Setting up LDAP Server and Client Issues

#1 Sun, 02/24/2013 - 11:48
Valentin04

Hello,

I followed this document to configure LDAP server and clients on Virtualmin (GPL): http://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/. My LDAP server lives on a separate server, which is the same as the NFS server I am using for the users' home directories.

The last completed section of that document was "Setting Up Webmin's LDAP Users and Groups Module". I haven't gone any further. In that section, I "added a new LDAP user" but the user would fail to be created because there was no group selected. So, I went into Webmin and created a new group for LDAP (under the LDAP Users and Groups) called clients. Then when I added the user again, I had to manually select a group (the 'client' group) for the user to be a part of to allow LDAP to create the user. If not, it would always fail saying "invalid : Group".

Once I got over that hump, I went to test the new/test account I created via SSH (the test account is called testaccount). However, I cannot login. Here is the error I am getting when trying to login:

Feb 24 12:16:27 virtualmin01 sshd[4500]: Invalid user testaccount from 10.8.0.6
Feb 24 12:16:27 virtualmin01 sshd[4501]: input_userauth_request: invalid user testaccount
Feb 24 12:16:35 virtualmin01 sshd[4500]: pam_unix(sshd:auth): check pass; user unknown
Feb 24 12:16:35 virtualmin01 sshd[4500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.6
Feb 24 12:16:35 virtualmin01 sshd[4500]: pam_succeed_if(sshd:auth): error retrieving information about user testaccount
Feb 24 12:16:37 virtualmin01 sshd[4500]: Failed password for invalid user testaccount from 10.8.0.6 port 65474 ssh2
Feb 24 12:16:42 virtualmin01 sshd[4501]: Connection closed by 10.8.0.6

It looks like the authentication is not even looking at pam_ldap.so and going straight to pam_unix.so.

My configuration for servers is as follows:

2 Virtualmin servers
1 LDAP/NFS server

Virtualmin servers mount the NFS share for home directories
NFS/LDAP server hosts the LDAP server
2 Virtualmin servers connect to the LDAP server for authentication

What works?:

When creating a user, it creates the user and its home directory. You can see the user's home directory on both Virtualmin servers as well as the NFS server (because of the NFS export). I can also see the user on the LDAP client on both Virtualmin servers and the LDAP server.

So, the accounts are created just fine but I can't authenticate via SSH. I haven't tried to login from a local console because I don't have iLO/DRAC setup (licenses) and the servers are remote.

According to the doc above, I needed to edit the PAM Authentication section, which I did. I also ensured that pam_ldap.so was above pam_unix.so. I did this on both virtualmin servers and the ldap server as well. What could I be missing?

Mon, 02/25/2013 - 06:57
Valentin04

Anyone run into this problem before?

Mon, 02/25/2013 - 08:05
andreychek

Howdy,

Which distro/version are you using?

And if you run this command, what output do you receive:

id testaccount

That'll show whether your issue is limited to SSH, or if other Linux components aren't seeing your LDAP users.

-Eric

Mon, 02/25/2013 - 09:27 (Reply to #3)
Valentin04

Eric,

Thanks for the response. 'id testaccount' will return 'No such user' because I don't have the account as a local account. I believe LDAP doesn't require a local account. Either way, I created the account locally as well but didn't supply a password for the account since the password should be stored in LDAP, and I still can't login. When I add the account locally, I do get info back with the 'id' command.

I am running CentOS 6.3

Mon, 02/25/2013 - 16:14
JamieCameron

It sounds like NSS-LDAP hasn't been setup correctly on your system, so users in LDAP aren't showing up as Unix users.

If you go to the LDAP Client module in Webmin and click the validate button, what errors does it report?


Mon, 02/25/2013 - 16:41 (Reply to #5)
Valentin04

Hmmm...I was getting an error that the "example" user didn't exist. However, I created the user manually because it looked like it was searching for a local "example" user rather than looking in LDAP. Once I added the user locally, the validation passed and I received no errors.

Mon, 02/25/2013 - 19:40 (Reply to #6)
JamieCameron

Creating the user locally will just trick the validation into thinking it is working when it really isn't :-)

The real problem is that the LDAP / unix user integration is broken somehow. If you check your system's /etc/nsswitch.conf file, do the passwd and shadow lines contain ldap ?


Tue, 02/26/2013 - 07:13 (Reply to #7)
Valentin04

Jamie,

Yep:

passwd: files ldap
shadow: files ldap
group: files ldap

This is true for both the virtualmin ldap clients and the ldap server itself as well.

Tue, 02/26/2013 - 14:03
Valentin04

Is there a way to pay for support to help me get this fixed? I currently have one license in a production environment but before moving over to a redundant system (this one) and purchasing the license for the new infrastructure and moving our production license over, I wanted to get things rolling in the GPL environment first and then upgrading the license to it.

I am out of options here. I don't know what could be the problem and the secure and messages log files don't log anything at all for failures.

Tue, 02/26/2013 - 15:29 (Reply to #9)
JamieCameron

I could login to your system to take a look at this. Email me directly at jcameron@virtualmin.com if that is possible.


Tue, 02/26/2013 - 15:48 (Reply to #10)
Valentin04

Jamie,

I sent you an email with the login info...thanks!!!

Tue, 02/26/2013 - 17:00
JamieCameron

Thanks for the login - it turns out that on CentOS 6.x, there is a new config file /etc/nslcd.conf that has to be created before LDAP will work. Also, I had to run /etc/init.d/nslcd start to launch the new daemon that uses that config file!

I found docs on this at: https://www.centos.org/modules/newbb/viewtopic.php?topic_id=38442

Let me know if your system is working now.


Tue, 02/26/2013 - 17:19 (Reply to #12)
Valentin04

Jamie,

Excellent...this works...thanks a bunch for your help on this. I'll have to take a look at that document. I was not aware of this.

On another note, the home accounts are created via NFS share. Now, when I login with the new LDAP account, it can't chdir to the home dir because of permission issues. For example, here is what I get:

Could not chdir to home directory /home/testaccount: Permission denied
-bash: /home/testaccount/.bash_profile: Permission denied
-bash-4.1$

Do I need to tell LDAP how to create the home directories via Virtualmin? I didn't see anything like that in the docs. I am sure I can figure this out but thought I would ask to see if you knew off the top of your head if there is anything extra I missed.

By the way, this is why I have always enjoyed Virtualmin...the dedication you guys put into the community, especially with support. Thanks a million!! I look forward to testing our new infrastructure, moving our current license over from a single system, and getting a few more to support our load balancing infrastructure.

Tue, 02/26/2013 - 18:08 (Reply to #13)
JamieCameron

Is the home directory owned by the new user? Virtualmin should create it automatically, and set the ownership to match the new user.


Tue, 02/26/2013 - 19:42 (Reply to #14)
Valentin04

Gotcha. The test account was created manually by me using Webmin "LDAP Users and Groups" so I suspect this is why it didn't work out as I expected. I have some tweaking to do on that part but overall LDAP is working. Thanks again for your help. I really appreciate it!!!
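The diagnosis in this thread walks the NSS chain: is ldap on the passwd/shadow/group lines of /etc/nsswitch.conf, does /etc/nslcd.conf exist and is nslcd running, does the sshd log show the user failing at lookup rather than at the password, and is the home directory owned by the user. The script below is an added example, not code from the thread or from Virtualmin; it assumes copies of nsswitch.conf and the sshd log are passed in as file paths, and the live checks are a separate function meant to be run by hand on a CentOS 6 client.

```shell
# Offline checks for the NSS/PAM/LDAP chain discussed in this thread. Assumption:
# nsswitch.conf and the sshd log are given as file paths (copies from a client).

# Print each of passwd/shadow/group whose nsswitch line lacks "ldap".
# Returns 0 when all three carry ldap, 1 otherwise.
nss_missing_ldap() {
    missing=""
    for db in passwd shadow group; do
        # drop comments, keep the "db:" line, look for an ldap token on it
        if ! sed 's/#.*//' "$1" | grep -E "^[[:space:]]*$db:" | grep -qw ldap; then
            missing="$missing $db"
        fi
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# List users whose login failed at the NSS lookup itself (the pam_succeed_if
# line in the thread), as opposed to a wrong password for a resolved user.
sshd_unresolved_users() {
    sed -n 's/.*error retrieving information about user \([^ ]*\).*/\1/p' "$1" | sort -u
}

# True when the directory is owned by the given numeric uid (GNU or BSD stat).
home_owned_by() {
    owner=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1")
    [ "$owner" = "$2" ]
}

# Live checks for a CentOS 6 client; run by hand as root, not from the samples.
live_check() {
    [ -f /etc/nslcd.conf ] || echo "missing /etc/nslcd.conf"
    /etc/init.d/nslcd status || echo "nslcd is not running"
    getent passwd "$1" || echo "NSS cannot resolve user $1"
}

# Constructed sample input (not from a real host): a client whose shadow line
# was left without ldap, plus three of the sshd lines quoted in the thread.
SAMPLE_NSS=$(mktemp); SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_NSS" <<'EOF'
passwd:     files ldap
shadow:     files        # ldap missing here
group:      files ldap
EOF
cat > "$SAMPLE_LOG" <<'EOF'
Feb 24 12:16:27 virtualmin01 sshd[4500]: Invalid user testaccount from 10.8.0.6
Feb 24 12:16:35 virtualmin01 sshd[4500]: pam_succeed_if(sshd:auth): error retrieving information about user testaccount
Feb 24 12:16:37 virtualmin01 sshd[4500]: Failed password for invalid user testaccount from 10.8.0.6 port 65474 ssh2
EOF
if nss_missing_ldap "$SAMPLE_NSS"; then echo "nsswitch ok"; else echo "^ databases without ldap"; fi
sshd_unresolved_users "$SAMPLE_LOG"
```

On the sample input the script reports shadow as the database without ldap and testaccount as the user sshd could not resolve; `live_check testaccount` on the client then tells you whether nslcd.conf and the running daemon are in place.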