Authentication with an LDAP Proxy on Centos 5.6

    I'm trying to implement an LDAP authentication system passing through an LDAP proxy. I use PAM and libnss for the authentication mechanism. All groups and users are defined in the LDAP database. In the proxy I just have the LDAP backend back_ldap enabled. When I try to log in a user using ssh on a machine with my configuration, it works when the user exists on the local machine or was added by the command adduser. All users are declared in the LDAP database as posixAccount and inetOrgPerson.

    When I use the command getent passwd to list user accounts, I just see the local users and none of the LDAP users.

    I would like to know if the accounts must be declared locally if we want to authenticate on an LDAP server passing through an LDAP proxy.

    Here is my nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

    #hosts: db files nisplus nis dns
    hosts: files dns

    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files

    netgroup: files

    publickey: nisplus

    automount: files nisplus
    aliases: files nisplus

    Here is my ldap.conf:

    host localhost
    base ou=users,dc=my-domain,dc=com
    bind_timelimit 120
    bind_policy soft
    idle_timelimit 3600
    pam_member_attribute memberUid
    nss_base_passwd ou=users,dc=my-domain,dc=com?one
    nss_base_shadow ou=users,dc=my-domain,dc=com?one
    nss_base_group ou=groups,dc=my-domain,dc=com?one
    pam_login_attribute uid
    ssl no
    tls_cacertdir /etc/openldap/cacerts

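With `passwd: files ldap` in nsswitch.conf, nss_ldap serves passwd entries straight from the directory; no local account is needed, so `getent passwd` listing only local users means the LDAP lookup itself is returning nothing. The script below is an added example, not code from the post, from nss_ldap or from OpenLDAP. It parses the relevant lines of the posted ldap.conf plus a constructed LDIF snapshot (the four entries and their values are made up for the example), applies `nss_base_passwd` the way nss_ldap does (base, `?one` or `?sub` scope, the default `(objectClass=posixAccount)` filter, the attributes a passwd line needs) and reports why each entry is or is not returned; `lint` flags the settings in this ldap.conf that make an empty result silent. Function names, the simplified LDIF parser and the warning texts are the example's own.

```python
"""Simulate what nss_ldap's passwd map hands to `getent passwd`, and why entries drop out.
Added example, not code from the post, nss_ldap or OpenLDAP. Not modelled: LDIF base64 or
folded lines, escaped commas in DNs, the custom filter part of nss_base_*, scope 'base'."""

SAMPLE_LDAP_CONF = """\
host localhost
bind_policy soft
nss_base_passwd ou=users,dc=my-domain,dc=com?one
ssl no
"""  # the lines of the posted ldap.conf that matter here

SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=my-domain,dc=com
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=staff,ou=users,dc=my-domain,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1001

dn: uid=carol,ou=users,dc=my-domain,dc=com
objectClass: inetOrgPerson
uid: carol

dn: uid=dave,ou=users,dc=my-domain,dc=com
objectClass: posixAccount
uid: dave
uidNumber: 1004
"""  # constructed, not real: clean account, account in a sub-OU, no posixAccount, no gidNumber

def parse_ldap_conf(text):
    """'keyword value' per line, '#' comments, last occurrence wins."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def parse_ldif(text):
    """One {attr: [values]} dict per blank-line-separated entry, attribute names lowercased."""
    entries, cur = [], {}
    for raw in text.splitlines() + [""]:
        if raw.strip() and not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
        elif cur and not raw.strip():
            entries.append(cur)
            cur = {}
    return [e for e in entries if "dn" in e]  # drops ldapsearch's trailing 'result:' block

def in_scope(dn, base, scope):
    """LDAP search scope: 'one' matches direct children of base, 'sub' the whole subtree."""
    dn, base = [",".join(p.strip().lower() for p in d.split(",")) for d in (dn, base)]
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)

def nss_base(conf, key):
    """Split 'base?scope?filter'; a missing base or scope falls back to the global setting."""
    parts = (conf.get(key, "").split("?") + ["", ""])[:3]
    return parts[0] or conf.get("base", ""), parts[1] or conf.get("scope", "sub"), parts[2]

def passwd_map(conf, entries):
    """Return (passwd lines, [(dn, reason)] for entries nss_ldap would not return)."""
    base, scope, _ = nss_base(conf, "nss_base_passwd")
    lines, skipped = [], []
    for e in entries:
        dn = e["dn"][0]
        missing = [a for a in ("uid", "uidnumber", "gidnumber") if a not in e]  # passwd needs these
        if not in_scope(dn, base, scope):
            skipped.append((dn, "outside scope %s of %s" % (scope, base)))
        elif "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            skipped.append((dn, "no posixAccount objectClass"))  # nss_ldap's default passwd filter
        elif missing:
            skipped.append((dn, "missing " + ", ".join(missing)))
        else:
            home, shell = (e.get("homedirectory") or [""])[0], (e.get("loginshell") or [""])[0]
            lines.append("%s:x:%s:%s:%s:%s:%s" % (e["uid"][0], e["uidnumber"][0], e["gidnumber"][0],
                                                 (e.get("gecos") or e.get("cn") or [""])[0], home, shell))
    return lines, skipped

def lint(conf):
    """ldap.conf settings that yield silent empty results or send credentials in the clear."""
    warnings = []
    if nss_base(conf, "nss_base_passwd")[1] == "one":
        warnings.append("nss_base_passwd ?one: accounts in sub-OUs are never seen; use ?sub if any exist")
    if conf.get("bind_policy") == "soft":
        warnings.append("bind_policy soft: an unreachable proxy makes lookups return nothing, with no retry")
    if conf.get("ssl", "no") == "no" and conf.get("host") not in ("localhost", "127.0.0.1", "::1"):
        warnings.append("ssl no to a remote host: binds and lookups travel in the clear")
    return warnings
```

Run against the constructed snapshot, only alice becomes a passwd line: bob sits one level below the `?one` base, carol has no posixAccount objectClass, dave has no gidNumber. Switching `nss_base_passwd` to `?sub` brings bob in. To check the real directory the same way, feed `parse_ldif` the output of `ldapsearch -x -LLL -H ldap://localhost -b 'ou=users,dc=my-domain,dc=com' -s one '(objectClass=posixAccount)'` run on the client; if that search through the proxy returns nothing or fails to bind, `bind_policy soft` will make nss_ldap report the same empty set without any error, which is exactly what an all-local `getent passwd` looks like. `ssl no` is tolerable here only because `host localhost` keeps the client-to-proxy hop on the loopback interface; the proxy's own hop to the backend directory is configured on the proxy side, not in this file.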