16.04 fails ldap authentication


Ian Taylor

Sir/Madam

I am having some trouble getting LDAP authentication to work in Ubuntu 16.04.

I can get it to work in 14.04 OK, but so far it fails in 16.04.

What I did in 14.04 is

apt-get install ldap-utils libpam-ldap libnss-ldap nslcd

    filled in the various details (LDAP server etc.)


apt-get install sssd libpam-sss libnss-sss

    ensured /etc/sssd/sssd.conf, /etc/certs/cacert.pem and /etc/nsswitch.conf are correct


ensure package auth-client-config is installed

/etc/init.d/nscd restart

update-rc.d nslcd enable


This worked every time for 14.04, but it fails in 16.04.


On the 16.04 machine a telnet (to my ldap server) 636:

   Trying 138.251....1...

   Connected to ldap.st-andrews.ac.uk.

   Escape character is '^]'.


which suggests the 16.04 machine sees the LDAP server.

Any help to resolve this would be sincerely appreciated.

A getent returns only the contents of /etc/passwd on the local machine.


-- 

Thanking you.

Yours sincerely



Ian Taylor
University of St.Andrews,
School of Physics & Astronomy,
North Haugh,
St.Andrews,
Fife  KY16 9SS,
Scotland.

e-Mail :- [hidden email]
Tel    :- (0)1334-463141
Fax    :- (0)1334-463104

The University of St Andrews 
is a charity registered in 
Scotland : No SC013532.

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
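The symptom described above (getent showing only local /etc/passwd users although the LDAP server is reachable on 636) usually comes down to nsswitch.conf not listing the directory source, the CA file the TLS config points at being missing or unreadable, or the lookup daemon not running. The following diagnostic script is an added example, not code from the thread; the file paths are the standard Ubuntu ones, every function takes the file to inspect as an argument, and the `diagnose` wrapper is a hypothetical helper that runs all checks against the live machine.

```shell
#!/bin/sh
# Added diagnostic helper for "getent only returns /etc/passwd" after installing
# libnss-ldap/nslcd or sssd. Not from the original post; paths are Ubuntu defaults.

# Print the sources configured for one database in an nsswitch.conf file, e.g. "compat" or "files ldap".
nss_sources() {  # $1 = nsswitch.conf path, $2 = database (passwd, group, shadow, ...)
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Succeed when the database lists a directory source (ldap for nslcd, sss for sssd);
# with only files/compat, getent can never return directory users, whatever the server does.
nss_has_ldap_source() {  # $1 = nsswitch.conf path, $2 = database
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in ldap|sss) return 0 ;; esac
    done
    return 1
}

# Print the value of a setting written as "key value", "key = value" or "key=value"
# (ldap.conf and sssd.conf styles); comments are skipped, key match is case-insensitive.
config_value() {  # $1 = config file, $2 = key in lower case
    awk -v key="$2" '/^[ \t]*[#;]/ { next }
        { line = $0; gsub(/=/, " ", line); n = split(line, f)
          if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit } }' "$1"
}

# A missing or unreadable CA file makes every ldaps:// lookup fail with no visible error.
check_cacert() {  # $1 = config file, $2 = key naming the CA file
    ca=$(config_value "$1" "$2")
    if [ -z "$ca" ]; then
        echo "PROBLEM: $2 is not set in $1"; return 1
    elif [ ! -r "$ca" ]; then
        echo "PROBLEM: $2 in $1 points at unreadable file $ca"; return 1
    fi
    echo "ok: $2 = $ca"
}

# Run every check against the live system: source this file, then call diagnose [nsswitch.conf].
diagnose() {
    nsswitch="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        nss_has_ldap_source "$nsswitch" "$db" && state=ok || state=PROBLEM
        echo "$state: $db -> $(nss_sources "$nsswitch" "$db")"
    done
    [ -r /etc/ldap.conf ] && check_cacert /etc/ldap.conf tls_cacertfile
    [ -r /etc/sssd/sssd.conf ] && check_cacert /etc/sssd/sssd.conf ldap_tls_cacert
    systemctl is-active --quiet nslcd 2>/dev/null || systemctl is-active --quiet sssd 2>/dev/null \
        || echo "PROBLEM: neither nslcd nor sssd is active"
}
```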
Re: 16.04 fails ldap authentication

Xen
Ian Taylor wrote on 16-06-2017 12:58:

> Any help to resolve this would be sincerely appreciated
>
> a getent returns only the contents of /etc/passwd on the local machine

I have had (and still have) a system 16.04 that can derive group and/or
user from an LDAP on the local network.

I have not used nsss.

The URI ldap:// did not work for me.

I used HOST and then an IP address, I believe.

I believe I employed unscd as a caching daemon because it functioned
better for a certain cause. My use case was for negative results
(nonexistent groups) to have a very long timeout (cache duration)
because otherwise they would hang the lookups and cause delays in mainly
log-in attempts and so on. I also set the timelimits and timeouts of
ldap.conf to very low values (seconds).

The libnss-ldap package has been broken for a very long time already and they
won't fix it.

You have to run /usr/sbin/nssldap-update-ignoreusers manually as root to
ensure lookups are not performed through LDAP for system users and
groups.

But you didn't get that far yet.

I can't say anything else, I did nothing special. Although in the LDAP
database I have set "loginShell" to false because I didn't want these
users to be used for local login ;-).

When initially "getent" wouldn't work, it was because the URI thing
didn't work for me.

Regards.
