[CentOS] ldap host attribute is ignored

Tue May 5 18:14:07 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>


On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> ------------------------------------------
>>   pam_check_host_attr     yes
> 
> /etc/openldap/ldap.conf is the configuration file for openldap clients. 
> It is not used for system authentication or name service.
> 
>> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
>> is a softlink to that file.
> 
> Those two files have completely different syntax and are used by
> different software.  Don't symlink them.

I deleted the link now. /etc/ldap.conf was not present before. I gave
openldap


> 
>> /etc/sssd/sssd.conf:
>> --------------------
> 
> If you're using sssd, then you're not using (or shouldn't be using) the
> PADL nss module.  In that case, /etc/ldap.conf shouldn't even be present.
> 
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
> 
> ldap_access_filter should be an LDAP filter, not an OU.  However, it's
> only used when ldap_access_order=filter.  When using
> ldap_access_order=host, it should not be present.
> 


ldap_access_filter is now commented out.


>> in /etc/nscd.conf:
> 
> nscd is also not used when using sssd.
> 
>> /etc/nsswitch.conf:
>> ...................
>> passwd:     files sss ldap
>> shadow:     files sss ldap
>> group:      files sss ldap
> 
> This is wrong.  Don't use sss and ldap together.  It's redundant. At
> best it will cause performance problems.
> 
> Get rid of the ldap module and see if the system starts working
> correctly with just sssd.  It's possible that right now sssd is
> correctly filtering users, but the PADL ldap module is providing them.
> 


This was a good hint (I should have got the idea myself).
Now I set
passwd:     files ldap
shadow:     files ldap
group:      files ldap

and got "pam_unix(sshd:auth): check pass; user unknown",
the same when I set in sssd.conf
services = pam

So, does it mean only the NSS is providing the ldap user information,
and sssd cannot read the pam information? So pam is not set up correctly?

I am confused about what to do now.
Do I have to configure anything else in /etc/pam.d apart from system-auth?

With kind regards, ulrich
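As an added illustration (not part of the original thread, and not a configuration either poster shared), here is what the host-attribute setup described above looks like once the two problems Gordon points out are removed: sssd is the only LDAP source in nsswitch.conf, and ldap_access_filter is gone because it is only honoured when ldap_access_order includes "filter". The server URI and search base are placeholders; the option names are the documented sssd-ldap ones (ldap_user_authorized_host defaults to the "host" attribute, so it is shown only for clarity).

```ini
# /etc/sssd/sssd.conf  (added example; must be mode 0600, owned by root,
# or sssd refuses to start)
[sssd]
config_file_version = 2
# Both responders are needed: nss resolves the account, pam authenticates
# and runs the access check. "services = pam" alone leaves users unknown.
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
# placeholders: replace with the real server and base DN
ldap_uri = ldap://ldap.example.com
ldap_search_base = o=XXXX
# Host-based access control: the user's entry must carry a "host" attribute
# equal to this machine's hostname (or "*"), otherwise the login is denied.
ldap_access_order = host
ldap_user_authorized_host = host
# ldap_access_filter is intentionally absent: it is ignored unless
# ldap_access_order contains "filter".

# /etc/nsswitch.conf  (relevant lines only): a single LDAP-backed source,
# the sssd responder, so the PADL nss_ldap module cannot bypass the check
passwd:     files sss
shadow:     files sss
group:      files sss
```

On CentOS the sshd PAM stack pulls in /etc/pam.d/password-auth rather than system-auth, so pam_sss has to be enabled in both; `authconfig --enablesssd --enablesssdauth --update` rewrites both files and the nsswitch entries in one step. The "user unknown" line from pam_unix is expected when the account lives only in LDAP; what matters is whether pam_sss accepts or rejects the login afterwards, and sssd's domain log (with debug_level raised) shows which attribute the host check compared.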