[CentOS] ldap host attribute is ignored
Gordon Messmer
gordon.messmer at gmail.com
Thu May 7 21:19:10 UTC 2015
On 05/07/2015 12:07 PM, Ulrich Hiller wrote:
> login with the wrong password gives a denied login.
> login with the correct password always works.
>
> This is my sitution since the begin of my thread.
Got it. I misread part of your last message, and thought that logins
were /not/ working when sssd was running.
> But instead i get
> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
> <username>
"pam_unix" should be an indication that <username> appears in the local
unix password files. Make sure that it doesn't.
What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?
> So, maybe it is a pam problem.
Looks that way to me.
> I have installed on centos:
> fprintd-pam-0.5.0-4.0.el7_0.x86_64
> pam-1.1.8-12.el7.x86_64
> gnome-keyring-pam-3.8.2-10.el7.x86_64
> pam_krb5-2.4.8-4.el7.x86_64
>
> Are you sure i do not need nss-pam-ldapd?
Yes. nss-pam-ldapd does, essentially, the same thing that sssd does.
You also don't need pam_krb5. sssd has krb5 modules to support Kerberos
login.
> Googling around i have read
> something about a /etc/nslcd.conf which comes with this package. Is that
> needed?
No. Before sssd, there was nss_ldap. It sometimes caused boot problems
by trying to connect to an LDAP server for user data before the network
was up.
nss-pam-ldapd was written to address that with a daemon that handled
queries, which was started after network init. That mostly solved the
problem for LDAP.
sssd does mostly the same thing, but handles LDAP, krb5, as well as
extensions for FreeIPA and Active Directory. It can cache credentials
for offline use (for laptops). When using sssd, you don't need the
older PAM or NSS modules.
> On my opensuse i have much more:
I'm not terribly familiar with opensuse's authentication setup. Your
log says you're using sss there, so most of those modules are probably
installed but unused.
More information about the CentOS
mailing list