Troubleshooting LDAP Authentication Failures on CentOS 7: Migrating from pam_ldap to nss-pam-ldapd


After upgrading from CentOS 6 to CentOS 7, many administrators find that LDAP logins fail even though ldapsearch against the same server works. The usual cause is the client stack, not the directory: CentOS 7 has no standalone pam_ldap package. The pam_ldap.so module now comes from nss-pam-ldapd and, like the NSS lookups, it works through the nslcd daemon, so an old /etc/pam_ldap.conf is ignored and everything has to be configured in /etc/nslcd.conf with nslcd installed, enabled and running.

# Verify installed packages
rpm -qa | grep -i ldap
openldap-2.4.39-3.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-clients-2.4.39-3.el7.x86_64

# Install missing components if needed. There is no separate pam_ldap
# package on CentOS 7: pam_ldap.so is part of nss-pam-ldapd.
yum install nss-pam-ldapd openldap-clients

/etc/nslcd.conf (root-owned, mode 0600: it holds the bind password in clear text)

# Basic LDAP server configuration
uri ldap://172.16.64.25
base dc=sub,dc=example,dc=org
ldap_version 3

# Transport security. 'ssl no' sends every simple bind, including user
# passwords and the bindpw below, in clear text; for production use
# 'ssl on' with an ldaps:// URI (or 'ssl start_tls'), set
# 'tls_reqcert demand' and point tls_cacertfile at the issuing CA.
# 'tls_reqcert never' disables certificate verification and only takes
# effect once TLS is on.
ssl no
tls_reqcert never

# Bind credentials (if required). cn=Manager is normally the OpenLDAP
# rootdn; give clients a dedicated read-only account instead of the
# directory administrator's password.
binddn cn=Manager,dc=sub,dc=example,dc=org
bindpw secret

PAM Configuration Updates

Modify both /etc/pam.d/password-auth and /etc/pam.d/system-auth. These are the lines authconfig inserts when LDAP authentication is enabled; each goes after the pam_unix.so line of the same type, and pam_ldap.so here is the nss-pam-ldapd module, which hands the check to nslcd over its Unix socket:

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

# Debug nslcd: nslcd.conf has no debug keyword, so run the daemon in the
# foreground with -d, which prints every lookup, bind and LDAP error to the
# terminal (Ctrl-C when done, then start the service again)
systemctl stop nslcd
nslcd -d
systemctl start nslcd

# Check authentication attempts
tail -f /var/log/secure
journalctl -u nslcd -f
# Check SELinux denials (audit2allow and semanage come from
# policycoreutils-python)
grep nslcd /var/log/audit/audit.log | audit2allow

# Let confined services resolve users through NSS over LDAP
setsebool -P authlogin_nsswitch_use_ldap 1
# 389/tcp and 636/tcp are already labelled ldap_port_t, so adding 389 fails
# with "already defined"; label a port only when the server listens on a
# non-standard one (10389 here is an example value)
semanage port -a -t ldap_port_t -p tcp 10389

# Verify system authentication setup
authconfig --test | grep -i ldap

# Test LDAP user resolution
getent passwd user.name
id user.name

After these changes, make sure nslcd is enabled and running (systemctl enable nslcd; systemctl start nslcd), that /etc/nsswitch.conf lists ldap for passwd, shadow and group, then restart sshd and test a login. The key difference from CentOS 6 is that pam_ldap.so no longer reads its own configuration file or opens its own LDAP connection: both name resolution and authentication go through nslcd, so a stopped or misconfigured nslcd breaks logins even while ldapsearch works.
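The checks above are the ones worth scripting before the first login attempt. The script below is an added example, not code from the original page or from the nss-pam-ldapd project: it reads an nslcd.conf, an nsswitch.conf and a PAM stack file and reports cleartext or unverified transport, an exposed bindpw, NSS databases that do not list ldap, and PAM types that lack a pam_ldap.so line. The sample files it builds are constructed for the demonstration; the ldaps:// hostname ldap.sub.example.org and the cn=nslcd service account in the hardened sample are assumptions, not values from the page.

```shell
#!/bin/sh
# Pre-flight audit for an nss-pam-ldapd client. Added example, not code from
# the original page: it checks copies of nslcd.conf, nsswitch.conf and a PAM
# stack file passed as arguments, so it runs against the constructed samples
# at the bottom or against the real /etc/nslcd.conf, /etc/nsswitch.conf and
# /etc/pam.d/system-auth.

# Print one line per transport or credential weakness in an nslcd.conf ($1).
nslcd_weaknesses() {
    # 'ssl no' with a plain ldap:// URI: bindpw and user passwords cross the
    # network in clear text.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+no' "$1" \
       && ! grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1"; then
        echo "cleartext: 'ssl no' with an ldap:// uri"
    fi
    # never/allow skip certificate verification, so anyone who can answer on
    # the wire can impersonate the directory.
    if grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)' "$1"; then
        echo "unverified: tls_reqcert never/allow"
    fi
    # A bindpw in a group- or world-readable file leaks the service account.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$1" \
       && find "$1" \( -perm -040 -o -perm -004 \) | grep -q .; then
        echo "exposed: bindpw set but $1 is group/world readable"
    fi
}

# Number of weaknesses found in $1 (0 means the file passed).
nslcd_weakness_count() {
    nslcd_weaknesses "$1" | wc -l | tr -d ' '
}

# Print the NSS databases among passwd/shadow/group whose line in
# nsswitch.conf ($1) does not list ldap; empty output means all three do.
nsswitch_missing_ldap() {
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            || echo "$db"
    done
}

# Print the PAM types among auth/account/password/session that have no
# pam_ldap.so line in the stack file ($1); empty output means it is complete.
pam_missing_ldap() {
    for t in auth account password session; do
        grep -Eq "^[[:space:]]*$t[[:space:]].*pam_ldap\.so" "$1" || echo "$t"
    done
}

# Constructed samples (hostnames and DNs are made up): the page's weak
# nslcd.conf, a hardened one, an nsswitch.conf with shadow still on files
# only, and a system-auth that lacks the session line.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/nslcd.weak.conf" <<'EOF'
uri ldap://172.16.64.25
base dc=sub,dc=example,dc=org
ssl no
tls_reqcert never
binddn cn=Manager,dc=sub,dc=example,dc=org
bindpw secret
EOF
chmod 644 "$WORK/nslcd.weak.conf"

cat > "$WORK/nslcd.hardened.conf" <<'EOF'
uri ldaps://ldap.sub.example.org
base dc=sub,dc=example,dc=org
ssl on
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ca.crt
binddn cn=nslcd,ou=services,dc=sub,dc=example,dc=org
bindpw secret
EOF
chmod 600 "$WORK/nslcd.hardened.conf"

cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files
group:      files ldap
EOF

cat > "$WORK/system-auth" <<'EOF'
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
EOF

echo "nslcd.weak.conf:";     nslcd_weaknesses "$WORK/nslcd.weak.conf"
echo "nslcd.hardened.conf:"; nslcd_weaknesses "$WORK/nslcd.hardened.conf"
echo "nsswitch databases without ldap:"; nsswitch_missing_ldap "$WORK/nsswitch.conf"
echo "PAM types without pam_ldap.so:";   pam_missing_ldap "$WORK/system-auth"
```

Run it as root against the live files by replacing the sample paths; a non-empty result from any of the four functions is a reason not to expect logins to work yet.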


CentOS 7 changed its LDAP client stack: the standalone pam_ldap package (and its own configuration file) is gone, and nss-pam-ldapd now supplies both the NSS side, the nslcd daemon, and the pam_ldap.so module, with a single configuration file, /etc/nslcd.conf. Configurations carried over from CentOS 6 therefore often fail until nslcd is configured and running.

First, confirm your installed LDAP packages:

rpm -qa | grep -i ldap
openldap-2.4.39-3.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-clients-2.4.39-3.el7.x86_64

Your /etc/nslcd.conf needs at least uri and base; the rest are common additions:

# Basic LDAP server connection (required)
uri ldap://your.ldap.server
base dc=example,dc=com

# Security settings. With 'ssl no' the connection is plain text and
# tls_cacertdir is never consulted; for a verified encrypted connection
# use 'ssl on' with an ldaps:// URI (or 'ssl start_tls'), add
# 'tls_reqcert demand', and put the issuing CA certificate in the
# directory named here.
ssl no
tls_cacertdir /etc/openldap/cacerts

# Search mappings: restrict passwd lookups to POSIX accounts, and compute
# the home directory from the uid attribute for every entry (the entry's
# own homeDirectory attribute is then ignored)
filter passwd (objectClass=posixAccount)
map    passwd homeDirectory "/home/$uid"

Make sure the PAM files carry the nss-pam-ldapd lines. The module is still named pam_ldap.so, but the one shipped by nss-pam-ldapd authenticates through nslcd instead of opening its own LDAP connection, so it takes all its settings from /etc/nslcd.conf:

# /etc/pam.d/system-auth changes:
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok

Enable verbose logging. nslcd.conf has no debug or logfile keyword; run the daemon in the foreground instead, where -d prints every lookup, bind and LDAP error to the terminal:

systemctl stop nslcd
nslcd -d

In a second terminal, attempt a login and watch the PAM side:

tail -f /var/log/secure

Stop the foreground nslcd with Ctrl-C and start the service again afterwards:

systemctl restart nslcd

Check that the client can reach the directory. firewalld only filters inbound traffic, so adding the ldap service on the client opens 389/tcp inbound for no benefit; the rule below belongs on the LDAP server. On the client, a plain ldapsearch -x against the configured uri and base, using the same binddn as nslcd, is the connectivity test.

# on the LDAP server
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

For more complex environments, use SSSD, the client stack Red Hat recommends on CentOS 7, which can also cache credentials for logins while the directory is unreachable. Run one backend at a time: with SSSD enabled, stop and disable nslcd. SSSD refuses to send passwords over an unencrypted connection, so point it at an ldaps:// URI (or add --enableldaptls) and install the issuing CA certificate under /etc/openldap/cacerts:

yum install sssd authconfig
authconfig --enablesssd --enablesssdauth --enableldap \
  --enableldapauth --ldapserver=ldaps://your.server \
  --ldapbasedn="dc=example,dc=com" --update

Verify that the backend you chose is running (only one of nslcd and sssd should be active) and that the user resolves through it:

systemctl status nslcd
systemctl status sssd
getent passwd ldapuser
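When the logs above start scrolling, the useful step is to separate "cannot reach the server", "service bind rejected", "user not resolved by NSS" and "wrong password", because each points at a different file. The script below is an added example, not code from the original page or from nss-pam-ldapd; the six log lines it runs on are constructed samples in /var/log/secure and journalctl style (the error strings they carry, Can't contact LDAP server, Invalid credentials, user unknown and authentication failure, are what OpenLDAP and pam_unix emit), and the class names it prints are this example's own labels.

```shell
#!/bin/sh
# Log triage for a freshly migrated nss-pam-ldapd client. Added example, not
# code from the original page. Feed it real lines with:
#   journalctl -u nslcd --no-pager | classify_log
#   grep -E 'pam_(ldap|unix)' /var/log/secure | classify_log
# The sample lines at the bottom are constructed, not captured from a host.

# Map one log line to a failure class. Order matters: a rejected service
# bind also says "Invalid credentials", so it is tested before the
# per-user case.
classify_line() {
    case "$1" in
        *"Can't contact LDAP server"*|*"Connection refused"*|*"no available LDAP server"*)
            # wrong uri, firewall on the server, or nslcd cannot reach 389/636
            echo SERVER_UNREACHABLE ;;
        *"failed to bind"*)
            # binddn/bindpw in nslcd.conf are rejected by the directory
            echo BIND_FAILED ;;
        *"user unknown"*)
            # NSS never resolved the account: nslcd down or nsswitch lacks ldap
            echo USER_NOT_RESOLVED ;;
        *"Invalid credentials"*)
            # the directory saw the user and rejected the password
            echo BAD_PASSWORD ;;
        *pam_unix*"authentication failure"*)
            # expected for a directory user: pam_unix runs first and has no
            # local hash; the verdict is on the pam_ldap/nslcd line after it
            echo UNIX_FALLTHROUGH ;;
        *)
            echo OTHER ;;
    esac
}

# Read log lines on stdin and print "CLASS<TAB>line" for each.
classify_log() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(classify_line "$line")" "$line"
    done
}

# Read log lines on stdin and print "CLASS count", one class per line.
summarize() {
    classify_log | cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Number of lines in class $1 among the log read from stdin.
count_class() {
    classify_log | cut -f1 | grep -c "^$1\$" || true
}

# Constructed sample: one line per failure class plus a harmless startup line.
# Host names, PIDs and addresses are made up.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar  3 10:01:12 client nslcd[2141]: [8b4567] <passwd="alice"> no available LDAP server found: Can't contact LDAP server
Mar  3 10:01:12 client sshd[2190]: pam_unix(sshd:auth): check pass; user unknown
Mar  3 10:03:40 client nslcd[2141]: failed to bind to LDAP server ldap://172.16.64.25: Invalid credentials
Mar  3 10:05:02 client sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Mar  3 10:05:02 client nslcd[2141]: [3c9869] <authc="alice"> ldap_result() failed: Invalid credentials
Mar  3 10:06:00 client nslcd[2141]: version 0.8.13 starting
EOF

classify_log < "$SAMPLE"
echo "--- summary"
summarize < "$SAMPLE"
```

SERVER_UNREACHABLE points at uri, DNS and the server's firewall; BIND_FAILED at binddn/bindpw in nslcd.conf; USER_NOT_RESOLVED at nsswitch.conf and whether nslcd is running; only BAD_PASSWORD is a user-side problem.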