Get openldap to authenticate with ldap server without TLS/SSL under CentOS 6


Jephe Wu - http://linuxtechres.blogspot.com

Objective: use ldap to authenticate users against an openldap server without TLS/SSL
Environment: CentOS 6.1 64bit (ldap client), openldap server


Concepts:

Since RHEL6/CentOS6, the ldap client uses sssd and nslcd by default to authenticate against the ldap server, and sssd requires a TLS/SSL certificate during authentication because otherwise the password would be transmitted in plaintext.

Refer to http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
----------
To perform authentication, SSSD requires that the communication channel be encrypted. This means that if sssd.conf is configured to connect over a standard protocol (ldap://), it attempts to encrypt the communication channel with Start TLS. If sssd.conf is configured to connect over a secure protocol (ldaps://), then SSSD uses SSL.

This means that the LDAP server must be configured to run in SSL or TLS. TLS must be enabled for the standard LDAP port (389) or SSL enabled on the secure LDAPS port (636). With either SSL or TLS, the LDAP server must also be configured with a valid certificate trust.
---------

Steps:

1. make sure the following packages are installed:
pam_ldap
nss-pam-ldapd (thanks Eric for pointing out that the name uses dashes, not underscores: it's nss-pam-ldapd, not nss_pam_ldapd)

run rpm -qa | grep ldap to check

2. modify /etc/sysconfig/authconfig
change
FORCELEGACY=no
to
FORCELEGACY=yes

3. run the setup command (e.g. in a putty session)
choose 'Use LDAP' in User Information
choose 'Use Shadow Password', 'Use LDAP Authentication', 'Use Fingerprint reader' and 'Local authorization is sufficient', then Next
type in the Server and Base DN, such as:
ldap://ldap.jephe
dc=jephewu,dc=com

Note: it will stop the sssd daemon and disable it from startup by running 'chkconfig sssd off'

If you ran 'setup' before changing FORCELEGACY from no to yes, you have to change it and run setup again to stop sssd, and then edit /etc/pam.d/system-auth, replacing all pam_sss.so entries with pam_ldap.so.

Note: /etc/pam.d/system-auth is a symbolic link to /etc/pam.d/system-auth-ac

4. test it
ssh as root
# getent passwd # should show all ldap users such as jwu
# getent group
# id jwu
# su - jwu
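As an added example that is not part of the original post, the following shell script audits the end state of steps 2 and 3 and flags the combination this post deliberately configures: FORCELEGACY=yes, pam_ldap.so in the PAM auth stack, and a plain ldap:// URI with no TLS, which sends user passwords to the server unencrypted. It runs against a constructed sample tree under $ROOT; the /etc/pam_ldap.conf path and its 'uri' and 'ssl' keywords are assumptions of this example, not stated in the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a CentOS 6 LDAP client for the
# legacy plaintext configuration the steps above produce, so it can be found and reviewed.
# Assumptions: authconfig and system-auth paths as in the post; pam_ldap reads
# /etc/pam_ldap.conf with 'uri' and 'ssl' keywords (assumed, not stated in the post).
# All files live under $ROOT so the script can run offline on constructed samples.

ROOT="${ROOT:-$(mktemp -d)}"

# Constructed sample tree mirroring the post's end state after steps 2 and 3.
make_sample() {
  mkdir -p "$ROOT/etc/sysconfig" "$ROOT/etc/pam.d"
  printf 'USELDAP=yes\nFORCELEGACY=yes\n' > "$ROOT/etc/sysconfig/authconfig"
  cat > "$ROOT/etc/pam.d/system-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
account     required      pam_unix.so
account     sufficient    pam_localuser.so
EOF
  printf 'uri ldap://ldap.jephe\nbase dc=jephewu,dc=com\n' > "$ROOT/etc/pam_ldap.conf"
}

# 0 when authconfig forces the legacy (pam_ldap/nslcd, no sssd) stack.
legacy_forced() {
  grep -qx 'FORCELEGACY=yes' "$ROOT/etc/sysconfig/authconfig"
}

# 0 when an auth line hands the password to pam_ldap.so (pam_sss.so was replaced).
pam_uses_ldap() {
  grep -Eq '^auth[[:space:]].*pam_ldap\.so' "$ROOT/etc/pam.d/system-auth"
}

# 0 when the server URI is plain ldap:// and no 'ssl on' / 'ssl start_tls' is set,
# i.e. the simple bind carrying the user's password crosses the wire unencrypted.
ldap_unencrypted() {
  grep -Eq '^uri[[:space:]]+ldap://' "$ROOT/etc/pam_ldap.conf" &&
    ! grep -Eq '^ssl[[:space:]]+(on|start_tls)' "$ROOT/etc/pam_ldap.conf"
}

# One-line verdict; returns 0 only when all three conditions hold together.
audit() {
  if legacy_forced && pam_uses_ldap && ldap_unencrypted; then
    echo "WARNING: pam_ldap authenticates over plaintext ldap:// (no TLS)"
    return 0
  fi
  echo "OK: no plaintext LDAP authentication detected"
  return 1
}

make_sample && audit
```

Point ROOT at / to audit a real host; adding 'ssl start_tls' to the pam_ldap configuration (with a trusted certificate on the server) is what clears the warning.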


5. Troubleshooting:

a. put debug_level = 9 in /etc/sssd/sssd.conf under the domain/LDAP section, or directly run
# sssd -d4
then check /var/log/sssd/* when logging in.

b. nss_initgroups_ignoreusers
The LDAP server is queried even for users found in /etc/passwd.

To set up permissions correctly, the login environment needs to find all the groups that a user is a member of. If you have configured NSS to look up groups in LDAP (group: ldap in /etc/nsswitch.conf), then the NSS library will look up group information in LDAP for users in /etc/passwd too. To avoid this lookup for users whose group membership information is not stored in LDAP, add that user to the nss_initgroups_ignoreusers option in /etc/ldap.conf.

c. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html

d. make sure you have started the nslcd daemon and enabled it at boot: # chkconfig nslcd on

e. on the ldap client, you are unable to log in as root when the ldap server is down.
Put the following into /etc/pam.d/system-auth after the pam_unix.so line:

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient   /lib/security/$ISA/pam_localuser.so

f. master-slave ldap sync
A syncrepl slave LDAP server doesn't sync with the master if the sync interval is more than 35 minutes on RHEL5

6. References:
http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Deployment_Guide/SSSD-Troubleshooting.html
http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3

2 comments:

  1. FYI the rpm that you mention above is "nss-pam-ldapd" with dashes, not underscores. Annoying inconsistency but that's how it goes..

    -Eric

  2. FYI - the RPM mentioned above that's needed for this to work is "nss-pam-ldapd" with dashes instead of underscores. Annoying inconsistency in naming RPMs.

    -Eric
