CentOS 7 LDAP Authentication: "Permission denied"


OK, I found the problem.

See link

When editing the PAM files: /etc/pam.d/password-auth and /etc/pam.d/system-auth

The edits must be done to the appropriate sections, not just added to the bottom of the file. In particular, the password required pam_deny.so lines MUST be the LAST entry in the section.

I can now log in with LDAP user/password via SSH and the GUI.

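The ordering rule in the answer can be checked mechanically. The following script is an added example written for this page, not code from the original post or from nss-pam-ldapd: it parses pam.d text, reports any module listed after a required `pam_deny.so` in its section (a `sufficient pam_ldap.so` there can never produce a success, which is the "Permission denied" seen in the question), and merges the LDAP lines into the correct place in each section. The `STOCK` stack is a constructed sample modelled on a CentOS 7 system-auth; the real file on a given host may differ and should be compared first.

```python
import re
from collections import defaultdict

# One pam.d line: optional leading '-', section, control (a single word or a
# bracketed '[default=bad success=ok ...]' group), module, then arguments.
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Modules that close a section's stack; new entries belong before them.
TERMINATORS = {"pam_deny.so", "pam_permit.so"}


def parse_pam(text):
    """Parse pam.d text into {section: [(control, module), ...]} in file order.
    Comments and blank lines are skipped; the leading '-' that CentOS puts on
    pam_systemd.so is ignored."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            stacks[m.group(1)].append((m.group(2), m.group(3)))
    return dict(stacks)


def unreachable_after_deny(text):
    """Return (section, module) pairs listed after a required/requisite
    pam_deny.so in their section. PAM still runs modules after a 'required'
    failure, but the stack result is already failure, so a 'sufficient
    pam_ldap.so' placed there can never grant access."""
    hits = []
    for section, entries in parse_pam(text).items():
        denied = False
        for control, module in entries:
            if denied:
                hits.append((section, module))
            elif module == "pam_deny.so" and control in ("required", "requisite"):
                denied = True
    return hits


def merge_into_sections(stock, extra):
    """Insert each line of `extra` into its own section of `stock`, directly
    before that section's closing pam_deny.so / pam_permit.so (or at the end
    of the section when it has no terminator). Returns the merged text."""
    out = stock.splitlines()
    for new in extra.splitlines():
        m = PAM_LINE.match(new.strip())
        if not m:
            continue
        idxs = []
        for i, existing in enumerate(out):
            mm = PAM_LINE.match(existing.strip())
            if mm and mm.group(1) == m.group(1):
                idxs.append(i)
        if not idxs:
            out.append(new)
            continue
        last = idxs[-1]
        last_module = PAM_LINE.match(out[last].strip()).group(3)
        out.insert(last if last_module in TERMINATORS else last + 1, new)
    return "\n".join(out) + "\n"


# Constructed sample modelled on a stock CentOS 7 system-auth; compare with
# the real file on your host before relying on it.
STOCK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     required      pam_unix.so
"""

# The LDAP lines from the question, with the option names spelled correctly.
LDAP_LINES = """\
auth     sufficient    pam_ldap.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient    pam_ldap.so use_authtok
session  optional      pam_ldap.so
session  required      pam_mkhomedir.so skel=/etc/skel umask=0077
"""

if __name__ == "__main__":
    # Appended at the bottom (what the question did) versus merged per section.
    print("appended:", unreachable_after_deny(STOCK + LDAP_LINES) or "OK")
    merged = merge_into_sections(STOCK, LDAP_LINES)
    print("merged:  ", unreachable_after_deny(merged) or "OK")
```

Run against a real host with `python3 check_pam.py` after replacing `STOCK` with the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth; `unreachable_after_deny` flagging `pam_ldap.so` in the auth or password section is exactly the misplacement the answer describes. `merge_into_sections` is a convenience for reasoning about the layout, not a replacement for `authconfig`, which manages these files on CentOS 7.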

Author: Richard Wymarc

Updated on September 18, 2022

Comments

  • Richard Wymarc (almost 2 years ago)

    I'm running a CentOS 7 VirtualBox instance. I am trying to set up LDAP authentication through our company Active Directory server.

    Note: The AD server DOES NOT have Unix extensions installed.

    Setup:

    • I have nss-pam-ldapd installed
    • The nslcd and nscd services are set to run at startup
    • /etc/nsswitch.conf has been edited to add ldap:

      passwd:     files ldap
      group:      files ldap
      shadow:     files ldap 
      hosts:      files ldap dns myhostname
      ethers:     files ldap
      networks:   files ldap
      protocols:  files ldap
      rpc:        files ldap
      services:   files ldap sss
      aliases:    files ldap nisplus
      
    • /etc/pam.d/password-auth and /etc/pam.d/system-auth edited to add:

      # LDAP modules added to each stack (option names corrected:
      # use_first_pass, use_authtok, and the .so suffix on the session module)
      auth     sufficient    pam_ldap.so use_first_pass
      account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
      password sufficient    pam_ldap.so use_authtok
      session  optional      pam_ldap.so
      session  required      pam_mkhomedir.so skel=/etc/skel umask=0077
      
    • /etc/nslcd.conf edited:

      uid nslcd
      gid nslcd
      
      uri ldap://myserver.com/
      
      base dc=myserver,dc=com
      
      binddn CN=My Name,OU=Users,OU=DV,DC=myserver,DC=com
      
      bindpw PASSWORDHERE
      
      # Alternative mappings for Active Directory
      pagesize 1000
      referrals off
      idle_timelimit 800
      filter passwd (&(objectClass=user)(!(objectClass=computer)))
      map    passwd uid           userPrincipalName
      map    passwd uidNumber     objectSid:CorrectSID
      map    passwd gidNumber     objectSid:CorrectSID
      map    passwd homeDirectory "/home/$cn"
      map    passwd gecos         displayName
      map    passwd loginShell    "/bin/bash"
      filter group (objectClass=group)
      map    group gidNumber      objectSid:CorrectSID
      ssl no
      

    On rebooting the VM, and remoting in with the default user, I can list all the AD users ([email protected]), and the groups, using

        $ getent passwd
        $ getent group
    

    However, if I attempt to either login to the GUI or remote in with my AD user:

        $ ssh [email protected]@linuxboxip
        [email protected]@linuxboxip's password:
        Permission denied, please try again.
    

    I've been over the related questions on this site, through the debug, and reconfigured fresh from scratch. No luck.

    Any thoughts?

    • Admin (over 7 years ago)
      I'd work with your systems administration group... your system might be restricted administratively from getting to the AD.
    • Admin (over 7 years ago)
      I'll look into it, but I'm betting it is not the problem. I can see all the users and groups in the AD inside the Linux instance using getent