LDAP user authentication on CentOS 7: Permission denied

centos ldap openldap selinux centos7
22,018

Solution 1

Some advices for you:
- Disable selinux and reboot
# vi /etc/selinux/config selinux=disabled
- Stop iptables
# systemctl stop iptables.service
- Have you created one ldap user? (try with following guide http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=2 )
- Edit /etc/ssh/sshd_conf
PermitRootLogin yes UsePAM yes
- Check logs into /var/log/secure

Solution 2

I faced same problem like you, when i read your post i didn't have a clue to solve that, but now i solve my problem. Here's my solution's :

Install nss-pam-ldapd if you didn't install it previously :

[root@www ~]# yum -y install nss-pam-ldapd

Disable selinux and reboot :

[root@ldap ~]# vi /etc/selinux/config

Change this line : selinux=disabled

Execute authconfig :

#ldapserver=(LDAP server's hostname or IP address)
#ldapbasedn="dc=(your own domain name)"

[root@ldap ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=my.domain.world \
--ldapbasedn="dc=my,dc=domain,dc=world" \
--enablemkhomedir \
--update

getsebool: SELinux is disabled

If you use TLS for your LDAP, don't forget to execute this :

[root@ldap ~]# authconfig --enableldaptls --update

getsebool: SELinux is disabled

Maybe my solution can be your solution too. :D

Share:
22,018

Related videos on Youtube

Neil
Author by

Neil

Updated on September 18, 2022

Comments

  • Neil
    Neil almost 2 years

    I configured LDAP on CentOs 7 and now I'm trying to configure external user authentication. Browsing I found this: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-pam.html that is for CentOS 5.

    Also in other sites says that you can access for testing with the following:

    ssh my_LDAP_user@LDAP_hostname_or_IP:389

    But doesn't work for me. CentOS throws me ans error:

    ssh: Could not resolve hostname hostname:389: Name or service not known

    When I try without 389, 'Permission denied' and I'm entering the correct password:

    [root@localhost openldap]# ssh lolo@hostname
lolo@hostname's password:
Permission denied, please try again.

    Do you know any hint or guide lines to move a little bit from this hole? Thanks in advance!

    EDIT:

    The idea is login to LDAP from external. I must to check if all goes fine. Do you help me with some guide lines for do this?

    nslcd service log:

    gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> failed to bind to LDAP server ldap://ldap.192.168.150.105:389/: Can't contact LDAP server
gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> no available LDAP server found: Can't contact LDAP server

    authconfig --test:

    [root@localhost openldap]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.150.105/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "#"
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.150.105/"
 LDAP base DN = "dc=example,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

    Is possible that the main problem is Authenticate system accounts against network services is disabled at last line of authconfig --test? In some tutorials it appears but is not a problem :-/

  • Neil
    Neil over 9 years
    I'll check it! Thanks. Yes I have some users added with ldif files and ldapadd. After disable have I to enable another time? Then how to access with user? Like this: ssh my_LDAP_user@LDAP_hostname_or_IP ?
  • Neil
    Neil over 9 years
    I've tried but it persist with: [root@localhost openldap]# ssh lolo@hostname lolo@hostname's password: Permission denied, please try again. I've checked different users, but nothing.
  • alex87alex
    alex87alex over 9 years
    What's your hostname? "hostname"? ssh user@hostname_or_ip is the right procedure.. From fresh install of Centos 7 have you changed some permission of folders?
  • Neil
    Neil over 9 years
    For hostname I use my IP address. Of VM like 192.168.xxx.xxx. Yes I've change slapd.d folder and slapd.conf file. The owner is ldap user. Is it right?
  • Neil
    Neil over 9 years
    Also I've checked the UsePam and is in 'YES' like says here: serverfault.com/questions/93331/…
  • Neil
    Neil over 9 years
    I uncomment the line PermitRootLogin yes but still persists with Permission denied
  • alex87alex
    alex87alex over 9 years
    Owner correct; set 755 permission to slap.d and 744 slapd.conf. After changing sshd_config you have to restart sshd.service (# systemctl restart sshd.service). Stupid question: have you started ldap service? (# systemctl start sldapd.service). Check also /var/log/slapd.log file. Check slapd configuration files with authconfig (# authconfig --test) and search ldap users with ldapsearch ( idevelopment.info/data/LDAP/LDAP_Resources/… )
  • Neil
    Neil over 9 years
    Ok. Permission changed, restart ok, yes it's started, ldapsearch works and slapd.log doesn't exists :( - Is there a problem with authentication. You can see it in authentication --test log added in my question (edited). What I'm doing bad?
  • Neil
    Neil over 9 years
    Is there anyway to solve this?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Installation OpenLDAP on CentOS 7
Python ldap3 LDAPSocketOpenError unable to send message, socket is not open
ldap_modify: No such object (32)
Slaptest, bad configuration file
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
could not stat config file “slapd.conf” to add entries to LDAP
ldapsearch result: Can't contact LDAP server (-1)
Setup a openldap proxy to another LDAP server on centos 6
Getting the LDAP password from the LDAP Directory
Centos 7 and OpenVPN: how make them friends?