Thanks a lot for the explanation. I have confused some things while crawling through the manuals.
Now i have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks like this:
passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files sss aliases: files nisplu
My /etc/openldap/ldap.conf is this: TLS_CACERTDIR /etc/openldap/cacerts/ SASL_NOCANON on URI ldap://ldap.mydomain.tld BASE o=XXX
The sssd.conf is this: [sssd] config_file_version = 2 services = nss, pam, autofs domains = default
[nss] filter_groups = root filter_users = root
[pam]
[domain/default] ldap_uri = ldap://ldap.mydomain.tld ldap_search_base = o=XXX ldap_schema = rfc2307bis id_provider = ldap ldap_user_uuid = entryuuid ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/ssl/certs chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYY,o=XXX ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host
autofs_provider = ldap krb5_realm = # [autofs]
When i stop the sssd deamon, no login at all is possible. But when i start sssd, again login is successful, independendly from what i write into ldap_access_order and ldap_user_authorized_host (if i don't commit syntax errors). I also tried with ldap_access_filter and inserting "pam_check_host_attr yes" into ldap.conf. Still the same: When username and password are correct, the host atribute is ignored.
Is there another config file i have to edit?
With kind regards, ulrich
On 05/05/2015 11:43 PM, Gordon Messmer wrote:
On 05/05/2015 11:14 AM, Ulrich Hiller wrote:
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
This is wrong. Don't use sss and ldap together. It's redundant. At best it will cause performance problems.
Get rid of the ldap module and see if the system starts working correctly with just sssd. It's possible that right now sssd is correctly filtering users, but the PADL ldap module is providing them.
This was a good hint (i should have got the idea myself). Now i set passwd: files ldap shadow: files ldap group: files ldap
That's exactly the opposite of what I suggested. Your system is now using the deprecated PADL ldap module for name service instead of sssd.
You should probably remove nscd and nss-pam-ldapd from your system entirely. They're deprecated, and they're going to waste your time.
and got "pam_unix(sshd:auth): check pass; user unknown"
That seems consistent with having "ldap" in nsswitch.conf and no /etc/ldap.conf.
Don't use "ldap". Use "sss".
So, does it mean only the NSS is providing the ldap user information, and sssd cannot read the pam information? So pam is not set up correctly?
That's a confusing question, so let me explain the stack a little.
At one end you have your applications. Everything that needs to resolve user names, groups, hosts, services, etc is here. For example, "ls". "ls" reads directories and stats files, those files have numeric user and group IDs, which need to be resolved to names.
In the middle you have glibc and its "nss" API. "nss" provides a single interface to applications for resolving names and numbers for the types defined in nsswitch.conf.
At the other end of the stack you have nss modules. These include the "unix" module which reads files in /etc, the deprecated LDAP module from PADL, and the sss module that's part of sssd.
(sssd extends the stack a little bit. it provides one interface to nss, and has its own modules to resolve names through LDAP and other directories)
PAM is completely separate from all of that. PAM provides authentication services. It's a completely different interface from resolving names and numbers.
So, right now it sounds like you have the system configured to read information from the "ldap" module, but that module needs /etc/ldap.conf. You should be using the "sss" module in nsswitch.conf instead.
I am confused about what to do now. Do i have to configure anything else in /etc/pam.d apart from system-auth?
You probably shouldn't ever touch the files in /etc/pam.d.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos