On 05/05/2015 06:47 PM, Gordon Messmer wrote:
On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
/etc/openldap/ldap.conf contains the line:
pam_check_host_attr yes
/etc/openldap/ldap.conf is the configuration file for openldap clients. It is not used for system authentication or name service.
'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf is a softlink to that file.
Those two files have completely different syntax and are used by different software. Don't symlink them.
I deleted the link now. /etc/ldap.conf was not present before. I gave openldap
/etc/sssd/sssd.conf:
If you're using sssd, then you're not using (or shouldn't be using) the PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.
[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
ldap_access_filter should be an LDAP filter, not an OU. However, it's only used when ldap_access_order=filter. When using ldap_access_order=host, it should not be present.
ldap_access_filter is now commented out.
in /etc/nscd.conf:
nscd is also not used when using sssd.
/etc/nsswitch.conf:
...
passwd: files sss ldap
shadow: files sss ldap
group:  files sss ldap
This is wrong. Don't use sss and ldap together. It's redundant. At best it will cause performance problems.
Get rid of the ldap module and see if the system starts working correctly with just sssd. It's possible that right now sssd is correctly filtering users, but the PADL ldap module is providing them.
This was a good hint (I should have got the idea myself). Now I set
passwd: files ldap
shadow: files ldap
group:  files ldap
and got "pam_unix(sshd:auth): check pass; user unknown", the same as when I set services = pam in sssd.conf.
So, does it mean only the NSS is providing the ldap user information, and sssd cannot read the pam information? So pam is not set up correctly?
I am confused about what to do now. Do I have to configure anything else in /etc/pam.d apart from system-auth?
With kind regards, ulrich
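A small lint for the two configuration points raised in the replies, added here as an example; it is not code from the thread or from the sssd project. It parses a constructed sssd.conf and nsswitch.conf built from the settings quoted above and flags an ldap_access_filter that is ignored under ldap_access_order = host, a missing filter when the filter order is in use, and NSS databases that list both sss and ldap.

```python
import configparser

# Constructed samples: "before" quotes the settings from the thread,
# "after" applies the advice given in the replies.
SSSD_BEFORE = """[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
"""
SSSD_AFTER = """[domain/default]
access_provider = ldap
ldap_access_order = host
"""
NSSWITCH_BEFORE = "passwd: files sss ldap\nshadow: files sss ldap\ngroup:  files sss ldap\n"
NSSWITCH_AFTER = "passwd: files sss\nshadow: files sss\ngroup:  files sss\n"


def check_sssd_access(conf_text):
    """Return findings for the LDAP access-control keys of each [domain/*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("access_provider") != "ldap":
            continue
        # sssd-ldap(5): ldap_access_order defaults to "filter" when unset
        order = [o.strip() for o in sec.get("ldap_access_order", "filter").split(",")]
        has_filter = bool(sec.get("ldap_access_filter", "").strip())
        if "filter" not in order and has_filter:
            findings.append(f"{name}: ldap_access_filter is ignored with "
                            f"ldap_access_order={','.join(order)}; remove it")
        if "filter" in order and not has_filter:
            findings.append(f"{name}: ldap_access_order includes filter but "
                            "ldap_access_filter is not set (it is mandatory)")
    return findings


def check_nsswitch(text):
    """Flag databases that consult both sss and ldap, which the thread calls redundant."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if {"sss", "ldap"} <= set(sources.split()):
            findings.append(f"{db.strip()}: lists both sss and ldap; keep only sss with sssd")
    return findings


if __name__ == "__main__":
    for label, s, n in (("before", SSSD_BEFORE, NSSWITCH_BEFORE), ("after", SSSD_AFTER, NSSWITCH_AFTER)):
        print(label, check_sssd_access(s) + check_nsswitch(n) or ["no findings"])
```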