:date: 2014-09-04 10:35

.. index:: tech, ldap

NSLCD
=====

Just a quick note for the tech staff. When trying to integrate CentOS 7 into a running Kickstart setup, domain authentication failed and no domain user was able to log in from the start. Remote users were not resolved and no domain information was available.

When running the kickstart commands step by step to find the place where it was failing, the actual `authconfig` command failed:

.. code:: bash

    [root@localhost ~]# /usr/sbin/authconfig --enableshadow --enablemd5 --enableldap --ldapserver dc01.example.com --ldapbasedn "ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM" --enablekrb5 --enablekrb5kdcdns --enablesysnetauth --enablemkhomedir --update
    Job for nslcd.service failed. See 'systemctl status nslcd.service' and 'journalctl -xn' for details.
    getsebool: SELinux is disabled

Simply following the error showed that the `nslcd` service could not be started:

.. code:: bash

    [root@localhost ~]# systemctl status nslcd.service
    Sep 04 10:23:54 localhost.localdomain nslcd[24963]: nslcd: /etc/nslcd.conf:13: unknown attribute to map: 'uniqueMember'
    Sep 04 10:23:54 localhost.localdomain systemd[1]: nslcd.service: control process exited, code=exited status=1
    Sep 04 10:23:54 localhost.localdomain systemd[1]: Failed to start Naming services LDAP client daemon..
    Sep 04 10:23:54 localhost.localdomain systemd[1]: Unit nslcd.service entered failed state.

The line in question (number 13) is the group mapping of *uniqueMember* to *member*:

.. code:: bash

    # /etc/nslcd.conf
    binddn cn=ldap-lookup,ou=System or special,ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM
    bindpw ************
    pagesize 1000
    referrals off
    filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    map passwd gecos displayName
    filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map shadow uid sAMAccountName
    map shadow shadowLastChange pwdLastSet
    filter group (objectClass=group)
    map group uniqueMember member
    uid nslcd
    gid ldap
    uri ldap://dc.example.com/
    base ou=COMPANY,dc=DC,dc=EXAMPL,dc=COM
    ssl no
    tls_cacertdir /etc/openldap/cacerts

A comment on a mailing list gave me the idea to simply remove the line and try again:

.. code:: bash

    # /etc/nslcd.conf
    binddn cn=ldap-lookup,ou=System or special,ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM
    bindpw ************
    pagesize 1000
    referrals off
    filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    map passwd gecos displayName
    filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map shadow uid sAMAccountName
    map shadow shadowLastChange pwdLastSet
    filter group (objectClass=group)
    uid nslcd
    gid ldap
    uri ldap://dc.example.com/
    base ou=COMPANY,dc=DC,dc=EXAMPL,dc=COM
    ssl no
    tls_cacertdir /etc/openldap/cacerts

And: **Voilà!**

.. code:: bash

    [root@localhost ~]# service nslcd start
    Redirecting to /bin/systemctl start nslcd.service
    [root@localhost ~]# service nslcd status
    Redirecting to /bin/systemctl status nslcd.service
    nslcd.service - Naming services LDAP client daemon.
       Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled)
       Active: active (running) since Thu 2014-09-04 10:33:27 CEST; 2s ago
      Process: 25054 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
     Main PID: 25055 (nslcd)
       CGroup: /system.slice/nslcd.service
               └─25055 /usr/sbin/nslcd

    Sep 04 10:33:27 localhost.localdomain systemd[1]: Starting Naming services LDAP client daemon....
    Sep 04 10:33:27 localhost.localdomain systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
    Sep 04 10:33:27 localhost.localdomain nslcd[25055]: version 0.8.13 starting
    Sep 04 10:33:27 localhost.localdomain nslcd[25055]: accepting connections
    Sep 04 10:33:27 localhost.localdomain systemd[1]: Started Naming services LDAP client daemon..
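To see why line 13 trips nslcd 0.8.13 before the daemon refuses to start, here is an added pre-flight check (my own example, not part of the post or of nss-pam-ldapd) that parses an `nslcd.conf`, validates every `map` directive against the attributes the 0.8 series accepts, and reproduces the daemon's `unknown attribute to map` diagnostic with its line number; it also warns when `bindpw` is combined with `ssl no`, since that bind password then crosses the network in cleartext. The per-map attribute sets are my reading of the 0.8 `nslcd.conf(5)` man page, where the 0.7 group attribute `uniqueMember` was renamed to `member`; treat them as an assumption and confirm against the installed version.

```python
# Attributes nslcd 0.8 accepts in "map <map> <attribute> <expression>" (per the 0.8
# nslcd.conf(5) man page; assumption, verify against the installed version).
MAPPABLE = {
    "passwd": {"uid", "userPassword", "uidNumber", "gidNumber", "gecos",
               "homeDirectory", "loginShell"},
    "shadow": {"uid", "userPassword", "shadowLastChange", "shadowMin", "shadowMax",
               "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag"},
    "group": {"cn", "userPassword", "gidNumber", "memberUid", "member"},
}

def check_nslcd_conf(text):
    """Return (errors, warnings), each a list of (line_number, message)."""
    errors, warnings = [], []
    ssl_off = has_bindpw = False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and comments are not directives
        if parts[0] == "map":
            attrs = MAPPABLE.get(parts[1]) if len(parts) == 4 else None
            if attrs is None:
                errors.append((no, f"bad map directive: {raw.strip()}"))
            elif parts[2] not in attrs:  # the diagnostic nslcd logged for line 13
                errors.append((no, f"unknown attribute to map: '{parts[2]}'"))
        elif parts[0] == "ssl" and len(parts) > 1:
            ssl_off = parts[1].lower() in ("no", "off", "false", "0")
        elif parts[0] == "bindpw":
            has_bindpw = True
    if ssl_off and has_bindpw:
        warnings.append((0, "bindpw travels in cleartext: ssl is off"))
    return errors, warnings

# Constructed sample: the post's failing config up to the bad line (password masked)
BROKEN_CONF = """\
binddn cn=ldap-lookup,ou=System or special,ou=COMPANY HQ,dc=DC,dc=EXAMPLE,dc=COM
bindpw ************
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
map group uniqueMember member
ssl no
"""
FIXED_CONF = BROKEN_CONF.replace("map group uniqueMember member\n", "")  # the post's fix
```

Running `check_nslcd_conf` on `BROKEN_CONF` reports line 13 exactly as the journal did; on `FIXED_CONF` the error list is empty while the cleartext-bind warning remains.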