HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
cancel
Showing results for 
Search instead for 
Did you mean: 

Authentication using LDAP

 
oza
Advisor

Authentication using LDAP

Hi,
I need to implement central authentication mechanism for Linux using LDAP. The LDAP is already setup and running. I have over 1000 Redhat Linux boxes that I want the authentication to be done centrally from the LDAP. I will also want resilence, so that when the LDAP is down, I can still logon to my linux boxes. Any detail documentation or hints will be appreciated.
6 REPLIES
Michal Kapalka (mikap)
Honored Contributor

Re: Authentication using LDAP

bullz
Super Advisor

Re: Authentication using LDAP

Haa haaa funny, you want to use ldap for 1000 servers to make your job easier, same way if ldap is down, u want the server to login via local accout as well? am i right?

In such case, you need to have an account on LDAP and local server as well, and need to modify /etc/nsswitch.conf accordinlgy.

ex

passwd ldap [NOTFOUND] files

not sure about the above systax, google for apt.
oza
Advisor

Re: Authentication using LDAP

The challenge that I have is that when I failed the LDAP, the password fail to logon locally.
Ivan Krastev
Honored Contributor

Re: Authentication using LDAP

See these options for authconfig (from man page):

The --enablelocauthorize option allows to bypass checking network authentication services for autho-
rization and the --enablesysnetauth allows authentication of system accounts (with uid < 500) by
these services.


regards,
ivan
ozas
Advisor

Re: Authentication using LDAP

Bullz, I have tried your suggestion but still did not work. Ivan can you explain more about the authconfig:

My /etc/nsswitch.conf is now set as:

passwd: files ldap
shadow: files ldap
group: files ldap

Do my LDAP need to have any special attributes on the schema?

Any suggestion will be appreciated. When the LDAP is running the password set from the LDAP works. But when I stop/fail the LDAP, am unable to logon with the same password to the client.

ozas
Advisor

Re: Authentication using LDAP

Below is my /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so