[CentOS] ldap host attribute is ignored
Gordon Messmer
gordon.messmer at gmail.com
Wed May 6 17:02:59 UTC 2015
On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
>
> Now i have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
> like this:
Looks good.
> My /etc/openldap/ldap.conf is this:
OK, but that file isn't used for name service or authentication. Mostly
just the openldap tools (ldapsearch, ldapadd, ldapmodify).
> The sssd.conf is this:
...
> [nss]
> filter_groups = root
> filter_users = root
nitpick: those are the defaults. Probably don't need to set them.
> [domain/default]
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/ssl/certs
> ldap_tls_reqcert = never
Not sure about that setting. "allow" is probably what you want if
you're using starttls.
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
...
> When i stop the sssd deamon, no login at all is possible.
OK. Remember that previously you had both sssd and ldap configured to
provide user information.
You'll want to watch the logs for more information.
Start by determining whether the problem is in the name service or
authentication step. Use "id <user>" or "getent passwd <user>" to
determine whether user information is available through sssd. If it is
not, then you probably want to start paring out settings that you added
(assuming that you started with a file written by authconfig) until
that's working.
If user data is available, then start looking at your pam configuration.
It looks like you made some changes there, and not all of them make
sense. In the auth stack, you're calling pam_unix.so twice. Remove the
last one. You've also marked pam_sss.so as required instead of
sufficient, which is definitely wrong. On success of a "sufficient"
module, processing stops. On success of a "required" module, processing
will continue, and will reach pam_deny.so. See the man page for
pam.conf for more information.
More information about the CentOS
mailing list