LDAP authentication on CentOS 7
Running nslcd in debug mode shows the problem:
$ $(which nslcd) -d
...
nslcd: [8b4567] <authc="user.name"> DEBUG: myldap_search(base="dc=sub,dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=user.name))")
...
nslcd: [8b4567] <authc="user.name"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8b4567] <authc="user.name"> DEBUG: "user.name": user not found: No such object
...
nslcd applies a default filter to the passwd map, and this filter can neither be removed nor set to an empty value.
Because none of my LDAP users carries the objectClass posixAccount, no user is found and the login is denied.
To fix this I had to override the default filter with one of my own. Since the lookup is by uid anyway, it makes sense to filter on that attribute, which is part of the search in any case.
New content of my /etc/nslcd.conf:
filter passwd (uid=*)
uri ldap://172.16.64.25
base dc=sub,dc=example,dc=org
ssl no
After changing nslcd.conf I had to restart the nslcd service: systemctl restart nslcd
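As an added illustration (not code from the original post), this Python snippet mimics how nslcd combines the passwd map filter from nslcd.conf with the uid lookup seen in the debug output, and evaluates the result against a small constructed directory whose users lack posixAccount. The filter evaluator is a simplified stand-in for a real LDAP server, supporting only the constructs the page uses.

```python
import re

# nslcd's built-in default for the passwd map (the filter seen in the debug log).
DEFAULT_PASSWD_FILTER = "(objectClass=posixAccount)"

def read_passwd_filter(conf_text):
    """Return the 'filter passwd' value from nslcd.conf text, or the built-in default."""
    for line in conf_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "filter" and parts[1] == "passwd":
            return parts[2].strip()
    return DEFAULT_PASSWD_FILTER

def effective_filter(map_filter, uid):
    """Combine the map filter with the uid lookup, as shown in the myldap_search() log line."""
    return "(&%s(uid=%s))" % (map_filter, uid)

def split_top_level(s):
    """Split '(a)(b)' into ['(a)', '(b)'], respecting nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Minimal evaluator: (&...) conjunction, (attr=*) presence, (attr=value) equality."""
    if flt.startswith("(&") and flt.endswith(")"):
        return all(matches(entry, sub) for sub in split_top_level(flt[2:-1]))
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1), m.group(2)
    # LDAP attribute names are case-insensitive; values are compared exactly here (simplification).
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(values) if value == "*" else value in values

def lookup(entries, map_filter, uid):
    """Return the DNs nslcd would find for a uid lookup under the given passwd filter."""
    flt = effective_filter(map_filter, uid)
    return [dn for dn, attrs in entries.items() if matches(attrs, flt)]

# Constructed sample directory: users carry inetOrgPerson only, no posixAccount.
DIRECTORY = {
    "uid=user.name,ou=people,dc=sub,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"], "uid": ["user.name"]},
    "cn=backup,ou=services,dc=sub,dc=example,dc=org": {
        "objectClass": ["applicationProcess"], "uid": ["backup"]},
}
```

Note that `(uid=*)` makes every entry with a uid attribute a candidate login account, including the service entry above, so a filter on an objectClass the directory actually uses keeps the passwd map narrower.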
Source: http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00025.html
This seems to be a problem for _nss-pam-ldapd-0.8.13-8.el7.x86_64_ on CentOS 7!
$ nslcd -V
nss-pam-ldapd 0.8.13
I tried to reproduce the problem on CentOS 6, but there nss-pam-ldapd depends on pam_ldap, which has its own config file in /etc/pam_ldap.conf and does not seem to use /etc/nslcd.conf in the way it does on CentOS 7.