NSLCD
Just a quick note for the tech staff.
When trying to integrate CentOS 7 into a running Kickstart setup, domain authentication failed and no domain user was able to log in from the start.
Remote users were not resolved and no domain information was available.
Running the kickstart commands step by step to find the point of failure showed that the actual authconfig command was the one failing:
[root@localhost ~]# /usr/sbin/authconfig --enableshadow --enablemd5 --enableldap --ldapserver dc01.example.com --ldapbasedn "ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM" --enablekrb5 --enablekrb5kdcdns --enablesysnetauth --enablemkhomedir --update
Job for nslcd.service failed. See 'systemctl status nslcd.service' and 'journalctl -xn' for details.
getsebool: SELinux is disabled
Simply following the error message showed that the nslcd service could not be started:
[root@localhost ~]# systemctl status nslcd.service
Sep 04 10:23:54 localhost.localdomain nslcd[24963]: nslcd: /etc/nslcd.conf:13: unknown attribute to map: 'uniqueMember'
Sep 04 10:23:54 localhost.localdomain systemd[1]: nslcd.service: control process exited, code=exited status=1
Sep 04 10:23:54 localhost.localdomain systemd[1]: Failed to start Naming services LDAP client daemon..
Sep 04 10:23:54 localhost.localdomain systemd[1]: Unit nslcd.service entered failed state.
The line in question (number 13) is the group mapping of uniqueMember to member:
# /etc/nslcd.conf
binddn cn=ldap-lookup,ou=System or special,ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM
bindpw ************
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
map group uniqueMember member
uid nslcd
gid ldap
uri ldap://dc.example.com/
base ou=COMPANY,dc=DC,dc=EXAMPL,dc=COM
ssl no
tls_cacertdir /etc/openldap/cacerts
A comment on a mailing list gave me the idea to simply remove that line and try again:
# /etc/nslcd.conf
binddn cn=ldap-lookup,ou=System or special,ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM
bindpw ************
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
uid nslcd
gid ldap
uri ldap://dc.example.com/
base ou=COMPANY,dc=DC,dc=EXAMPL,dc=COM
ssl no
tls_cacertdir /etc/openldap/cacerts
And: voilà!
[root@localhost ~]# service nslcd start
Redirecting to /bin/systemctl start nslcd.service
[root@localhost ~]# service nslcd status
Redirecting to /bin/systemctl status nslcd.service
nslcd.service - Naming services LDAP client daemon.
Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled)
Active: active (running) since Thu 2014-09-04 10:33:27 CEST; 2s ago
Process: 25054 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
Main PID: 25055 (nslcd)
CGroup: /system.slice/nslcd.service
└─25055 /usr/sbin/nslcd
Sep 04 10:33:27 localhost.localdomain systemd[1]: Starting Naming services LDAP client daemon....
Sep 04 10:33:27 localhost.localdomain systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Sep 04 10:33:27 localhost.localdomain nslcd[25055]: version 0.8.13 starting
Sep 04 10:33:27 localhost.localdomain nslcd[25055]: accepting connections
Sep 04 10:33:27 localhost.localdomain systemd[1]: Started Naming services LDAP client daemon..
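To catch this before authconfig restarts nslcd, here is an added example (not part of the note above, not nss-pam-ldapd code): a small linter that reports the rejected group mapping with the same line number nslcd would print, strips it the way the note did by hand, and flags the cleartext bind that a reviewer would raise on this config. The sample config is constructed to mirror the one in the note; the helper names and the OBSOLETE_MAPS table are assumptions.

```python
import re

# Mapping nslcd 0.8.13 refused at startup in the note above (assumed table,
# extend it if your nslcd rejects other attributes).
OBSOLETE_MAPS = {("group", "uniqueMember")}

MAP_RE = re.compile(r"^\s*map\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
KEYWORD_RE = re.compile(r"^\s*(\S+)(?:\s+(.*?))?\s*$")
OFF_VALUES = {"no", "off", "false", "0"}


def lint_nslcd_conf(text):
    """Return [(lineno, message)]; lineno 0 marks a file-wide finding."""
    findings = []
    settings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAP_RE.match(line)
        if m:
            mapname, attr, _target = m.groups()
            if (mapname, attr) in OBSOLETE_MAPS:
                # Same wording nslcd logs before exiting with status 1.
                findings.append((lineno, "unknown attribute to map: %r" % attr))
            continue
        km = KEYWORD_RE.match(line)
        if km:
            settings[km.group(1)] = km.group(2) or ""
    # Caveat on the config in the note: with ssl off and a plain ldap:// URI,
    # the bindpw travels to the domain controller in cleartext.
    ssl_off = settings.get("ssl", "off").lower() in OFF_VALUES
    plain_uri = settings.get("uri", "").startswith("ldap://")
    if "bindpw" in settings and ssl_off and plain_uri:
        findings.append((0, "bindpw is sent over a cleartext ldap:// bind (ssl off)"))
    return findings


def strip_obsolete_maps(text):
    """Return the config with the rejected 'map' lines removed."""
    kept = [line for line in text.splitlines()
            if not (MAP_RE.match(line)
                    and (MAP_RE.match(line).group(1),
                         MAP_RE.match(line).group(2)) in OBSOLETE_MAPS)]
    return "\n".join(kept) + "\n"


SAMPLE_CONF = """# /etc/nslcd.conf (constructed sample)
binddn cn=ldap-lookup,ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM
bindpw ************
filter group (objectClass=group)
map group uniqueMember member
uri ldap://dc.example.com/
ssl no
"""
```

Run `lint_nslcd_conf(open("/etc/nslcd.conf").read())` in the kickstart %post section before authconfig, and fail the build if any finding has a non-zero line number.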