centos 6 - no ldaps or tls

jameslast
Posts: 37
Joined: 2011/05/24 18:24:33

centos 6 - no ldaps or tls

Post by jameslast » 2011/08/29 12:13:08

Dear All,

I'm trying to connect some CentOS boxes to an LDAP server.

It looks like it needs ldaps or TLS, but the LDAP server has neither.

TLS we certainly don't have, and when using ldaps://adressofftheserver
I can see userinfo with the id command, but the password does not get accepted.

I found a useful post here:

http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/
So I edited /etc/sysconfig/authconfig and changed

FORCELEGACY=no

to

FORCELEGACY=yes

then I ran the command #authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=*.*.*.* --ldapbasedn="dc=example,dc=com" --update

and this works. I can now log on as an LDAP user.

The problem is, after rebooting, I see this message in /var/log/messages:

james nslcd[1484]: [0bd78f] ldap_result() timed out

The system boots, but very slowly, and no more LDAP authentication, until I give the same #authconfig --enableldap ..... command again.

Any advice, anyone, on how to solve this issue?

best regards, James

jameslast
Posts: 37
Joined: 2011/05/24 18:24:33

Re: centos 6 - no ldaps or tls

Post by jameslast » 2011/08/30 08:58:25

Dear All,

no answer is in fact also an answer :=)

So I will set up CentOS 5 stations until we have a decent LDAP server WITH TLS.

This also solves it for me.

Kind regards, James

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

centos 6 - no ldaps or tls

Post by r_hartman » 2011/09/05 09:29:45

I set up LDAP earlier on a minimal install RHEL6 box and it runs fine, just like my RHEL5 and CentOS5 setups. I use implicit SSL (ssl on, port 636) not TLS.
Last week, I set up a CentOS workstation, and when setting up LDAP it got to a completely different setup from my RHEL6 setup.

While my minimal RHEL6 uses the same setup as CentOS5.6, plus /etc/nslcd.conf and the nslcd daemon, the CentOS6 setup does NOT use nslcd, but sssd, and I could not get it to work. I then started changing the CentOS6 setup to use nslcd instead of sssd, and that involved uninstalling sssd, sssd-client and oddjob, changing all sss references in nsswitch.conf to ldap (sed -i 's/sss/ldap/g' /etc/nsswitch.conf) and changing all pam_sss references in /etc/pam.d/system-auth-ac, /etc/pam.d/password-auth and /etc/pam.d/password-auth-ac to pam_ldap (sed -i 's/pam_sss/pam_ldap/g').

I then had to start nslcd (was not set to start automatically; fixed using chkconfig nslcd on) and it would work.
After rebooting: no ldap, until nslcd is restarted.

It turns out that while network starts just before nslcd, NetworkManager starts after nslcd, and as by default the interface is controlled by NetworkManager it was started after nslcd. So I ended up disabling NetworkManager and reconfiguring /etc/sysconfig/network-scripts/ifcfg-eth0 to remove all NetworkManager related entries.

Now I have stable LDAP on CentOS6, with still one anomaly: it does not honor the pam_check_host_attr directive in /etc/openldap/ldap.conf, while it does with my RHEL6 setup.
Still working on sorting that one out.

All in all LDAP keeps living up to its reputation: a source of issues, while hardly any useful documentation is available, and the available docs are contradicting one another. A bag of worms might be a more appropriate description. Still, it's great, when it works. :-?

The OP's LinuxQuestions link also reveals the unpredictability in LDAP installations: while the thread starts out with a config using sssd, the second poster had nslcd. Whichever will be used apparently depends on how 'rich' the original installation was; a minimal install seems to favor nslcd over sssd.
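Both posts above end up with an nslcd/pam_ldap client, and the OP's workaround (FORCELEGACY=yes, plain ldap://) means bind passwords cross the wire unencrypted. The script below is an added audit example, not code from the thread or from CentOS: it flags a plain ldap:// URI without TLS in an nslcd.conf-style file, a tls_reqcert setting that skips certificate validation (an nslcd option not mentioned in the thread), and FORCELEGACY=yes in /etc/sysconfig/authconfig. The sample files it creates are constructed; on a real box you would point it at /etc/nslcd.conf and /etc/sysconfig/authconfig.

```shell
#!/bin/bash
# Added audit script (not from the thread): flag the two client-side settings
# the posts above change. Paths are arguments, so it can be run against
# copies of /etc/nslcd.conf and /etc/sysconfig/authconfig.

# One WARN line per finding in an nslcd.conf-style "key value" file.
audit_nslcd_conf() {
    local conf="$1"
    # ldap:// with no "ssl on" / "ssl start_tls": the bind, and with it the
    # user's password, leaves the box in clear text.
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldap://' "$conf" &&
       ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$conf"; then
        echo "WARN: $conf: plain ldap:// URI without ssl on/start_tls"
    fi
    # Even with TLS, tls_reqcert never/allow accepts any server certificate.
    if grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)' "$conf"; then
        echo "WARN: $conf: tls_reqcert never/allow skips certificate validation"
    fi
}

# One WARN line if authconfig is pinned to the legacy nss_ldap/pam_ldap stack.
audit_authconfig() {
    local conf="$1"
    if grep -Eq '^FORCELEGACY=yes' "$conf"; then
        echo "WARN: $conf: FORCELEGACY=yes; check that the LDAP URI is not plain ldap://"
    fi
}

# Number of WARN lines for an nslcd.conf-style file (0 when clean).
nslcd_findings() { audit_nslcd_conf "$1" | grep -c '^WARN' || true; }

# Constructed sample files standing in for the real ones.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_NSLCD_BAD="$SAMPLE_DIR/nslcd.conf.plain"
SAMPLE_NSLCD_OK="$SAMPLE_DIR/nslcd.conf.tls"
SAMPLE_AUTHCONFIG="$SAMPLE_DIR/authconfig"
printf 'uri ldap://ldap.example.com/\nbase dc=example,dc=com\ntls_reqcert never\n' \
    > "$SAMPLE_NSLCD_BAD"
printf 'uri ldaps://ldap.example.com/\nbase dc=example,dc=com\nssl on\ntls_reqcert demand\n' \
    > "$SAMPLE_NSLCD_OK"
printf 'FORCELEGACY=yes\nUSELDAPAUTH=yes\n' > "$SAMPLE_AUTHCONFIG"

audit_nslcd_conf "$SAMPLE_NSLCD_BAD"   # two WARN lines
audit_nslcd_conf "$SAMPLE_NSLCD_OK"    # silent
audit_authconfig "$SAMPLE_AUTHCONFIG"  # one WARN line
```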
