Hello there.
I got Leap 42.2 (xen VM, fresh install, updated) with LDAP installed (How-to: https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.auth.html ).
All was fine until I restarted the machine. It won't boot.
So, here is the solution to boot after a fresh install of LDAP (and configuring it):
nsswitch.conf - Modify this file and uncomment passwd, group, shadow (those 3 with nis use files) and comment the ldap passwd and group lines. After that the VM works just fine. BUT - as you can see, I can't log in with LDAP users etc.
## /etc/nsswitch.conf
#
# For more information, please read the nsswitch.conf.5 manual page.
#
## THAT WAS COMMENTED AND THE SYSTEM WOULDN'T BOOT
passwd: files nis
shadow: files nis
group: files nis
## THAT WAS UNCOMMENTED
#passwd: compat ldap
#group: compat ldap
hosts: files mdns_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
sudoers: ldap
To modify the file you can use single-user mode or a LiveCD.
How to solve that problem and make my LDAP work fine without this boot issue?
P.S. - At first I thought I had this issue because I had “ldap://ip.add.res.1” instead of “ldap://localhost” in /etc/ldap.conf - but that doesn't work for me.
I tried a new fresh install on another hypervisor - same result, the VM won't start after installing and configuring LDAP.
PS - I forgot to mention that systemd-logind.service needed to be stopped (disabled) via systemctl to boot after modifying the “/etc/nsswitch.conf” file.
ldap-server:# systemctl disable systemd-logind.service
Can anyone give me an advice?
It seems that logind.service and nscd.service start before the network.
I tried many variations of configuring it - but it still doesn't work.
The system won't start until I disable those 2 services and correct the /etc/nsswitch.conf file.
Yes, by default there is no direct dependency. To test whether it helps you can order nscd.service after the network. Are you using wicked or NetworkManager?
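One way to try that ordering, written here as an added example rather than anything from the thread or from openSUSE's own unit files: a systemd drop-in for nscd.service that waits for network-online.target. The drop-in path is my assumption, as is that wicked reaches network-online.target on this system, which it normally does.

```ini
# /etc/systemd/system/nscd.service.d/after-network.conf  (assumed drop-in path)
# Start nscd only after the network is up, so its first directory lookups
# at boot are not made against an unreachable LDAP server.
[Unit]
After=network-online.target
Wants=network-online.target
```

Run systemctl daemon-reload and reboot to test it; the same drop-in can be put under sssd.service.d if sssd shows the same symptom. Ordering alone does not replace the nsswitch.conf fix: passwd and group should still list files first so that root and the system accounts resolve even while the directory is unreachable.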
I'm using wicked.
openSUSE 42.2 without graphics + latest updates.
After installing SSSD + PAM and configuring nsswitch it seems to work fine. (I haven't rebooted yet, but ldap auth works well).
The issue was in using “YAST>Network Services> Client LDAP and Kerberos” instead of “YAST>NetworkServices>AuthenticationClient”
I can post nsswitch.conf and the pam.d common files, if it will help someone.
P.S. - Should I create a bug report about “Client LDAP and Kerberos” not working?
I got the same result using SSSD+PAM+NSS. The configs were checked many times. I can post them here. The VM won't boot when it is connected to the ldap server.
Now I have the following services not working on boot:
- NSCD
- Wicked-AutoIPv4
- Wicked-DHCPv6
- SSSD
- Wicked-DHCPv4
After disabling those 5 services + systemd-logind.service via systemctl, openSUSE tries to load them on boot anyway.
After that LEAP tells me that it can't load them and the boot stops.
Found a solution.
If you have the same problem - reconfigure your /etc/nsswitch.conf:
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
#**THAT WAS COMMENTED! - Uncomment it** and add **sss** at the end of the passwd and group lines.
#Then save and restart sssd.
passwd: files **sss**
shadow: files
group: files **sss**
#**That was UNCOMMENTED - Comment it!** (Was configured with yast).
#passwd: compat ldap sss
#group: compat ldap sss
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
sudoers: files sss
I suspect some of these issues resulted from configurations implemented using the YaST authentication client module. I continue to have conversations with the relevant developers to smooth out the terminology used in those UIs.
That said you can check which module(s) is/are being used for authentication (pam_ldap.so, pam_krb5.so or pam_sss.so) and mirror those settings in the /etc/nsswitch.conf file, if the configuration is done outside of YaST or mangled by it.
Checking for modules:
pam-config --query --ldap
pam-config --query --krb5
pam-config --query --sss
pam_ldap.so can be run standalone or with pam_krb5.so, but pam_sss.so is always run standalone.
Use pam-config --add --xxxx or pam-config --delete --xxx as necessary.
These will correctly modify the necessary pam.d files but be sure to add either “files ldap” or “files sss” to the passwd, group, automount, or sudoers records in the /etc/nsswitch.conf file.
Hoping it helps.
– lawrence
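A small check that does what lawrence describes, written here as an added example and not openSUSE's or pam-config's own code: given the PAM module in use (ldap or sss, as reported by pam-config --query), it reads an nsswitch.conf and confirms that the passwd, group, automount and sudoers records keep a local source (files or compat) and list the matching directory source, and that the two backends are not mixed. The function name nsswitch_matches is hypothetical, and both sample configs are constructed inline.

```sh
#!/bin/sh
# Added example: verify that nsswitch.conf mirrors the PAM module in use.
# nsswitch_matches is a hypothetical helper, not part of openSUSE or pam-config.
# Usage: nsswitch_matches <ldap|sss> <path-to-nsswitch.conf>
# Returns 0 when consistent, 1 otherwise; each mismatch is printed on stderr.
nsswitch_matches() {
    module="$1"
    conf="$2"
    # pam_sss.so is run standalone, so the other backend must not appear
    other=ldap
    [ "$module" = ldap ] && other=sss
    rc=0
    for db in passwd group automount sudoers; do
        # last uncommented "db:" line, value part only, tabs normalised to spaces
        sources=$(grep -E "^[[:space:]]*${db}:" "$conf" | tail -n 1 | cut -d: -f2- | tr '\t' ' ')
        if [ -z "$sources" ]; then
            echo "$db: no uncommented entry" >&2
            rc=1
            continue
        fi
        padded=" $sources "
        case "$padded" in
            *" files "*|*" compat "*) ;;
            *) echo "$db: neither 'files' nor 'compat' listed; local accounts could not resolve without the directory" >&2; rc=1 ;;
        esac
        case "$padded" in
            *" $module "*) ;;
            *) echo "$db: expected source '$module' (PAM uses pam_$module.so) not listed" >&2; rc=1 ;;
        esac
        case "$padded" in
            *" $other "*) echo "$db: '$other' listed although PAM uses pam_$module.so" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample files (not the thread's real configs), removed on exit.
good_conf=$(mktemp)
bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat > "$good_conf" <<'EOF'
# pam-config --query --sss reports pam_sss.so, so every directory-served
# record ends in "files sss"
passwd: files sss
shadow: files
group: files sss
#passwd: compat ldap sss
#group: compat ldap sss
hosts: files dns
automount: files sss
sudoers: files sss
EOF
cat > "$bad_conf" <<'EOF'
# the mixed layout from the thread: ldap and sss together, sudoers with no files
passwd: compat ldap sss
group: compat ldap sss
automount: files nis
sudoers: ldap
EOF

nsswitch_matches sss "$good_conf" && echo "good sample: nsswitch.conf matches pam_sss.so"
nsswitch_matches sss "$bad_conf" || echo "bad sample: mismatches listed above"
```

Run it against the real file with nsswitch_matches sss /etc/nsswitch.conf (or ldap, whichever pam-config reports). The check accepts compat as a local source because glibc's compat mode still reads /etc/passwd and /etc/group; what it refuses is a record that depends on the directory alone, which is exactly the layout that left this VM unable to boot before the network was up.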