# [LDAP] groupadd not working after adding LDAP authentication

## foux

I've setup today an LDAP authentication on our server.

The authentication works great, but I can't add any group localy (not really a problem), but what's more problematic, neither can emerge.

Here are my different configuration files

emerge --info

```
Portage 2.1.11.55 (default/linux/amd64/13.0/desktop/kde, gcc-4.6.3, glibc-2.15-r3, 3.7.10-gentoo x86_64)

=================================================================

System uname: Linux-3.7.10-gentoo-x86_64-Intel-R-_Core-TM-_i3_CPU_540_@_3.07GHz-with-gentoo-2.1

KiB Mem:     3981520 total,    941364 free

KiB Swap:    1828120 total,   1827880 free

Timestamp of tree: Fri, 05 Apr 2013 08:00:02 +0000

ld GNU ld (GNU Binutils) 2.22

app-shells/bash:          4.2_p37

dev-java/java-config:     2.1.12-r1

dev-lang/python:          2.7.3-r3, 3.2.3-r2

dev-util/cmake:           2.8.9

dev-util/pkgconfig:       0.28

sys-apps/baselayout:      2.1-r1

sys-apps/openrc:          0.11.8

sys-apps/sandbox:         2.5

sys-devel/autoconf:       2.13, 2.69

sys-devel/automake:       1.10.3, 1.11.6

sys-devel/binutils:       2.22-r1

sys-devel/gcc:            4.6.3

sys-devel/gcc-config:     1.7.3

sys-devel/libtool:        2.4-r1

sys-devel/make:           3.82-r4

sys-kernel/linux-headers: 3.7 (virtual/os-headers)

sys-libs/glibc:           2.15-r3

Repositories: gentoo

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=native -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/splash /etc/terminfo"

CXXFLAGS="-march=native -O2 -pipe"

DISTDIR="/usr/portage/distfiles"

FCFLAGS="-O2 -pipe"

FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"

FFLAGS="-O2 -pipe"

GENTOO_MIRRORS="http://distfiles.gentoo.org"

LANG="fr_FR.UTF-8"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j5"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

USE="X a52 aac acl acpi alsa amd64 avahi berkdb bindist bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif git gpm gtk iconv ipv6 jpeg kde kipi lcms ldap libnotify mad mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds qt3support qt4 readline sdl semantic-desktop session spell sse sse2 ssl startup-notification subversion svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xcb xcomposite xinerama xml xscreensaver xv xvid zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="keyboard mouse synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="fr" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
```

/etc/ldap.conf

```
base xxxx

uri ldaps://www.www.info/

TLS_REQCERT never

.....

nss_reconnect_tries 4                   # number of times to double the sleep time

nss_reconnect_sleeptime 1               # initial sleep value

nss_reconnect_maxsleeptime 16   # max sleep value to cap at

nss_reconnect_maxconntries 2    # how many tries before sleeping

nss_initgroups_ignoreusers ldap,openldap,mysql,syslog,root,postgres
```

/etc/nssswitch.conf

```
passwd:      compat ldap

shadow:      compat ldap

group:       compat ldap

# passwd:    db files nis

# shadow:    db files nis

# group:     db files nis

hosts:       files dns

networks:    files dns

services:    db files

protocols:   db files

rpc:         db files

ethers:      db files

netmasks:    files

netgroup:    files

bootparams:  files

automount:   files

aliases:     files
```

/etc/pam.d/system-auth

```
auth            required        pam_env.so 

auth            sufficient      pam_unix.so nullok try_first_pass likeauth

auth            sufficient      pam_ldap.so use_first_pass

auth            required        pam_deny.so

 

account         sufficient      pam_ldap.so

account         required        pam_unix.so

account         required        pam_deny.so

 

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 

password        sufficient      pam_unix.so try_first_pass use_authtok sha512 shadow 

password        sufficient      pam_ldap.so use_authtok use_first_pass

password        required        pam_deny.so

 

session         required        pam_limits.so 

session         required        pam_env.so 

session         required        pam_unix.so

session         required        pam_mkhomedir.so skel=/etc/skel umask=0022

session         optional        pam_ldap.so 

session         optional        pam_permit.so
```

And what happens if I try to emerge a package that try to creates a group :

```
>>> Emerging (1 of 3) net-mail/mailbase-1.1

 * Adding group 'mail' to your system ...

 *  - Groupid: 12

groupadd : échec de la méthode d'authentification PAM

 * ERROR: net-mail/mailbase-1.1 failed (setup phase):

 *   (no error message)

 * 

 * Call stack:

 *             ebuild.sh, line  93:  Called pkg_setup

 *   mailbase-1.1.ebuild, line  21:  Called enewgroup 'mail' '12'

 *           user.eclass, line 343:  Called die

 * The specific snippet of code:

 *              groupadd -r ${opts} "${egroup}" || die
```

Any idea what I can do to solve the issue?

Thanks in advance

----------

## Jimmy Jazz

probably because it doesn't exist...

try,

account     required      pam_ldap.so ignore_authinfo_unavail ignore_unknown_user no_warn

password   sufficient   pam_ldap.so use_authtok try_first_pass ignore_authinfo_unavail

----------

## dr.nil

 *Jimmy Jazz wrote:*   

> account     required      pam_ldap.so ignore_authinfo_unavail ignore_unknown_user no_warn
> 
> password   sufficient   pam_ldap.so use_authtok try_first_pass ignore_authinfo_unavail

 

I'm having the same problem (and config) as the OP. I tried your pam changes but the problem remains the same:

 *Quote:*   

> >>> Merging net-misc/dhcp-4.2.5_p1 to /
> 
>  * Adding group 'dhcp' to your system ...
> 
>  *  - Groupid: next available
> ...

 

Does anyone have further tips?

----------

