[CentOS] ldap host attribute is ignored
Ulrich Hiller
hiller at mpia-hd.mpg.de
Wed May 6 14:24:22 UTC 2015
Thanks a lot for the explanation. I have confused some things while
crawling through the manuals.
Now I have removed 'ldap' from /etc/nsswitch.conf. Now it looks
like this:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
My /etc/openldap/ldap.conf is this:
TLS_CACERTDIR /etc/openldap/cacerts/
SASL_NOCANON on
URI ldap://ldap.mydomain.tld
BASE o=XXX
The sssd.conf is this:
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/default]
ldap_uri = ldap://ldap.mydomain.tld
ldap_search_base = o=XXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
krb5_realm = #
[autofs]
When I stop the sssd daemon, no login at all is possible. But when I
start sssd again, login is successful, independently of what I write
into ldap_access_order and ldap_user_authorized_host (if I don't commit
syntax errors). I also tried with ldap_access_filter and inserting
"pam_check_host_attr yes" into ldap.conf.
Still the same: when username and password are correct, the host
attribute is ignored.
Is there another config file I have to edit?
With kind regards, ulrich
On 05/05/2015 11:43 PM, Gordon Messmer wrote:
> On 05/05/2015 11:14 AM, Ulrich Hiller wrote:
>> On 05/05/2015 06:47 PM, Gordon Messmer wrote:
>>> This is wrong. Don't use sss and ldap together. It's redundant. At
>>> best it will cause performance problems.
>>>
>>> Get rid of the ldap module and see if the system starts working
>>> correctly with just sssd. It's possible that right now sssd is
>>> correctly filtering users, but the PADL ldap module is providing them.
>>
>> This was a good hint (I should have got the idea myself).
>> Now I set
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>
> That's exactly the opposite of what I suggested. Your system is now
> using the deprecated PADL ldap module for name service instead of sssd.
>
> You should probably remove nscd and nss-pam-ldapd from your system
> entirely. They're deprecated, and they're going to waste your time.
>
>> and got "pam_unix(sshd:auth): check pass; user unknown"
>
> That seems consistent with having "ldap" in nsswitch.conf and no
> /etc/ldap.conf.
>
> Don't use "ldap". Use "sss".
>
>> So, does it mean only the NSS is providing the ldap user information,
>> and sssd cannot read the pam information? So pam is not set up correctly?
>
> That's a confusing question, so let me explain the stack a little.
>
> At one end you have your applications. Everything that needs to resolve
> user names, groups, hosts, services, etc. is here. For example, "ls".
> "ls" reads directories and stats files, those files have numeric user
> and group IDs, which need to be resolved to names.
>
> In the middle you have glibc and its "nss" API. "nss" provides a single
> interface to applications for resolving names and numbers for the types
> defined in nsswitch.conf.
>
> At the other end of the stack you have nss modules. These include the
> "unix" module which reads files in /etc, the deprecated LDAP module from
> PADL, and the sss module that's part of sssd.
>
> (sssd extends the stack a little bit. It provides one interface to nss,
> and has its own modules to resolve names through LDAP and other
> directories)
>
> PAM is completely separate from all of that. PAM provides
> authentication services. It's a completely different interface from
> resolving names and numbers.
>
> So, right now it sounds like you have the system configured to read
> information from the "ldap" module, but that module needs
> /etc/ldap.conf. You should be using the "sss" module in nsswitch.conf
> instead.
>
>> I am confused about what to do now.
>> Do i have to configure anything else in /etc/pam.d apart from
>> system-auth?
>
> You probably shouldn't ever touch the files in /etc/pam.d.
>
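An added example, written for this page and not code from the thread or from sssd: it lints the two files quoted in the post for the points the thread raises, namely the deprecated 'ldap' NSS source sitting next to 'sss', and whether the sssd access rules can be enforced at all (they are checked on the PAM path, so the pam service must be enabled; the ldap_tls_reqcert = never line is flagged too, since it turns off server certificate checking). The sample inputs are constructed, trimmed copies of the posted configs with one nsswitch line changed to trigger a finding.

```python
import configparser

# Constructed sample inputs, trimmed from the fragments in the post.
NSSWITCH = """\
passwd: files sss
shadow: files sss
group: files ldap
hosts: files dns
"""

SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[domain/default]
id_provider = ldap
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
"""

def parse_nsswitch(text):
    """Map each nsswitch database to its list of sources, dropping [action] tokens."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            dbs[db.strip()] = [s for s in srcs.split() if not s.startswith("[")]
    return dbs

def lint(nsswitch_text, sssd_text):
    """Return a list of findings for the name-service and access-control setup."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "shadow", "group"):
        if "ldap" in nss.get(db, []):  # PADL module is deprecated and redundant next to sss
            findings.append(f"{db}: deprecated 'ldap' NSS source; use 'sss' alone")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",")]
    for sect in cp.sections():
        if not sect.startswith("domain/"):
            continue
        d = cp[sect]
        if d.get("access_provider") == "ldap" and "pam" not in services:
            findings.append(f"{sect}: access_provider=ldap but 'pam' is not in services; "
                            "access rules are only enforced by the PAM responder")
        if d.get("ldap_tls_reqcert", "").lower() == "never":
            findings.append(f"{sect}: ldap_tls_reqcert=never disables server certificate checking")
    return findings
```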