LDAP user authentication on CentOS 7: Permission denied
Solution 1
Some advices for you:
- Disable selinux and reboot
# vi /etc/selinux/config
selinux=disabled
- Stop iptables
# systemctl stop iptables.service
- Have you created one ldap user? (try with following guide http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=2 )
- Edit /etc/ssh/sshd_conf
PermitRootLogin yes
UsePAM yes
- Check logs into /var/log/secure
Solution 2
I faced same problem like you, when i read your post i didn't have a clue to solve that, but now i solve my problem. Here's my solution's :
Install nss-pam-ldapd
if you didn't install it previously :
[root@www ~]# yum -y install nss-pam-ldapd
Disable selinux
and reboot :
[root@ldap ~]# vi /etc/selinux/config
Change this line : selinux=disabled
Execute authconfig
:
#ldapserver=(LDAP server's hostname or IP address)
#ldapbasedn="dc=(your own domain name)"
[root@ldap ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=my.domain.world \
--ldapbasedn="dc=my,dc=domain,dc=world" \
--enablemkhomedir \
--update
getsebool: SELinux is disabled
If you use TLS for your LDAP, don't forget to execute this :
[root@ldap ~]# authconfig --enableldaptls --update
getsebool: SELinux is disabled
Maybe my solution can be your solution too. :D
Related videos on Youtube
Neil
Updated on September 18, 2022Comments
-
Neil almost 2 years
I configured LDAP on CentOs 7 and now I'm trying to configure external user authentication. Browsing I found this: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-pam.html that is for CentOS 5.
Also in other sites says that you can access for testing with the following:
ssh my_LDAP_user@LDAP_hostname_or_IP:389
But doesn't work for me. CentOS throws me ans error:
ssh: Could not resolve hostname hostname:389: Name or service not known
When I try without 389, 'Permission denied' and I'm entering the correct password:
[root@localhost openldap]# ssh lolo@hostname lolo@hostname's password: Permission denied, please try again.
Do you know any hint or guide lines to move a little bit from this hole? Thanks in advance!
EDIT:
The idea is login to LDAP from external. I must to check if all goes fine. Do you help me with some guide lines for do this?
nslcd service log:
gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> failed to bind to LDAP server ldap://ldap.192.168.150.105:389/: Can't contact LDAP server gen 19 19:30:57 localhost nslcd[7020]: [ad6f57] <authc="test"> no available LDAP server found: Can't contact LDAP server
authconfig --test:
[root@localhost openldap]# authconfig --test caching is disabled nss_files is always enabled nss_compat is disabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is enabled LDAP+TLS is disabled LDAP server = "ldap://192.168.150.105/" LDAP base DN = "dc=example,dc=com" nss_nis is disabled NIS server = "" NIS domain = "" nss_nisplus is disabled nss_winbind is disabled SMB workgroup = "MYGROUP" SMB servers = "" SMB security = "user" SMB realm = "" Winbind template shell = "/bin/false" SMB idmap range = "16777216-33554431" nss_sss is enabled by default nss_wins is disabled nss_mdns4_minimal is disabled DNS preference over NSS or WINS is disabled pam_unix is always enabled shadow passwords are enabled password hashing algorithm is sha512 pam_krb5 is disabled krb5 realm = "#" krb5 realm via dns is disabled krb5 kdc = "" krb5 kdc via dns is disabled krb5 admin server = "" pam_ldap is enabled LDAP+TLS is disabled LDAP server = "ldap://192.168.150.105/" LDAP base DN = "dc=example,dc=com" LDAP schema = "rfc2307" pam_pkcs11 is disabled use only smartcard for login is disabled smartcard module = "" smartcard removal action = "" pam_fprintd is disabled pam_ecryptfs is disabled pam_winbind is disabled SMB workgroup = "MYGROUP" SMB servers = "" SMB security = "user" SMB realm = "" pam_sss is disabled by default credential caching in SSSD is enabled SSSD use instead of legacy services if possible is enabled IPAv2 is disabled IPAv2 domain was not joined IPAv2 server = "" IPAv2 realm = "" IPAv2 domain = "" pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=) pam_passwdqc is disabled () pam_access is disabled () pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077) Always authorize local users is enabled () Authenticate system accounts against network services is disabled
Is possible that the main problem is
Authenticate system accounts against network services is disabled
at last line ofauthconfig --test
? In some tutorials it appears but is not a problem :-/ -
Neil over 9 yearsI'll check it! Thanks. Yes I have some users added with ldif files and
ldapadd
. After disable have I to enable another time? Then how to access with user? Like this:ssh my_LDAP_user@LDAP_hostname_or_IP
? -
Neil over 9 yearsI've tried but it persist with:
[root@localhost openldap]# ssh lolo@hostname lolo@hostname's password: Permission denied, please try again.
I've checked different users, but nothing. -
alex87alex over 9 yearsWhat's your hostname? "hostname"? ssh user@hostname_or_ip is the right procedure.. From fresh install of Centos 7 have you changed some permission of folders?
-
Neil over 9 yearsFor hostname I use my IP address. Of VM like 192.168.xxx.xxx. Yes I've change slapd.d folder and slapd.conf file. The owner is ldap user. Is it right?
-
Neil over 9 yearsAlso I've checked the UsePam and is in 'YES' like says here: serverfault.com/questions/93331/…
-
Neil over 9 yearsI uncomment the line
PermitRootLogin yes
but still persists withPermission denied
-
alex87alex over 9 yearsOwner correct; set 755 permission to slap.d and 744 slapd.conf. After changing sshd_config you have to restart sshd.service (# systemctl restart sshd.service). Stupid question: have you started ldap service? (# systemctl start sldapd.service). Check also /var/log/slapd.log file. Check slapd configuration files with authconfig (# authconfig --test) and search ldap users with ldapsearch ( idevelopment.info/data/LDAP/LDAP_Resources/… )
-
Neil over 9 yearsOk. Permission changed, restart ok, yes it's started, ldapsearch works and slapd.log doesn't exists :( - Is there a problem with authentication. You can see it in
authentication --test
log added in my question (edited). What I'm doing bad? -
Neil over 9 yearsIs there anyway to solve this?