Maria


Unable to make ldap authentication work on Ubuntu 18.04 LTS

I'm trying to enable LDAP authentication on Ubuntu using the guides below: https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/

https://help.ubuntu.com/community/LDAPClientAuthentication

https://www.youtube.com/watch?v=l0e8rG0mku8

Nothing has worked so far. ldapsearch works, but I can't log in or test with the "id" and "getent" commands. The only difference from the manuals is that I don't have an LDAP admin account and do not specify one, but I don't think this should break the rest. I'd appreciate any suggestions on how to troubleshoot PAM and the LDAP client.

cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow:        files
. . .

cat /etc/pam.d/common-session
session [default=1]         pam_permit.so
session requisite           pam_deny.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required            pam_permit.so
session optional            pam_umask.so
session required            pam_unix.so
session optional            pam_ldap.so
session optional            pam_systemd.so

sudo nano /etc/pam.d/common-auth
auth    required   pam_group.so use_first_pass
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

sudo nano /etc/pam.d/common-password
password        requisite                       pam_pwquality.so retry=3
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha$
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_$
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so

$ ldapsearch -x -H ldap://ldap.server.com -b ou=employee,o=test,c=an -LLL "(alias=test_username)" cn
dn: cn=Test User  5142,ou=employee,o=slb,c=an
cn: Test User
cn: Test User  5142

$su - test_username
No passwd entry for user 'test_username'

$ getent passwd test_username
$

Upvotes: 1


Answers (1)

olegrog


From the information provided, it can be seen that your LDAP server works properly, but that is not the case for the NSS module, which is your LDAP client. You should check that /etc/ldap.conf contains the correct search base and LDAP server URI. Alternatively, you can run sudo dpkg-reconfigure ldap-auth-config for interactive editing.

PAM seems to be configured correctly. If not, it can always be fixed with the interactive utility pam-auth-update.

Additionally, all the guides that you follow suggest installing the libnss-ldap implementation. If you are going to use the desktop version of Ubuntu, be aware that there are known issues between systemd-logind and libnss-ldap. The solution is to use the newer package libnss-ldapd. See this answer for details.

Upvotes: 2
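A static check of the client settings the answer points at, as an added example that is not part of the question or the answer. It parses an ldap.conf-style file (the format libnss-ldap reads; nslcd uses the same uri and base keys but a different attribute-mapping syntax) and nsswitch.conf, and reports a missing uri or base, databases that do not list the ldap source, the attribute nss_ldap maps to the login name (by default uid; the question's ldapsearch filters on alias, which the default mapping would not match), and a plain ldap:// URI without StartTLS, since pam_ldap binds with the user's own password. The hostnames, DNs and file contents below are constructed samples; the option names are nss_ldap's.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: static sanity
# checks for an nss_ldap / pam_ldap client. Sample files are constructed in a
# temporary directory; ldap.server.com and the DNs are assumptions.

# Value of KEY in an ldap.conf-style file: keys are case-insensitive, the
# value is everything after the first run of whitespace, '#' starts a comment.
ldap_conf_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print; exit
        }' "$1"
}

# Attribute nss_ldap reads as the login name: "nss_map_attribute uid X",
# otherwise the default "uid".
login_attribute() {
    attr=$(awk 'tolower($1) == "nss_map_attribute" && $2 == "uid" { print $3; exit }' "$1")
    echo "${attr:-uid}"
}

# Exit 0 if database DB (passwd, group, shadow, ...) lists the ldap source.
nss_has_ldap() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Report problems in CONF and NSSWITCH; the return code is the number found.
check_client() {
    conf="$1"; nsswitch="$2"; problems=0
    uri=$(ldap_conf_value "$conf" uri)
    base=$(ldap_conf_value "$conf" base)
    [ -n "$uri" ]  || { echo "FAIL: no 'uri' in $conf";  problems=$((problems + 1)); }
    [ -n "$base" ] || { echo "FAIL: no 'base' in $conf"; problems=$((problems + 1)); }
    for db in passwd group shadow; do
        nss_has_ldap "$nsswitch" "$db" ||
            { echo "FAIL: '$db' does not list ldap in $nsswitch"; problems=$((problems + 1)); }
    done
    # pam_ldap authenticates with a simple bind as the user, so without TLS
    # the password crosses the network in clear.
    case "$uri" in
        ""|ldaps://*|ldapi://*) ;;
        *) [ "$(ldap_conf_value "$conf" ssl)" = "start_tls" ] ||
               { echo "WARN: '$uri' without 'ssl start_tls': passwords sent in clear"; problems=$((problems + 1)); } ;;
    esac
    attr=$(login_attribute "$conf")
    echo "INFO: login name is looked up in attribute '$attr'"
    echo "INFO: compare: ldapsearch -x -H '$uri' -b '$base' '($attr=USER)'  vs.  getent passwd USER"
    return "$problems"
}

# Constructed sample files (not the asker's real configuration).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    # nsswitch.conf as posted in the question
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\ngshadow:        files\n' \
        > "$SAMPLE_DIR/nsswitch.conf"
    # /etc/ldap.conf with the search base missing and a plaintext URI
    printf 'uri ldap://ldap.server.com\nldap_version 3\n' > "$SAMPLE_DIR/weak.conf"
    # corrected: base set, TLS enforced, login name mapped to the alias attribute
    cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
# assumed values
uri ldaps://ldap.server.com
base ou=employee,o=test,c=an
ldap_version 3
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
tls_checkpeer yes
nss_map_attribute uid alias
EOF
}

make_samples
echo "== config resembling the question (no base, plain ldap://) =="
check_client "$SAMPLE_DIR/weak.conf" "$SAMPLE_DIR/nsswitch.conf" || echo "-> $? problem(s)"
echo "== corrected config =="
check_client "$SAMPLE_DIR/fixed.conf" "$SAMPLE_DIR/nsswitch.conf" || echo "-> $? problem(s)"
```

On a real client run `check_client /etc/ldap.conf /etc/nsswitch.conf`, then the ldapsearch/getent pair it prints. If ldapsearch returns the entry but getent stays empty, the remaining suspects are the entry itself (nss_ldap's default passwd filter is objectClass=posixAccount, so the entry needs that class plus uidNumber, gidNumber and homeDirectory) and a stale nscd cache; the pam_deny line in common-auth will keep rejecting logins until getent resolves the user, so fix NSS first.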
