/init.d/sshd restart

All worked well afterwards

// Simon Peter
clarsp@live.se

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s