[CentOS] ldap host attribute is ignored

Thu May 7 21:19:10 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 05/07/2015 12:07 PM, Ulrich Hiller wrote:
> login with the wrong password gives a denied login.
> login with the correct password always works.
>
> This is my sitution since the begin of my thread.

Got it.  I misread part of your last message, and thought that logins 
were /not/ working when sssd was running.

> But instead i get
> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
> <username>

"pam_unix" should be an indication that <username> appears in the local 
unix password files.  Make sure that it doesn't.

What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?

> So, maybe it is a pam problem.

Looks that way to me.

> I have installed on centos:
> fprintd-pam-0.5.0-4.0.el7_0.x86_64
> pam-1.1.8-12.el7.x86_64
> gnome-keyring-pam-3.8.2-10.el7.x86_64
> pam_krb5-2.4.8-4.el7.x86_64
>
> Are you sure i do not need nss-pam-ldapd?

Yes.  nss-pam-ldapd does, essentially, the same thing that sssd does. 
You also don't need pam_krb5.  sssd has krb5 modules to support Kerberos 
login.

> Googling around i have read
> something about a /etc/nslcd.conf which comes with this package. Is that
> needed?

No.  Before sssd, there was nss_ldap.  It sometimes caused boot problems 
by trying to connect to an LDAP server for user data before the network 
was up.

nss-pam-ldapd was written to address that with a daemon that handled 
queries, which was started after network init.  That mostly solved the 
problem for LDAP.

sssd does mostly the same thing, but handles LDAP, krb5, as well as 
extensions for FreeIPA and Active Directory.  It can cache credentials 
for offline use (for laptops).  When using sssd, you don't need the 
older PAM or NSS modules.

> On my opensuse i have much more:

I'm not terribly familiar with opensuse's authentication setup.  Your 
log says you're using sss there, so most of those modules are probably 
installed but unused.