[CentOS] ldap host attribute is ignored
Ulrich Hiller
hiller at mpia-hd.mpg.de
Tue May 5 18:14:07 UTC 2015
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> ------------------------------------------
>> pam_check_host_attr yes
>
> /etc/openldap/ldap.conf is the configuration file for openldap clients.
> It is not used for system authentication or name service.
>
>> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
>> is a softlink to that file.
>
> Those two files have completely different syntax and are used by
> different software. Don't symlink them.
I deleted the link now. /etc/ldap.conf was not present before. I gave openldap
>
>> /etc/sssd/sssd.conf:
>> --------------------
>
> If you're using sssd, then you're not using (or shouldn't be using) the
> PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.
>
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>
> ldap_access_filter should be an LDAP filter, not an OU. However, it's
> only used when ldap_access_order=filter. When using
> ldap_access_order=host, it should not be present.
>
ldap_access_filter is now commented out.
>> in /etc/nscd.conf:
>
> nscd is also not used when using sssd.
>
>> /etc/nsswitch.conf:
>> ...................
>> passwd: files sss ldap
>> shadow: files sss ldap
>> group: files sss ldap
>
> This is wrong. Don't use sss and ldap together. It's redundant. At
> best it will cause performance problems.
>
> Get rid of the ldap module and see if the system starts working
> correctly with just sssd. It's possible that right now sssd is
> correctly filtering users, but the PADL ldap module is providing them.
>
This was a good hint (I should have got the idea myself).
Now I set
passwd: files ldap
shadow: files ldap
group: files ldap
and got "pam_unix(sshd:auth): check pass; user unknown"
The same when I set in sssd.conf
services = pam
So, does it mean only the NSS is providing the ldap user information,
and sssd cannot read the pam information? So pam is not set up correctly?
I am confused about what to do now.
Do I have to configure anything else in /etc/pam.d apart from system-auth?
With kind regards, ulrich
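As an added example (not code from this thread, from CentOS or from the sssd project): a small POSIX shell lint for the two mistakes pointed out above, namely sss and ldap listed together in /etc/nsswitch.conf, and an ldap_access_filter set next to ldap_access_order = host, where it is ignored. It also checks the [sssd] services line, because the sss NSS module can only resolve users when sssd's nss responder is running, which matches the "user unknown" seen with services = pam. The sample nsswitch.conf and sssd.conf files are constructed inside the script; the "good" sssd.conf is an assumed minimal skeleton (ldap_uri, search bases and the rest of a working domain are left out), not a tested configuration.

```shell
#!/bin/sh
# Constructed lint for the sssd / nsswitch problems discussed in the thread.

# check_nsswitch FILE
# Returns 0 if none of passwd/shadow/group lists both "sss" and "ldap".
check_nsswitch() {
    nss_bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            passwd:*|shadow:*|group:*) ;;
            *) continue ;;
        esac
        has_sss=0; has_ldap=0
        for mod in ${line#*:}; do          # word-split the module list
            [ "$mod" = sss ] && has_sss=1
            [ "$mod" = ldap ] && has_ldap=1
        done
        if [ "$has_sss" = 1 ] && [ "$has_ldap" = 1 ]; then
            echo "nsswitch: ${line%%:*} lists both sss and ldap; drop ldap" >&2
            nss_bad=1
        fi
    done < "$1"
    return $nss_bad
}

# Judge the access settings gathered for the current [domain/...] section.
# Reads the globals section/order/filter set by check_sssd; sets sssd_bad=1.
domain_verdict() {
    case $section in domain/*) ;; *) return 0 ;; esac
    case ",$order," in
        *,host,*) if [ -n "$filter" ]; then
                      echo "$section: ldap_access_filter is ignored with ldap_access_order=host" >&2
                      sssd_bad=1
                  fi ;;
    esac
    case ",$order," in
        *,filter,*) if [ -z "$filter" ]; then
                        echo "$section: ldap_access_order=filter but no ldap_access_filter" >&2
                        sssd_bad=1
                    fi ;;
    esac
}

# check_sssd FILE
# Returns 0 if every domain's access settings are consistent and
# [sssd] services lists both nss and pam.
check_sssd() {
    sssd_bad=0; section=""; order=""; filter=""; services=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*|'') continue ;;
            '['*']') domain_verdict            # close the previous section
                     section=${line#"["}; section=${section%"]"}
                     order=""; filter=""
                     continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case $section,$key in
            sssd,services)              services=$val ;;
            domain/*,ldap_access_order) order=$val ;;
            domain/*,ldap_access_filter) filter=$val ;;
        esac
    done < "$1"
    domain_verdict                             # close the last section
    has_nss=0; has_pam=0
    case ",$services," in *,nss,*) has_nss=1 ;; esac
    case ",$services," in *,pam,*) has_pam=1 ;; esac
    if [ "$has_nss" = 0 ] || [ "$has_pam" = 0 ]; then
        echo "[sssd] services must include both nss and pam (got '$services')" >&2
        sssd_bad=1
    fi
    return $sssd_bad
}

# Write constructed sample files into a temp dir and print its path.
# "bad" mirrors the setup quoted in the thread; "good" is an assumed minimal fix.
setup_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'passwd: files sss ldap' 'shadow: files sss ldap' \
        'group:  files sss ldap' > "$dir/bad_nsswitch.conf"
    printf '%s\n' 'passwd: files sss' 'shadow: files sss' \
        'group:  files sss' > "$dir/good_nsswitch.conf"
    printf '%s\n' '[sssd]' 'services = pam' 'domains = default' \
        '[domain/default]' 'access_provider = ldap' \
        'ldap_access_filter = memberOf=ou=YYYY,o=XXXX' \
        'ldap_access_order = host' > "$dir/bad_sssd.conf"
    printf '%s\n' '[sssd]' 'services = nss, pam' 'domains = default' \
        '[domain/default]' 'id_provider = ldap' 'access_provider = ldap' \
        'ldap_access_order = host' > "$dir/good_sssd.conf"
    printf '%s\n' "$dir"
}

samples=$(setup_samples)
for f in bad good; do
    if check_nsswitch "$samples/${f}_nsswitch.conf" && check_sssd "$samples/${f}_sssd.conf"; then
        echo "$f: consistent"
    else
        echo "$f: problems found"
    fi
done
rm -rf "$samples"
```

Run it as-is to see the thread's configuration flagged and the minimal fix pass; point check_nsswitch and check_sssd at /etc/nsswitch.conf and /etc/sssd/sssd.conf to lint a real host (sssd.conf is root-readable only, so run as root).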