LDAP Authentication Troubleshooting

Hey all, I've been trying to configure LDAP on my Xeon Phi and I'm about ready to pull my hair out trying to get it to work. All of the guides that I've read make it sound pretty straightforward, but I can't seem to get it to work or narrow down why it's not working. I'll try to include as much relevant information as possible, but please ask if there's something else you'd like me to include.

    # micctrl --config

    Config Version: 1.1

    Linux Kernel:   /usr/share/mpss/boot/bzImage-knightscorner
    Map File:       /usr/share/mpss/boot/
    Family:         x100
    MPSSVersion:    3.x
    BootOnStart:    Enabled
    Shutdowntimeout: 300 seconds

    ExtraCommandLine: highres=off noautogroup
    PowerManagment: cpufreq_on;corec6_on;pc3_on;pc6_on

    Root Device:   Dynamic Ram Filesystem /var/mpss/mic0.image.gz from:
        Base:      CPIO /usr/share/mpss/boot/initramfs-knightscorner.cpio.gz
        Overlay:   RPM /opt/mpss/3.7.1/k1om//pam-ldap-1* on
        Overlay:   RPM /opt/mpss/3.7.1/k1om//pam-plugin-mkhomedir-1* on
        Overlay:   RPM /opt/mpss/3.7.1/k1om//nss-ldap-2* on
        CommonDir: Directory /var/mpss/common
        Micdir:    Directory /var/mpss/mic0

    Network:       Static bridge br0
        MIC IP:
        Host IP:
        Net Bits:  24
        MtuSize:   9000
        MIC MAC:   4c:79:ba:82:01:52
        Host MAC:  4c:79:ba:82:01:53

    LDAP:          Enabled
     NIS:          Disabled

        Memory:    Disabled

    Console:        hvc0
    VerboseLogging: Disabled
    CrashDump:      /var/crash/mic 16GB


    # cat /var/mpss/mic0/etc/ldap.conf
    URI ldap://
    BASE dc=glbrc,dc=org
    bind_policy soft


    # cat /var/mpss/mic0/etc/nsswitch.conf
    passwd:         files ldap nis
    group:          files ldap nis
    shadow:         files ldap nis

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis



    # cat /var/mpss/mic0/etc/pam.d/common-auth
    # /etc/pam.d/common-auth - authentication settings common to all services
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.

    auth    required
    auth    sufficient
    auth    [success=1 default=ignore] nullok_secure
    auth    requisite



    # cat /var/mpss/mic0/etc/ssh/sshd_config
    Protocol 2
    UsePAM yes
    UsePrivilegeSeparation yes
    Compression no
    ClientAliveInterval 15
    ClientAliveCountMax 4
    Subsystem       sftp    /usr/libexec/sftp-server



When I try to run `id <username>` I get the unknown user message and the following line in /var/log/messages:

    Sep 13 14:28:49 scarcity-10-mic0 user.err id: nss_ldap: could not search LDAP server - Server is unavailable

This led me to think there might be a networking issue, but using tcpdump on the host machine I could see that there was a back and forth between the domain controller and the MIC. I decided to try and play around with the ldap.conf settings and after adding a binduser and associated password, I still got the unknown user message, but nothing in /var/log/messages. I'm at a bit of a loss what to think of that, but even so none of the Intel guides I read mentioned using a binduser, so I didn't spend too much time dwelling.

We are currently using winbind for authentication on the host machine. I don't think that should matter but figured it was worth mentioning. The host machine is running CentOS 6.6 and we are running MPSS 3.7.

For reference, this was the guide that I used for the process, along with the MPSS User Guide.

