On 2014-08-29 08:37, Mihamina Rakotomandimby wrote:
> Hi all,
>
> On a C6 box, when I want to enable LDAP authentication, I issue:
>
> # yum -y install nss-pam-ldapd pam_ldap nscd
> # authconfig --enableldap --enableldapauth --enablemkhomedir \
>   --ldapserver=ldap://ldap-blabla/ \
>   --ldapbasedn="blabla" \
>   --enablecache --disablefingerprint \
>   --kickstart --update
>
> All is working fine, the directory structure is fine and compliant.
>
> What about C7?
>
> As far as I read,
> - there is a switch to "sssd"
> - I found 1 link:
>   http://www.certdepot.net/ldap-client-configuration-authconfig/
>
> Is there something in particular I should pay attention to?
> Note that I have only GUI-less servers.
>
> Thank you.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

sssd is a hard piece to configure. In C7 it absolutely wants to have an encrypted connection to the LDAP server. Therefore, it must at least have a valid CAcert at its disposal. Also, the LDAP server itself must have a valid CAcert (eventually the same as the sssd client) and a valid server certificate with the Common Name of the host it runs on.

Our /etc/sssd/sssd.conf follows:

[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ********
enumerate = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

-------------------------------

In the /etc/nsswitch.conf you must have:

.....
passwd:     files sss
shadow:     files sss
group:      files sss
.....

-------------------------------

sssd, in our config, logs into the /var/log/daemonlog

-------------------------------

You must have authconfig set up as you said in your message.

-------------------------------

In case you see just "Unable to establish TLS connection" with the LDAP server from sssd, then you may be better off starting sssd in debug mode:

sssd -d0x777 -i

In this debug output, search for "Starting TLS".

Wishing you good luck
suomi
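As an added example (not code from either post in the thread), a small Python lint for the LDAP domain settings suomi walks through above: it checks the transport-security prerequisites behind the "Unable to establish TLS connection" failure mode (StartTLS or ldaps://, a CA to validate the server certificate, no disabled certificate verification). The embedded sample is constructed from the settings quoted in the thread with the bind password redacted, and the function name is my own.

```python
import configparser
from typing import List

# Constructed sample: the [domain/default] settings quoted in the thread, with
# the bind password redacted and the unrelated provider options left out.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ********
"""


def lint_ldap_domain(conf_text: str, domain: str = "default") -> List[str]:
    """Return findings for the LDAP domain's transport security; [] means clean."""
    # strict=False tolerates repeated keys (the posted config lists cache_credentials twice).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    sect = f"domain/{domain}"
    if not cp.has_section(sect):
        return [f"missing section [{sect}]"]
    d = cp[sect]
    findings = []
    uris = d.get("ldap_uri", "").replace(",", " ").split()
    start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() in ("true", "yes", "1")
    if not uris:
        findings.append("ldap_uri is not set")
    for uri in uris:
        if uri.startswith("ldap://") and not start_tls:
            # The combination sssd on C7 refuses: binds and passwords would go in the clear.
            findings.append(f"{uri}: ldap:// without ldap_id_use_start_tls, credentials unencrypted on the wire")
    # The server certificate can only be validated against a CA sssd knows about.
    if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
        findings.append("no ldap_tls_cacert/ldap_tls_cacertdir; validation falls back to /etc/openldap/ldap.conf defaults")
    reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert} disables server certificate verification")
    if d.get("ldap_default_bind_dn") and not d.get("ldap_default_authtok"):
        findings.append("ldap_default_bind_dn set but ldap_default_authtok is missing")
    return findings
```

Run it against a real file with `lint_ldap_domain(open("/etc/sssd/sssd.conf").read())`; an empty list means the posted combination (ldap:// plus StartTLS plus a CA directory) is in place.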